chpolicy

Changes the definition of a policy

Applicability

Product

Command type

VersionVault

cleartool subcommand

Platform

UNIX

Linux

Windows

Synopsis

chpolicy { –kind object-kind[,...]
{ –add principal-name[,...] –permission perm[,...] |

–remove principal-name[,...] [ –permission perm[,...]] |

–modify principal-name[,...] –permission perm[,...] }

[ –c comment | –cfile pname | –cq | –cqe | –nc ] } |

{ –validate_pools }

policy-selector ...

Description

The chpolicy command changes the definition of a policy. It may change the effective ACL of the rolemaps that implement the policy. This command updates file system ACLs on elements and their version containers for elements that are protected by such rolemaps.

Restrictions

Authorization

The principal must have the following permissions:
  • read-info on VOB object
  • read-name on the policy
  • read-info on policy
  • mod-props on policy

Locks

An error occurs if one or more of these objects are locked: VOB, policy.

Mastership

(Replicated VOBs only) The replica must master the policy to modify its contents (adding or removing roles, modifying permissions assigned to roles).

Options and arguments

Modifying the policy

–kind object-kind
The object that is to be subject to a change of permissions. Valid object-kinds are vob, element, policy, and rolemap. If more than one object kind is specified, then the values specified by –permission must be valid for all of those object kinds.
–add principal-name[,…] –permission perm[,…]
Adds a principal with the specified permission to the specified policy.
–remove principal-name[,…] –permission perm[,…]
Removes a principal from the policy. If the –permission option is specified, this command removes only the permissions that are specified by the values of perm[,…]. If more than one principal is specified, the permission that is being removed must be in effect for all principals in the policy; otherwise, the operation fails.
–modify principal-name[,…] -permission perm[,…]
Modifies a principal. The specified permissions replace the current permissions for the specified principal(s).
policy-selector
The policy that is to be modified.

Reprotecting storage containers

–validate_pools
Reprotects storage containers for elements when they are protected by a rolemap that implements the specified policy. You can use this option to fix container protections if an earlier chpolicy operation was interrupted.

Event records and comments

Default
Creates one or more event records, with commenting controlled by your .versionvault_profile file (default: –cqe). See the comments reference page. Comments can be edited with chevent.
–c/omment comment | –cfi/le comment-file-pname |–cq/uery | –cqe/ach | –nc/omment
Overrides the default with the option you specify. See the comments reference page.

Examples

The UNIX system and Linux examples in this section are written for use in csh. If you use another shell, you might need to use different quoting and escaping conventions.

The Windows examples that include wildcards or quoting are written for use in cleartool interactive mode. If you use cleartool single-command mode, you might need to change the wildcards and quoting to make your command interpreter process the command appropriately.

In cleartool single-command mode, cmd-context represents the UNIX system and Linux shells or Windows command interpreter prompt, followed by the cleartool command. In cleartool interactive mode, cmd-context represents the interactive cleartool prompt.

  • Change the definition of VOBAdminPolicy to permit all users and groups in the VOBAdmins role to create policies in the VOB.

    cmd-context  cleartool chpolicy -kind vob -add Role:VOBAdmins -permission Full VOBAdminPolicy