Using active directory universal groups

About this task

When a DevOps Code ClearCase® community operating in a Microsoft Active Directory environment includes users from multiple Active Directory domains that are part of the same forest, you can use an Active Directory universal group to provide users logged on to different domains with access to a common set of VOBs and views.

Note: If you are upgrading a multimaster Windows NT domain environment to Active Directory, use the procedure in Converting proxy groups to convert the proxy groups to members of an Active Directory universal group.

To create an Active Directory universal group that can be used as the DevOps Code ClearCase primary group by users from multiple Active Directory domains in a single forest, use the following procedure.

Procedure

  1. Verify that the Active Directory environment is operating in native mode. (Universal groups cannot be created in an Active Directory domain that is operating in mixed mode.)
  2. Create the DevOps Code ClearCase users group as an Active Directory universal group.
  3. Make each domain global group whose members are part of the DevOps Code ClearCase community a member of the DevOps Code ClearCase users group. Do not add individual user accounts to a universal group. Instead, group the users from each Active Directory domain into a domain global group defined in that domain, and make each of those groups a member of the universal group.
  4. Require DevOps Code ClearCase users to set CLEARCASE_PRIMARY_GROUP to the domain-qualified name of the (universal) DevOps Code ClearCase users group. (You cannot use Active Directory account management tools to specify a universal group as a user's primary group.)