How to restrict who can create/remove SCM component
We've had a few accidents recently such that developers accidentally removed components or streams, and also some can't add new component to a stream/team area. So we are trying to find proper permission settings to prevent this from happening again.
Our SCM environment is like below: 1. We use shadow project area to control access to the components. The shadow project area owns the components and only people on the Access list in the shadow project area can access the component; 2. In the shadow project area, the Permission is set at Team area level to allow Everyone (which is the only role defined there) to Add a component to a team/project area but not Delete one; 3. In the primary project area corresponding to the shadow ones: at project area level, no permitted actions for SCM is defined for any role at team area level, for contributor/teamlead roles, allow all actions around component except Add a component to a team/project area or Remove a component to a team/project area; at team area level, for contributor/teamlead roles, allow all actions around stream including Add a component to a stream, Remove a component to a stream, Replace a component to a stream We want to have tighter control on who can add/remove components. When one creates/adds a new component in one's own workspace, is it considered as added to team/project area one is in too? We have developers created/added new components in their own workspace without issue, but got permission error when deliver the changesets for the component creation to the stream. I first enabled Add a component to a team/project area at team area level for all roles in the primary project area as it is already enabled in the shadow project area, and still the same permission error. Then I found that the stream involved was actually owned by the primary project area which the developer is not a member. After changing the stream's ownership to a team where the developer is a member, the deliver went through. So it looks like that as we use shadow project area to own SCM component and allow allow Everyone (which is the only role defined there) to Add a component to a team/project area but not Delete one; the relevant permission setting on the primary project area is obsoleted. Now I have teams want to limit the ability to add/create component to only a few people in the team. I guess I have to do it on the shadow project area by creating a new role and grant it the permission to Add a component to a team/project area but not Delete one; and stop allowing Everyone to Add a component to a team/project area. If this is the right way to do it, I guess most developers will not be able to create/add new component to team/project area. I am not sure when it is going to happen: right from the time when they create/add new component in their workspace or when they try to deliver the relevant changeset to the stream? |
4 answers
Geoffrey Clemm (30.1k●3●30●35)
| answered Jan 27 '11, 11:53 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
Comments below.
On 1/27/2011 8:08 AM, ghu wrote: We've had a few accidents recently such that developers accidentally This only affects components that are owned by the team area level, so this does not affect any of your components, since they are all owned by the shadow project area. at team area level, for contributor/teamlead roles, allow all This only needs to be set for the team/project area that owns the stream. We want to have tighter control on who can add/remove components. If you mean who can add/remove a component from a project/team area, then that is completely controlled by the permissions on your shadow project area. If you mean who can add/remove a component from a stream, that is controlled by the team area that owns that stream. When one creates/adds a new component in one's own workspace, is it No, it is initially a personal component, owned by the user that created it. We have developers created/added new components in their own workspace In order to deliver the change sets to the stream, they would have to check the box that says "add the components to the stream". For the deliver to succeed, that user would have to have permission to add components to a stream in the team area that owns the stream. I first enabled Add a The only team/project area that matters for the "add component to the stream" permission is the team/project area that owns the stream. Then I found that Yes, that is what is expected, since you have said that you have given developers that permission in that team area. So it looks like that as we use shadow project area to own SCM The only relevant permission setting for add/remove component form project/team area is the permission set on the project/team area that is the owner of that component. Now I have teams want to limit the ability to add/create component to Correct. If this is the right way to do it, I guess most developers will not Adding a component to a stream (which is what your deliver will do, if you check the appropriate box which asks whether you want to add the new component to the stream) has no effect on what the owner of that component is (i.e. no effect on the team/project area of the component). That is a separate operation (the "change owner" operation on the component). Cheers, Geoff |
|
Geoff,
Thanks for your time. If I understand correctly what you said, here are what is happening in our current environment when one create a new component in a workspace and then deliver to a stream: 1. When one creates a new component in a workspace, what is created is just personal component, owned by the user that created it; 2. If one then tries to deliver it to the stream the workspace has branched off from, then the component is added to the stream, and the owner of the component is assigned to the shdow proejct/team area as we allow all valid user to be able to add new component to the shdow proejct/team area ; Now we want to stop allowing all to be able to add new component to the shdow proejct/team area and limit that ability to a few with a new role. But what happens to a user who has not been assigned the new role on the shadow project/team area when a delive involving new component creation is done: will the deliver fail because no permisssion to add new component to the shdow proejct/team area? or it will go through but the ownership is still owned by the user that created it; and we'll need to do a ownership change then? |
|
Geoffrey Clemm (30.1k●3●30●35)
| answered Jan 28 '11, 2:08 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
Adding a component to the stream via the deliver operation (or via any
other operation) does not change the owner of that component ... in your example below, it will still be owned by the user that created it. To change the owner of the component, you need to explicitly invoke a "change owner" command on the component. Cheers, Geoff On 1/28/2011 10:53 AM, ghu wrote: Geoff, |
|
Thanks, Geoff.
As we've been asking users to create new component directly owned by the shadow project area, guess that is why there has been no issue in that front. With our new and more strict permission setting, users not having the new role assigned should not be able to create and add the new component to the shadow project area, exactly what the teams want. |
Your answer
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.