Developing workspace folder permission policies

In developing workspace folder permission policies for an installation of ClearQuest, the most important items to consider are: who has authority to set policies for the entire installation; who can set and change permissions on individual folders; what access levels should be set on different folders for different groups of users.
At V7.0.1, folder access control within IBM Rational® ClearQuest® is split between two types of administrators,

In addition, these administrators can delegate permission control over only specified folders by assigning the Change-Permission permission to a specified folder for a specified user group. Users in these groups will only be able to set permissions on sub-folders of their accessible folders.

In previous versions of the product, there was only one level of privilege, Public Folder Administrator, associated with control of Public Queries folders.

Overall policy; the 'security administrator' role

A 'Security Administrator,' as defined within the User Administration Tool, is responsible for managing folder permissions and setting up access control lists (ACLs) over the entire installation. He or she has the ability to set and/or change folder permissions for any folder within the installation, and has Read-Write access to all folders and subfolders.

The Security Administrator sets up the original folder permissions on folders directly under the Public Queries folder root to correspond to the needs of the user groups accessing each folder. The main difference between the security administrator and the Public Folder Administrators is that the Security Administrator has the ability to modify the permissions set on any folder for any group, while a Public Folder Administrator can modify the permission set on any folder only for groups of which he or she is a member.

Policy implementation; the public folder administrators

The Security Administrator selects Public Folder Administrators to manage group-level folder permissions. Each Public Folder Administrator is a member of one or more functional groups. For example, a Public Folder Administrator might be a member of the 'dev' (development) group, as well as the subgroup 'dev-gui'.

Based on the ClearQuest groups they belong to, different Public Folder Administrators set up the folder permissions for their groups. The Public Folder Administrator has access to any folder under the root Public Queries folder, but can only assign permissions for groups to which they belong.

In this way, Public Folder Administrators take on some work for the Security Administrator, by managing the folder permissions of their own groups, while the Security Administrator handles site security policy and issues.

Delegated permission setting; the Change-Permission applied to a specific user group

The Security Administrator or Public Folder Administrator can grant the Change-Permission permission to a specific user group on a set of specific folders. This allows a small set of users to self-manage their subfolder permission hierarchy. Members of this specified Change-Permission user group do not have the ability to access or set permissions outside of the specific subfolder hierarchy that the Security Administrator or Public Folder Administrator has established for them.
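The three levels of authority described above can be modelled as a single decision function. The following is an added example, not ClearQuest code or its API: the user names, group names, folder paths and the who_may_set function are constructed for illustration, and it assumes that a delegated group may set permissions for any group, but only on strict sub-folders of the folder where it holds Change-Permission.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

ROOT = PurePosixPath("Public Queries")  # folder root named on this page


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()
    security_admin: bool = False
    public_folder_admin: bool = False


def is_under(folder, ancestor, strict=False):
    """True if folder is ancestor or below it; strict excludes ancestor itself."""
    if folder == ancestor:
        return not strict
    return ancestor in folder.parents


def who_may_set(user, folder, target_group, grants):
    """Return the rule that lets `user` set `target_group`'s permission on
    `folder`, or "denied". `grants` maps a folder path to the set of groups
    holding Change-Permission on it (hypothetical structure)."""
    path = PurePosixPath(folder)
    if ".." in path.parts:  # unnormalized paths would defeat the ancestor checks
        return "denied"
    if user.security_admin:  # any folder, any group
        return "security-admin"
    if (user.public_folder_admin and is_under(path, ROOT)
            and target_group in user.groups):  # any folder, own groups only
        return "public-folder-admin"
    for granted, groups in grants.items():  # sub-folders of granted folders only
        if user.groups & groups and is_under(path, PurePosixPath(granted), strict=True):
            return "delegated"
    return "denied"


# Constructed sample data, not taken from any real installation
GRANTS = {"Public Queries/dev/gui": {"gui-leads"}}
ALICE = User("alice", security_admin=True)
BOB = User("bob", frozenset({"dev", "dev-gui"}), public_folder_admin=True)
CAROL = User("carol", frozenset({"gui-leads"}))

if __name__ == "__main__":
    print(who_may_set(BOB, "Public Queries/qa", "dev", GRANTS))   # own group
    print(who_may_set(BOB, "Public Queries/qa", "qa", GRANTS))    # foreign group
    print(who_may_set(CAROL, "Public Queries/dev/gui/widgets", "qa", GRANTS))
```

A model like this is useful for reviewing a planned group and folder layout before applying it: any request that returns "delegated" or "public-folder-admin" for a user who should not have that reach points to a grant placed too high in the hierarchy.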

Factors to consider when setting folder permissions

When setting up folders and assigning folder permissions, Security Administrators and Public Folder Administrators consider the following factors: