defaria.com/blogs/Status/2004/07/permissions-tri.html

   1 <!DOCTYPE html>
   2 <html lang="en-us" itemscope itemtype="http://schema.org/Article">
   3   <head>
   4     <meta charset="utf-8">
   5     <meta name="description" content="I've given the "permissions trigger" some thought and would like to formalize the requirements a bit. The new trigger will have the following characteristics: Since multiple groups will be allowed write access to the vob they will need to be...">
   6     <meta name="generator" content="Movable Type 5.2.3">
   7     <title>Permissions Trigger - Status</title>
   8     <link rel="alternate" type="application/atom+xml" title="Recent Entries" href="http://defaria.com/blogs/Status/atom.xml">
   9     <link rel="canonical" href="http://defaria.com/blogs/Status/2004/07/permissions-tri.html">
  10     <meta name="viewport" content="width=device-width,initial-scale=1">
  11     <link rel="stylesheet" href="http://defaria.com/blogs/Status/styles.css">
  12     <!--[if lt IE 9]>
  13     <link rel="stylesheet" href="http://defaria.com/blogs/Status/styles_ie.css">
  14     <script src="/mt/mt-static/support/theme_static/rainier/js/html5shiv.js"></script>
  15     <![endif]-->
  16
  17     <link rel="start" href="http://defaria.com/blogs/Status/">
  18
  19     <link rel="prev" href="http://defaria.com/blogs/Status/2004/07/ttebucs.html" title="TTE/BUCS">
  20     <link rel="next" href="http://defaria.com/blogs/Status/2004/07/permissions-tri-1.html" title="Permissions Trigger">
  21     <!-- Open Graph Protocol -->
  22     <meta property="og:type" content="article">
  23     <meta property="og:locale" content="en-us">
  24     <meta property="og:title" content="Permissions Trigger">
  25     <meta property="og:url" content="http://defaria.com/blogs/Status/2004/07/permissions-tri.html">
  26     <meta property="og:description" content="I've given the &quot;permissions trigger&quot; some thought and would like to formalize the requirements a bit. The new trigger will have the following characteristics: Since multiple groups will be allowed write access to the vob they will need to be...">
  27     <meta property="og:site_name" content="Status">
  28     <meta property="og:image" content="/mt/mt-static/support/theme_static/rainier/img/siteicon-sample.png">
  29     <!-- Metadata -->
  30     <meta itemprop="description" content="I've given the "permissions trigger" some thought and would like to formalize the requirements a bit. The new trigger will have the following characteristics: Since multiple groups will be allowed write access to the vob they will need to be...">
  31     <link itemprop="url" href="http://defaria.com/blogs/Status/2004/07/permissions-tri.html">
  32     <link itemprop="image" href="/mt/mt-static/support/theme_static/rainier/img/siteicon-sample.png">
  33
  34   </head>
  35   <body>
  36     <div id="container">
  37       <div id="container-inner">
  38         <header id="header" role="banner">
  39           <div id="header-inner">
  40             <div id="header-content">
  41               <h1>
  42                 <a href="http://defaria.com/blogs/Status/">
  43
  44                   Status
  45
  46                 </a>
  47               </h1>
  48
  49             </div>
  50
  51             <nav role="navigation">
  52           <ul>
  53             <li><a href="http://defaria.com/blogs/Status/">Home</a></li>
  54
  55
  56           </ul>
  57         </nav>
  58
  59           </div>
  60         </header>
  61         <div id="content">
  62           <div id="content-inner">
  63             <ul class="breadcrumb breadcrumb-list">
  64               <li class="breadcrumb-list-item"><a href="http://defaria.com/blogs/Status/">Home</a></li>
  65               <li class="breadcrumb-list-item">Permissions Trigger</li>
  66             </ul>
  67             <div id="individual-main" class="main" role="main">
  68               <article id="entry-1489" class="entry entry-asset asset hentry">
  69                 <div class="asset-header">
  70                   <h2 itemprop="name" class="asset-name entry-title">Permissions Trigger</h2>
  71                   <footer class="asset-meta">
  72                     <ul class="asset-meta-list">
  73                       <li class="asset-meta-list-item">Posted on <time datetime="2004-07-19T15:07:12-08:00" itemprop="datePublished">July 19, 2004</time></li>
  74                       <li class="asset-meta-list-item">by <span class="author entry-author vcard"></span></li>
  75
  76
  77                       <li class="asset-meta-list-item">in <a itemprop="articleSection" rel="tag" href="http://defaria.com/blogs/Status/ameriquest/">Ameriquest</a></li>
  78
  79
  80                    </ul>
  81                 </footer>
  82                 </div>
