Comparison of OS-defined groups and ACL authorization

Instead of assigning users to multiple OS-defined groups, ACLs enable you to assign elements into multiple groups, which simplifies authorization administration.

OS-defined groups

Each VOB element has three protection categories: owner, group, and other. For each category, the administrator can set or clear the read and execute bits. For example, if you have a source file that should be readable to the owner and members of the element group, but not to all users in the network, then you would set owner=read, group=read, other=none. If you have an executable file for some programming tool, you might set all three to read and execute.

In practical terms, this model requires you to use a separate group for each class of elements that shares the same protection. If you do not permit all users to read elements in your VOB, then you set other=none and must control access using the owner and group categories.

The element owner has only limited usefulness in element protection, leaving only the group as an effective control. An element's owner is by default set to the user account that created the element. If you have multiple developers, then the elements' owners will vary, which is not convenient for access control. Some administrators configure a trigger to change ownership to the VOB owner account after element creation, but this is also inconvenient for access control since most users seldom assume the identity of the VOB owner

That leaves the element's group as the mechanism to control access to each element. The administrator must define a separate group for each class of element needing protection. For example, element class 1 is for developers of component A. Element class 2 is for developers of component B. Element class 3 is for all developers (shared code). If you have 25 components (A-Y) and one shared component (Z), you need 26 groups to control access. You would protect all elements in component A as readable to group A but not world readable. Likewise for components B-Y. Each developer of component A-Y would be a member of that group, plus also a member of group Z. The account used to build and integrate all the code needs to be a member of all groups A-Z.

The groups used by HCL VersionVault are defined by the operating system (Windows Domain, Linux or UNIX NIS or LDAP) and added to a user's credentials when he/she logs into a host running VersionVault. Unfortunately, due to limitations in the network protocols used in the operating system and in HCL VersionVault, a single user can only use 16 groups (UNIX and Linux) or 32 groups (Windows) at a time with VersionVault. In the example above, the build/integrate account needs to use 26 groups to complete the build – necessitating either some complex sequencing of build steps and credentials changes defining which groups are activated for HCL VersionVault (CLEARCASE_GROUPS environment on windows and setgroup-swap tool on Linux or the UNIX system), or compromising on the implementation of your element security and using fewer element classes/groups. Neither option is desirable.

ACLs on elements

You can change your access control strategy to eliminate many cases where you would hit the per-user group membership limits. It might help to think of ACLs as enabling you to put elements into multiple groups instead of having to put users into multiple groups. Because the number of groups that are allowed in an element effective ACL is not limited to the same low limits as the number of groups for a user account, this security mechanism enables some new protection use cases and simplifies others.

With ACLs on elements, you can grant access to multiple individual users, multiple groups, and a few categories of "everyone". This topic discusses ACLs on elements in terms of their effective ACLs. In this and related topics are examples of how rolemaps and policies combine to generate effective ACLs.

In the example above, there were 25 components A-Y, each to be accessed by a different team and by a build account, but nobody else should have access. With ACLs, you would protect every element in a given component with a shared effective ACL. For component A, it looks like this:

Group:domain/groupA Change
Group:domain/builders Change

Every other component B-Y would have a similar effective ACL. Component Z (the shared component) also has a similar effective ACL. In this configuration, each team member's account is in the corresponding group for their component, plus the group for Z (as before). But the builder account only needs to be in the "builders" group. You do not run into limits on simultaneous group membership for the builder account.

You also do not have to use complex strategies during a system build nor compromise on the security for components A-Y. You also gain flexibility to add additional groups and read-only access to elements. Suppose that component Z is maintained by its own team but should only be referenced by teams A-Y. You can configure component Z's element ACL like this:

Group:domain/groupZ Change
Group:domain/alldevelopers Read
Group:domain/builders Change

and put the non-Z developers into group "alldevelopers" instead of "groupZ". A developer on team A will be able to read elements in component Z but not modify them. (Without ACLs, this would require a pre-operation checkout and mkbranch trigger to check the permission to modify the element, and reject an operation if not authorized.)

You can also put individual accounts into element ACLs. This might make sense if there are a few individuals that need specific access to a component, in a case where it is not worthwhile to create a new operating system group just for this purpose. So if component B should be modifiable by its team, plus another user, the ACL might look like this:

Group:domain/groupB Change
User:domain/extrauser Change
Group:domain/builders Change

If you have some components that are maintained by multiple teams, you might even be able to eliminate some groups used previously. Suppose that component E was maintained by all the team members for components C and D. You needed group E to contain all the members of both groups C and D. With ACLs, you can set up the ACL for component E to name both groups, then abandon the use of group E (remove it from the group list for accounts on teams C and D):

Group:domain/groupC Change
Group:domain/groupD Change
Group:domain/builders Change

Example of a policy and associated rolemaps

The foregoing description talks in terms of effective ACLs. In a VOB, the effective ACL is generated by appling a rolemap to a policy. The VOB database computes and caches the effective ACL for each rolemap. Each element is associated with a rolemap (for example, by cleartool protect -chrolemap or cleartool mkelem -rolemap). To implement the above examples, you will need a distinct rolemap for each class of elements (components A - Z). You can link all these rolemaps to a single policy that describes your general protection model. Below is an example policy and set of rolemaps that yield the effective ACLs shown above. (In practice, you probably want to add an administrative user or group to have Full control over all elements, but for ease of explanation we don't show such an entry in this policy and the example effective ACLs above.)

Policy:

[element]
Role:ComponentModify Change
Role:ComponentReader Read
Group:domain/builders Change

Component A Rolemap:

Role:ComponentModify --> Group:domain/groupA

Component Z Rolemap:

Role:ComponentModify --> Group:domain/groupZ
Role:ComponentReader --> User:domain/alldevelopers

Component B Rolemap:

Role:ComponentModify --> Group:domain/groupB
Role:ComponentModify --> User:domain/extrauser

Component E Rolemap:

Role:ComponentModify --> Group:domain/groupC
Role:ComponentModify --> Group:domain/groupD