ACL enforcement and enablement for VOBs and VOB objects
Review information about ACL enforcement and enablement and supporting clients and servers in mixed version environments.
ACL enablement
In VersionVault 2.0.0.0 and later, ACL authorization is supported only for VOBs formatted with schema version 80 at feature level 8 or higher. ACL enablement requirements are different for VOBs created at schema 54 or at lower feature levels.
- New VersionVault 2.0.0.0 and later VOBs
- VOBs created with VersionVault version 2.0.0.0 and later are at schema 81 feature level 9 with ACLs enabled by default. After ACLs are enabled, the VersionVault VOB can be used only with clients and servers that support feature level 8 or higher.
If your VersionVault 2.0.0.0 and later deployment requires a new VOB at feature level 8 that supports clients able to support only up to feature level 7, create the VOB at feature level 7. Then, raise the feature level to level 8. Do not enable ACLs for the VOB.
- Existing VersionVault VOBs upgraded to 2.0.0.0 and later
- When you upgrade to VersionVault 2.0.0.0 and later, existing VOBs can be raised to feature level 8. However, if you want to enable feature level 8 ACLs on the VOB, you must enable ACLs explicitly by using the cleartool protectvob -enable_acls command.
If you encounter errors during the VOB protection operation, run the cleartool vob-sidwalk command to fix the underlying cause. Then, repair the container protection. Run the command as a VersionVault privileged user.
ACL enforcement
- Before ACLs on VersionVault VOBs and VOB objects can be enforced, the VOB must be at feature level 8 with ACLs enabled.
- ACLs are always enforced on rolemaps and policies, regardless of the enforcement setting for other metatypes.
- After a VOB starts enforcing ACLs, you cannot disable ACLs and go back to the previous protection model.
Operating in mixed version environments
VersionVault version 2.0.0.0 and later supports schema version 54, feature level 7 VOBs.
Clients that support only up to feature level 6 can access version 2.0.0.0 and later servers if the servers are not configured for ACL enforcement.
- Controlling client access to VOBs
- You can set the minimum client feature level that is allowed to access a VOB with the cleartool protectvob -min_client_flevel command. The following table shows minimum client feature level values and the server access that is granted at each level.
Table 1. Minimum client feature level values to control access to VOBs

| Minimum client feature level | Server access |
| --- | --- |
| 8 | Clients that support feature level 7 or lower are denied access to the VOB even if ACLs are not enforced. |
| 7 | Clients that support feature level 6 or lower can access feature level 8 VOBs when the ACL enforcement setting is less than 8. |
| 5 | Clients that support feature level 4 or lower can access feature level 8 VOBs when the ACL enforcement setting is less than 6. |

Note: The first time that you raise the VOB family feature level above 7, run the chflevel cleartool command on a preserving replica in the VOB family to avoid divergence in the predefined ACL objects and the required repair process.