  83                 <div class="entry-content asset-content" itemprop="articleBody">
  84                   <p>I've given the "permissions trigger" some thought and would like to formalize the requirements a bit. The new trigger will have the following characteristics:</p>
  85
  86 <ul>
  87
  88 <li>Since multiple groups will be allowed write access to the vob they will need to be added as additional groups on the vob group list. </li>
  89
  90 <li>Determination of what users get additional write capability will be on Active Directory groups. IOW you can grant write access to say the CC-PMO group but not specifically to Mike Hrenko who is a member of the CC-PMO group. Additionally CC-PMO would need to appear on the vob group list in this example.</li>
  91
  92 <li>The trigger will use CLEARCASE_PRIMARY_GROUP to determine what group the user is. This avoids having to do LDAP lookups and it's the way that Clearcase does it anyway. CLEARCASE_PRIMARY_GROUP will not be used verbatim - if it were then anybody would "fake" out the trigger by merely setting CLEARCASE_PRIMARY_GROUP. Instead "creds" will be called to ascertain the effective primary group.</li>
  93
  94 <li>A permissions element will be created that will contain a list of groups, one per line, that are allowed write access from this folder downward. The vob's initial or primary group owner (CC-TTE in the case of Core_automation) will always have write permission. Furthermore the permissions element should be secured such that only vob's primary group owner can modify it. Otherwise other groups could easily modify the permissions element thus granting write permissions to arbitrary groups.</li>
  95
  96 </ul>
  97
  98 <p>Let's see an example of how this will work and how the trigger will respond. Let's assume the following directory structure:</p>
  99
 100 <blockquote>
 101   Core_automation
 102   <blockquote>
 103     Empower <font color="#eeeeee">CC-EAG-AS, CC-EAG-ESB</font>
 104     <blockquote>
 105       Functions <font color="#eeeeee">CC-EAG-VIP</font><br>
 106       Results <font color="#eeeeee">CC-EAG-VMS</font><br>
 107       Common
 108     </blockquote>
 109   </blockquote>
 110 </blockquote>
 111
 112 <p>Further let's assume that the permissions element is at the Empower level and contains the groups CC-EAG-AS and CC-EAG-ESB. This says that those two groups (as well as CC-TTE as primary group owners of the vob) have write permission (the ability to checkout) elements from Core_automation/Empower downward. Additionally let's say that we have a permissions element at Empower/Functions that lists CC-EAG-VIP and Empower/Results has a permissions element that lists CC-EAG-VMS. The following can be said:</p>
 113
 114 <ul>
 115
 116 <li>Members of CC-EAG-AS and CC-EAG-ESB have write permissions to Empower, Empower/Functions, Empower/Results and Empower/Common. Further, if new folders are created under Empower, CC-EAG-AS and CC-EAG-ESB will have write permissions to those new folders as well (IOW the write permissions are inherited by new folders that are created)</li>
 117
 118 <li>Members of CC-EAG-VIP have write permissions to Empower/Functions and any new folders created under Functions, but they do not have write permissions to Empower/Results nor Empower/Common. Similarly CC-EAG-VMS has write permissions to Empower/Results but not to Empower/Functions nor Empower/Common</li>
 119
 120 </ul>
 121
 122 <p>The pseudo code for the trigger is roughly as follows. Note that the trigger gets fired during checkout of an element only (it is assumed if the user successfully checked out the element then, at the time, he had write permissions and should be allowed to check in the element):</p>
 123
 124 <div class="code">
 125 <pre>
 126 $vob_group_owner = GetGroupOwner (vob)
 127 $current_group   = GetCurrentGroup (CLEARCASE_PRIMARY_GROUP as per "creds")
 128
 129 if (permissions element exists in the current folder) {
 130   if (IsAMember (Parse ($permissions_element), $current_group) {
 131     &lt;<i>allow checkout</i>&gt;
 132   } else {
 133     &lt;<i>recurse to check parent folder stopping at vob root</i>&gt;
 134     &lt;<i>disallow checkout</i>&gt;
 135   }
 136 }
 137 </pre>
 138 </div>
 139
 140                 </div>
 141                 <nav class="page-navigation entry-navigation pagination content-nav">
 142                   <ul class="page-navigation-list">
 143
 144                     <li class="page-navigation-list-item page-navigation-prev"><a rel="prev" href="http://defaria.com/blogs/Status/2004/07/ttebucs.html" title="TTE/BUCS">Previous entry</a></li>
 145
 146
 147                     <li class="page-navigation-list-item page-navigation-next"><a rel="next" href="http://defaria.com/blogs/Status/2004/07/permissions-tri-1.html" title="Permissions Trigger">Next entry</a></li>
