I have been asked to look at how to restrict read access on certain VOBs in ClearCase, for compliance reasons (so this needs to be auditable, etc, etc…). I have found a solution so far, that I will post here, but I still have questions, so any help would be appreciated. Especially as the devil is in the details, I think.

For ease of argument, let say we have 3 VOBs, and 3 groups:

• gA and gB are two special group, all other CC users are in gC, which is the default CC group
• VOB vA, is read/write access to group gA, and restricted to everybody else
• VOB vB, is read/write access to group gB, read access to group gA, and restricted to everybody else
• VOB vC, is read/write access to everybody

Unaswered questions:

• What is the impact in having different Domain groups for CC users ? When people log, their clearcase group is picked-up by the user variable CLEARCASE_PRIMARY_GROUP. If they are from gA and are working normally in vA, this variable will be set up to gA, but if they need to change something in vC, I bet that the group ownership of their files/versions in vC will stay gA if they don’t do anything about it. Objects in vC will end up having group-belonging to gA, gB, gC. Can that be a problem ?

• I am not even sure it is possible to set up ACLs properly on vB without in fact creating a new group, gA’ containing people from both gA and gB, am I right ?

• It seems to me the difficulty here is not technical, but rather that in the process for giving access to certain people to the proper groups, and that the CM team should stay away from this (and leave that to be decided by the Security Department and the development teams involved). Anyone has any experience in this matter ?

• It seems that it is possible to use ClearCase Regions to achieve the same effect. How would that work ?

Best regards,

Thomas