IBM® Rational® Change supports user-defined rules
to create, modify, and transition change requests based on user privileges
and CR attribute values. Additional security features are provided
through a combination of lifecycle and read/write security settings.
These security features provide a method to grant
or deny read and write access to a CR based on the group membership
of a user.
- Lifecycle security
- Lifecycle security defines which users have create, modify, and
transition permissions for a CR based on attribute values set on the
CR, the privileges of the user, or both. The privileges are defined
when specifying a security rule.
- For example, a security rule stating that a user must have
the assigner privilege to transition a CR from the entered state to
the assigned state defines the assigner privilege. Security rules
can also be based on the state or on a specific attribute of a CR.
For example: if the CR state is entered and the enterer
attribute is equal to the current user, the current user can modify
the synopsis, severity, and description attributes.
- Lifecycle security rules are defined using the Lifecycle Editor
and saved within a CR process definition file. Users are assigned
a set of privileges. These privileges are mapped to a CR by the lifecycle
definition, which ultimately controls creation, attribute modification,
and transition permissions for that user.

- Read/write security
- Read/write security defines which groups or individual users have
read permissions, write permissions, or both for a CR. This definition
is based on attribute values set on the CR and the current group membership
of the user.
- Unlike lifecycle security, which controls write access to individual
attributes on the CR, the read/write security write permission controls
general write access to the CR. Users are assigned to a set of groups,
which are associated with CR permissions by rules defined in an Access
Control List (ACL). ACLs provide the specific rules that are enforced
for the groups, users, or both that you specify.
- The read/write security rules are applied first to the CR. If
the user has write access, then the lifecycle security rules are applied,
which determine whether the user can transition the CR or modify specific
attributes.
- How lifecycle and read/write security work
- Lifecycle security and read/write security are complementary in
providing a comprehensive security solution:
- Read/write security determines read access to the CR.
- If a CR is readable, read/write security determines CR write access.
- If a CR is writable, lifecycle security determines:
  - Which creation (CR submission) forms are available
  - Which attributes are modifiable
  - Which transitions are available
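
The evaluation order described above, modeled as an added Python illustration (not IBM code and not Rational Change's configuration format). The group names, the `product` attribute, the ACL shape, and the default of no access when no ACL entry matches are assumptions; the two lifecycle rules are the examples quoted in the text.

```python
from dataclasses import dataclass, field

# Constructed ACL (hypothetical shape): CR "product" value -> group -> permissions.
ACL = {"payments": {"pay-dev": {"read", "write"}, "support": {"read"}}}
ENTERER_EDITABLE = {"synopsis", "severity", "description"}

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    privileges: set = field(default_factory=set)

@dataclass
class CR:
    state: str
    enterer: str
    product: str  # hypothetical attribute the sample ACL keys on

def rw_permissions(user, cr):
    """Read/write security: permissions granted through group membership."""
    perms = set()  # assumption: no matching ACL entry means no access
    for group, granted in ACL.get(cr.product, {}).items():
        if group in user.groups:
            perms |= granted
    return perms

def lifecycle_allows(user, cr, action, target):
    """The two example lifecycle rules quoted in the text."""
    if action == "modify":  # enterer may edit three attributes while 'entered'
        return (cr.state == "entered" and cr.enterer == user.name
                and target in ENTERER_EDITABLE)
    if action == "transition":  # entered -> assigned needs 'assigner'
        return (cr.state == "entered" and target == "assigned"
                and "assigner" in user.privileges)
    return False

def decide(user, cr, action, target=None):
    """Read/write security first; lifecycle rules only if the CR is writable."""
    perms = rw_permissions(user, cr)
    if "read" not in perms:
        return "deny: not readable"
    if action == "read":
        return "allow"
    if "write" not in perms:
        return "deny: not writable"
    if lifecycle_allows(user, cr, action, target):
        return "allow"
    return "deny: lifecycle rule"
```

In this model a user who holds the assigner privilege but belongs only to a read-only group is stopped at the read/write layer, so the lifecycle rule is never consulted.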