 148
 149                   </ul>
 150                 </nav>
 151                 <!--
 152 <aside id="zenback" class="zenback feedback">
 153   Please paste Zenback script code here.
 154 </aside>
 155 -->
 156
 157
 158               </article>
 159             </div>
 160             <aside class="widgets related" role="complementary">
 161               <nav class="widget-search widget">
 162   <div class="widget-content">
 163     <form method="get" id="search" action="http://defaria.com/mt/mt-search.cgi">
 164       <div>
 165         <input type="text" name="search" value="" placeholder="Search...">
 166
 167         <input type="hidden" name="IncludeBlogs" value="8">
 168
 169         <input type="hidden" name="limit" value="20">
 170         <button type="submit" name="button">
 171           <img alt="Search" src="/mt/mt-static/support/theme_static/rainier/img/search-icon.png">
 172         </button>
 173       </div>
 174     </form>
 175   </div>
 176 </nav>
 177 <nav class="widget-archive-category widget">
 178   <h3 class="widget-header">Categories</h3>
 179   <div class="widget-content">
 180
 181
 182     <ul class="widget-list">
 183
 184
 185       <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/ameriquest/">Ameriquest (99)</a>
 186
 187
 188       </li>
 189
 190
 191
 192
 193       <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/audience/">Audience (3)</a>
 194
 195
 196       </li>
 197
 198
 199
 200
 201       <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/broadcom/">Broadcom (76)</a>
 202
 203
 204       </li>
 205
 206
 207
 208
 209       <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/gpdb/">GPDB (35)</a>
 210
 211
 212       </li>
 213
 214
 215
 216
 217       <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/general-dynamics/">General Dynamics (61)</a>
 218
 219
 220       </li>
 221
 222
 223
 224
 225       <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/general-electric/">General Electric (13)</a>
 226
 227
 228       </li>
 229
 230
 231
 232
 233       <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/hewlett-packard/">Hewlett Packard (13)</a>
 234
 235
 236       </li>
 237
 238
 239
 240
 241       <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/lynuxworks/">LynuxWorks (162)</a>
 242
 243
 244       </li>
 245
 246
 247
 248
 249       <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/pqa/">PQA (35)</a>
 250
 251
 252       </li>
 253
 254
 255
 256
 257       <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/salira/">Salira (79)</a>
 258
 259
 260       </li>
 261
 262
 263
 264
 265       <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/tellabs/">Tellabs (2)</a>
 266
 267
 268       </li>
 269
 270
 271
 272
 273       <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/texas-instruments/">Texas Instruments (31)</a>
 274
 275
 276       </li>
 277
 278     </ul>
 279
 280
 281   </div>
 282 </nav>
 283
 284
 285 <nav class="widget-archive-dropdown widget">
 286   <h3 class="widget-header">Archives</h3>
 287   <div class="widget-content">
 288     <select>
 289       <option>Select a Month...</option>
 290
 291       <option value="http://defaria.com/blogs/Status/2016/02/">February 2016</option>
 292
 293
 294
 295       <option value="http://defaria.com/blogs/Status/2014/09/">September 2014</option>
 296
 297
 298
 299       <option value="http://defaria.com/blogs/Status/2014/04/">April 2014</option>
 300
 301
 302
 303       <option value="http://defaria.com/blogs/Status/2014/03/">March 2014</option>
 304
 305
 306
 307       <option value="http://defaria.com/blogs/Status/2013/02/">February 2013</option>
 308
 309
 310
 311       <option value="http://defaria.com/blogs/Status/2012/09/">September 2012</option>
 312
 313
 314
 315       <option value="http://defaria.com/blogs/Status/2012/08/">August 2012</option>
 316
 317
 318
 319       <option value="http://defaria.com/blogs/Status/2012/05/">May 2012</option>
