ACL enforcement and enablement for VOBs and VOB objects

Review information about ACL enforcement and enablement and supporting clients and servers in mixed version environments.


ACL enablement

In ClearCase® 8.0.1, ACL authorization is supported only for VOBs formatted with schema version 80 at feature level 8 or higher. ACL enablement requirements are different for VOBs created in version 8.0.1 and existing VOBs upgraded from an earlier version of ClearCase.

New ClearCase 8.0.1 VOBs
VOBs created with ClearCase version 8.0.1 are at schema 80 feature level 8 with ACLs enabled by default. After ACLs are enabled, the ClearCase VOB can be used only with clients and servers that support feature level 8 or higher.

If your ClearCase 8.0.1 deployment requires a new VOB at feature level 8 that supports ClearCase version 7.1 and 8.0 clients, create the VOB at feature level 7. Then, raise the feature level to level 8. Do not enable ACLs for the VOB.

Existing ClearCase VOBs upgraded to 8.0.1
When you upgrade from an earlier version of ClearCase to version 8.0.1, existing VOBs can be raised to feature level 8. However, if you want to enable feature level 8 ACLs on the VOB, you must enable ACLs explicitly by using the cleartool protectvob -enable_acls command.

If you encounter errors during the VOB protection operation, run the cleartool vob-sidwalk command to fix the underlying cause. Then, repair the container protection. Run the command as a ClearCase privileged user.

ACL enforcement

  • Before ACLs on ClearCase VOBs and VOB objects can be enforced, the VOB must be at feature level 8 with ACLs enabled.
  • ACLs are always enforced on rolemaps and policies, regardless of the enforcement setting for other metatypes.
  • After a VOB starts enforcing ACLs, you cannot disable ACLs and go back to the previous protection model.

Operating in mixed version environments

Because ClearCase version 8.0.1 supports schema version 54, feature level 7 VOBs, it is compatible with ClearCase version 7.1.2 and version 8.0.
  • ClearCase clients on version 7.1.2 and 8.0 can access version 8.0.1 servers if the servers are not configured for ACL enforcement.
  • ClearCase clients on version 8.0.1 can access ClearCase version 8.0.1 servers.
VOBs created with ClearCase version 8.0.1 are not compatible with clients that support only up to feature level 7. The default protection of a new VOB at feature level 8 is to enable ACL enforcement and reject clients that support only up to feature level 7. If your deployment requires a new VOB at feature level 8 that supports feature level 7 or lower clients, create the VOB at feature level 7. Then, raise it to feature level 8. Do not enable ACLs for the VOB.

Controlling client access to VOBs

You can set the minimum client feature level that is allowed to access a VOB with the cleartool protectvob -min_client_flevel command. The following table shows minimum client feature level values and the server access that is granted at each level.

Table 1. Minimum client feature level values to control access to VOBs

Minimum client feature level | Server access
8 | Version 7.1.2 and 8.0 clients are denied access to the VOB, even if ACLs are not enforced.
7 | Standard setting of 7 allows version 7.1.2 or 8.0 clients to access feature level 8 VOBs when the ACL enforcement setting is less than 8.
5 | Version 7.1 and 8.0 clients can access feature level 8 VOBs when the ACL enforcement setting is less than 8.

Note: The first time that you raise the VOB family feature level above 7, run the cleartool chflevel command on a preserving replica in the VOB family to avoid divergence in the predefined ACL objects and the required repair process.