Repairing storage directory ACLs on NTFS

ACLs for VOB and view storage directories are established when VOBs and views are created. These ACLs have a particular form that DevOps Code ClearCase® relies on.

Use NTFS-formatted disks to hold VOB and view storage directories on Windows® computers. NTFS file system objects are protected by security descriptors, which contain ownership information and access control lists (ACLs). FAT file systems do not support ACLs, so objects in FAT file systems can be protected only by the read-only attribute. This attribute is available on both NTFS and FAT, but it is not a security control: it is not enforced against any particular user, and anyone with access to the object can clear it.

On NTFS, a VOB or view storage directory's ownership (its owner and primary group ID) is determined from the security descriptor on the directory root. On FAT file systems, this information is stored in the file identity.sd in the storage directory root. (For compatibility, the file identity.sd is also created on NTFS file systems.) On both FAT and NTFS, the file groups.sd holds the supplementary VOB group list.

VOB and view storage directory ACLs

The following example shows the correct ACL for a VOB storage directory, sources.vbs, created by user NT_WEST\ccase_adm, whose primary group is NT_WEST\user. The ClearCase administrators group is named NT_WEST\clearcase. The annotations in parentheses are not part of the cacls output.
cacls c:\vobstore\sources.vbs
NT AUTHORITY\NETWORK:(OI)(CI)(DENY)(special access:)   (on VOB storage only)
                  DELETE
                  FILE_WRITE_DATA
                  FILE_APPEND_DATA
                  FILE_WRITE_EA
                  FILE_WRITE_ATTRIBUTES

NT_WEST\user:(CI)R                                   (VOB's principal group)
Everyone:(CI)R 
NT_WEST\ccase_adm:(CI)(special access:)              (VOB owner) 
                  STANDARD_RIGHTS_ALL 
                  DELETE
                  READ_CONTROL
                  WRITE_DAC
                  WRITE_OWNER
                  SYNCHRONIZE
                  STANDARD_RIGHTS_REQUIRED
                  FILE_GENERIC_READ
                  FILE_GENERIC_WRITE
                  FILE_GENERIC_EXECUTE
                  FILE_READ_DATA
                  FILE_WRITE_DATA
                  FILE_APPEND_DATA
                  FILE_READ_EA
                  FILE_WRITE_EA
                  FILE_EXECUTE
                  FILE_READ_ATTRIBUTES
                  FILE_WRITE_ATTRIBUTES

NT_WEST\clearcase:(CI)F    (The built-in identity NT AUTHORITY\SYSTEM is used)
NT_WEST\user:(OI)(IO)(special access:)                    (VOB's principal group) 
                  GENERIC_READ
                  GENERIC_EXECUTE

Everyone:(OI)(IO)(special access:)
                  GENERIC_READ
                  GENERIC_EXECUTE

NT_WEST\ccase_adm:(OI)(IO)(special access:)               (VOB owner) 
                  DELETE
                  WRITE_DAC
                  WRITE_OWNER
                  GENERIC_READ
                  GENERIC_WRITE
                  GENERIC_EXECUTE

NT_WEST\clearcase:(OI)(IO)F       (The built-in identity NT AUTHORITY\SYSTEM is used)
BUILTIN\administrators:(OI)(CI)F
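As an added check, not part of the ClearCase documentation or the product, the following PowerShell script reads a storage directory's security descriptor with Get-Acl and reports where the ACL departs from the form listed above: it prints the owner and primary group taken from the root directory's descriptor (the ownership paragraph earlier in this section) and then looks for the ACEs the cacls listing shows (the NT AUTHORITY\NETWORK deny entry on VOB storage, read-only access for Everyone, and full control for the owner, the ClearCase administrators group, and BUILTIN\Administrators). It only reads the ACL and never modifies it. The parameter names, the -Vob switch, the default group name, and the example path are assumptions made for this illustration.

```powershell
# Added audit script: not from the ClearCase documentation or product.
# Reports where a VOB or view storage directory's ACL departs from the
# form shown in the cacls listing above. Read-only: it never changes the ACL.
# Parameter names, -Vob, and the default group name are assumptions.
param(
    [Parameter(Mandatory = $true)] [string] $Path,   # e.g. C:\vobstore\sources.vbs (assumed)
    [string] $AdminGroup = 'NT_WEST\clearcase',       # ClearCase administrators group
    [switch] $Vob                                     # set for VOB storage; omit for a view
)

# Win32 access-mask bits, named as cacls prints them in the listing above.
$FILE_WRITE_DATA       = 0x00000002
$FILE_APPEND_DATA      = 0x00000004
$FILE_WRITE_EA         = 0x00000010
$FILE_WRITE_ATTRIBUTES = 0x00000100
$DELETE                = 0x00010000
$GENERIC_WRITE         = 0x40000000
$FULL_CONTROL          = 0x001F01FF                  # what cacls prints as "F"
$NETWORK_DENY = $DELETE -bor $FILE_WRITE_DATA -bor $FILE_APPEND_DATA -bor $FILE_WRITE_EA -bor $FILE_WRITE_ATTRIBUTES

function Get-Mask {
    # The (OI)(IO) entries carry GENERIC_* bits that the FileSystemRights
    # enum has no names for; the [int] cast keeps the raw mask intact.
    param([System.Security.AccessControl.FileSystemAccessRule] $Rule)
    return [int] $Rule.FileSystemRights
}

function Test-Covers {
    # True when the ACE grants (or denies) every bit in $Mask.
    param($Rule, [int] $Mask)
    return (((Get-Mask $Rule) -band $Mask) -eq $Mask)
}

function Test-StorageAcl {
    param([string] $Path, [string] $AdminGroup, [bool] $IsVob)
    $acl    = Get-Acl -LiteralPath $Path
    $rules  = @($acl.Access | Where-Object { -not $_.IsInherited })   # explicit ACEs only
    $allow  = $rules | Where-Object { $_.AccessControlType -eq 'Allow' }
    $deny   = $rules | Where-Object { $_.AccessControlType -eq 'Deny' }
    $issues = @()

    # Owner: the listing gives the owner every standard and FILE_* right, i.e. "F".
    if (-not ($allow | Where-Object { $_.IdentityReference.Value -eq $acl.Owner -and (Test-Covers $_ $FULL_CONTROL) })) {
        $issues += "owner $($acl.Owner) has no explicit full-control ACE"
    }

    # VOB storage only: NETWORK must be denied DELETE and the FILE_WRITE_* rights.
    if ($IsVob -and -not ($deny | Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK' -and (Test-Covers $_ $NETWORK_DENY) })) {
        $issues += 'VOB storage: missing DENY ACE for NT AUTHORITY\NETWORK on delete/write rights'
    }

    # Everyone: read access is expected, write access is not.
    $everyone = $allow | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }
    if (-not $everyone) { $issues += 'Everyone has no read ACE' }
    foreach ($r in $everyone) {
        if (((Get-Mask $r) -band ($FILE_WRITE_DATA -bor $FILE_APPEND_DATA -bor $GENERIC_WRITE)) -ne 0) {
            $issues += 'Everyone is granted write access'
        }
    }

    # The ClearCase administrators group and BUILTIN\Administrators get full control.
    foreach ($name in @($AdminGroup, 'BUILTIN\Administrators')) {
        if (-not ($allow | Where-Object { $_.IdentityReference.Value -eq $name -and (Test-Covers $_ $FULL_CONTROL) })) {
            $issues += "$name lacks a full-control ACE"
        }
    }

    return [pscustomobject]@{ Owner = $acl.Owner; Group = $acl.Group; Issues = $issues }
}

$result = Test-StorageAcl -Path $Path -AdminGroup $AdminGroup -IsVob $Vob.IsPresent
Write-Output "Owner: $($result.Owner)  Primary group: $($result.Group)"
if ($result.Issues.Count -eq 0) {
    Write-Output "ACL on $Path matches the expected form."
} else {
    $result.Issues | ForEach-Object { Write-Output "PROBLEM: $_" }
}
```

Run it as .\Test-StorageAcl.ps1 -Path C:\vobstore\sources.vbs -Vob for a VOB, or without -Vob for a view storage directory, where the NETWORK deny entry is not expected. The script deliberately stops at reporting: ClearCase relies on the ACL having exactly the form shown above, so repairs should reproduce that form rather than simply adding rights, and a deny entry for NT AUTHORITY\NETWORK that is missing on VOB storage is worth treating as a finding, since it is what keeps remote clients from writing to or deleting VOB storage directly.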