permissions

Identity checking

APPLICABILITY

ProductCommand type
ClearCasegeneral information
ClearCase LTgeneral information
MultiSitegeneral information

Platform
UNIX
Windows

DESCRIPTION

In general, only commands that modify (write to) a VOB or a project VOB are subjected to identity checking. The following hierarchy of identity checking is used, in a command-specific manner, to determine whether a command can proceed or be canceled:

  • All products on UNIX only—root
  • All products except ClearCase LT on Windows only—Member of the ClearCase administrators group
  • ClearCase LT on Windows only—Local administrator of the ClearCase LT server host

    Note: We strongly recommend that you do not make ordinary ClearCase users members of the ClearCase administrators group or allow ClearCase LT users to log on as the local administrator at the ClearCase LT server host.

  • VOB owner
  • Owner of the relevant element (for modifications to branches and versions)
  • Owner of the relevant type object (for modifications to objects of that type)
  • Creator of a version or derived object
  • Owner of the object (pool, hyperlink, replica, activity, checkpoint, domain, role, state, user)
  • User associated with an event
  • Members of an object's group (same group ID)

Both file system and non-file-system objects have an owner and a group; this information is stored with the object. When an object is created, its owner and group are set to that of the user who created it. Use the protect command to change the owner (–chown) or group (–chgrp) of the object. The describe command displays the owner and group of the object.

The scheduler maintains its own access control list (ACL), which determines who is allowed access to the scheduler and to the ACL itself. See the schedule reference page for more information.

The reference page for a command lists the special identities (if any) required to use the command along with other restrictions on its use.

The sections below list all cleartool subcommands, categorized by their identity requirements. For information about identity checking for ClearCase and ClearCase LT commands (that is, other than cleartool subcommands), see the corresponding reference pages.

None

annotate

apropos

catcr

catcs

cd

chactivity

checkvob (except with –fix or –hlink)

chfolder

describe

diff

diffbl

diffcr

deliver

dospace 1

edcs

endview (except with -server)

file

find

findmerge 2

get

getcache

getlog

help

hostinfo

import 3

ln 4

ls

lsactivity

lsbl

lscheckout

lsclients

lscomp

lsdo

lsfolder

lshistory

lslocal

lslock

lsmaster

lspool

lsprivate

lsproject

lsregion

lsreplica

lssite

lsstgloc

lsstream

lstype

lsview

lsvob

lsvtree

lsws

make

man

mkactivity

mkattype 5

mkbl

mkbrtype 5

mkdir 4

mkelem 4

mkeltype 5

mkfolder

mkhltype 5

mklbtype 5

mkproject

mkregion

mkstgloc

mkstream

mktag 6

mkview 7

mkvob 7

mkws

mount 10

mv 4

mvws

put

pwd

pwv

quit

rebase

recoverview

reformatview

register

reqmaster (requesting mastership only) 9

rmname 4 8

rmregion

rmstgloc

rmtag

rmws

setactivity

setcs

setplevel

setsite

setview

setws

shell

space 1

startview

umount (public VOB)

unregister

update

winkin

wshell

1 Except with –update or –generate
2 No special identity required for “search” functionality
3 For created elements only
4 One or more directory elements must be checked out
5 Except with –replace
6 Except for private VOB tag
7 Standard UNIX/Windows NT permissions for creating a subdirectory required
8 Except with –nco
9 Must be on ACL at master replica
10 Only for public VOB

one of: element group member, element owner, VOB owner, root, member of the ClearCase administrators group, local administrator of the ClearCase LT server host; (for commands that operate on objects) object group member, object owner, VOB owner, root, member of the ClearCase administrators group, local administrator of the ClearCase LT server host

checkout

checkvob –hlink

import 1

merge 2

mkattr

mkbranch

mkhlink

mklabel

mktrigger

reserve

rmattr

rmhlink

rmlabel

rmmerge

rmtrigger

unreserve

1 For checked-out directories only

2 Applies to creation of merge arrows only, not to data

one of: version creator, element owner, VOB owner, root, member of the ClearCase administrators group, local administrator of the ClearCase LT server host

checkin

rmver

uncheckout

one of: element owner, VOB owner, root, member of the ClearCase administrators group, local administrator of the ClearCase LT server host

chtype (element)

lock (element)

rmelem

unlock (element)

one of: user associated with event, object owner, VOB owner, root, member of the ClearCase administrators group, local administrator of the ClearCase LT server host

chevent

one of: branch creator, element owner, VOB owner, root, member of the ClearCase administrators group, local administrator of the ClearCase LT server host

chtype (branch)

lock (branch)

rmbranch

unlock (branch)

one of: type owner, VOB owner, root, member of the ClearCase administrators group, local administrator of the ClearCase LT server host

lock (type object)

mkattype –replace

mkbrtype –replace

mkeltype –replace

mkhltype –replace

mklbtype –replace

mktrtype –replace

rename (type object)

rmtype

unlock (type object)

one of: pool owner, VOB owner, root, member of the ClearCase administrators group

rename (pool) rmpool

one of: DO group member, DO owner, VOB owner, root, member of the ClearCase administrators group

rmdo

Note: Only the VOB owner and root, members of the ClearCase administrators group can delete a shared derived object.

one of: view owner, root, member of the ClearCase administrators group, local administrator of the ClearCase LT server host

endview -server

rmview

setcache –view

space –view –generate

one of: owner, VOB owner, root, member of the ClearCase administrators group, local administrator of the ClearCase LT server host

protect  

one of: owner, project VOB owner, root, member of the ClearCase administrators group, local administrator of the ClearCase LT server host

chproject

chstream

rmactivity

rmbl

rmcomp

rmfolder

rmproject

rmstream

one of: owner, stream owner, root, member of the ClearCase administrators group, local administrator of the ClearCase LT server host

chbl 

one of: owner, VOB owner, root, member of the ClearCase administrators group

chmaster

one of: VOB owner, root, member of the ClearCase administrators group

checkvob –fix

chpool

dospace –generate

ln –nco

lock (pool or VOB)

mkpool

mktrtype 1

reformatvob

relocate

reqmaster (to set access controls)

rmname –nco

rmvob

space –vob –generate

umount (private VOB)

unlock (pool or VOB)

1 except with –replace

one of: VOB owner, root, member of the ClearCase administrators group, local administrator of the ClearCase LT server host

checkvob –fix

ln –nco

lock (pool or VOB)

mkcomp

mktrtype 1

reformatvob

rmname –nco

rmvob

setplevel

space –vob –generate

unlock (pool or VOB)

1 except with –replace

VOB owner

mktag (private VOB tag) mount (private VOB)

view owner

chview (can also be root on view server host)

root, member of the ClearCase administrators group, local administrator of the ClearCase LT server host

setcache –host setcache –mvfs

root, local administrator of the ClearCase VOB server host, local administrator of the ClearCase LT server host

protectvob 

same permissions as those for creating the corresponding type object

cptype

permissions controlled by the scheduler ACL

dospace –update

schedule

space –update

SEE ALSO

Reference pages for individual commands


Copyright© 2003 Rational Software. All Rights Reserved.