Comparison of OS-defined groups and ACL authorization
Instead of assigning users to multiple OS-defined groups, ACLs enable you to assign elements into multiple groups, which simplifies authorization administration.
OS-defined groups
Each VOB element has three protection categories: owner, group, and other. For each category, the administrator can set or clear the read and execute bits. For example, if you have a source file that should be readable to the owner and members of the element group, but not to all users in the network, then you would set owner=read, group=read, other=none. If you have an executable file for some programming tool, you might set all three to read and execute.
In practical terms, this model requires you to use a separate group for each class of elements that shares the same protection. If you do not permit all users to read elements in your VOB, then you set other=none and must control access using the owner and group categories.
The element owner has only limited usefulness in element protection, leaving only the group as an effective control. An element's owner is by default set to the user account that created the element. If you have multiple developers, then the elements' owners will vary, which is not convenient for access control. Some administrators configure a trigger to change ownership to the VOB owner account after element creation, but this is also inconvenient for access control since most users seldom assume the identity of the VOB owner
That leaves the element's group as the mechanism to control access to each element. The administrator must define a separate group for each class of element needing protection. For example, element class 1 is for developers of component A. Element class 2 is for developers of component B. Element class 3 is for all developers (shared code). If you have 25 components (A-Y) and one shared component (Z), you need 26 groups to control access. You would protect all elements in component A as readable to group A but not world readable. Likewise for components B-Y. Each developer of component A-Y would be a member of that group, plus also a member of group Z. The account used to build and integrate all the code needs to be a member of all groups A-Z.
The groups used by HCL VersionVault are defined by the operating system (Windows Domain, Linux or UNIX NIS or LDAP) and added to a user's credentials when he/she logs into a host running VersionVault. Unfortunately, due to limitations in the network protocols used in the operating system and in HCL VersionVault, a single user can only use 16 groups (UNIX and Linux) or 32 groups (Windows) at a time with VersionVault. In the example above, the build/integrate account needs to use 26 groups to complete the build – necessitating either some complex sequencing of build steps and credentials changes defining which groups are activated for HCL VersionVault (CLEARCASE_GROUPS environment on windows and setgroup-swap tool on Linux or the UNIX system), or compromising on the implementation of your element security and using fewer element classes/groups. Neither option is desirable.
ACLs on elements
You can change your access control strategy to eliminate many cases where you would hit the per-user group membership limits. It might help to think of ACLs as enabling you to put elements into multiple groups instead of having to put users into multiple groups. Because the number of groups that are allowed in an element effective ACL is not limited to the same low limits as the number of groups for a user account, this security mechanism enables some new protection use cases and simplifies others.
With ACLs on elements, you can grant access to multiple individual users, multiple groups, and a few categories of "everyone". This topic discusses ACLs on elements in terms of their effective ACLs. In this and related topics are examples of how rolemaps and policies combine to generate effective ACLs.
Group:domain/groupA Change
Group:domain/builders Change
Every other component B-Y would have a similar effective ACL. Component Z (the shared component) also has a similar effective ACL. In this configuration, each team member's account is in the corresponding group for their component, plus the group for Z (as before). But the builder account only needs to be in the "builders" group. You do not run into limits on simultaneous group membership for the builder account.
Group:domain/groupZ Change
Group:domain/alldevelopers Read
Group:domain/builders Change
and put the non-Z developers into group "alldevelopers" instead of "groupZ". A developer on team A will be able to read elements in component Z but not modify them. (Without ACLs, this would require a pre-operation checkout and mkbranch trigger to check the permission to modify the element, and reject an operation if not authorized.)
Group:domain/groupB Change
User:domain/extrauser Change
Group:domain/builders Change
Group:domain/groupC Change
Group:domain/groupD Change
Group:domain/builders Change
Example of a policy and associated rolemaps
The foregoing description talks in terms of effective ACLs. In a VOB, the effective ACL is generated by appling a rolemap to a policy. The VOB database computes and caches the effective ACL for each rolemap. Each element is associated with a rolemap (for example, by cleartool protect -chrolemap or cleartool mkelem -rolemap). To implement the above examples, you will need a distinct rolemap for each class of elements (components A - Z). You can link all these rolemaps to a single policy that describes your general protection model. Below is an example policy and set of rolemaps that yield the effective ACLs shown above. (In practice, you probably want to add an administrative user or group to have Full control over all elements, but for ease of explanation we don't show such an entry in this policy and the example effective ACLs above.)
[element]
Role:ComponentModify Change
Role:ComponentReader Read
Group:domain/builders Change
Component A Rolemap:
Role:ComponentModify --> Group:domain/groupA
Role:ComponentModify --> Group:domain/groupZ
Role:ComponentReader --> User:domain/alldevelopers
Component B Rolemap:Role:ComponentModify --> Group:domain/groupB
Role:ComponentModify --> User:domain/extrauser
Role:ComponentModify --> Group:domain/groupC
Role:ComponentModify --> Group:domain/groupD