This topic describes concepts critical to understanding how folder
permissions are inherited in ClearQuest.
Understanding permission inheritance in IBM Rational® ClearQuest® is key
to developing a robust workspace folder access control policy.
Baseline permissions; the Everyone group
In addition to user groups defined by project or location, the workspace
folder permissions feature makes use of a predefined 'universal' group
called Everyone, which contains every Rational ClearQuest user.
This group is used to establish a baseline permission from which modifications
can then be applied. For example, the default permission set by ClearQuest
for the Public Queries folder is Read-Only for all users. Use the Everyone
group to change default behavior without having to create and manage an explicit
group.
Inheritance by group and subgroup
Just as permissions are defined for groups rather than for individuals,
the permission inheritance model depends on a user's group and subgroup
memberships.
It is important to note that a folder administrator can assign
different permissions to a folder for a group and its subgroup. If a user
is a member of both a group and its subgroup, and the group and subgroup have
different access to the folder (for example, Read-Write versus Read-Only),
the user's access is always determined by the subgroup access.
On the other hand, if a user is a direct member of multiple groups which
are not subgroups of each other, and the groups have differing access
levels, the user's access is determined by the group whose permission has
the highest precedence level.
Inheritance by folder and subfolder
By default, a subfolder inherits the permissions of its parent folder.
A group's Public Folder Administrator
can override the inherited permissions for his or her own groups by specifically
assigning different permissions to the subfolder. If the permissions on a
subfolder are overridden, and the subfolder itself has subfolders, its subfolders
by default inherit the permissions that were set as overrides to the default
inherited permissions. The Security Administrator and Public Folder Administrator
can access any folder or subfolder no matter what permission is assigned to
the folder.
Effective permissions
The term effective permission can be understood in two ways, relating to
either a group's access to a particular folder, or to an individual user's
access.
The effective permission for a group on a particular folder is:
- The explicit applied permission for that group to that folder, if there
is one
- If there is no explicit applied permission, evaluate each group parentage
level for an applied permission. The closest group parentage level that has
an applied permission determines the effective permission. If there is more
than one applied permission at this group parentage level, the effective permission
is the highest precedence applied permission. For purposes of determining
parentage level, the Everyone group is considered to be the most distant parentage
level.
- Otherwise, the effective permission is the same as the effective permission
for the group on the parent folder. If there is no parent folder (for example,
when dealing with the top-level Public Queries folder), the effective
permission is the default (usually Read-Only).
The effective permission for a user on a particular folder is:
- The highest precedence applied permission to that folder among the groups
the user is a member of, if there is one
- If there is no explicit applied permission, evaluate each of the user's
group parentage levels for an applied permission. The closest group parentage
level that has an applied permission determines the effective permission.
If there is more than one applied permission at this group parentage level,
the effective permission is the highest precedence applied permission. For
purposes of determining parentage level, the Everyone group is considered
to be the most distant parentage level.
- Otherwise, the effective permission is the same as the effective permission
for the user on the parent folder. If there is no parent folder (for example,
when dealing with the top-level Public Queries folder), the effective
permission is the default (usually Read-Only).
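The user-level rules above, together with the subgroup-over-group rule from "Inheritance by group and subgroup", can be modelled as follows. This is an added example, not IBM's code or a ClearQuest API: the group names, subfolder names, applied permissions and the precedence order (Read-Write above Read-Only) are all assumptions made for illustration.

```python
# Added example: a constructed model of the rules above, not ClearQuest code.
PRECEDENCE = ["Read-Only", "Read-Write"]  # assumed order, lowest to highest
DEFAULT = "Read-Only"                     # default named on the page

# Constructed sample data: group -> parent groups, folder -> parent folder.
PARENT_GROUPS = {"Dev": ["Engineering"], "QA": ["Engineering"],
                 "Engineering": [], "Docs": []}
PARENT_FOLDER = {"Public Queries": None,
                 "Public Queries/Dev": "Public Queries",
                 "Public Queries/Dev/Sprint": "Public Queries/Dev"}
APPLIED = {  # (folder, group) -> explicitly applied permission
    ("Public Queries", "Everyone"): "Read-Only",
    ("Public Queries/Dev", "Engineering"): "Read-Write",
    ("Public Queries/Dev", "Dev"): "Read-Only",
    ("Public Queries/Dev", "Docs"): "Read-Write",
}

def ancestors(group):
    """All groups above `group` in the parentage graph."""
    seen, stack = set(), list(PARENT_GROUPS.get(group, []))
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(PARENT_GROUPS.get(g, []))
    return seen

def effective(user_groups, folder):
    """Effective permission for a user with these direct group memberships."""
    if folder is None:                       # above the top-level folder
        return DEFAULT
    # Subgroup beats group: a direct group that is an ancestor of another
    # direct group is only considered at its parentage level.
    shadowed = set().union(*(ancestors(g) for g in user_groups))
    level, seen = set(user_groups) - shadowed, set()
    while level:                             # closest parentage level first
        perms = [APPLIED[(folder, g)] for g in level if (folder, g) in APPLIED]
        if perms:                            # several at one level: highest wins
            return max(perms, key=PRECEDENCE.index)
        seen |= level
        level = {p for g in level for p in PARENT_GROUPS.get(g, [])} - seen
    if (folder, "Everyone") in APPLIED:      # Everyone is the most distant level
        return APPLIED[(folder, "Everyone")]
    return effective(user_groups, PARENT_FOLDER[folder])  # inherit from parent
```

Running `effective(["Dev", "Engineering"], "Public Queries/Dev")` returns Read-Only even though Engineering has Read-Write, which is the case to check when auditing why a user has narrower or wider access than a parent group suggests.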
Timing considerations
Updates to folder permissions for a user group or subgroup take effect
within the current Rational ClearQuest session
as soon as the folder administrator makes the update, even before the change
is uploaded to the central user database. Within the same replica as the current
session, updates take effect on all sessions started after the change has
been committed in the database. In other replicas, they take effect on sessions
started after the replicas have been synchronized with the replica containing
the current session and the synchronization is complete.
Because access changes take effect with a delay, users may be accessing
the database with less restrictive permissions than the administrator has
set for them for a period of time after the permissions have been changed
in the current session.