Example of element group assignment
In this example, we create a VOB owned by a single group. Then we create two sets of elements, each protected so that it is readable by a specific group that is not in the VOB's group list.
Show the list of groups for the user:
% id -a
uid=2003(tester0) gid=20(user) groups=20(user),11110(clearusers_rose) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Create the VOB and remove the unwanted group clearusers_rose:
% cleartool mkvob -nc -tag /tmp/twogroups /var/tmp/twogroups.vbs
Created versioned object base.
Host-local path: testhost:/var/tmp/twogroups.vbs
Global path: /net/testhost/var/tmp/twogroups.vbs
VOB schema: 80
VOB feature level: 8
VOB ownership:
owner your.nis.domain/tester0
group your.nis.domain/user
Additional groups:
group your.nis.domain/clearusers_rose
VOBs have special data backup considerations. For more information on how to
back up your VOB properly, see the documentation for administering VersionVault.
If the backups aren't done properly, you are putting your data at risk!
% sudo /opt/hcl/ccm/versionvault/bin/cleartool protectvob -f -delete_group clearusers_rose /var/tmp/twogroups.vbs
This command affects the protection on your versioned object base.
While this command is running, access to the VOB will be limited.
If you have remote pools, you will have to run this command remotely.
Pool "sdft" appears to be protected correctly.
Pool "ddft" appears to be protected correctly.
Pool "cdft" appears to be protected correctly.
Protecting "/var/tmp/twogroups.vbs/db/logs"...
Protecting "/var/tmp/twogroups.vbs/db"...
Protecting "/var/tmp/twogroups.vbs/admin/vob_space"...
Protecting "/var/tmp/twogroups.vbs/admin/do_space"...
Protecting "/var/tmp/twogroups.vbs/admin"...
Protecting "/var/tmp/twogroups.vbs/s/sdft"...
Protecting "/var/tmp/twogroups.vbs/d/ddft"...
Protecting "/var/tmp/twogroups.vbs/c/cdft"...
VOB ownership:
owner your.nis.domain/tester0
group your.nis.domain/user
% ls -la /var/tmp/twogroups.vbs
total 52
drwxr-xr-x. 8 tester0 user 4096 Dec 4 10:35 .
drwxrwxrwt. 29 root root 4096 Dec 4 10:34 ..
-r--r--r--. 1 tester0 user 8 Dec 4 10:34 .hostname
drwx------. 2 tester0 user 4096 Dec 4 10:35 .identity
-rw-r--r--. 1 tester0 user 7 Dec 4 10:35 .pid
drwxr-xr-x. 4 tester0 user 4096 Dec 4 10:35 admin
drwxr-xr-x. 3 tester0 user 4096 Dec 4 10:34 c
drwxr-xr-x. 3 tester0 user 4096 Dec 4 10:34 d
drwxr-xr-x. 3 tester0 user 4096 Dec 4 10:35 db
-r--r--r--. 1 tester0 user 41 Dec 4 10:34 replica_uuid
drwxr-xr-x. 3 tester0 user 4096 Dec 4 10:34 s
-r--r--r--. 1 tester0 user 41 Dec 4 10:34 vob_oid
-rw-r--r--. 1 tester0 user 625 Dec 4 10:34 vob_server.conf
Make a policy, make two rolemaps, and grant aclgrp1 and aclgrp2 permission in their respective rolemaps:
% mkdir /tmp/twogroups
% cleartool mount /tmp/twogroups
% cleartool setview t0dyn
% cd /tmp/twogroups
% ls
lost+found
% cleartool mkpolicy -nc P1
Created policy "P1".
% cleartool chpolicy -nc -kind element -add Role:Dev -perm Change P1
Applying ACL changes to element containers for policy "P1"...
All necessary element containers were successfully reprotected.
Modified definition of policy "P1".
Completed modification of ACLs on containers protected by policy "P1".
% cleartool chpolicy -nc -kind element -add User:your.nis.domain/tester0 -perm Full P1
Applying ACL changes to element containers for policy "P1"...
All necessary element containers were successfully reprotected.
Modified definition of policy "P1".
Completed modification of ACLs on containers protected by policy "P1".
% cleartool mkrolemap -nc -policy P1 R1
Created rolemap "R1".
% cleartool mkrolemap -nc -policy P1 R2
Created rolemap "R2".
% cleartool chrolemap -nc -role Dev -add Group:your.nis.domain/aclgrp1 R1
Applying ACL changes to element containers for rolemap "R1"...
Modified definition of rolemap "R1".
Completed modification of ACLs on containers protected by rolemap "R1".
% cleartool chrolemap -nc -role Dev -add Group:your.nis.domain/aclgrp2 R2
Applying ACL changes to element containers for rolemap "R2"...
Modified definition of rolemap "R2".
Completed modification of ACLs on containers protected by rolemap "R2".
Display the policy and rolemaps:
% cleartool lspolicy -l P1
policy "P1"
2012-12-04T10:37:43-05:00 by Tester Tester (tester0.user@testhost)
owner: tester0
group: user
contents:
vob ACL:
# <empty acl>
element ACL:
Role:Dev Change
User:your.nis.domain/tester0 Full
policy ACL:
# <empty acl>
rolemap ACL:
# <empty acl>
% cleartool lsrolemap -l R1 R2
rolemap "R1"
2012-12-04T10:38:40-05:00 by Tester Tester (tester0.user@testhost)
owner: tester0
group: user
implements policy: P1
contents:
Role:Dev
Group:your.nis.domain/aclgrp1
effective access control lists:
element ACL:
User:your.nis.domain/tester0 Full
Group:your.nis.domain/aclgrp1 Change
rolemap "R2"
2012-12-04T10:38:41-05:00 by Tester Tester (tester0.user@testhost)
owner: tester0
group: user
implements policy: P1
contents:
Role:Dev
Group:your.nis.domain/aclgrp2
effective access control lists:
element ACL:
User:your.nis.domain/tester0 Full
Group:your.nis.domain/aclgrp2 Change
Create the elements:
% cleartool co -nc .
Checked out "." from version "/main/0".
% cleartool mkdir -nc -rolemap R1 dir1
Created directory element "dir1".
Checked out "dir1" from version "/main/0".
% cleartool mkdir -nc -rolemap R2 dir2
Created directory element "dir2".
Checked out "dir2" from version "/main/0".
% cleartool mkelem -nc dir1/foo1.txt dir2/foo2.txt
Created element "dir1/foo1.txt" (type "text_file").
Checked out "dir1/foo1.txt" from version "/main/0".
Created element "dir2/foo2.txt" (type "text_file").
Checked out "dir2/foo2.txt" from version "/main/0".
% echo foo1 > dir1/foo1.txt
% echo foo2 > dir2/foo2.txt
% cleartool ci -nc . dir1 dir2 dir1/foo1.txt dir2/foo2.txt
Checked in "." version "/main/1".
Checked in "dir1" version "/main/1".
Checked in "dir2" version "/main/1".
Checked in "dir1/foo1.txt" version "/main/1".
Checked in "dir2/foo2.txt" version "/main/1".
Display the effective ACLs on the VOB root directory and the dir1/dir2 elements:
% cleartool desc -eacl . dir1 dir2
directory version ".@@/main/1"
created 2012-12-04T10:40:54-05:00 by Tester Tester (tester0.user@qvml334)
"Added directory element "dir1".
Added directory element "dir2"."
protected by rolemap: "DefaultRolemap"
effective access for user "tester0": Full
effective access control lists:
Owner-User: Full
Owner-Group: rmver,mod-label,Change
Element Protection:
User : tester0 : rwx
Group: user : rwx
Other: : r-x
element type: directory
predecessor version: /main/0
directory version "dir1@@/main/1"
created 2012-12-04T10:40:54-05:00 by Tester Tester (tester0.user@qvml334)
"Added file element "foo1.txt"."
protected by rolemap: "R1"
effective access for user "tester0": Full
effective access control lists:
User:at1.com/tester0 Full
Group:at1.com/aclgrp1 Change
Element Protection:
User : tester0 : rwx
Group: user : rwx
Other: : r-x
element type: directory
predecessor version: /main/0
directory version "dir2@@/main/1"
created 2012-12-04T10:40:54-05:00 by Tester Tester (tester0.user@qvml334)
"Added file element "foo2.txt"."
protected by rolemap: "R2"
effective access for user "tester0": Full
effective access control lists:
User:at1.com/tester0 Full
Group:at1.com/aclgrp2 Change
Element Protection:
User : tester0 : rwx
Group: user : rwx
Other: : r-x
element type: directory
predecessor version: /main/0
Note: To grant users in groups aclgrp1 and aclgrp2 access to the elements in dir1 and dir2, you must also change the protection on the VOB root element to allow such access, either by protecting it with a different rolemap, by modifying the DefaultRolemap or DefaultPolicy, or by changing the VOB root directory's group so that the Owner-Group entry applies to these users. You must also ensure that authorized users have read-info access to the VOB object (by default, such access is granted to Everyone).
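To make the note above checkable, here is an added Python example; it is not part of the VersionVault documentation or tooling. It parses the output of cleartool desc -eacl as printed above and reports any group that is granted on a child element (dir1, dir2) but has no entry on the VOB root element's effective ACL, which is exactly the situation the note describes. The sample text is constructed from the three directory descriptions shown earlier, trimmed to the lines the parser reads; treating Owner-Group as covering the element's owning group (the Group: line under Element Protection) follows the note's remark about changing the root directory's group. FIXED_SAMPLE is a constructed variant of the root that mirrors the Readers entries shown at the end of this page.

```python
"""Added example: find groups granted on child elements but absent from the
VOB root's effective ACL, by parsing 'cleartool desc -eacl' output."""
import re

# Constructed sample: the root, dir1 and dir2 descriptions printed on this page,
# trimmed to the lines the parser reads.
SAMPLE = """\
directory version ".@@/main/1"
protected by rolemap: "DefaultRolemap"
effective access control lists:
Owner-User: Full
Owner-Group: rmver,mod-label,Change
Element Protection:
Group: user : rwx
directory version "dir1@@/main/1"
protected by rolemap: "R1"
effective access control lists:
User:at1.com/tester0 Full
Group:at1.com/aclgrp1 Change
Element Protection:
Group: user : rwx
directory version "dir2@@/main/1"
protected by rolemap: "R2"
effective access control lists:
User:at1.com/tester0 Full
Group:at1.com/aclgrp2 Change
Element Protection:
Group: user : rwx
"""

# Constructed variant: the same root after the Readers role at the end of this
# page was added, matching the final 'desc -eacl /tmp/twogroups' listing.
FIXED_SAMPLE = SAMPLE.replace(
    "Owner-Group: rmver,mod-label,Change\n",
    "Owner-Group: rmver,mod-label,Change\n"
    "Group:at1.com/aclgrp2 Read\nGroup:at1.com/aclgrp1 Read\n")

VERSION_RE = re.compile(r'^(?:directory )?version "([^@"]+)@@')
ACL_RE = re.compile(r'^(Owner-User|Owner-Group|(?:User|Group):\S+):?\s+(\S+)$')
OWNING_GROUP_RE = re.compile(r'^Group:\s*(\S+)\s*:\s*[rwx-]{3}$')


def parse_eacl(text):
    """Element name -> {'rolemap', 'acl': {principal: perms}, 'group': owning group}."""
    elements, current, section = {}, None, None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            current = elements[m.group(1)] = {"rolemap": None, "acl": {}, "group": None}
            section = None
        elif current is None:
            continue
        elif line.startswith("protected by rolemap:"):
            current["rolemap"] = line.split('"')[1]
        elif line == "effective access control lists:":
            section = "acl"
        elif line == "Element Protection:":
            section = "prot"
        elif section == "acl" and (m := ACL_RE.match(line)):
            current["acl"][m.group(1)] = m.group(2)
        elif section == "prot" and (m := OWNING_GROUP_RE.match(line)):
            current["group"] = m.group(1)
    return elements


def short(principal):
    """'Group:at1.com/aclgrp1' -> 'aclgrp1' (drop the kind and the domain qualifier)."""
    return principal.split(":", 1)[1].rsplit("/", 1)[-1]


def groups_covered_by(element):
    """Short names of every group with an entry in the element's effective ACL.
    Owner-Group counts for the element's owning group."""
    covered = set()
    for principal in element["acl"]:
        if principal == "Owner-Group" and element["group"]:
            covered.add(element["group"])
        elif principal.startswith("Group:"):
            covered.add(short(principal))
    return covered


def groups_missing_on_root(elements, root="."):
    """(element, group, rolemap) for groups granted on a child element but with
    no entry on the VOB root: those users cannot reach the child through the root."""
    root_groups = groups_covered_by(elements[root])
    missing = []
    for name, element in sorted(elements.items()):
        if name == root:
            continue
        for principal in element["acl"]:
            if principal.startswith("Group:") and short(principal) not in root_groups:
                missing.append((name, short(principal), element["rolemap"]))
    return missing


if __name__ == "__main__":
    for elem, group, rolemap in groups_missing_on_root(parse_eacl(SAMPLE)):
        print(f"{elem}: group {group} (rolemap {rolemap}) has no entry on the VOB root")
```

Run against the page's output, the script reports aclgrp1 on dir1 and aclgrp2 on dir2; against FIXED_SAMPLE, where both groups hold Read on the root, it reports nothing.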
Display the effective ACLs on the text elements:
% cleartool desc -eacl dir1/foo1.txt dir2/foo2.txt
version "dir1/foo1.txt@@/main/1"
created 2012-12-04T10:40:54-05:00 by Tester Tester (tester0.user@testhost)
protected by rolemap: "R1"
effective access for user "tester0": Full
effective access control lists:
User:your.nis.domain/tester0 Full
Group:your.nis.domain/aclgrp1 Change
Element Protection:
User : tester0 : r--
Group: user : r--
Other: : r--
element type: text_file
predecessor version: /main/0
version "dir2/foo2.txt@@/main/1"
created 2012-12-04T10:40:55-05:00 by Tester Tester (tester0.user@testhost)
protected by rolemap: "R2"
effective access for user "tester0": Full
effective access control lists:
User:your.nis.domain/tester0 Full
Group:your.nis.domain/aclgrp2 Change
Element Protection:
User : tester0 : r--
Group: user : r--
Other: : r--
element type: text_file
predecessor version: /main/0
Display the file system ACL on the version cleartext containers (Linux local file system example). Note that even though the mode bits above show that group user has read and "other" has read, the file system ACL is governed by the effective ACL instead, so group user and other have no access (group::---, other::---).
% getfacl `/opt/hcl/ccm/versionvault/etc/mvfsstorage dir1/foo1.txt dir2/foo2.txt`
getfacl: Removing leading '/' from absolute path names
# file: net/testhost/var/tmp/twogroups.vbs/c/cdft/3c/1d/e99390873e2911e295b300505698729d
# owner: tester0
# group: user
user::r--
user:tester0:r--
group::---
group:aclgrp1:r--
mask::r--
other::---
# file: net/testhost/var/tmp/twogroups.vbs/c/cdft/40/20/ec63908f3e2911e295b300505698729d
# owner: tester0
# group: user
user::r--
user:tester0:r--
group::---
group:aclgrp2:r--
mask::r--
other::---
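As an added example, not part of the VersionVault documentation, the following Python script parses getfacl output like the listing above and flags every ACL entry on a cleartext container that grants access to anyone other than the container's owning user and the groups the rolemap is meant to admit. Named user, named group and owning-group entries are evaluated against the mask, which is how the file system applies them. The sample is constructed from the two containers above plus a third, clearly hypothetical, container whose ACL has been left readable by its owning group, by a group wheel, and by other, so that a finding appears; function names and the allowed-group argument are this example's own.

```python
"""Added example: verify that cleartext containers are readable only by the
owning user and the groups the rolemap admits, from 'getfacl' output."""

# Constructed sample: the two containers listed on this page, plus a
# hypothetical third container whose ACL was left too open.
SAMPLE = """\
# file: net/testhost/var/tmp/twogroups.vbs/c/cdft/3c/1d/e99390873e2911e295b300505698729d
# owner: tester0
# group: user
user::r--
user:tester0:r--
group::---
group:aclgrp1:r--
mask::r--
other::---
# file: net/testhost/var/tmp/twogroups.vbs/c/cdft/40/20/ec63908f3e2911e295b300505698729d
# owner: tester0
# group: user
user::r--
user:tester0:r--
group::---
group:aclgrp2:r--
mask::r--
other::---
# file: net/testhost/var/tmp/twogroups.vbs/c/cdft/00/00/HYPOTHETICAL-CONTAINER
# owner: tester0
# group: user
user::r--
group::r--
group:wheel:r--
mask::r--
other::r--
"""


def parse_getfacl(text):
    """Map each '# file:' path to its list of (tag, qualifier, perms) entries."""
    files, entries = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            entries = files.setdefault(line[len("# file: "):], [])
        elif line and not line.startswith("#") and entries is not None:
            tag, qualifier, perms = line.split(":", 2)
            entries.append((tag, qualifier, perms))
    return files


def effective(perms, mask):
    """Named-user, named-group and owning-group entries are limited by the mask."""
    return "".join(p if p != "-" and m != "-" else "-" for p, m in zip(perms, mask))


def findings(text, allowed_groups, owner):
    """(container, entry) for every entry that grants access to someone other
    than the owning user ('user::' or the named owner) or an allowed group."""
    problems = []
    for path, entries in parse_getfacl(text).items():
        mask = next((p for t, q, p in entries if t == "mask"), "rwx")
        for tag, qualifier, perms in entries:
            if tag == "mask" or (tag == "user" and qualifier in ("", owner)):
                continue
            eff = perms if tag == "other" else effective(perms, mask)
            if eff == "---" or (tag == "group" and qualifier in allowed_groups):
                continue
            problems.append((path.rsplit("/", 1)[-1], f"{tag}:{qualifier}:{perms}"))
    return problems


if __name__ == "__main__":
    for container, entry in findings(SAMPLE, {"aclgrp1", "aclgrp2"}, "tester0"):
        print(f"{container}: unexpected access via {entry}")
```

The two containers from the page produce no findings; the hypothetical third one is reported three times (owning group, group wheel, other). Narrowing the allowed set to a single group shows how a container protected by the other rolemap is flagged as well.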
Examples of protection commands to add access to the VOB root directory (and to all other elements protected by the DefaultRolemap); this is necessary if the VOB root element's group is not one of the user's groups:
% cleartool chpolicy -nc -add Role:Readers -perm Read -kind element DefaultPolicy
Modified definition of policy "DefaultPolicy".
% cleartool chrolemap -nc -role Readers -add Group:at1.com/aclgrp1 DefaultRolemap
Applying ACL changes to element containers for rolemap "DefaultRolemap"...
Modified definition of rolemap "DefaultRolemap".
Completed modification of ACLs on containers protected by rolemap "DefaultRolemap".
% cleartool chrolemap -nc -role Readers -add Group:at1.com/aclgrp2 DefaultRolemap
Applying ACL changes to element containers for rolemap "DefaultRolemap"...
Modified definition of rolemap "DefaultRolemap".
Completed modification of ACLs on containers protected by rolemap "DefaultRolemap".
% cleartool desc -eacl /tmp/twogroups
directory version "/tmp/twogroups/.@@/main/1"
created 2012-12-04T10:40:54-05:00 by Tester Tester (tester0.user@qvml334)
"Added directory element "dir1".
Added directory element "dir2"."
protected by rolemap: "DefaultRolemap"
effective access for user "tester0": Full
effective access control lists:
Owner-User: Full
Owner-Group: rmver,mod-label,Change
Group:at1.com/aclgrp2 Read
Group:at1.com/aclgrp1 Read
Element Protection:
User : tester0 : rwx
Group: user : rwx
Other: : r-x
element type: directory
predecessor version: /main/0