mkpolicy
Creates or updates a policy
Applicability
Product | Command type |
---|---|
VersionVault | cleartool subcommand |

Platform |
---|
UNIX |
Linux |
Windows |
Synopsis
- mkpolicy [ -replace ]
- [ -set policy-file-pname ]
Description
The mkpolicy command creates or updates a policy. Policies have an Access Control List (ACL) for each controlled VOB metatype (such as UCM project, branch type, and element). The access control entries (ACEs) in a policy list a principal and the permissions that are granted to it. Principals in a policy are usually roles, with the name of the role defined by the administrator. You can also specify users or groups in a policy, but most administrators prefer to specify such identities in the rolemaps that implement the policy.
Restrictions
Authorization
- mkpolicy: read-info on VOB object, mkpolicy on VOB
- mkpolicy -replace: read-info on VOB object, mod-props on policy
Locks
An error occurs if the VOB object is locked.
Mastership
(Replicated VOBs) No mastership restrictions.
Options and arguments
Specifying the policy
- -set policy-file-pname
- Specify a file containing one or more sections, each labeled with
a meta-type name and containing a list of principals and roles, along
with their respective permissions.
- The possible section names are: VOB, policy, rolemap, element.
- For the VOB section, the possible permissions are: read-info, read-name, mod-props, chmaster, mkpolicy, mkrolemap, rmelem, lock, mod-hlink, mod-attr.
- For the policy section, the possible permissions are: read-info, read-name, mod-props, chmaster, lock, mod-hlink, mod-attr.
- For the rolemap section, the possible permissions are: read-info, read-name, mod-props, chmaster, lock, mod-hlink, mod-attr.
- For the element section, the possible permissions are: read-info, mod-props, chmaster, mod-checkout, rmver, mod-branch, mod-label, write-dir, lookup-dir, lock, mod-task, mod-hlink, mod-attr, mod-trig.
- policy-file-pname
- The full path to a file containing the sections and permissions. Each section must be delineated with a [section] line. Each entry in the section must be formatted as
identity_type:[identity] permission,[...,]
For example, a sample file perms.acl could contain:
    [vob]
    User:NTDOMAIN\administrator read-name,read-info,mkpolicy
    Group:NTDOMAIN\users read-name,read-info
    Role:Developer read-name,read-info
    Owner-User: Full
    Owner-Group: Full
    Everyone: Read
    [element]
    Owner-User: Full
    Owner-Group: Full
    Role:Developer Read,mod-checkout
    Role:ProjectLead Read,mod-checkout,rmver
    Everyone: Read
- -rolemap controlling-rolemap-selector
- The controlling rolemap that protects the policy; the controlling rolemap defines principals who may read or modify the policy.
- policy-selector
- The name or list of names for the policy that is about to be created; or, if used with -replace, the policy name of the existing policy that is to be redefined.
Updating a policy
- -replace
- Replaces the policy for the current policy-selector with the new permissions defined in policy-file-pname.
Event records and comments
- Default
- Creates one or more event records, with commenting controlled by your .versionvault_profile file (default: -cqe). See the comments reference page. Comments can be edited with chevent.
- -c/omment comment | -cfi/le comment-file-pname | -cq/uery | -cqe/ach | -nc/omment
- Overrides the default with the option you specify. See the comments reference page.
Examples
The UNIX system and Linux examples in this section are written for use in csh. If you use another shell, you might need to use different quoting and escaping conventions.
The Windows examples that include wildcards or quoting are written for use in cleartool interactive mode. If you use cleartool single-command mode, you might need to change the wildcards and quoting to make your command interpreter process the command appropriately.
In cleartool single-command mode, cmd-context represents the UNIX system and Linux shells or Windows command interpreter prompt, followed by the cleartool command. In cleartool interactive mode, cmd-context represents the interactive cleartool prompt.
- Create a policy for VOBs and elements.
cmd-context cleartool mkpolicy -set perms.acl -c "Creating new Policy" DevPolicy
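A pre-flight check for the file passed to -set, as an added example that is not part of the product documentation: it checks every entry against the section names and permission lists given above and flags Everyone entries that grant more than read access. Case-insensitive matching, accepting Full and Read (seen in the perms.acl sample) in every section, and the Everyone heuristic are assumptions of this example; audit_policy and SAMPLE are hypothetical names.

```python
# Permission names per section, copied from the option lists on this page.
COMMON = {"read-info", "mod-props", "chmaster", "lock", "mod-hlink", "mod-attr"}
ALLOWED = {
    "vob": COMMON | {"read-name", "mkpolicy", "mkrolemap", "rmelem"},
    "policy": COMMON | {"read-name"},
    "rolemap": COMMON | {"read-name"},
    "element": COMMON | {"mod-checkout", "rmver", "mod-branch", "mod-label",
                         "write-dir", "lookup-dir", "mod-task", "mod-trig"},
}
# "Full" and "Read" appear in the page's sample; accepted as aggregates (assumption).
AGGREGATES = {"full", "read"}
READ_ONLY = {"read", "read-info", "read-name"}  # this example's limit for Everyone

def audit_policy(text):
    """Return (line_number, message) findings for the text of a policy file."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section not in ALLOWED:
                findings.append((no, f"unknown section {line}"))
            continue
        # Entry format from the page: identity_type:[identity] permission,[...,]
        head, rest = (line.split(None, 1) + [""])[:2]
        kind, colon, _identity = head.partition(":")
        perms = [p.strip().lower() for p in rest.split(",") if p.strip()]
        if not colon or not kind or not perms:
            findings.append((no, "malformed entry"))
            continue
        if section is None:
            findings.append((no, "entry before any [section] line"))
        valid = ALLOWED.get(section)  # None: no known section to check against
        for p in perms:
            if valid is not None and p not in valid | AGGREGATES:
                findings.append((no, f"{p} is not a [{section}] permission"))
            if kind.lower() == "everyone" and p not in READ_ONLY:
                findings.append((no, f"Everyone is granted {p}"))
    return findings

# Constructed input with two deliberate problems (lines 5 and 6).
SAMPLE = r"""[vob]
User:NTDOMAIN\administrator read-name,read-info,mkpolicy
Everyone: Read
[element]
Role:Developer Read,mod-checkout,mkpolicy
Everyone: Read,rmver
"""
```

Running audit_policy on the file contents before mkpolicy or mkpolicy -replace gives a reviewable list of findings; an empty list means every entry matched the documented format and permission names.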