Grantable permissions

Each metatype has a specific set of operation-based individual permissions, specific to each metatype.

Individual and generic permissions

For example, elements have a specific mod-checkout permission that covers operations that make new versions (checkout, checkin); the VOB object has permissions for making new objects, such as mkrolemap, mkpolicy, and so on. Besides the individual permissions, you can also use generic permissions (predefined groupings of permissions). Each metatype has a Read, Change, and Full generic permission. These are mapped to an appropriate subset of the metatype's specific permissions. You can think of these as levels of permission, with Change incorporating all of Read and adding in additional permitted operations, and Full enabling yet more operations.

You can grant principals generic permissions, or specific permissions, or a combination of both. You can grant multiple permissions to the same principal by separating them with a comma (cleartool) or by selecting checkboxes (ClearTeam Explorer GUI). If you grant all the specific permissions that make up a generic grouping, the entry will be displayed showing just that generic name. For example, an ACE granting read-info,lookup-dir,AclRead on an element will be displayed as Read.

For rolemaps and policies, read-name is required to see an object's name in a list or collection; read-info is required to see the object's properties.

For elements, it is the containing directory's permissions that govern visibility of the element's file name; the reading process needs read-info on a versioned directory to see the list of elements catalogued in any version of the directory (this mimics the permissions model of Linux and UNIX system directories). The process also needs read-info permission on the element to access the contents of a version of a plain file element.

For the VOB object, read-info stands for the basic permission to open VOB for any operation.

Generic permissions applicable to multiple object types

AclRead
Permission to read the dbid of the object's rolemap
AclWrite
Permission to reprotect the object with a new rolemap
chmaster
Permission to change mastership of the object
delete
Permission to remove an object
lock
Permission to lock an object
mod-props
Permission to modify properties of an object (owner, group, fstat permission, event record, and so on.)
read-info
Permission to read properties of an object
read-name
Permission to read name of an object

Generic and individual permissions

Below are listed, for each object meta-type, the individual permissions that are included in each of the generic permissions.

Table 1. Generic and individual permissions

Generic and individual permissions

Generic permission Individual permissions
VOB object permissions
Read read-info, read-name, AclRead
Change read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink
Full read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink, chmaster, mkpolicy, mkrolemap, rmelem, lock, AclWrite, Delete
Policy object permissions
Read read-info, read-name, AclRead
Change read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink
Full read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink, chmaster, lock, AclWrite, Delete
Rolemap object permissions
Read read-info, read-name, AclRead
Change read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink
Full read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink, chmaster, lock, AclWrite, Delete
Element object generic permissions
Read read-info, lookup-dir, AclRead
Change read-info, lookup-dir, AclRead, mod-props, mod-checkout, mod-branch, write-dir, mod-task, mod-attr, mod-hlink, mod-trig
Full read-info, lookup-dir, AclRead, mod-props, mod-checkout, mod-branch, write-dir, mod-task, mod-attr, mod-hlink, mod-trig, chmaster, rmver, mod-label, lock, AclWrite, Delete