protectvob

Changes owner or groups of a VOB

APPLICABILITY

ClearCase (cleartool subcommand)

SYNOPSIS

protectvob [ -f·orce ] [ -cho·wn user ] [ -chg·rp group ]

[ -add·_group group[,...] [ -del·ete_group group[,...] ]
vob-storage-pname ...

DESCRIPTION

Before executing this command, log in to the host where the VOB storage directory resides, as local administrator, VOB owner, or a member of the ClearCase group. Execute this command only when there are no active users of the VOB; it stops and restarts the associated vob_server process, which prevents access to storage pools.

protectvob manages the ownership and group membership of the files and directories in a VOB, by changing the OS-level permissions on files and directories within the VOB storage area.

VOB Owner and VOB Group List

A new VOB, created with mkvob, takes the following permission settings:

• The creator becomes the VOB owner.
• The creator's principal group becomes the VOB's principal group.
• The VOB's supplementary group list is empty.

The VOB owner can perform almost any operation involving that VOB. The VOB owner owns all the VOB's data containers and storage pools. All data container manipulations are performed by a vob_server process, which runs with the identity of the albd_server. All files and directories in a VOB are assigned the ACL that grants full access rights to the clearcase group.

NOTE: The albd_server runs as domain-name\clearcase_albd, a member of the domain-name\clearcase group. For more information, see Administering ClearCase.

The VOB's supplementary group list simulates a Windows feature that enables a user to belong to several groups.

Groups and Access Control

The VOB's set of groups controls write access on the VOB; a user's principal group must be one of the VOB's groups-principal or supplementary-for the user to create an element or derived object.

Access Control at the Individual Object Level

A VOB's owner and group list are VOB-wide settings. Similar settings are maintained at the individual object level:

• Each element in a VOB has POSIX access attributes:
  • User (that is, the element's owner)
  • Group (only one, not several)
  • Read-write-execute permissions (access mode)

    These attributes control access by standard Windows programs to the element's data. For example, some elements may be made readable by anyone, while others are made readable only by group members. An element's POSIX attributes apply to all of its versions.

• Similarly, POSIX access attributes are maintained for each shared derived object in the VOB (whose data container is in a VOB storage pool).

The protect command controls the POSIX access attributes of elements and shared derived objects. An element's access attributes apply to all its source containers and (if applicable) cleartext containers.

The identity.sd File

The cleartool describe vob:vob-tag command lists a VOB's owner and its group list. This information is recorded in the Security Descriptor on the VOB storage directory root (on NTFS only), the identity.sd file, and the groups.sd file in the VOB storage directory. See the vob reference page for a description of the contents of the identity.sd and groups.sd files.

CAUTION: Do not manipulate these files by any means other than the protectvob command. Inconsistent settings cause ClearCase errors.

Pool Protections

Each storage pool directory (sdft, ddft, cdft, and each user-defined pool) typically has a large number of subdirectories. protectvob can verify and/or change the protections of each such subdirectory, but this can be time consuming. To save time, you can have protectvob check only the top-level directory of each pool; if no change is required to this directory, protectvob does not process the pool's entire directory tree. To disable this feature, answer yes at the prompt:

Do you wish to protect the pools that appear not to need protection?

PERMISSIONS AND LOCKS

Permissions Checking: For each object processed, you must be local administrator, VOB owner, or a member of the ClearCase group. See the permissions reference page.

Locks: An error occurs if the VOB is locked.

OPTIONS AND ARGUMENTS

CONFIRMATION STEP.  Default: protectvob asks for confirmation before changing the permissions in one or more storage pools.

-for·ce

Suppresses the confirmation step.

CHANGING VOB OWNERSHIP.  Default: None. You can use -chown by itself, or in combination with -chgrp.

NOTE: A member of the Backup Operators or Administrators group can change ownership of any VOB with protectvob -chown. If you are the VOB owner, you can change ownership of that VOB by running protectvob -chown user as yourself, andthen logging in as user and running protectvob -force vob-storage-pname with no other options.

-cho·wn user

Specifies a new VOB owner. user can be either a login name or the numeric user-ID displayed by ccase-home-dir\etc\utils\creds username (this is not the same as the Windows NT Security Identifier). That user becomes the owner of all the VOB's storage pools and all of the data containers in them.

protectvob rebuilds the Security Descriptor on the VOB root directory (on NTFS only) and the identity.sd and group.sd files in the VOB storage directory, reflecting the new VOB owner's user-ID, group-ID, and additional groups (if any).

-ch·grp group

Specifies a new principal group for the VOB. group can be either a group name or the numeric group-ID displayed by ccase-home-dir\etc\utils\creds -g groupname.

MAINTAINING THE SECONDARY GROUP LIST.  Default: None. You can use -add_group and -delete_group singly, or together.

-add·_group group[,...]

Adds one or more groups to the VOB's secondary group list. group can be either a group name or the numeric group-ID displayed by ccase-home-dir\etc\utils\creds -g groupname. You must enclose group names that contain spaces in double quotes.

-del·ete_group group[,...]

Deletes one or more groups from the VOB's secondary group list. group can be either a group name or the numeric group-ID displayed by ccase-home-dir\etc\utils\creds -g groupname. You must enclose group names that contain spaces in double quotes.

SPECIFYING THE VOB. Default: None.

vob-storage-pname

Local pathname of a VOB storage directory.

EXAMPLES

Examples including wildcards or quoting are written for use in cleartool interactive mode. If you use cleartool single-command mode, you may need to change the wildcards and quoting to make your command interpreter process the command appropriately.

In cleartool single-command mode, cmd-context represents the command interpreter prompt. In cleartool interactive mode, cmd-context represents the interactive cleartool prompt. In Attache, cmd-context represents the workspace prompt.

• Make user smg the owner of the VOB whose storage area is c:\vobs\docs.vbs.

cmd-context protectvob -chown smg c:\vobs\docs.vbs
This command affects the protection on your versioned object base.
While this command is running, access to the VOB will be limited.
Pool "sdft" appears to be protected correctly.
Pool "ddft" appears to be protected correctly.
Pool "cdft" appears to be protected correctly.
Protect versioned object base "c:\vobs\docs.vbs"? [no] yes
Do you wish to protect the pools that appear not to need protection? [no] no
VOB ownership:
  owner smg
  group user
Additional groups:
  group Backup Operators

• Add the group Doc Group to a VOB's group list.

cmd-context protectvob -add_group "Doc Group" c:\vobs\docs.vbs
This command affects the protection on your versioned object base.
While this command is running, access to the VOB will be limited.
Pool "sdft" appears to be protected correctly.
Pool "ddft" appears to be protected correctly.
Pool "cdft" appears to be protected correctly.
Protect versioned object base "c:\vobs\docs.vbs"? [no] yes
Do you wish to protect the pools that appear not to need protection? [no] no
VOB ownership:
  owner smg
  group user
Additional groups:
  group Backup Operators
  group Doc Group

SEE ALSO

chpool, mkpool, mkvob, protect, albd_server, vob, vob_server