Access control for dynamic views
Only dynamic views implement HCL VersionVault access control. Other types of views control access by using file-system permissions.
- Owner. The initial owner is the user of the process that creates the view.
- Group. The initial group is the primary group of the process that creates the view.
- Protection mode. The initial protection mode for a view is determined one way on hosts
running Linux or the UNIX system, and another way on Windows® hosts.
- On Windows, a view initially has read, write, and execute permission for the owner and group, and it has read and execute permission for others. You can use the Properties of View window in Windows Explorer or HCL VersionVault Windows Explorer to display the owner, group, and protection mode for a view. You cannot change the owner and group after the view is created. You can use the chview command to change the protection mode to read/write or read-only.
- On Linux and the UNIX system, the initial protection mode depends on the umask of the user who creates the view. A umask is a setting supported on Linux and the UNIX system that specifies that some permissions are not granted when the user creates a file. (For details, see the umask reference page on Linux or the UNIX system.) When a user creates a view, HCL VersionVault grants read, write, and execute permissions for all users and then removes the permissions specified by the user’s umask. For example, if the user’s umask is 002, write permission for others is removed.
Permission to create views
Any user can create a view.
Permission to delete views
Only the view owner or a privileged user can delete a view.
Permission to read views
A process must have read permission for both a dynamic view and a file or directory in the view to read the file or directory. To read a version of a file or directory element, the process must have read permission for the element. See Permission to read elements. To read a view-private file or directory, the process must have read permission for the view-private file or directory. See Permission to read view-private files.
The algorithm used by HCL VersionVault considers the process’s user and group and the view’s owner, group, and protection mode to determine whether to grant read permission for a view. See Access algorithm for VOB and view data.
Permission to write views
A process must have write permission for a view to perform some operations that change the view itself, such as setting its config spec.
A process must have write permission for both a dynamic view and a containing directory in the view to create or delete a file or directory in the containing directory. If the containing directory is an element version, the process must have write permission for the element. See Permission to write elements. If the containing directory is a view-private directory, the process must have write permission for the view-private directory. See Permission to write view-private files.
The algorithm used by HCL VersionVault considers the process’s user and group and the view’s owner, group, and protection mode to determine whether to grant read permission for a view. See Access algorithm for VOB and view data.
Permission to execute views
A process must have execute permission for both a dynamic view and a file or directory in the view to execute the file or directory. To execute a version of a file or directory element, the process must have execute permission for the element. See Permission to execute elements. To execute a view-private file or directory, the process must have execute permission for the view-private file or directory. See Permission to execute view-private files.
An algorithm is used by HCL VersionVault that considers the process’s user and group and the view’s owner, group, and protection mode to determine whether to grant execute permission for a view. See Access algorithm for VOB and view data.