When you develop workspace folder permission policies for a Rational® ClearQuest® environment,
the most important considerations are who has authority to set policies for
the entire installation; who can set and change permissions on individual
folders; and what levels of access to set on different folders for different
groups of users.
Workspace folder permissions are controlled by two types of administrators:
- Security administrators, who set policy and have control over all folder
permissions for all groups
- Public folder administrators, who control folder permissions for groups
to which they belong
These administrators can delegate permission control for specified folders
for a specified user group by assigning the Change-Permission permission.
Users in these groups can set permissions only on subfolders in their accessible
folders.
Setting the overall policy: security administrator
The
security administrator is responsible for managing folder permissions and
setting up access control lists (ACLs) for the environment. The security administrator
sets workspace folder permissions directly under the Public Queries folder
to correspond to the needs of the user groups that access each folder.
Implementing policy: public folder administrators
The
security administrator selects the public folder administrators to manage
folder permissions for specified groups. Each public folder administrator
might be a member of one or more functional groups. For example, a public
folder administrator might be a member of the dev (development) group, as
well as the subgroup dev-gui.
Each public folder administrator sets
up the folder permissions for their groups. Public folder administrators have
access to any folder under the Public Queries folder,
but can assign permissions only for groups to which they belong. In this way,
public folder administrators take on some work for the security administrator,
by managing the folder permissions of their own groups.
Delegated permission setting: the Change-Permission permission
The
security administrator or public folder administrator can grant the Change-Permission
permission to a specific user group on a specified set of folders. This enables
a small set of users to manage their subfolder permission hierarchy. Members
of this Change-Permission user group cannot access or set permissions
outside of the specific subfolder hierarchy that the security administrator
or public folder administrator has established for them.
Factors to consider when setting folder permissions
When
setting up folders and assigning folder permissions, the security administrator
and public folder administrators should consider the following factors:
- Which groups need access to a folder, and what kind of access do they
need
- Folder and subfolder permission inheritance
- Group and subgroup permission inheritance
- Which folders must be accessible to everyone