permissions

Identity checking

Applicability

Product        Command type
VersionVault   general information
MultiSite      general information

Platform       UNIX, Linux, Windows

Description (non-ACL-enabled VOBs)

In general, only commands that modify (write to) a VOB or a project VOB are subjected to identity checking. The following hierarchy of identity checking is used, in a command-specific manner, to determine whether a command can proceed or be canceled:

  • All products on UNIX and Linux only: root
  • All products on Windows only: Member of the VersionVault administrators group
  • VOB owner
  • Owner of the relevant element (for modifications to branches and versions)
  • Owner of the relevant type object (for modifications to objects of that type)
  • Creator of a version or derived object
  • Owner of the object (pool, hyperlink, replica, activity, checkpoint, domain, role, state, user)
  • User associated with an event
  • Members of an object's group (same group ID)
    Note: Object in this case refers to objects in a VOB. A VOB object itself is not an object in a VOB and therefore group membership is not sufficient for commands that modify a VOB object itself. The group membership on a VOB is used to set the OS-level permissions on files and directories within the VOB storage area, not the permission to modify the VOB object itself.

Both file system and non-file-system objects have an owner and a group; this information is stored with the object. When an object is created, its owner and group are set to that of the user who created it. Use the protect command to change the owner (–chown) or group (–chgrp) of the object. The describe command displays the owner and group of the object.

The scheduler maintains its own access control list (ACL), which determines who is allowed access to the scheduler and to the ACL itself. See the schedule reference page for more information.

The reference page for a command lists the special identities (if any) required to use the command along with other restrictions on its use.

The sections below list all cleartool subcommands, categorized by their identity requirements. For information about identity checking for VersionVault commands (that is, other than cleartool subcommands), see the corresponding reference pages.

None

annotate

apropos

catcr

catcs

cd

chactivity

checkvob (except with –fix or –hlink)

chfolder

describe

diff

diffbl

diffcr

deliver

dospace [1]

edcs

endview (except with -server)

file

find

findmerge [2]

get

getcache

getlog

help

hostinfo

import [3]

ln [4]

ls

lsactivity

lsbl

lscheckout

lsclients

lscomp

lsdo

lsfolder

lshistory

lslocal

lslock

lsmaster

lspool

lsprivate

lsproject

lsregion

lsreplica

lssite

lsstgloc

lsstream

lstype

lsview

lsvob

lsvtree

lsws

make

man

mkactivity

mkattype [5]

mkbl

mkbrtype [5]

mkdir [4]

mkelem [4]

mkeltype [5]

mkfolder

mkhltype [5]

mklbtype [5]

mkproject

mkregion

mkstgloc

mkstream

mktag [6]

mkview [7]

mkvob [7]

mkws

mount [10]

mv [4]

mvws

put

pwd

pwv

quit

rebase

recoverview

reformatview

register

reqmaster (requesting mastership only) [9]

rmname [4] [8]

rmregion

rmstgloc

rmtag

rmws

setactivity

setcs

setplevel

setsite

setview

setws

shell

space [1]

startview

umount (public VOB)

unregister

update

winkin

wshell

[1] Except with –update or –generate

[2] No special identity required for "search" functionality

[3] For created elements only

[4] One or more directory elements must be checked out

[5] Except with –replace

[6] Except for private VOB tag

[7] Standard UNIX and Linux or Windows permissions for creating a subdirectory required

[8] Except with –nco

[9] Must be on ACL at master replica

[10] Only for public VOB

One of: element group member, element owner, VOB owner, root, member of the VersionVault administrators group; (for commands that operate on objects) object group member, object owner, VOB owner, root, member of the VersionVault administrators group

checkout

checkvob –hlink

import [1]

merge [2]

mkattr

mkbranch

mkhlink

mklabel

mktrigger

reserve

rmattr

rmhlink

rmlabel

rmmerge

rmtrigger

unreserve

[1] For checked-out directories only

[2] Applies to creation of merge arrows only, not to data

One of: version creator, element owner, VOB owner, root, member of the VersionVault administrators group

checkin

rmver

uncheckout

One of: element owner, VOB owner, root, member of the VersionVault administrators group

chtype (element)

lock (element)

rmelem

unlock (element)

One of: user associated with event, object owner, VOB owner, root, member of the VersionVault administrators group

chevent

One of: branch creator, element owner, VOB owner, root, member of the VersionVault administrators group

chtype (branch)

lock (branch)

chmaster (branch)

rmbranch

unlock (branch)

One of: type owner, VOB owner, root, member of the VersionVault administrators group

lock (type object)

mkattype –replace

mkbrtype –replace

mkeltype –replace

mkhltype –replace

mklbtype –replace

mktrtype –replace

rename (type object)

rmtype

unlock (type object)

One of: pool owner, VOB owner, root, member of the VersionVault administrators group

rename (pool)

rmpool

One of: DO group member, DO owner, VOB owner, root, member of the VersionVault administrators group

rmdo

Note: Only the VOB owner, root, or a member of the VersionVault administrators group can delete a shared derived object.

One of: view owner, root, member of the VersionVault administrators group

endview -server

rmview

setcache –view

space –view –generate

One of: owner, VOB owner, root, member of the VersionVault administrators group

protect

One of: owner, project VOB owner, root, member of the VersionVault administrators group

chproject

chstream

rmactivity

rmbl

rmcomp

rmfolder

rmproject

rmstream

One of: owner, stream owner, root, member of the VersionVault administrators group

chbl

One of: owner, VOB owner, root, member of the VersionVault administrators group

chmaster (other than branch)

One of: VOB owner, root, member of the VersionVault administrators group

checkvob –fix

chpool

dospace –generate

ln –nco

lock (pool or VOB)

mkpool

mktrtype [1]

reformatvob

relocate

reqmaster (to set access controls)

rmname –nco

rmvob

space –vob –generate

umount (private VOB)

unlock (pool or VOB)

[1] Except with –replace

One of: VOB owner, root, member of the VersionVault administrators group

checkvob –fix

ln –nco

lock (pool or VOB)

mkcomp

mktrtype [1]

reformatvob

rmname –nco

rmvob

setplevel

space –vob –generate

unlock (pool or VOB)

[1] Except with –replace

VOB owner

mktag (private VOB tag)

mount (private VOB)

View owner

chview (can also be root on view server host)

root, member of the VersionVault administrators group

setcache –host

setcache –mvfs

root, local administrator of the VersionVault VOB server host

protectvob

Same permissions as those for creating the corresponding type object

cptype

Permissions controlled by the scheduler ACL

dospace –update

schedule

space –update

Description of enforcement behavior (ACL-enabled VOBs)

When ACLs are enforced, the following operations require that the permissions be granted in the effective ACL controlling the object or its type. Rolemap and policy ACLs are always enforced, even when the protectvob settings are set to use old-style permissions for other metatypes.

Note: All operations require read-info on the VOB object in addition to the permissions that are specific to the operation.

Table 1. Permissions for generic operations (all object metatypes)

Operation                                              Required permission
chmaster                                               chmaster on object
protect                                                AclWrite on object
describe                                               Read (read-name and read-info) on object
describe -eacl                                         AclRead on object
ls                                                     read-name on object
lock, unlock (on policy, rolemap, elements, VOB)       lock on object
mkattr (policy, rolemap, VOB)                          mod-attr on object
rmattr (policy, rolemap, VOB)                          mod-attr on object
mkhlink (policy, rolemap, VOB)                         mod-attr on object
rmhlink (policy, rolemap, VOB)                         mod-attr on object

Table 2. Permissions for element operations

Operation                                              Required permission
checkout                                               mod-checkout on element
uncheckout                                             (element ACLs are not enforced)
reserve                                                mod-checkout on element
unreserve                                              mod-checkout on element
checkin                                                mod-checkout on element
rmelem                                                 Delete on element, rmelem on vob
rmelem (on symlink)                                    rmelem on vob
rmver                                                  rmver on element
mkelem                                                 mod-checkout on directory element, mkelem on vob
(un)associate a work item from VersionVault Explorer   mod-task on element
mklabel                                                mod-label, read-info on element
rmlabel                                                mod-label, read-info on element
mktrigger on version                                   mod-trig on element
rmtrigger on version                                   mod-trig on element
mkattr on version                                      mod-attr on element
rmattr on version                                      mod-attr on element
mkhlink on version                                     mkhlink on version
rmhlink on version                                     mod-hlink on element

Table 3. Policy and rolemap operations

Operation                                              Required permission
mkpolicy -replace                                      mod-props on policy
chpolicy                                               mod-props on policy
rmpolicy                                               Delete on policy
mkpolicy                                               mkpolicy on vob
mkrolemap -replace                                     mod-props on rolemap
chrolemap                                              mod-props on rolemap
rmrolemap                                              Delete on rolemap
mkrolemap                                              mkrolemap on vob
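The enforcement rules above combine into one check per operation: read-info on the VOB object, then the operation-specific permissions, with the uncheckout exemption and the always-enforced policy and rolemap ACLs. The model below is an added example, not VersionVault's own code; the permission names and operation table come from this page, while the `granted` map (standing in for the effective ACL) and the `old_style` set (standing in for the protectvob settings) are assumptions.

```python
# Added example, not VersionVault code: a model of how the ACL enforcement
# rules on this page combine. Permission names and the operation table are
# taken from the page; the `granted` map and the `old_style` set are
# assumptions standing in for the effective ACL and the protectvob settings.

# Operation -> list of (permission, object metatype) from Tables 1 to 3
# (a representative subset). uncheckout has no element-ACL requirement.
REQUIRED = {
    "checkout":   [("mod-checkout", "element")],
    "uncheckout": [],
    "mklabel":    [("mod-label", "element"), ("read-info", "element")],
    "rmelem":     [("Delete", "element"), ("rmelem", "vob")],
    "protect":    [("AclWrite", "object")],
    "chpolicy":   [("mod-props", "policy")],
    "rmrolemap":  [("Delete", "rolemap")],
    "mkpolicy":   [("mkpolicy", "vob")],
}

# Rolemap and policy ACLs are enforced regardless of protectvob settings.
ALWAYS_ENFORCED = frozenset({"policy", "rolemap"})


def acl_enforced(kind: str, old_style: frozenset = frozenset()) -> bool:
    """True if the ACL on objects of metatype `kind` is evaluated.
    `old_style` lists metatypes that protectvob switched to old-style
    permissions; that switch never applies to policy or rolemap."""
    return kind in ALWAYS_ENFORCED or kind not in old_style


def check(op: str, granted: dict, old_style: frozenset = frozenset()):
    """Return (allowed, missing) for operation `op`.
    `granted` maps metatype -> set of permissions the caller holds in the
    effective ACL of the object involved. Every operation first needs
    read-info on the VOB object, then its operation-specific permissions."""
    needed = [("read-info", "vob")] + REQUIRED[op]
    missing = [
        f"{perm} on {kind}"
        for perm, kind in needed
        if acl_enforced(kind, old_style) and perm not in granted.get(kind, set())
    ]
    return (not missing, missing)


if __name__ == "__main__":
    caller = {"vob": {"read-info"}, "element": {"mod-checkout"}}
    print(check("checkout", caller))   # allowed
    print(check("rmelem", caller))     # missing Delete on element, rmelem on vob
```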

See also

Reference pages for individual commands