Workspace folder permissions and permission precedence

Folder Permissions

The Rational® ClearQuest® workspace folder permissions model defines two types of permission categories. Each category has a set of permissions that are relevant to that category. The two types of permission categories for folders are:
  • Folder content permissions and folder content visibility
  • Folder permission setting ability
A folder may have one permission per user group applied for each category. Within each category there is also a permission precedence level; see the section "Permission precedence level".

A permission is set only on a workspace folder or subfolder, not on the queries or other non-folder items it contains. A permission and the user group to which that permission applies is called an Access Control Element (ACE). The set of ACEs applied to a single folder constitutes the access control list (ACL) for the folder.

Folder content permissions and folder content visibility

Read-Limited
Users who are members of the user group associated with this Read-Limited permission (the Access Control Element consists of a permission and user group pair) can see the folder on which it is set. The contents of the folder are hidden from the user, except for subfolders that have an explicitly set ACE of Read-Limited, Read-Write or Read-Only permission for the ACE's user group.
Read-Write
Users with this effective permission can read and execute any item, and can save items within the folder on which it is set. This includes the right to create new items, including subfolders, and rename, modify, or delete existing items.
Read-Only
Users with this effective permission can read from any item within the folder on which it is set. No modifications are allowed to the contents of the folder.
No-Access
Users with this effective permission can neither read from nor write to the folder on which it is set. The folder name itself may be visible to a user (subject to a Read-Limited permission), but its content is not visible. The folder name itself may also be modifiable by the user if the parent folder has granted Read-Write privilege to a group to which the user belongs. It may seem counter-intuitive that a user with No-Access to the contents of a folder may change the name of the folder, but remember that a subfolder itself is just an item in its parent's folder, so it is the permissions on the parent folder that control the user's ability to rename the folder.

Because the new permissions apply only to folders, if a user can read a folder, they can open or run any of the items within the folder. Thus, there is no need for an “execute” permission.

Folder permission setting ability

Change-Permissions
Users in groups which have been granted this permission on a folder can change the Read-Limited, Read-Write, Read-Only, and No-Access permissions on that folder or any of its subfolders, for the groups of which they are members (including the Everyone group). This Change-Permissions permission is independent of folder content and visibility permissions. Once granted, this permission is implicitly inherited by all subfolders. Removing or overriding an implicitly granted Change-Permission permission from a subfolder is not possible.

Permission precedence level

The concept of permission precedence level is used when evaluating a user's or group's effective permission level in accessing a folder and its contents. Many users belong to multiple ClearQuest groups and subgroups, and a subgroup itself can have many levels of parentage. If membership in those different groups, and the rules of group permission inheritance, would result in the user or group being granted multiple different permission levels for a particular folder and its contents, then the effective permission level is determined by permission precedence.

The precedence of permissions, from highest to lowest, is:
  • Read-Limited
  • Read-Write
  • Read-Only
  • No-Access
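
The following Python model is an added example, not ClearQuest code or API. It applies the precedence list above to a constructed ACL, along with the parent-folder rename rule and Change-Permissions inheritance described earlier. Folder paths, group names and function names are all hypothetical. It assumes the user's group set is already flattened and evaluates only ACEs set directly on the folder.

```python
# Illustrative model only; not ClearQuest code or API. All names are constructed.
PRECEDENCE = ["Read-Limited", "Read-Write", "Read-Only", "No-Access"]  # highest first

# Constructed sample: folder -> {group: content permission}, one ACE per group.
ACLS = {
    "/Public Queries": {"Everyone": "Read-Only", "Leads": "Read-Write"},
    "/Public Queries/Security": {"Contractors": "No-Access", "Leads": "Read-Write",
                                 "Auditors": "Read-Limited"},
}
# Constructed sample: folder -> groups granted Change-Permissions on it.
CHANGE_PERMS = {"/Public Queries": {"Admins"}}

def effective(folder, groups):
    """Highest-precedence content permission among ACEs matching the user's groups.
    Assumption: `groups` is already flattened (nested parentage resolved) and only
    ACEs set on `folder` itself are considered. Returns None when no ACE matches."""
    hits = [p for g, p in ACLS.get(folder, {}).items() if g in groups]
    return min(hits, key=PRECEDENCE.index) if hits else None

def parent(folder):
    head = folder.rsplit("/", 1)[0]
    return head or None  # a top-level folder has no parent in this model

def can_rename(folder, groups):
    """A subfolder is an item of its parent, so the parent's permission decides."""
    p = parent(folder)
    return p is not None and effective(p, groups) == "Read-Write"

def can_change_permissions(folder, groups):
    """Change-Permissions is implicitly inherited by every subfolder."""
    while folder:
        if CHANGE_PERMS.get(folder, set()) & set(groups):
            return True
        folder = parent(folder)
    return False

def overridden_no_access(folder, groups):
    """Audit helper: groups whose No-Access ACE is outranked for this user."""
    eff = effective(folder, groups)
    return sorted(g for g, p in ACLS.get(folder, {}).items()
                  if g in groups and p == "No-Access" and eff != "No-Access")
```

Because No-Access has the lowest precedence, it is not a deny override: in this model, a user who is in both Contractors and Leads ends up with Read-Write on the Security folder, which `overridden_no_access` reports.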

