How to limit write permissions to streams
To support our process, I need to implement some kind of cherry picking for change sets.
The cherry picking implementation looks like this:
The developer will deliver change sets to a so-called delivery stream. From this stream the release engineer can selectively accept change sets to an integration workspace and build the binaries. If the binaries are successfully tested, the change sets are moved to the integration stream and a snapshot will be created.
To make sure a developer can't deliver change sets to the integration workspace or the integration stream by mistake, I need to make the integration workspace and the integration stream read-only for developers. The release engineer has read/write access to the integration workspace or the integration stream.
Is there a best practice for how to configure this in RTC?
4 answers
In our RTC development we also have a similar configuration.
For Work items, we have something called "Work Items Stream" owned by the Work items team.
Then we have the "RTC Integration" stream owned by the "RTC Development" Team.
So only the members for the work items stream with the necessary approvals will be able to deliver to "Work Items Stream". Then we have a Build Meister who is responsible for pushing the changes from the "Work Items Stream" to the "RTC Integration" stream as baselines and also for pulling in the baseline to other components from the Integration stream to the work items stream.
The Build Meister will be part of the "RTC Development" team and can have permissions set up.
Coming to your case, create 2 team areas: one for the delivery stream and one for the Integration stream.
Based on this you will be able to control the permissions you are expecting.
Comments
To expound on Aradhya's explanation, this configuration is done through the Project Area configuration. Depending on what you need to manage, you could set preconditions for every role, or just a single role. As you see in the example below, I put the precondition for "Everyone" but then tweak only the permission by role for the team. Note that, depending on how you want to configure it, I don't think you necessarily need to set it up using different teams; you could do it all through roles.
First go to the project area configuration:
Then configure the stream. I believe (not 100% sure of this) that the team you are configuring access to must own the stream, otherwise it won't appear in the stream list:
Hth!
- Andy
1 vote
Hello,
Many thanks for the help. The proposed solution works fine for the integration stream. I have added 2 team areas to the project area, one for the developers and a second one for the release engineers. The release engineers are members of both team areas. The delivery stream is owned by the developers team area and the integration stream is owned by the release engineer team area. I added a new role which has privileges to do code changes and removed the source code privileges from all other roles. The new role is not assigned on project area level, only in the team areas. Quite a complex setup, but it allows me to limit the developers' write permissions to the delivery stream. From a stream point of view this is what I was looking for.
However, the integration workspace is still writable for a developer. The problem here is that I can't specify a team area as owner for a workspace. I could make the workspace private, but then only one release engineer could see this workspace, and we need to share the workspace with all release engineers.
As a circumvention I replaced the integration workspace with an "integration build stream". This solves the write access problem. But I get a warning on the build definition complaining that a stream should not be used for a build.
Any idea how to solve this?
Kind Regards, Steffen