Grantable permissions
Each metatype has its own set of operation-based individual permissions.
Individual and generic permissions
For example, elements have a specific mod-checkout permission that covers operations that make new versions (checkout, checkin); the VOB object has permissions for making new objects, such as mkrolemap, mkpolicy, and so on.
Besides the individual permissions, you can also use generic permissions (predefined groupings of permissions). Each metatype has a Read, Change, and Full generic permission. These are mapped to an appropriate subset of the metatype's specific permissions. You can think of these as levels of permission, with Change incorporating all of Read and adding in additional permitted operations, and Full enabling yet more operations.
You can grant principals generic permissions, or specific permissions, or a combination of both. You can grant multiple permissions to the same principal by separating them with a comma (cleartool) or by selecting checkboxes (VersionVault Explorer GUI).
If you grant all the specific permissions that make up a generic grouping, the entry will be displayed showing just that generic name. For example, an ACE granting read-info,lookup-dir,AclRead on an element will be displayed as Read.
For rolemaps and policies, read-name is required to see an object's name in a list or collection; read-info is required to see the object's properties.
For elements, it is the containing directory's permissions that govern visibility of the element's file name; the reading process needs read-info on a versioned directory to see the list of elements catalogued in any version of the directory (this mimics the permissions model of Linux and UNIX system directories). The process also needs read-info permission on the element to access the contents of a version of a plain file element.
For the VOB object, read-info stands for the basic permission to open the VOB for any operation.
Generic permissions applicable to multiple object types
- AclRead: Permission to read the dbid of the object's rolemap
- AclWrite: Permission to reprotect the object with a new rolemap
- chmaster: Permission to change mastership of the object
- delete: Permission to remove an object
- lock: Permission to lock an object
- mod-props: Permission to modify properties of an object (owner, group, fstat permission, event record, and so on)
- read-info: Permission to read properties of an object
- read-name: Permission to read the name of an object
Generic and individual permissions
Listed below, for each object metatype, are the individual permissions that are included in each of the generic permissions.
Generic permission | Individual permissions |
---|---|
VOB object permissions | |
Read | read-info, read-name, AclRead |
Change | read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink |
Full | read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink, chmaster, mkpolicy, mkrolemap, rmelem, lock, AclWrite, Delete |
Policy object permissions | |
Read | read-info, read-name, AclRead |
Change | read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink |
Full | read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink, chmaster, lock, AclWrite, Delete |
Rolemap object permissions | |
Read | read-info, read-name, AclRead |
Change | read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink |
Full | read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink, chmaster, lock, AclWrite, Delete |
Element object generic permissions | |
Read | read-info, lookup-dir, AclRead |
Change | read-info, lookup-dir, AclRead, mod-props, mod-checkout, mod-branch, write-dir, mod-task, mod-attr, mod-hlink, mod-trig |
Full | read-info, lookup-dir, AclRead, mod-props, mod-checkout, mod-branch, write-dir, mod-task, mod-attr, mod-hlink, mod-trig, chmaster, rmver, mod-label, lock, AclWrite, Delete |
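The table and the display rule described earlier, modelled as an added Python example (not VersionVault code or output): it expands a comma-separated grant into individual permissions and collapses it back to the highest generic level it fully covers, which is useful when reviewing ACEs for least privilege. Comparing names case-insensitively and listing leftover permissions beside the generic name are assumptions of this sketch; the function names are hypothetical.

```python
# Added example: the generic-permission table from this page as data.
# Each tuple holds what Read grants, what Change adds, and what Full adds.
LEVELS = ("Read", "Change", "Full")
CHANGE = "mod-props mod-attr mod-hlink"
FULL = "chmaster lock AclWrite Delete"
ADDS = {
    "vob": ("read-info read-name AclRead", CHANGE,
            FULL + " mkpolicy mkrolemap rmelem"),
    "policy": ("read-info read-name AclRead", CHANGE, FULL),
    "rolemap": ("read-info read-name AclRead", CHANGE, FULL),
    "element": ("read-info lookup-dir AclRead",
                CHANGE + " mod-checkout mod-branch write-dir mod-task mod-trig",
                FULL + " rmver mod-label"),
}

def generic_set(metatype, level):
    """Individual permissions (lowercased) included in a generic level."""
    upto = LEVELS.index(level) + 1
    return {p.lower() for chunk in ADDS[metatype][:upto] for p in chunk.split()}

def expand(metatype, grant):
    """Expand a comma-separated grant of generic and/or individual names."""
    perms = set()
    for name in (n.strip() for n in grant.split(",")):
        if name in LEVELS:
            perms |= generic_set(metatype, name)
        elif name:
            perms.add(name.lower())  # assumption: names compare case-insensitively
    return perms

def collapse(metatype, perms):
    """Return (highest generic level fully covered or None, leftover names)."""
    best = None
    for level in LEVELS:  # levels nest, so the last match is the highest
        if generic_set(metatype, level) <= perms:
            best = level
    covered = generic_set(metatype, best) if best else set()
    return best, sorted(perms - covered)

def holds(metatype, grant, permission):
    """True if the grant effectively includes the individual permission."""
    return permission.lower() in expand(metatype, grant)

if __name__ == "__main__":
    # The page's own example: these three on an element display as Read.
    print(collapse("element", expand("element", "read-info,lookup-dir,AclRead")))
    # Review check: does a Change grant allow reprotecting the element?
    print(holds("element", "Change", "AclWrite"))
```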