Using proxy groups and domain mapping in Windows NT® domains
About this task
When an HCL VersionVault community includes users from multiple Windows NT® domains, you must enable the HCL VersionVault domain mapping feature as described in this section to provide all users with access to a common set of VOBs. Because this configuration can be complicated to set up and administer, you should avoid using it unless organizational or security concerns require you to do so.
Note: When users in proxy groups share a dynamic view on Windows®, all directory elements accessed in the view must have mode 777 (write permission for all users).
Suppose that HCL VersionVault users have accounts in domains named ATLANTA, BOSTON, and CHICAGO, and that the primary group of each VOB they need to share is ATLANTA\clearusers. To use HCL VersionVault in this environment, create proxy groups and enable domain mapping as illustrated in the following procedure.
Procedure
- Ensure that each HCL VersionVault host is a member of a resource domain that trusts the ATLANTA, BOSTON, and CHICAGO domains.
- Create the HCL VersionVault users group in one of the user account domains. In this example, the domain is ATLANTA and the group is ATLANTA\clearusers. VOBs to be shared by users taking advantage of domain mapping must be owned by the ATLANTA\clearusers group.
- Configure the albd_server on every HCL VersionVault host in each of these domains to log on as the versionvault_albd user in the primary HCL VersionVault domain (in this case, ATLANTA\versionvault_albd).
- Create two more domain global groups, one in each of the other domains.
  - In the BOSTON domain, create the group BOSTON\clearusers_Boston.
  - In the CHICAGO domain, create the group CHICAGO\clearusers_Chicago.
  When creating these groups, make sure their description strings contain the following text string:
  ClearCaseGroup(ATLANTA\clearusers)
  This string must be case-correct and contain no spaces. When this text string is present in a group description, the group is recognized by HCL VersionVault as a proxy group for the group whose name is delimited by the parentheses (in this case, the group ATLANTA\clearusers). When evaluating VOB access rights, members of a proxy group are treated as though they were members of the group named in the ClearCaseGroup substring. In this example, a member of BOSTON\clearusers_Boston has the same VOB access rights as a member of ATLANTA\clearusers if the description of BOSTON\clearusers_Boston includes the string ClearCaseGroup(ATLANTA\clearusers).
- Make HCL VersionVault users members of the appropriate domain groups:
  - Make users whose accounts are in domain ATLANTA members of ATLANTA\clearusers.
  - Make users whose accounts are in domain BOSTON members of BOSTON\clearusers_Boston.
  - Make users whose accounts are in domain CHICAGO members of CHICAGO\clearusers_Chicago.
- Enable domain mapping on each host. To do so, edit the Windows® registry on that host to make the following changes:
  - Using a Windows® registry editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Atria\ClearCase\CurrentVersion.
  - Click .
  - In the Add Value window, enter DomainMappingEnabled as the Value Name and select REG_DWORD as the value type.
  - Click OK to start the DWORD editor.
  - In the DWORD editor, enter 1 (hex) in the Data field.
  - Click OK to add the value.
- Require each HCL VersionVault user to set the user environment variable CLEARCASE_PRIMARY_GROUP to the value ATLANTA\clearusers. See Setting the HCL VersionVault primary group.
- Adjust VOB element permissions.
  All elements in any VOB that are accessed by users who are members of proxy groups must allow Read rights for Other. Newly created elements grant this right by default. Use cleartool describe to examine an element's protection. Use cleartool protect to change an element's protection. You can also use GUIs such as the HCL VersionVault Windows Explorer to examine and change protections of elements.
- Optional: Modify VOB storage ACLs. If necessary, you can restrict access to world-readable elements to a smaller set of users by setting the access control list (ACL) on the share that contains the VOB storage directory. For example, if a VOB is registered with the global path \\myserver\vobstorage\src_vob, you can set the ACL on the vobstorage share to restrict access to members of the domain groups ATLANTA\clearusers, BOSTON\clearusers_Boston, and CHICAGO\clearusers_Chicago, in addition to the HCL VersionVault administrators group.
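Because the ClearCaseGroup(...) marker in a group description is what confers the target group's VOB access rights, the following audit (an added example, not part of the HCL documentation) checks an exported list of group names and descriptions for markers that are malformed, point at a different group, or sit on a group outside an approved list. The loose near-miss pattern, the approved list, the exact-match comparison of the target name, and every sample group other than the three named in the procedure are assumptions of this example.

```python
import re

# Marker as the page gives it: case-correct, no spaces, target in parentheses.
MARKER = re.compile(r"ClearCaseGroup\(([^()\s]+)\)")
# Assumption of this example: a loose pattern to catch near-misses (wrong
# case, stray spaces) that would leave the group unrecognized as a proxy.
NEAR_MISS = re.compile(r"clear\s*case\s*group\s*\(\s*([^()]*?)\s*\)", re.I)

EXPECTED = r"ATLANTA\clearusers"
# Assumption: the proxy groups the administrator intended to create.
APPROVED = {r"BOSTON\clearusers_Boston", r"CHICAGO\clearusers_Chicago"}


def classify(description, expected=EXPECTED):
    """Return (status, target) for one group description string."""
    strict = MARKER.search(description)
    if strict:
        target = strict.group(1)
        # Exact comparison; any other spelling is reported for review.
        status = "proxy" if target == expected else "unexpected-target"
        return (status, target)
    loose = NEAR_MISS.search(description)
    if loose:
        return ("malformed", loose.group(1))
    return ("not-a-proxy", None)


def audit(groups, expected=EXPECTED, approved=APPROVED):
    """List groups whose marker is malformed, mis-targeted, or unapproved."""
    findings = []
    for name, description in groups:
        status, target = classify(description, expected)
        if status == "proxy" and name not in approved:
            status = "unapproved-proxy"
        if status not in ("proxy", "not-a-proxy"):
            findings.append((name, status, target))
    return findings


# Constructed sample export of (group, description) pairs; not real data.
SAMPLE = [
    (r"BOSTON\clearusers_Boston", r"Boston devs ClearCaseGroup(ATLANTA\clearusers)"),
    (r"CHICAGO\clearusers_Chicago", r"clearcasegroup(ATLANTA\clearusers)"),
    (r"CHICAGO\contractors", r"ClearCaseGroup(ATLANTA\clearusers)"),
    (r"BOSTON\qa", r"ClearCaseGroup(ATLANTA\admins)"),
    (r"BOSTON\printers", "Print operators"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

A "malformed" finding on an intended proxy group means its members will not receive the expected access; an "unapproved-proxy" or "unexpected-target" finding is a description that grants access nobody planned.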