How to restrict VOB read access in ClearCase (Windows Server)?


Problem description

I have been asked to look at how to restrict read access on certain VOBs in ClearCase, for compliance reasons (so this needs to be auditable, etc, etc...). I have found a solution so far, that I will post here, but I still have questions, so any help would be appreciated. Especially as the devil is in the details, I think.

For ease of argument, let's say we have 3 VOBs, and 3 groups:


  • gA and gB are two special groups, all other CC users are in gC, which is the default CC group
  • VOB vA, is read/write access to group gA, and restricted to everybody else
  • VOB vB, is read/write access to group gB, read access to group gA, and restricted to everybody else
  • VOB vC, is read/write access to everybody

Unanswered questions:

  • What is the impact of having different Domain groups for CC users? When people log in, their ClearCase group is picked up by the user variable CLEARCASE_PRIMARY_GROUP. If they are from gA and are working normally in vA, this variable will be set to gA, but if they need to change something in vC, I bet that the group ownership of their files/versions in vC will stay gA if they don't do anything about it. Objects in vC will end up having group-belonging to gA, gB, gC. Can that be a problem?

I am not even sure it is possible to set up ACLs properly on vB without in fact creating a new group, gA', containing people from both gA and gB, am I right?

It seems to me the difficulty here is not technical, but rather lies in the process for giving certain people access to the proper groups, and that the CM team should stay away from this (and leave that to be decided by the Security Department and the development teams involved). Does anyone have any experience in this matter?

It seems that it is possible to use ClearCase Regions to achieve the same effect. How would that work?

Best regards,
Thomas

Recommended answer

So far, I have found this answer from the IBM developerWorks forums:

(edited)



  1. Create two additional Domain groups for the teams

Add the appropriate new Domain group to each ClearCase user's groups profile (in addition to the gC group membership they already have). You'll want the vobadmin account to be a member of both these new groups.

Change the group ownership of the VOBs accordingly:

    cleartool protectvob -chgrp group_name <\\..vob.vbs>

  • gA for vA
  • gB for vB
  • gC for all other VOBs (it should already be the case)

Remove the "other groups" permissions from the root element of the vA and vB VOBs:

    cleartool protect -chmod 770 <vob-tag-name>

You can also do this by using CC Explorer: right-click on the VOB in any view and select "Properties of Element". There's no need to re-protect the entire VOB (Note: this is important for me, because reprotecting the whole VOB takes a long time, and I have more than 200 VOBs here).

Now, only members of the gA group will have access to the vA VOB.
Only members of the gB group will have access to the vB VOB.
Everybody is a member of the gC group so everybody will have access to all other VOBs.

Note that you will want to set the CLEARCASE_PRIMARY_GROUP environment variable for a particular user if you want newly created objects by that user to be owned by a group different from that user account's Primary Group as it is set in the Domain Controller.
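
As an added illustration that is not part of the original question or the IBM forum answer, the sketch below models the 770 setup with a simplified owner/group/other check and compares it with the access the question asks for; it reports that gA members cannot read vB, which is the doubt raised in the question. The user names, the vC mode and the Unix-style evaluation order are assumptions, not ClearCase's own logic.

```python
# Added example: simplified owner/group/other model, not ClearCase's own code.
from dataclasses import dataclass

READ = 4  # read bit inside one octal permission digit


@dataclass(frozen=True)
class Vob:
    tag: str
    owner: str  # VOB owner account
    group: str  # group set with "protectvob -chgrp"
    mode: int   # root element mode set with "protect -chmod", e.g. 0o770


def can_read(user, groups, vob):
    """Assumed Unix-style rule: first matching class wins (owner, group, other)."""
    if user == vob.owner:
        digit = (vob.mode >> 6) & 7
    elif vob.group in groups:
        digit = (vob.mode >> 3) & 7
    else:
        digit = vob.mode & 7
    return bool(digit & READ)


def audit(vobs, users, required):
    """Return (tag, user, expected, actual) wherever access differs from the requirement."""
    gaps = []
    for vob in vobs:
        for user, groups in users.items():
            expected = bool(groups & required[vob.tag])
            actual = can_read(user, groups, vob)
            if expected != actual:
                gaps.append((vob.tag, user, expected, actual))
    return gaps


# Constructed sample data following the question's scenario; user names are hypothetical.
VOBS = [Vob("vA", "vobadmin", "gA", 0o770),
        Vob("vB", "vobadmin", "gB", 0o770),
        Vob("vC", "vobadmin", "gC", 0o775)]  # vC mode is assumed, the page does not give it
USERS = {"alice": {"gA", "gC"}, "bob": {"gB", "gC"}, "carol": {"gC"},
         "vobadmin": {"gA", "gB", "gC"}}
# Groups the question wants to be able to read each VOB.
REQUIRED = {"vA": {"gA"}, "vB": {"gA", "gB"}, "vC": {"gA", "gB", "gC"}}

if __name__ == "__main__":
    for gap in audit(VOBS, USERS, REQUIRED):
        print("mismatch (vob, user, expected, actual):", gap)
```

The same table can serve as the expected-access record for an audit: regenerate it from the current group memberships and compare it with what users can actually open.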
