Using proxy groups and domain mapping in Windows NT domains

About this task

When a DevOps Code ClearCase® community includes users from multiple Windows NT® domains, you must enable the DevOps Code ClearCase domain mapping feature as described in this section to provide all users with access to a common set of VOBs. Because this configuration can be complicated to set up and administer, you should avoid using it unless organizational or security concerns require you to do so.
Note: When users in proxy groups share a dynamic view on Windows®, all directory elements accessed in the view must have mode 777 (write permission for all users).

Suppose that DevOps Code ClearCase users have accounts in domains named ATLANTA, BOSTON, and CHICAGO, and that the primary group of each VOB they need to share is ATLANTA\clearusers. To use DevOps Code ClearCase in this environment, create proxy groups and enable domain mapping as illustrated in the following procedure.

Procedure

  1. Ensure that each DevOps Code ClearCase host is a member of a resource domain that trusts the ATLANTA, BOSTON, and CHICAGO domains.
  2. Create the DevOps Code ClearCase users group in one of the user account domains. In this example, the domain is ATLANTA and the group is ATLANTA\clearusers.
    VOBs to be shared by users taking advantage of domain mapping must be owned by the ATLANTA\clearusers group.
  3. Configure the albd_server on every DevOps Code ClearCase host in each of these domains to log on as the clearcase_albd user in the primary DevOps Code ClearCase domain (in this case, ATLANTA\clearcase_albd).
  4. Create two more domain global groups, one in each of the other domains.
    1. In the BOSTON domain, create the group BOSTON\clearusers_Boston.
    2. In the CHICAGO domain, create the group CHICAGO\clearusers_Chicago.
    When creating these groups, make sure their description strings contain the following text string:
    ClearCaseGroup(ATLANTA\clearusers)
    This string must be case-correct and contain no spaces. When this text string is present in a group description, the group is recognized by DevOps Code ClearCase as a proxy group for the group whose name is delimited by the parentheses (in this case, the group ATLANTA\clearusers). When evaluating VOB access rights, members of a proxy group are treated as though they were members of the group named in the ClearCaseGroup substring. In this example, a member of BOSTON\clearusers_Boston has the same VOB access rights as a member of ATLANTA\clearusers if the description of BOSTON\clearusers_Boston includes the string ClearCaseGroup(ATLANTA\clearusers).
  5. Make DevOps Code ClearCase users members of the appropriate domain groups:
    • Make users whose accounts are in domain ATLANTA members of ATLANTA\clearusers.
    • Make users whose accounts are in domain BOSTON members of BOSTON\clearusers_Boston.
    • Make users whose accounts are in domain CHICAGO members of CHICAGO\clearusers_Chicago.
  6. Enable domain mapping on each host. To do so, edit the Windows registry on that host to make the following changes:
    1. Using a Windows registry editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Atria\ClearCase\CurrentVersion.
    2. Click Edit > Add Value.
    3. In the Add Value window, enter DomainMappingEnabled as the Value Name and select REG_DWORD as the value type.
    4. Click OK to start the DWORD editor.
    5. In the DWORD editor, enter 1 (hex) in the Data field.
    6. Click OK to add the value.
  7. Require each DevOps Code ClearCase user to set the user environment variable CLEARCASE_PRIMARY_GROUP to the value ATLANTA\clearusers. See Setting the DevOps Code ClearCase primary group.
  8. Adjust VOB element permissions.
    All elements in any VOB that are accessed by users who are members of proxy groups must allow Read rights for Other. Newly created elements grant this right by default. Use cleartool describe to examine an element's protection. Use cleartool protect to change an element's protection. You can also use GUIs such as the DevOps ClearCase Explorer to examine and change protections of elements.
  9. Optional: Modify VOB storage ACLs.
    If necessary, you can restrict access to world-readable elements to a smaller set of users by setting the access control list (ACL) on the share that contains the VOB storage directory. For example, if a VOB is registered with the global path \\myserver\vobstorage\src_vob, you can set the ACL on the vobstorage share to restrict access to members of the domain groups ATLANTA\clearusers, BOSTON\clearusers_Boston, and CHICAGO\clearusers_Chicago, in addition to the DevOps Code ClearCase administrators group.
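
Because the description string in step 4 is what gives a proxy group the VOB access rights of ATLANTA\clearusers, it is worth reviewing group descriptions for markers that are malformed or that name a different group. The following Python check is an added example, not part of the product or of this procedure; it assumes group names and descriptions have already been exported into a dictionary, and the sample data (including ATLANTA\ccadmins, BOSTON\contractors and BOSTON\printers) is constructed.

```python
import re

# Exact marker from step 4: case-correct, no spaces anywhere in the string.
EXACT = re.compile(r"ClearCaseGroup\(([^\s()\\]+\\[^\s()]+)\)")
# Loose pattern, used only to spot near-misses (wrong case, stray spaces).
LOOSE = re.compile(r"clearcasegroup\s*\(\s*([^()]*?)\s*\)", re.IGNORECASE)

def classify(description):
    """Return (status, target) for one group description string."""
    m = EXACT.search(description)
    if m:
        return ("proxy", m.group(1))
    m = LOOSE.search(description)
    if m:
        return ("malformed", m.group(1))
    return ("none", None)

def audit(groups, expected_target):
    """groups maps group name -> description; returns (name, problem) pairs."""
    findings = []
    for name, desc in sorted(groups.items()):
        status, target = classify(desc)
        if status == "malformed":
            findings.append((name, "marker is not case-correct and space-free"))
        elif status == "proxy" and target != expected_target:
            findings.append((name, "proxy for unexpected group " + target))
    return findings

# Constructed sample export. ATLANTA\ccadmins and the groups
# BOSTON\contractors and BOSTON\printers are hypothetical names.
SAMPLE = {
    r"BOSTON\clearusers_Boston": r"Boston devs ClearCaseGroup(ATLANTA\clearusers)",
    r"CHICAGO\clearusers_Chicago": r"Chicago devs clearcasegroup( ATLANTA\clearusers )",
    r"BOSTON\contractors": r"ClearCaseGroup(ATLANTA\ccadmins)",
    r"BOSTON\printers": "Print operators",
}

if __name__ == "__main__":
    for name, problem in audit(SAMPLE, r"ATLANTA\clearusers"):
        print(name + ": " + problem)
```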