 320
 321
 322
 323       <option value="http://defaria.com/blogs/Status/2012/04/">April 2012</option>
 324
 325
 326
 327       <option value="http://defaria.com/blogs/Status/2012/02/">February 2012</option>
 328
 329
 330
 331       <option value="http://defaria.com/blogs/Status/2012/01/">January 2012</option>
 332
 333
 334
 335       <option value="http://defaria.com/blogs/Status/2011/10/">October 2011</option>
 336
 337
 338
 339       <option value="http://defaria.com/blogs/Status/2011/07/">July 2011</option>
 340
 341
 342
 343       <option value="http://defaria.com/blogs/Status/2010/09/">September 2010</option>
 344
 345
 346
 347       <option value="http://defaria.com/blogs/Status/2010/08/">August 2010</option>
 348
 349
 350
 351       <option value="http://defaria.com/blogs/Status/2010/04/">April 2010</option>
 352
 353
 354
 355       <option value="http://defaria.com/blogs/Status/2010/03/">March 2010</option>
 356
 357
 358
 359       <option value="http://defaria.com/blogs/Status/2010/02/">February 2010</option>
 360
 361
 362
 363       <option value="http://defaria.com/blogs/Status/2009/05/">May 2009</option>
 364
 365
 366
 367       <option value="http://defaria.com/blogs/Status/2009/04/">April 2009</option>
 368
 369
 370
 371       <option value="http://defaria.com/blogs/Status/2008/07/">July 2008</option>
 372
 373
 374
 375       <option value="http://defaria.com/blogs/Status/2008/05/">May 2008</option>
 376
 377
 378
 379       <option value="http://defaria.com/blogs/Status/2008/04/">April 2008</option>
 380
 381
 382
 383       <option value="http://defaria.com/blogs/Status/2008/03/">March 2008</option>
 384
 385
 386
 387       <option value="http://defaria.com/blogs/Status/2008/02/">February 2008</option>
 388
 389
 390
 391       <option value="http://defaria.com/blogs/Status/2008/01/">January 2008</option>
 392
 393
 394
 395       <option value="http://defaria.com/blogs/Status/2007/12/">December 2007</option>
 396
 397
 398
 399       <option value="http://defaria.com/blogs/Status/2007/11/">November 2007</option>
 400
 401
 402
 403       <option value="http://defaria.com/blogs/Status/2007/10/">October 2007</option>
 404
 405
 406
 407       <option value="http://defaria.com/blogs/Status/2007/09/">September 2007</option>
 408
 409
 410
 411       <option value="http://defaria.com/blogs/Status/2007/08/">August 2007</option>
 412
 413
 414
 415       <option value="http://defaria.com/blogs/Status/2007/07/">July 2007</option>
 416
 417
 418
 419       <option value="http://defaria.com/blogs/Status/2007/06/">June 2007</option>
 420
 421
 422
 423       <option value="http://defaria.com/blogs/Status/2007/05/">May 2007</option>
 424
 425
 426
 427       <option value="http://defaria.com/blogs/Status/2007/04/">April 2007</option>
 428
 429
 430
 431       <option value="http://defaria.com/blogs/Status/2007/03/">March 2007</option>
 432
 433
 434
 435       <option value="http://defaria.com/blogs/Status/2007/01/">January 2007</option>
 436
 437
 438
 439       <option value="http://defaria.com/blogs/Status/2006/12/">December 2006</option>
 440
 441
 442
 443       <option value="http://defaria.com/blogs/Status/2006/11/">November 2006</option>
 444
 445
 446
 447       <option value="http://defaria.com/blogs/Status/2006/10/">October 2006</option>
 448
 449
 450
 451       <option value="http://defaria.com/blogs/Status/2006/09/">September 2006</option>
 452
 453
 454
 455       <option value="http://defaria.com/blogs/Status/2006/07/">July 2006</option>
 456
 457
 458
 459       <option value="http://defaria.com/blogs/Status/2006/06/">June 2006</option>
 460
 461
 462
 463       <option value="http://defaria.com/blogs/Status/2006/05/">May 2006</option>
 464
 465
 466
 467       <option value="http://defaria.com/blogs/Status/2006/04/">April 2006</option>
 468
 469
 470
 471       <option value="http://defaria.com/blogs/Status/2006/03/">March 2006</option>
