Managing the scheduler access control list

The schedule command uses a single access control list (ACL) that determines who is allowed access to the scheduler’s task and job registries and to the scheduler ACL itself.

About this task

The scheduler ACL consists of a list of entries. Each entry assigns an access type to an identity. Four types of identity exist: Everyone, Domain, Group, and User. A domain is a Windows® domain on Windows hosts and an NIS domain on hosts running Linux® or the UNIX® system. Each group and user is qualified by a domain name. In a Windows domain, a group must be a global group, and a user must be a domain account.
Note: Hosts running Linux or the UNIX system that are not part of an NIS domain can use the string <unknown> in place of the domain name in an ACL entry.
Each identity may have one of three access types. The following table shows the access types and their implications for access to the schedule and access to the ACL itself.
Table 1. Access types in scheduler ACL entries
Access type Access to schedule Access to ACL
Read Read only Read only
Change Read and write; can start jobs Read only
Full Read and write; can start jobs Read and write

Although each identity can have only one access type, access rights are inherited from Everyone to Domain to Group to User in such a way that each user has the least restrictive of all these access rights that apply to that user. For example, if a user’s ACL entry specifies Read access but the ACL entry for the user’s group specifies Change access, the user has Change access.

By default, everyone has Read access. When logged on locally, the privileged user always has Full access. On a remote host, access rights for all users (even privileged users) are determined by the scheduler ACL. Thus, to change the default ACL, you must be logged on to the host where the scheduler is running, and you must be a privileged user.

Procedure

To view or edit the scheduler ACL, you can use the DevOps Code ClearCase® Administration Console or the cleartool schedule command.
  • To use the DevOps Code ClearCase Administration Console, navigate to the Scheduled Jobs node for the host on which you want to view or edit the scheduler’s ACL and click Action > All Tasks > Edit Permissions to open a window in which you can view or edit the scheduler’s ACL.
  • To use the cleartool schedule command, type this command to view the ACL:

    cleartool schedule –get –acl

    To edit the ACL, use this command:

    cleartool schedule –edit –acl

    You can also create a text file that contains ACL entries in the scheduler’s ACL-definition syntax, and then use the following command to replace the entire ACL with the ACL in the file (acldef.txt in this example):

    cleartool schedule –set –acl acldef.txt