Planning support for ACL authorization of VOBs and VOB objects

Create a plan to add support for ACL authorization of VOBs and VOB objects. Adding support requires installing HCL VersionVault on client hosts, enabling ACL authorization support, and setting up ACL rules.

Install server and client software
HCL VersionVault client software must be at version 2.0.0.0 or later to support ACL-enabled VOBs. VersionVault VOBs must be at schema 80 or higher, feature level 8 or higher. VOBs created with VersionVault version 2.0.0.0 are at schema 80, feature level 9 with ACLs enabled by default. VOBs created with VersionVault version 3.0.0.0 are at schema 81, feature level 9 with ACLs enabled by default.

If you have moved or replicated a VOB to a host running HCL VersionVault version 2.0.0.0 or later, you can complete the remaining configuration tasks to upgrade the schema version, raise the feature level, and complete configuration tasks to enable ACLs.

In parallel with this work, upgrade full-client desktops and shared multi-user systems to VersionVault 2.0.0.0 or later.

Upgrade VOB schema version

Decide whether to reformat each VOB on the newly installed VersionVault version 3.0.0.0 server.

You can leave VOBs at schema 54 and immediately use them in production. However, you cannot define or enable ACLs until you update to at least schema 80 by using the reformatvob cleartool command. You must reformat each VOB and each replica in a MultiSite replication VOB. The VOB is out of service during the reformat operation, but other VOBs on the same server host are available to users.

Raise the feature level
After a VOB database is formatted with schema 80 or higher, you can raise the VOB feature level to feature level 8. Replicated VOBs must raise the feature level on each replica, and then raise the family feature level.
Note: The first time that you raise the VOB family feature level above 7, run the chflevel command at a preserving replica in the VOB family to avoid divergence in the predefined ACL objects and the required repair process.

After the family feature level is raised to feature level 8, you can define ACL rules, but the ACL rules are not enforced until you run the protectvob cleartool command. This architecture allows administrators to customize the default ACL rolemap and policy before you enable ACL enforcement. See ACL enforcement and enablement for VOBs and VOB objects.

If you do not want to use ACLs, you can raise the VOB feature level to feature level 7, which will allow you to use VersionVault features like evil twin detection.

If you have no plans to use ACL authorization on the VOB, run this command to verify that the ACL enforcement is set to none: cleartool describe vob: <vob-tag>.

Create new ACLs

After you raise the VOB feature level, all ACL-controlled objects in the VOB are controlled by a single default rolemap and its default policy. You can use ACLs to protect the VOB object, policies, rolemaps, and elements.

To provide the same protection for all VOB elements, modify the default rolemap and policy to customize ACL rules for element access without changing the protections for individual elements.

If you prefer to have different access controls to some subset of elements in the VOB, define new policies and rolemaps. After you create new rolemaps, use this command to restore protection on existing elements by using your new rolemap: cleartool protect -chrolemap.

You administer policies and rolemaps by using cleartool policy and rolemap commands or from the VersionVault Explorer client.

For more information, see these resources:
Full deployment
After you configure ACL rules and verify that VOB access protections are configured correctly, enable ACL use for all VersionVault version 2.0.0.0 or later clients. Set the ACL enforcement level for the VOB to feature level 8.