It's all about the answers!

Ask a question

how to limit write permissions to streams


1
1
Steffen Kriese (381821) | asked Dec 09 '13, 4:30 a.m.
retagged Dec 10 '13, 11:11 a.m. by David Lafreniere (4.6k7)
to support our process I need to implement some kind of cherry picking for change sets.

The cherry picking implementation looks like this:
The developer will deliver change sets to a so called delivery stream. From this stream the release engineer can selectively accept changes sets to an integration workspace and build the binaries. If the binaries are successfully tested the change sets are moved to the integration stream and a snap shot will be created.     
To make sure a developer can't deliver change sets to the integration workspace or the integration stream by mistake I need make the integration workspace and the integration stream read only for developers. The release engineer has read / write access to the integration workspace or the integration stream .







Is there a best practice how to configure this in RTC?

4 answers



permanent link
Aradhya K (1.4k44345) | answered Dec 09 '13, 4:45 a.m.
JAZZ DEVELOPER
In our RTC development we also have similar configuration.
For Work items, we have something called "Work Items Stream" owned by the Work items team.
Then we have the "RTC Integration" stream owned by  "RTC Development" Team.
So only the member for the work items stream with necessary approvals will be able to deliver to "Work Items Stream". Then we have a Build Miester who is responsible to push the changes from the "work Items Stream" to "RTC Integration" stream as baselines and also pull in the baseline to other components from Integration steam to work items stream.
The Build Miester will be part of "RTC Development" team and can have permissions set up.

Coming to your case create 2 team areas one for delivery stream and one for Integration stream.
Based on this you will be able to control the permissions you are expecting.

Comments
1
Andy Jewell commented Dec 09 '13, 11:09 a.m. | edited Dec 09 '13, 11:11 a.m.

 To expound on Aradhya's explanation, this configuration is done through the Project Area configuration.  Depending on what you need to manage, you could set preconditions for every role, or just a single role.  As you see in the example below, I put the precondition for "Everyone" but then tweak only the permission by role for the team.  Note depending on how you want to configure it, I don't think necessarily you need to set up using different teams, you could do it all through roles.


First go to the project area configuration:
Project Area

Then configure the stream.  I believe (not 100% of this) that the team you are configuring access to must own the stream otherwise it won't appear in the stream list:
Configuring permissions


Hth!

- Andy


permanent link
Arun K Sriramaiah (3.2k12045) | answered Dec 09 '13, 11:28 a.m.
Hi Steffen,

Please find the link below.

https://jazz.net/library/article/1075#com.ibm.team.process.definitions.server.componentPermissions

Regards,
Arun.

permanent link
Steffen Kriese (381821) | answered Dec 10 '13, 5:16 a.m.
Hello,

many thanks for the help. The proposed solution works fine for the integration stream. I have added 2 team areas to the project area one for the developers and a second one for the release engineers. The release engines are members of both team areas. The delivery stream is owned by the developers team area and the integration stream stream is owned by the release engineer team area. I added a new role which has privileges to do code changes and removed the source code privileges from all other roles.  The new role is not assigned on project area level only in the team areas.  Quite a complex setup, but it allows to limit the developers write permissions to the delivery stream. From a stream point of view this is what I was looking for.
However the integration workspace is still writable for a developer. The problem here is I can't specify a team area as owner for a workspace. I could make the workspace private but then only one release engineer could see this workspace but we need to share the workspace with all release engineers.
As a circumvention I replaced the integration workspace with an "integration build stream". This solves the write access problem.  But I get a warning on the build definition complaining a Steam should not be used for a build.
Any Idea how to solve this?

Kind Regards, Steffen  
       



permanent link
Arun K Sriramaiah (3.2k12045) | answered Dec 10 '13, 5:49 a.m.
Hi Steffan,

Since the Stream is just a logical separation of the stream, you cant set the stream in place of Repository workspace in build definition.

Please create a separate RWS on the stream with right permission and set the same RWS in Build defnition.

Regards,
Arun

Your answer


Register or to post your answer.