Once you have identified the groups and attributes, map out a set of rules, or access control lists (ACLs), that correspond to your security needs. An ACL is a collection of rules that control read and write permissions. Using ACLs, you can define specific rules for a group or groups of users.
Each ACL has three components:
Scope
Each rule must define the scope for the rule. In other words, to which CRs, tasks, or objects is this rule applicable? Unlike other applications that define an ACL on a specific object, IBM® Rational® Change defines one global ACL for all CRs, one for tasks, and one for objects.

However, each rule within the ACL applies to a subset of each. The scope is set by a simple equality statement: attribute = value. All CRs, tasks, or objects that meet this condition are governed by this rule.

A default rule denies read/write access to all CRs, tasks, or objects that do not match any of the rules. The default rule can be modified as needed.
Permissions
Each rule must define the type of permission and whether to grant or deny this permission. If a user qualifies for both a grant and a deny rule, the deny rule is enforced. The available permissions are:

- Read: the ability to view the CR, task, or object. If the user does not have read access, the user is informed that the CR or task does not exist when performing a show. For reports and search, the CR or task is removed from the result set.
- Write: the ability to edit the CR. However, granting write access does not necessarily mean the CR is modifiable. Other factors can ultimately prevent write access:
  - The CR Show form (dialog box) can be defined using read-only controls.
  - The CR is not modifiable in this database because of rules enforced by IBM Distributed Rational Change. For example, control of CR C#123 has been transferred from the C database to the W database. It is no longer modifiable in the C database.
  - Lifecycle security did not grant any attribute modification privileges to the user. For example, the CR is modifiable by the IBM Rational Synergy group and the user is in the Synergy group. However, the lifecycle security states that the user must have assigner privileges to modify attributes x, y, and z on a CR in the assigned state. The user does not have the assigner privilege.
- Read/Write: the ability to read and write the CR. This combined permission reduces ACL maintenance by not requiring separate rules for read and write when all other components are equal.
Users or groups
After defining the scope and permission, each rule must specify one or more users, groups, or both to which this rule applies.

- Groups: rules generally apply to one or more groups.
- Users: rules can be specific to a particular user. These rules are useful when you need to temporarily grant or deny permissions to a user who does not belong to an applicable group. For example, you might need to grant rights to a short-term consultant. Rules can contain a mixture of both users and groups.
- {everyone}: a special purpose identifier used to represent all Rational Change users. This identifier is useful when implementing a deny security model. That is, grant {everyone} and then list a few users, groups, or both to deny.
For example, the following table shows a CR ACL for a company with five products. Four of the products are within two product lines, and one product spans two product lines (integrations). In this example, the DOORS® product line has the most restrictive security, followed by IBM Rational Synergy, and then integrations, which has the least restrictive security.
Table 1. CR ACL example

| Scope attribute | Scope value | Access | Permission | Users, groups |
|---|---|---|---|---|
| Product_Line | Synergy | Grant | Read | {everyone} |
| Product_Line | Synergy | Deny | Read | Contractor, Guest |
| Product_Line | DOORS | Grant | Read | DOORS, CCB |
| Product | CM | Grant | Write | Synergy Dev, CCB |
| Product | Change | Grant | Write | Synergy Dev, CCB |
| Product | RM | Grant | Write | RM Dev Leads, CCB |
| Product | XT | Grant | Write | XT Dev Leads, CCB |
| Product | Integrations | Grant | Read/Write | Development, Contractor, CCB |
| All unmatched change requests (default rule) | | Deny | Read/Write | N/A |
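To make the evaluation rules concrete, the following is an added example (not IBM Rational Change code) that models the semantics described above and evaluates the Table 1 rules against constructed change requests and users. The `check` function, the CR attribute dictionaries and the user names are assumptions for illustration; the group names are those in the table.

```python
# Added example, not IBM Rational Change code: a model of the CR ACL
# semantics described above, applied to the rules in Table 1. Modelled:
# scope is one attribute = value test, Read/Write means both Read and
# Write, a matching Deny beats any Grant, {everyone} matches every user,
# and a CR that matches no rule falls through to the default rule (deny).
from dataclasses import dataclass

EVERYONE = "{everyone}"

@dataclass(frozen=True)
class Rule:
    attribute: str         # scope attribute, e.g. "Product_Line"
    value: str             # scope value, e.g. "Synergy"
    access: str            # "Grant" or "Deny"
    permission: str        # "Read", "Write" or "Read/Write"
    principals: frozenset  # user and/or group names, or {everyone}

    def permissions(self):
        return {"Read", "Write"} if self.permission == "Read/Write" else {self.permission}

    def matches(self, cr, user, groups):
        # cr is a dict of the CR's attribute values; groups is the user's group set
        return (cr.get(self.attribute) == self.value
                and (EVERYONE in self.principals or user in self.principals
                     or bool(self.principals & groups)))

# Table 1 transcribed as data (group names exactly as in the table).
CR_ACL = [
    Rule("Product_Line", "Synergy", "Grant", "Read", frozenset({EVERYONE})),
    Rule("Product_Line", "Synergy", "Deny", "Read", frozenset({"Contractor", "Guest"})),
    Rule("Product_Line", "DOORS", "Grant", "Read", frozenset({"DOORS", "CCB"})),
    Rule("Product", "CM", "Grant", "Write", frozenset({"Synergy Dev", "CCB"})),
    Rule("Product", "Change", "Grant", "Write", frozenset({"Synergy Dev", "CCB"})),
    Rule("Product", "RM", "Grant", "Write", frozenset({"RM Dev Leads", "CCB"})),
    Rule("Product", "XT", "Grant", "Write", frozenset({"XT Dev Leads", "CCB"})),
    Rule("Product", "Integrations", "Grant", "Read/Write",
         frozenset({"Development", "Contractor", "CCB"})),
]

def check(acl, cr, user, groups, permission):
    """True if user (a member of groups) holds permission on change request cr."""
    groups = frozenset(groups)
    granted = False
    for rule in acl:
        if permission not in rule.permissions() or not rule.matches(cr, user, groups):
            continue
        if rule.access == "Deny":
            return False   # any applicable deny wins over grants
        granted = True
    return granted         # nothing granted: the default rule denies
```

One thing the model makes visible: a Write grant without a matching Read grant for the same group is a legal ACL, so when reviewing a table like this, confirm that every group that writes a class of CRs can also read it.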