RTC - COBIT AUDIT
Hi,
We have implemented RTC in a customer but they have a question.
They have four streams including DEV, TEST, UAT, PROD. A build promote the change set from DEV to TEST stream periodically and automatically. However, after the code is promoted to TEST, a build engineer checks the work item which is linked to change set and if it is in a appropriate status, s/he moves change set to further stream (UAT and PROD). In that scenario, they need to be sure that there won't be any code change in TEST, UAT and PROD streams because of a Cobit (Control Objectives for Information and Related Technology) audit. Cobit audit has a question that the code is changed after development phase? I mean they have to be sure that after they delivered the code to development stream, there won't be any change in the code in further streams.
Is there any way to prove that? a report or a restriction to change code, ...
Thank you.
We have implemented RTC in a customer but they have a question.
They have four streams including DEV, TEST, UAT, PROD. A build promote the change set from DEV to TEST stream periodically and automatically. However, after the code is promoted to TEST, a build engineer checks the work item which is linked to change set and if it is in a appropriate status, s/he moves change set to further stream (UAT and PROD). In that scenario, they need to be sure that there won't be any code change in TEST, UAT and PROD streams because of a Cobit (Control Objectives for Information and Related Technology) audit. Cobit audit has a question that the code is changed after development phase? I mean they have to be sure that after they delivered the code to development stream, there won't be any change in the code in further streams.
Is there any way to prove that? a report or a restriction to change code, ...
Thank you.
Accepted answer
You can specify separately what roles are allowed to deliver to which streams, using the team configuration (in particular, the Source_Control -> Deliver(server) -> Restrict_Change_Set_Delivery_to_Components_in_a_Stream Team_Configuration Operation_Behavior operation behavior).
You can also tie the process to the current iteration (or iteration type), so that when the current iteration changes, these constraints are automatically put in place.
You can also tie the process to the current iteration (or iteration type), so that when the current iteration changes, these constraints are automatically put in place.
Comments
Hi Geoffrey,
Thank you for your answer. Actually I already implemented what you suggest and restricted deliver operation for the users except build engineers. However the question is still there, "how can I be sure that build engineers doesn't change the code?"
Thank you.
You would need to remove deliver permission from the build engineer role, such as by having a sub-iteration of a type that has the appropriate permission, and then making that sub-iteration "current" when you want to remove that permission.