permissions
Identity checking
Applicability
Product | Command type |
---|---|
VersionVault | general information |
MultiSite | general information |

Platform |
---|
UNIX |
Linux |
Windows |
Description (non-ACL-enabled VOBs)
In general, only commands that modify (write to) a VOB or a project VOB are subjected to identity checking. The following hierarchy of identity checking is used, in a command-specific manner, to determine whether a command can proceed or be canceled:
- All products on UNIX and Linux only: root
- All products on Windows only: Member of the VersionVault administrators group
- VOB owner
- Owner of the relevant element (for modifications to branches and versions)
- Owner of the relevant type object (for modifications to objects of that type)
- Creator of a version or derived object
- Owner of the object (pool, hyperlink, replica, activity, checkpoint, domain, role, state, user)
- User associated with an event
- Members of an object's group (same group ID)
Note: Object in this case refers to objects in a VOB. A VOB object itself is not an object in a VOB and therefore group membership is not sufficient for commands that modify a VOB object itself. The group membership on a VOB is used to set the OS-level permissions on files and directories within the VOB storage area, not the permission to modify the VOB object itself.
Both file system and non-file-system objects have an owner and a group; this information is stored with the object. When an object is created, its owner and group are set to that of the user who created it. Use the protect command to change the owner (–chown) or group (–chgrp) of the object. The describe command displays the owner and group of the object.
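A simplified model of the hierarchy above for non-ACL-enabled VOBs, added here as an illustration (it is not VersionVault code). The per-command sets are copied from four of the categories listed on this page; the `User` and `Target` classes and all names and groups are constructed assumptions. It shows why membership in a VOB's group does not let a user run `rmvob`.

```python
from dataclasses import dataclass

# Accepted identities per command, copied from four categories on this page.
# "root/admin" = root (UNIX/Linux) or VersionVault administrators group (Windows).
ACCEPTED = {
    "checkout": {"element group member", "element owner", "VOB owner", "root/admin"},
    "checkin": {"version creator", "element owner", "VOB owner", "root/admin"},
    "rmelem": {"element owner", "VOB owner", "root/admin"},
    "rmvob": {"VOB owner", "root/admin"},
}

@dataclass(frozen=True)
class User:  # hypothetical model, not a VersionVault structure
    name: str
    groups: frozenset
    privileged: bool = False

@dataclass(frozen=True)
class Target:  # hypothetical model of an element and the VOB that holds it
    vob_owner: str
    vob_group: str
    element_owner: str
    element_group: str
    version_creator: str

def identities(user, target):
    """Return every identity from the hierarchy that the user holds for target."""
    held = set()
    if user.privileged:
        held.add("root/admin")
    if user.name == target.vob_owner:
        held.add("VOB owner")
    if user.name == target.element_owner:
        held.add("element owner")
    if user.name == target.version_creator:
        held.add("version creator")
    if target.element_group in user.groups:
        held.add("element group member")
    # vob_group is never consulted: VOB group membership cannot modify the VOB object.
    return held

def check(command, user, target):
    """Identities that let the command proceed; an empty list means canceled."""
    return sorted(identities(user, target) & ACCEPTED[command])

# Constructed sample data.
ELEM = Target("vobadm", "eng", "lee", "eng", "lee")
DANA = User("dana", frozenset({"eng"}))
LEE = User("lee", frozenset({"eng"}))
```

Here `check("checkout", DANA, ELEM)` succeeds through element group membership, while `check("rmvob", DANA, ELEM)` returns an empty list even though `dana` belongs to the VOB's group.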
The scheduler maintains its own access control list (ACL), which determines who is allowed access to the scheduler and to the ACL itself. See the schedule reference page for more information.
The reference page for a command lists the special identities (if any) required to use the command along with other restrictions on its use.
The sections below list all cleartool subcommands, categorized by their identity requirements. For information about identity checking for VersionVault commands (that is, other than cleartool subcommands), see the corresponding reference pages.
None
annotate apropos catcr catcs cd chactivity checkvob (except with –fix or –hlink) chfolder describe diff diffbl diffcr deliver dospace 1 edcs endview (except with -server) file find findmerge 2 get getcache getlog help hostinfo import 3 |
ln 4 ls lsactivity lsbl lscheckout lsclients lscomp lsdo lsfolder lshistory lslocal lslock lsmaster lspool lsprivate lsproject lsregion lsreplica lssite lsstgloc lsstream lstype lsview lsvob lsvtree lsws make |
man mkactivity mkattype 5 mkbl mkbrtype 5 mkdir 4 mkelem 4 mkeltype 5 mkfolder mkhltype 5 mklbtype 5 mkproject mkregion mkstgloc mkstream mktag 6 mkview 7 mkvob 7 mkws mount 10 mv 4 mvws put pwd pwv quit |
rebase recoverview reformatview register reqmaster (requesting mastership only) 9 rmname 4 8 rmregion rmstgloc rmtag rmws setactivity setcs setplevel setsite setview setws shell space 1 startview umount (public VOB) unregister update winkin wshell |
1 Except with –update or –generate
2 No special identity required for "search" functionality
3 For created elements only
4 One or more directory elements must be checked out
5 Except with –replace
6 Except for private VOB tag
7 Standard UNIX and Linux or Windows permissions for creating a subdirectory required
8 Except with –nco
9 Must be on ACL at master replica
10 Only for public VOB
One of: element group member, element owner, VOB owner, root, member of the VersionVault administrators group; (for commands that operate on objects) object group member, object owner, VOB owner, root, member of the VersionVault administrators group
checkout checkvob –hlink import 1 merge 2 |
mkattr mkbranch mkhlink mklabel |
mktrigger reserve rmattr rmhlink |
rmlabel rmmerge rmtrigger unreserve |
1 For checked-out directories only
2 Applies to creation of merge arrows only, not to data
One of: version creator, element owner, VOB owner, root, member of the VersionVault administrators group
checkin rmver |
uncheckout |
One of: element owner, VOB owner, root, member of the VersionVault administrators group
chtype (element) lock (element) |
rmelem unlock (element) |
One of: user associated with event, object owner, VOB owner, root, member of the VersionVault administrators group
chevent
One of: branch creator, element owner, VOB owner, root, member of the VersionVault administrators group
chtype (branch) lock (branch) chmaster (branch) |
rmbranch unlock (branch) |
One of: type owner, VOB owner, root, member of the VersionVault administrators group
lock (type object) mkattype –replace mkbrtype –replace mkeltype –replace mkhltype –replace |
mklbtype –replace mktrtype –replace rename (type object) rmtype unlock (type object) |
One of: pool owner, VOB owner, root, member of the VersionVault administrators group
rename (pool) |
rmpool |
One of: DO group member, DO owner, VOB owner, root, member of the VersionVault administrators group
rmdo
One of: view owner, root, member of the VersionVault administrators group
endview -server rmview |
setcache –view space –view –generate |
One of: owner, VOB owner, root, member of the VersionVault administrators group
protect |
One of: owner, project VOB owner, root, member of the VersionVault administrators group
chproject chstream rmactivity rmbl |
rmcomp rmfolder rmproject rmstream |
One of: owner, stream owner, root, member of the VersionVault administrators group
chbl |
One of: owner, VOB owner, root, member of the VersionVault administrators group
chmaster (other than branch) |
One of: VOB owner, root, member of the VersionVault administrators group
checkvob –fix chpool dospace –generate ln –nco lock (pool or VOB) mkpool mktrtype 1 reformatvob |
relocate reqmaster (to set access controls) rmname –nco rmvob space –vob –generate umount (private VOB) unlock (pool or VOB) |
1 Except with –replace
One of: VOB owner, root, member of the VersionVault administrators group
checkvob –fix ln –nco lock (pool or VOB) mkcomp mktrtype 1 |
reformatvob rmname –nco rmvob setplevel space –vob –generate unlock (pool or VOB) |
1 Except with –replace
VOB owner
mktag (private VOB tag) mount (private VOB)
View owner
chview (can also be root on view server host)
root, member of the VersionVault administrators group
setcache –host |
setcache –mvfs |
root, local administrator of the VersionVault VOB server host
protectvob |
Same permissions as those for creating the corresponding type object
cptype
Permissions controlled by the scheduler ACL
dospace –update schedule |
space –update |
Description of enforcement behavior (ACL-enabled VOBs)
Operation | Required permission |
---|---|
chmaster | chmaster on object |
protect | AclWrite on object |
describe | Read (read-name and read-info) on object |
describe -eacl | AclRead on object |
ls | read-name on object |
lock, unlock (on policy, rolemap, elements, VOB) | lock on object |
mkattr (policy,rolemap,VOB) | mod-attr on object |
rmattr (policy,rolemap,VOB) | mod-attr on object |
mkhlink (policy,rolemap,VOB) | mod-attr on object |
rmhlink (policy,rolemap,VOB) | mod-attr on object |

Operation | Required permission |
---|---|
checkout | mod-checkout on element |
uncheckout | NOTE: element ACLs are not enforced |
reserve | mod-checkout on element |
unreserve | mod-checkout on element |
checkin | mod-checkout on element |
rmelem | Delete on element, rmelem on vob |
rmelem (on symlink) | rmelem on vob |
rmver | rmver on element |
rmver on element | mod-checkout on directory element, mkelem on vob |
(un)associate a work item from VersionVault Explorer | mod-task on element |
mklabel | mod-label, read-info on element |
rmlabel | mod-label, read-info on element |
mktrigger on version | mod-trig on element |
rmtrigger on version | mod-trig on element |
mkattr on version | mod-attr on element |
rmattr on version | mod-attr on element |
mkhlink on version | mkhlink on version |
rmhlink on version | mod-hlink on element |

Operation | Required permission |
---|---|
mkpolicy -replace | mod-props on policy |
chpolicy | mod-props on policy |
rmpolicy | Delete on policy |
mkpolicy | mkpolicy on vob |
mkrolemap -replace | mod-props on rolemap |
chrolemap | mod-props on rolemap |
rmrolemap | Delete on rolemap |
mkrolemap | mkrolemap on vob |
See also
Reference pages for individual commands