 472
 473
 474
 475       <option value="http://defaria.com/blogs/Status/2006/02/">February 2006</option>
 476
 477
 478
 479       <option value="http://defaria.com/blogs/Status/2006/01/">January 2006</option>
 480
 481
 482
 483       <option value="http://defaria.com/blogs/Status/2005/12/">December 2005</option>
 484
 485
 486
 487       <option value="http://defaria.com/blogs/Status/2005/11/">November 2005</option>
 488
 489
 490
 491       <option value="http://defaria.com/blogs/Status/2005/10/">October 2005</option>
 492
 493
 494
 495       <option value="http://defaria.com/blogs/Status/2005/09/">September 2005</option>
 496
 497
 498
 499       <option value="http://defaria.com/blogs/Status/2005/08/">August 2005</option>
 500
 501
 502
 503       <option value="http://defaria.com/blogs/Status/2005/07/">July 2005</option>
 504
 505
 506
 507       <option value="http://defaria.com/blogs/Status/2005/06/">June 2005</option>
 508
 509
 510
 511       <option value="http://defaria.com/blogs/Status/2005/05/">May 2005</option>
 512
 513
 514
 515       <option value="http://defaria.com/blogs/Status/2005/04/">April 2005</option>
 516
 517
 518
 519       <option value="http://defaria.com/blogs/Status/2005/03/">March 2005</option>
 520
 521
 522
 523       <option value="http://defaria.com/blogs/Status/2005/02/">February 2005</option>
 524
 525
 526
 527       <option value="http://defaria.com/blogs/Status/2005/01/">January 2005</option>
 528
 529
 530
 531       <option value="http://defaria.com/blogs/Status/2004/12/">December 2004</option>
 532
 533
 534
 535       <option value="http://defaria.com/blogs/Status/2004/09/">September 2004</option>
 536
 537
 538
 539       <option value="http://defaria.com/blogs/Status/2004/08/">August 2004</option>
 540
 541
 542
 543       <option value="http://defaria.com/blogs/Status/2004/07/">July 2004</option>
 544
 545
 546
 547       <option value="http://defaria.com/blogs/Status/2004/06/">June 2004</option>
 548
 549
 550
 551       <option value="http://defaria.com/blogs/Status/2004/05/">May 2004</option>
 552
 553
 554
 555       <option value="http://defaria.com/blogs/Status/2004/04/">April 2004</option>
 556
 557
 558
 559       <option value="http://defaria.com/blogs/Status/2004/03/">March 2004</option>
 560
 561
 562
 563       <option value="http://defaria.com/blogs/Status/2004/02/">February 2004</option>
 564
 565
 566
 567       <option value="http://defaria.com/blogs/Status/2004/01/">January 2004</option>
 568
 569
 570
 571       <option value="http://defaria.com/blogs/Status/2003/12/">December 2003</option>
 572
 573
 574
 575       <option value="http://defaria.com/blogs/Status/2003/11/">November 2003</option>
 576
 577     </select>
 578   </div>
 579 </nav>
 580
 581
 582
 583 <div class="widget-syndication widget section">
 584   <div class="widget-content">
 585     <p><img src="http://defaria.com/mt/mt-static/images/status_icons/feed.gif" alt="Subscribe to feed" width="9" height="9" /> <a href="http://defaria.com/blogs/Status/atom.xml">Subscribe to this blog's feed</a></p>
 586
 587   </div>
 588 </div>
 589
 590             </aside>
 591           </div>
 592         </div>
 593         <footer id="footer" role="contentinfo">
 594           <div id="footer-inner">
 595             <div id="footer-content">
 596   <nav role="navigation">
 597           <ul>
 598             <li><a href="http://defaria.com/blogs/Status/">Home</a></li>
 599
 600
 601           </ul>
 602         </nav>
 603
 604   <p class="license">&copy; Copyright 2016.</p>
 605   <p class="poweredby">Powered by <a href="http://www.movabletype.org/">Movable Type</a></p>
 606 </div>
 607           </div>
 608         </footer>
 609       </div>
 610     </div>
 611     <script src="http://defaria.com/mt/mt-static/jquery/jquery.min.js"></script>
 612     <script src="http://defaria.com/blogs/Status/mt-theme-scale2.js"></script>
 613   </body>
 614 </html>