Permission inheritance

This topic describes concepts critical to understanding how folder permissions are inherited in ClearQuest.

Understanding permission inheritance in IBM Rational® ClearQuest® is key to developing a robust workspace folder access control policy.

Baseline permissions; the Everyone group

In addition to user groups defined by project or location, the workspace folder permissions feature makes use of a predefined 'universal' group called Everyone, which contains every Rational ClearQuest user. This group is used to establish a baseline permission from which modifications can then be applied. For example, the default permission set by ClearQuest for the Public Queries folder is Read-Only for all users. Use the Everyone group to change default behavior without having to create and manage an explicit group.

Inheritance by group and subgroup

Just as permissions are defined for groups rather than for individuals, the permission inheritance model depends on a user's group and subgroup memberships.

It is important to note that a folder administrator can assign different permissions to a folder for a group and its subgroup. If a user is a member of both a group and its subgroup, and the group and subgroup have different access to the folder (for example, Read-Write versus Read-Only), the user's access is always determined by the subgroup access.

On the other hand, if a user is a direct member of multiple groups which are not subgroups of each other, and the groups have differing access levels, the user's access is determined by the group whose permission has the highest precedence level.

Inheritance by folder and subfolder

By default, a subfolder inherits the permissions of its parent folder. A group's Public Folder Administrator can override the inherited permissions for his or her own groups by specifically assigning different permissions to the subfolder. If the permissions on a subfolder are overridden, and the subfolder itself has subfolders, its subfolders by default inherit the permissions that were set as overrides to the default inherited permissions. The Security Administrator and Public Folder Administrator can access any folder or subfolder no matter what permission is assigned to the folder.

Effective permissions

The term effective permission can be understood in two ways, relating to either a group's access to a particular folder, or to an individual user's access.

The effective permission for a group on a particular folder is:
  1. The explicit applied permission for that group to that folder, if there is one
  2. If there is no explicit applied permission, evaluate each group parentage level for an applied permission. The closest group parentage level that has an applied permission determines the effective permission. If there is more than one applied permission at this group parentage level, the effective permission is the highest precedence applied permission. For purposes of determining parentage level, the Everyone group is considered to be the most distant parentage level.
  3. Otherwise, the effective permission is the same as the effective permission for the group on the parent folder. If there is no parent folder (for example, when dealing with the top-level Public Queries folder), the effective permission is the default (usually Read-Only).
The effective permission for a user on a particular folder is:
  1. The highest precedence applied permission to that folder among the groups the user is a member of, if there is one
  2. If there is no explicit applied permission, evaluate each of the user's group parentage levels for an applied permission. The closest group parentage level that has an applied permission determines the effective permission. If there is more than one applied permission at this group parentage level, the effective permission is the highest precedence applied permission. For purposes of determining parentage level, the Everyone group is considered to be the most distant parentage level.
  3. Otherwise, the effective permission is the same as the effective permission for the user on the parent folder. If there is no parent folder (for example, when dealing with the top-level Public Queries folder), the effective permission is the default (usually Read-Only).
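
The three user-level rules above can be modelled in a few lines to check what a planned set of folder permissions will resolve to. This is an added example, not IBM code or a ClearQuest API: the folder and group names are constructed, the precedence order (Read-Write over Read-Only) is an assumption because this topic does not define it, and each user's memberships are assumed to be listed as their most specific groups.

```python
# Added example: a model of the user effective-permission rules in this topic.
PRECEDENCE = ["Read-Only", "Read-Write"]  # low -> high; ASSUMED order, not from the page
DEFAULT = "Read-Only"                     # the page says the default is usually Read-Only
EVERYONE = "Everyone"

def highest(perms):
    """Pick the highest-precedence permission from a non-empty list."""
    return max(perms, key=PRECEDENCE.index)

def parentage_levels(groups, parents):
    """Yield the user's own groups, then each group parentage level,
    ending with Everyone as the most distant level."""
    level, seen = set(groups) - {EVERYONE}, set()
    while level:
        yield level
        seen |= level
        level = {p for g in level for p in parents.get(g, ())} - seen - {EVERYONE}
    yield {EVERYONE}

def effective_user_permission(groups, folder, applied, parents, folder_parent):
    """applied: {(folder, group): permission}; parents: {group: [parent groups]};
    folder_parent: {folder: parent folder or None}."""
    while folder is not None:
        for level in parentage_levels(groups, parents):
            found = [applied[(folder, g)] for g in level if (folder, g) in applied]
            if found:                       # rules 1 and 2: closest level wins,
                return highest(found)       # ties broken by precedence
        folder = folder_parent.get(folder)  # rule 3: fall back to the parent folder
    return DEFAULT                          # no parent folder left

# Constructed sample data (hypothetical names).
FOLDER_PARENT = {"Public Queries": None, "Project A": "Public Queries",
                 "Triage": "Project A"}
PARENTS = {"QA": ["Engineering"]}           # QA is a subgroup of Engineering
APPLIED = {("Project A", "Engineering"): "Read-Write",
           ("Project A", "QA"): "Read-Only",
           ("Project A", "Docs"): "Read-Write"}

def check(groups, folder):
    return effective_user_permission(groups, folder, APPLIED, PARENTS, FOLDER_PARENT)

if __name__ == "__main__":
    for groups in (["QA"], ["Engineering"], ["QA", "Docs"], ["Sales"]):
        print(groups, "->", check(groups, "Triage"))
```

The `["QA", "Docs"]` case is the one to look for when reviewing a policy: a restrictive setting on a subgroup does not hold for a user who also belongs to an unrelated group with a higher-precedence permission on the same folder.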

Timing considerations

Updates to folder permissions for a user group or subgroup take effect within the current Rational ClearQuest session as soon as the folder administrator makes the update, even before the change is uploaded to the central user database. Within the same replica as the current session, updates take effect on all sessions started after the change has been committed in the database. In other replicas, they take effect on sessions started after the replicas have been synchronized with the replica containing the current session and the synchronization is complete.

Because access changes take time to become effective, users may be accessing the database with less restrictive permissions than the administrator has set for them for a period of time after the permissions have been changed in the current session.


