Any ClearCase community must define a group to which all users who perform routine ClearCase operations using a common set of VOBs and views belong. We refer to this group as the ClearCase users group. It can be an existing domain global group or one created specifically for this purpose. In examples throughout this document, the ClearCase users group is named clearusers.
The ClearCase users group must have the following characteristics:
It must be a domain global group or an Active Directory universal group. We recommend using a domain global group unless the group needs to include other groups.
Its name must be the same as the name of the ClearCase users group on UNIX if members of the group must access VOBs or views on a UNIX host. UNIX and Windows place different restrictions on the length of group names, as well as on the characters that are allowed in them. Be sure that the ClearCase users group name is acceptable in both environments.
NOTE: If your ClearCase community includes multiple groups that share VOBs and views among their members but do not share these VOBs and views with members of other groups, you must designate a different ClearCase users group for each of these groups.
In addition to the ClearCase users group, a ClearCase community requires two additional domain accounts:
A ClearCase administrators group. Members of this group can perform all ClearCase operations, including those that permanently destroy data. Membership in this group should be restricted to the ClearCase server process user and a few ClearCase administrators. In examples throughout this document, the ClearCase administrators group is named clearcase.
A ClearCase server process user. The albd_server program runs with this identity. In examples throughout this document, the ClearCase server process user is named clearcase_albd. The ClearCase server process user must be a member of the ClearCase administrators group. On UNIX, the ClearCase server process user is the root user.
The ClearCase server process user and ClearCase administrators group can be created by the installation process if they do not already exist. They can also be created manually. See Defining the Accounts Manually.
Although you can designate a user's primary group using various Windows domain account maintenance tools, this group name is not always returned when an application requests the name of a user's primary group. We strongly recommend that you ask each user to set the user environment variable CLEARCASE_PRIMARY_GROUP to the domain-qualified name of the ClearCase users group. For example:
This setting guarantees an unambiguous definition of the group that ClearCase considers the user's primary group.
The CLEARCASE_PRIMARY_GROUP assignment has no security or access-control implications outside the context of VOB access. Users who have not set CLEARCASE_PRIMARY_GROUP correctly are likely to have problems creating elements or otherwise accessing VOBs, especially in complex domain configurations.
Users must set the value of CLEARCASE_PRIMARY_GROUP as a user environment variable on each Windows platform from which they will access any VOB or view.
NOTE: Members of the ClearCase users group who are also members of the ClearCase administrators group must set CLEARCASE_PRIMARY_GROUP to the name of the ClearCase users group, not the name of the ClearCase administrators group.
On a computer running Windows Me or Windows 98, you must set the CLEARCASE_PRIMARY_GROUP variable in the AUTOEXEC.BAT file.
To verify that CLEARCASE_PRIMARY_GROUP has been properly set:
1. Click Start > Programs > Rational ClearCase Administration > ClearCase Doctor.
2. Click Start Analysis.
3. When the analysis is finished, click the Topics tab and open the User Login Account folder.
4. Double-click Primary Group, read the user's primary group, and verify that it is correct.
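A scripted complement to the ClearCase Doctor check, covering the CLEARCASE_PRIMARY_GROUP rules stated above. This is an added example, not part of the ClearCase documentation or tooling; the function name and the EXAMPLE domain are assumptions, and the sample inputs are constructed.

```powershell
# Added example (not ClearCase code). EXAMPLE is a constructed domain name.
function Test-ClearCasePrimaryGroup {
    param(
        [string]$Value,        # CLEARCASE_PRIMARY_GROUP as the user set it
        [string[]]$MemberOf,   # DOMAIN\group names the user belongs to
        [string]$UsersGroup,   # the community's ClearCase users group
        [string]$AdminsGroup   # the community's ClearCase administrators group
    )
    $problems = New-Object System.Collections.Generic.List[string]
    if ([string]::IsNullOrEmpty($Value)) {
        $problems.Add('CLEARCASE_PRIMARY_GROUP is not set for this user')
        return $problems
    }
    # The variable must hold the domain-qualified group name.
    if ($Value -notmatch '^[^\\]+\\[^\\]+$') {
        $problems.Add("'$Value' is not domain-qualified (expected DOMAIN\group)")
    }
    # Administrators must still name the users group, not the administrators group.
    if ($Value -eq $AdminsGroup) {
        $problems.Add('set to the administrators group; use the users group')
    } elseif ($Value -ne $UsersGroup) {
        $problems.Add("'$Value' is not the ClearCase users group $UsersGroup")
    }
    # Windows group names compare case-insensitively, as -notcontains does.
    if ($MemberOf -notcontains $Value) {
        $problems.Add("user is not a member of '$Value'")
    }
    return $problems
}

# Constructed sample: an administrator who belongs to both groups.
$memberOf = 'EXAMPLE\Domain Users', 'EXAMPLE\clearusers', 'EXAMPLE\clearcase'
$common = @{ MemberOf = $memberOf; UsersGroup = 'EXAMPLE\clearusers'; AdminsGroup = 'EXAMPLE\clearcase' }
Test-ClearCasePrimaryGroup -Value 'EXAMPLE\clearcase' @common    # wrong group
Test-ClearCasePrimaryGroup -Value 'clearusers' @common           # not domain-qualified
Test-ClearCasePrimaryGroup -Value 'EXAMPLE\clearusers' @common   # no problems reported

# On a live Windows host, the real inputs can be gathered like this:
# $value = [Environment]::GetEnvironmentVariable('CLEARCASE_PRIMARY_GROUP', 'User')
# $memberOf = [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
#     try { $_.Translate([Security.Principal.NTAccount]).Value } catch { }
# }
```

The check reads the variable at User scope because the text requires it to be set as a user environment variable on each Windows host.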
The ClearCase Site Preparation Wizard attempts to create the ClearCase administrators group and ClearCase server process user accounts if they do not exist. The account and group names specified during site preparation are presented as the defaults when users run the ClearCase Installation program on individual hosts. In addition, the account names and the ClearCase server process user's password are used as the default when you rerun the wizard to create a new release area on a host.
If the user running the ClearCase Site Preparation Wizard does not have Domain Administrator privileges, the wizard cannot create these accounts. A domain administrator must create them manually using the following procedure:
1. Log on as a user with domain administrator privileges.
2. Run the appropriate management tool:
   - On Windows NT, use the User Manager for Domains (Start > Programs > Administrative Tools > User Manager for Domains). Click User > New Global Group, and enter the group name.
   - On Windows 2000, open Control Panel. Open Administrative Tools, and then open the Active Directory Users and Computers MMC snap-in. In the console tree, open the Users node, click Action > New > Group, and enter the group name.
3. Create a new global group called clearcase (or another group name the community has chosen). In the Description box, type the following text:
   Used exclusively by the ClearCase server process user and ClearCase administrative users.
4. Create a new user, clearcase_albd (or another user name the community has chosen), and put the group name defined in Step #3 in the new user's group list.
5. Select the Password never expires check box.
6. In the Description box, type the following text:
   Used exclusively by ClearCase servers
7. On each ClearCase host that is configured to support local VOBs and views, give the clearcase_albd user the right to Log on as a service.
   - On Windows NT, start the User Manager for Domains and click Policies to open the User Rights Policy editor. Click Add, and select clearcase_albd from the list of users in the Add Users and Groups dialog box. Select the Show Advanced Rights check box and select Log on as a service from the list of rights. Click OK to grant the clearcase_albd user the right to log on as a service.
   - On Windows 2000, click Control Panel > Administrative Tools and run the Local Security Policy management console. Click Local Policies > User Rights Assignment. From the list displayed, right-click Log on as a service and select the Security task to open the local security policy setting dialog box. Click Add and select the clearcase_albd user from the list of users displayed. Click OK to grant the clearcase_albd user the right to log on as a service.
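To confirm on each host that the Log on as a service grant took effect, the local user-rights policy can be exported with secedit and checked for the account. This is an added example, not part of the ClearCase documentation; the function name, the EXAMPLE domain and the SID are assumptions, and the policy lines are constructed.

```powershell
# Added example (not ClearCase code): check a secedit USER_RIGHTS export for
# the "Log on as a service" right (SeServiceLogonRight).
function Test-ServiceLogonRight {
    param(
        [string[]]$InfLines,    # lines of the exported policy file
        [string]$AccountName,   # DOMAIN\user form of the server process user
        [string]$AccountSid     # that account's SID as a string
    )
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return $false }   # the right is assigned to nobody

    $shortName = ($AccountName -split '\\')[-1]
    $entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    foreach ($entry in $entries) {
        if ($entry.StartsWith('*')) {
            # secedit writes resolvable accounts as *SID
            if ($entry.Substring(1) -eq $AccountSid) { return $true }
        } elseif ($entry -eq $AccountName -or $entry -eq $shortName) {
            # some entries are written as plain account names
            return $true
        }
    }
    return $false
}

# Constructed sample export and SID, for illustration only.
$sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$granted = @(
    '[Privilege Rights]',
    'SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544',
    "SeServiceLogonRight = *S-1-5-80-0,*$sid"
)
$missing = @(
    '[Privilege Rights]',
    'SeServiceLogonRight = *S-1-5-80-0'
)
Test-ServiceLogonRight -InfLines $granted -AccountName 'EXAMPLE\clearcase_albd' -AccountSid $sid
Test-ServiceLogonRight -InfLines $missing -AccountName 'EXAMPLE\clearcase_albd' -AccountSid $sid

# On a live host (elevated prompt), the real inputs can be gathered like this:
# secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
# $acct = New-Object Security.Principal.NTAccount('EXAMPLE\clearcase_albd')
# $sid  = $acct.Translate([Security.Principal.SecurityIdentifier]).Value
# Test-ServiceLogonRight (Get-Content "$env:TEMP\rights.inf") 'EXAMPLE\clearcase_albd' $sid
```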
Copyright © 2001 by Rational Software Corporation. All rights reserved.