Rolemaps

You use a rolemap to specify the principals that take on roles listed in a policy, and to apply the access controls to one or more VOB objects.

You can use the VersionVault Explorer to create, edit, and remove rolemaps. The intent is that you can define a small number of policies that determine "how" you apply permissions to objects. You then define a number of rolemaps for each policy describing "who" takes on the roles in the policy. By separating the "how" and the "who", you should be able to reuse your policies multiple times and reduce the complexity of your security administration.

For example, your policy could list what things the Developer, Manager, and TeamLead roles can do. Then you define several rolemaps, one for each team, defining the groups or users that take on the Developer, Manager or TeamLead roles. You then use each team's rolemap to protect the objects that are unique to their team (such as a collection of elements).

Each VOB gets a default rolemap, which is empty. The default rolemap controls all objects in the VOB until new objects are created with a reference to some other rolemap.

You create new rolemaps in the VersionVault Explorer by expanding the VOB node in the VersionVault Navigator, expanding the ACLs node, right-clicking on Rolemaps and selecting Create a Rolemap from the context menu. Permission to create rolemaps is controlled by the VOB object's effective ACL.

You modify rolemaps by expanding the VOB node in the VersionVault Navigator, expanding the ACLs node, selecting Rolemaps, right-clicking the rolemap in the VersionVault Details view and selecting Open Rolemap from the context menu.

Rolemap modifications will affect containers on disk for all elements that are using the rolemap for ACL information. This may take a long time to execute if a large number of elements are protected by the rolemap. In a replicated environment with preserving replicas, importing an oplog with a rolemap modification will modify the containers on disk, and may also take a long time to execute.

For information about permissible identities to which roles may be assigned, see Identities for policies and rolemaps.

Rolemap assignment for new objects

New VOB objects by default are assigned the same rolemap as the "parent" object, if there is a parent. For elements, that means the versioned directory in which you are making the new element.
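The following is an added illustrative model, not VersionVault code, of the two ideas above: a policy holds the "how" (role to permitted operations), a rolemap holds the "who" (role to principals) for one policy, objects reference a rolemap, and a newly created object takes its parent's rolemap or, with no parent, the VOB's empty default rolemap. All class and function names (Policy, Rolemap, VobObject, Vob, can), the operation names, and the users and groups are constructed for the example; the treatment of an empty rolemap as granting nothing is a modelling assumption, not a statement about how VersionVault evaluates it.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """The 'how': for each role, the operations that role may perform."""
    name: str
    roles: dict  # role name -> set of operation names


@dataclass
class Rolemap:
    """The 'who': for one policy, which principals take on each role."""
    name: str
    policy: Policy
    assignments: dict = field(default_factory=dict)  # role name -> set of principals

    def roles_of(self, identities):
        """Roles held by any of the given identities (a user plus its groups)."""
        return {role for role, members in self.assignments.items() if members & identities}


@dataclass
class VobObject:
    """A protected object; rolemap is the one it was created with."""
    name: str
    rolemap: Rolemap
    parent: "VobObject" = None


class Vob:
    def __init__(self, name, groups):
        self.name = name
        self.groups = groups  # user -> set of group names (constructed directory data)
        # Every VOB starts with an empty default rolemap: empty policy, no assignments.
        self.default_rolemap = Rolemap("default", Policy("default", {}))
        self.objects = {}

    def create(self, name, parent=None, rolemap=None):
        """Create an object: explicit rolemap if given, else the parent's, else the VOB default."""
        if rolemap is None:
            rolemap = parent.rolemap if parent is not None else self.default_rolemap
        obj = VobObject(name, rolemap, parent)
        self.objects[name] = obj
        return obj

    def can(self, user, operation, obj):
        """True if a role the user (or one of the user's groups) holds in the object's
        rolemap permits the operation under that rolemap's policy.
        Modelling assumption: an empty rolemap grants nothing."""
        identities = {f"user:{user}"} | {f"group:{g}" for g in self.groups.get(user, set())}
        rolemap = obj.rolemap
        permitted = set()
        for role in rolemap.roles_of(identities):
            permitted |= rolemap.policy.roles.get(role, set())
        return operation in permitted


# Constructed sample data: one shared policy, one rolemap per team.
GROUPS = {"dave": {"team_a_devs"}, "erin": {"team_b_devs"}}

TEAM_POLICY = Policy("team_policy", {
    "Developer": {"read", "checkout", "checkin"},
    "TeamLead": {"read", "checkout", "checkin", "lock", "unlock"},
    "Manager": {"read"},
})
TEAM_A = Rolemap("team_a", TEAM_POLICY, {
    "Developer": {"group:team_a_devs"}, "TeamLead": {"user:alice"}, "Manager": {"user:carol"}})
TEAM_B = Rolemap("team_b", TEAM_POLICY, {
    "Developer": {"group:team_b_devs"}, "TeamLead": {"user:bob"}, "Manager": {"user:carol"}})

vob = Vob("projvob", GROUPS)
src_a = vob.create("src_a", rolemap=TEAM_A)       # directory element protected for team A
foo_c = vob.create("src_a/foo.c", parent=src_a)   # new element: inherits the parent's rolemap
src_b = vob.create("src_b", rolemap=TEAM_B)
bar_c = vob.create("src_b/bar.c", parent=src_b)
orphan = vob.create("orphan")                     # no parent: VOB default (empty) rolemap

if __name__ == "__main__":
    checks = [("dave", "checkin", foo_c), ("dave", "checkin", bar_c),
              ("alice", "lock", foo_c), ("carol", "checkin", foo_c), ("carol", "read", bar_c)]
    for user, op, obj in checks:
        print(f"{user:6} {op:8} {obj.name:12} -> {vob.can(user, op, obj)}")
```

The point of the model is that TEAM_POLICY is written once and reused by both rolemaps; only the principal assignments differ, so changing what a Developer may do is a single policy edit, while changing which group is a team's Developer set is a rolemap edit that touches only that team's objects.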