Rules definition

Once you have identified the groups and attributes, map out a set of rules, or access control lists (ACLs), that correspond to your security needs. An ACL is a collection of rules that control read and write permissions. Using ACLs, you can define specific rules for a group or groups of users.

Each ACL has three components:

Scope

Each rule must define the scope for the rule. In other words, to which CRs, tasks, or objects is this rule applicable? Unlike other applications that define an ACL on a specific object, IBM® Rational® Change defines one global ACL for all CRs, one for tasks, and one for objects.

However, each rule within the ACL applies only to a subset of those CRs, tasks, or objects. The scope is set by a simple equality statement, attribute = value, and every CR, task, or object that meets this condition is governed by the rule.

A default rule denies read/write access to all CRs, tasks, or objects that do not match any of the rules. The default rule can be modified as needed.

Permissions

Each rule must define the type of permission and whether to grant or deny this permission. If a user qualifies for both a grant and a deny rule, the deny rule is enforced. The available permissions are:

Users or groups

After defining the scope and permission, each rule must specify one or more users, groups, or both to which this rule applies.

For example, the following table shows a CR ACL for a company with five products. Four of the products belong to two product lines, and one product (integrations) spans both product lines. In this example, the DOORS® product line has the most restrictive security, followed by IBM Rational Synergy; integrations has the least restrictive security.

Table 1. CR ACL example

| Scope Attribute | Value | Access | Permission | Users, Groups |
|---|---|---|---|---|
| Product_Line | Synergy | Grant | Read | {everyone} |
| Product_Line | Synergy | Deny | Read | Contractor, Guest |
| Product_Line | DOORS | Grant | Read | DOORS, CCB |
| Product | CM | Grant | Write | Synergy Dev, CCB |
| Product | Change | Grant | Write | Synergy Dev, CCB |
| Product | RM | Grant | Write | RM Dev Leads, CCB |
| Product | XT | Grant | Write | XT Dev Leads, CCB |
| Product | Integrations | Grant | Read/Write | Development, Contractor, CCB |
| All unmatched change requests | | Deny | Read/Write | N/A |
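The following added example (not code from IBM Rational Change) evaluates the three ACL components described above against the rows of Table 1: scope as an attribute = value match, deny taking precedence over grant, and default deny for anything no rule matches. The CR attribute names, the group names, and the assumption that Read and Write are checked independently are taken from the table; the evaluator itself is hypothetical.

```python
# Added example, not IBM Rational Change code: a minimal evaluator for the
# CR ACL model on this page. Each rule's scope is "attribute = value", a
# matching Deny beats a matching Grant, and an unmatched CR is denied.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    attribute: str          # scope attribute, e.g. "Product_Line"
    value: str              # scope value, e.g. "Synergy"
    access: str             # "Grant" or "Deny"
    permissions: frozenset  # {"Read"}, {"Write"} or {"Read", "Write"}
    principals: frozenset   # user/group names; "{everyone}" matches anyone


# Table 1 rows transcribed as rules (hypothetical data model).
CR_ACL = [
    Rule("Product_Line", "Synergy", "Grant", frozenset({"Read"}), frozenset({"{everyone}"})),
    Rule("Product_Line", "Synergy", "Deny", frozenset({"Read"}), frozenset({"Contractor", "Guest"})),
    Rule("Product_Line", "DOORS", "Grant", frozenset({"Read"}), frozenset({"DOORS", "CCB"})),
    Rule("Product", "CM", "Grant", frozenset({"Write"}), frozenset({"Synergy Dev", "CCB"})),
    Rule("Product", "Change", "Grant", frozenset({"Write"}), frozenset({"Synergy Dev", "CCB"})),
    Rule("Product", "RM", "Grant", frozenset({"Write"}), frozenset({"RM Dev Leads", "CCB"})),
    Rule("Product", "XT", "Grant", frozenset({"Write"}), frozenset({"XT Dev Leads", "CCB"})),
    Rule("Product", "Integrations", "Grant", frozenset({"Read", "Write"}),
         frozenset({"Development", "Contractor", "CCB"})),
]


def is_allowed(cr: dict, groups: set, permission: str, acl=CR_ACL) -> bool:
    """True only if a matching rule grants `permission` to one of the caller's
    `groups` and no matching rule denies it. No matching rule at all means
    the default rule applies, which denies access."""
    granted = denied = False
    for rule in acl:
        if cr.get(rule.attribute) != rule.value:   # scope: attribute = value
            continue
        if permission not in rule.permissions:     # rule is about another permission
            continue
        if "{everyone}" not in rule.principals and not (groups & rule.principals):
            continue                               # caller is not a listed principal
        if rule.access == "Deny":
            denied = True                          # deny wins regardless of grants
        else:
            granted = True
    return granted and not denied
```

A CR with Product_Line Synergy and Product Integrations illustrates the precedence rule: a Contractor is granted Write by the Integrations row, but the Synergy Deny row still blocks Read even though the Integrations row would grant it.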
