Role-based preoperation trigger script
The following preoperation trigger script maps users to these roles:
- Project manager
- Integrator
- Developer
use strict;

sub has_permission
{
    my ($user,$op,$pop,$proj) = @_;

    # When performing a composite operation like 'deliver' or 'rebase',
    # we don't need to check permissions on the individual sub-operations
    # that make up the composite.
    return 1 if($pop eq 'deliver_start'    || $pop eq 'rebase_start' ||
                $pop eq 'deliver_complete' || $pop eq 'rebase_complete' ||
                $pop eq 'deliver_cancel'   || $pop eq 'rebase_cancel');

    # Which roles can perform what operations?
    # Note that these maps can be stored in the DevOps ClearCase attribute
    # on each project instead of hard-coded here in the trigger script
    # to give true per-project control.
    my %map_op_to_roles = (
        mkactivity => [ "projectmgr", "integrator", "developer" ],
        mkbl       => [ "projectmgr", "integrator" ],
        mkstream   => [ "projectmgr", "integrator", "developer" ],
    );

    # Which users belong to what roles?
    my %map_role_to_users = (
        projectmgr => [ "kate" ],
        integrator => [ "kate", "mike" ],
        developer  => [ "kate", "mike", "jones" ],
    );

    # Does user belong to any of the roles that can perform this
    # operation? An operation that is not in the map has no roles,
    # so the loop body never runs and the request is denied.
    my ($role,$tmp_user);
    for $role (@{ $map_op_to_roles{$op} }) {
        for $tmp_user (@{ $map_role_to_users{$role} }) {
            if ($tmp_user eq $user) {
                return 1;
            }
        }
    }
    return 0;
}

sub Main
{
    my $user = $ENV{CLEARCASE_USER};
    my $proj = $ENV{CLEARCASE_PROJECT};
    my $op   = $ENV{CLEARCASE_OP_KIND};
    # Default to '' so the comparisons in has_permission are well-defined
    # when the variable is unset.
    my $pop  = defined $ENV{CLEARCASE_POP_KIND} ? $ENV{CLEARCASE_POP_KIND} : '';

    # Pass all four arguments in the order has_permission expects;
    # omitting $pop would shift $proj into the parent-operation slot.
    my $perm = has_permission($user, $op, $pop, $proj);

    # Keep the values out of the format string so that a '%' in a
    # user or project name is not interpreted by printf.
    printf("%s %s permission to perform '%s' in project %s\n",
           $user, $perm ? "has" : "does NOT have", $op, $proj);
    exit($perm ? 0 : 1);
}

Main();
The script maps the mkactivity, mkbl, and mkstream operations to the roles that are permitted to perform them. For example, only users designated as project managers or integrators can make a baseline.
The script uses the CLEARCASE_USER environment variable to retrieve the user’s name, the CLEARCASE_OP_KIND environment variable to identify the operation the user attempts to perform, and the CLEARCASE_POP_KIND environment variable to identify the parent operation. If the parent operation is deliver or rebase, the script does not check permissions.
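The comment in the script notes that the operation-to-role map can be stored in an attribute on each project instead of in the script. The following added example (not part of the original documentation) parses such a map from a string and denies the operation when the value is malformed or the operation is not listed. The attribute value format `op=role,role;op=role` and the names `parse_op_roles` and `is_allowed` are assumptions made for this illustration, and retrieving the attribute value from ClearCase is not shown.

```perl
use strict;
use warnings;

# Assumed (hypothetical) attribute value format: "op=role,role;op=role".
# Returns a hash ref of op => [roles], or undef if any entry is malformed.
# 'return undef' (not a bare return) keeps a caller's argument list aligned.
sub parse_op_roles {
    my ($value) = @_;
    return undef unless defined $value && length $value;
    my %map;
    for my $entry (split /;/, $value) {
        my ($op, $roles) =
            $entry =~ /\A\s*(\w+)\s*=\s*(\w+(?:\s*,\s*\w+)*)\s*\z/
            or return undef;
        $map{$op} = [ split /\s*,\s*/, $roles ];
    }
    return \%map;
}

# Deny by default: a missing map, unlisted operation, unknown role,
# or user outside every permitted role all return 0.
sub is_allowed {
    my ($user, $op, $op_roles, $role_users) = @_;
    return 0 unless defined $user && defined $op && ref($op_roles) eq 'HASH';
    for my $role (@{ $op_roles->{$op} || [] }) {
        return 1 if grep { $_ eq $user } @{ $role_users->{$role} || [] };
    }
    return 0;
}

# Constructed sample data mirroring the maps in the script above.
my %role_users = (
    projectmgr => [ "kate" ],
    integrator => [ "kate", "mike" ],
    developer  => [ "kate", "mike", "jones" ],
);
my $attr = "mkactivity=projectmgr,integrator,developer;"
         . "mkbl=projectmgr,integrator;mkstream=projectmgr,integrator,developer";

my $op_roles = parse_op_roles($attr);
# 'rmstream' is not in the map and 'eve' is in no role (both constructed cases).
for my $case ([ "jones", "mkbl" ], [ "mike", "mkbl" ], [ "jones", "mkstream" ],
              [ "jones", "rmstream" ], [ "eve", "mkactivity" ]) {
    my ($user, $op) = @$case;
    printf("%-6s %-10s %s\n", $user, $op,
           is_allowed($user, $op, $op_roles, \%role_users) ? "allow" : "deny");
}
# A malformed value parses to undef, so every request is denied.
printf("malformed  %s\n",
       is_allowed("kate", "mkbl", parse_op_roles("mkbl"), \%role_users) ? "allow" : "deny");
```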