Admin Command Permissions GUI
Release 7.1 introduced a new graphical user interface that enables the AccuRev administrator to configure which users are allowed to execute a variety of administrative level commands. This is an alternative to writing perl script in the server_admin_trig.bat or server_admin_trig.pl files installed in the <ac-install>/storage/site_slice/triggers directory.
The Command Permissions GUI looks like this:
This configuration page is accessible from the Admin menu underneath the Security option. The “Global Default” Condition allows you to configure admin command permissions for the entire site. Command permissions can apply to an individual user or to a specific group of users. You can also apply permissions broadly to the two built-in groups:
- anyuser - All users without a password
- authuser - All users with a password
In the case that permissions have been configured for both a user directly and a group that the user is a member of, the permission setting closest to the user is the one that applies. For example, if a user is a member of the qa group and the qa group is denied access to the chstream command, but the user is specifically configured to be allowed permission to the chstream command, the user’s own permission is the one that applies.
Configuring a Superuser
In order to set or remove admin command permissions, you must either be a superuser or have been granted explicit Allow permission for the setcmdacl and rmcmdacl commands. To designate a user as the superuser, the AccuRev administrator must use the maintain utility:
maintain su -a <username>
Changing Command Permissions
To edit command permissions, you must either select one of the existing conditions that you want to edit or add a new condition. The conditions are either the site-wide “Global Default” command permissions or command permissions set on a specific stream. Only commands that apply to a stream or stream hierarchy can be configured at the stream level. Examples of commands that are configurable by stream are: setting stream properties, mkstream, and chstream.
Either highlight the condition you want to edit and click the Change Command Permissions button, double-click on the condition, or right-click on the condition and choose the Change Command Permissions context menu option. The following dialog will appear:
Now you need to add the user or group whose command permissions you want to configure. Command permissions are configured for one single user or one specific group of users at a time. This is similar to how Windows file permissions can be configured. You can add multiple users to the Applies To section of the dialog, but the Command Permissions that you configure apply only to the currently highlighted user or group:
Notice that the title of the Command Permissions section identifies the user or group whose permissions are being configured.
If you add testuser1 to the Applies To section, you can see that the command permissions for testuser1 can also be configured now. Once you configure permissions for the desired set of users and groups, click OK to save your changes.
Stream-Aware Command Permissions
For commands that apply to a stream or stream hierarchy, you can add a new condition for that stream and configure command permissions that you want to apply to it only. You can also choose to make your command permission setting inheritable so that it applies to the entire stream hierarchy below the specified stream. For example, suppose you want to allow users to change the streams in the development stream hierarchy, but you don’t want anyone to change streams above that level. To accomplish this, you could deny access to chstream in the global default, but set an explicit inheritable Allow permission for the chstream command on the development stream:
Removing Command Permissions
To remove a condition entirely (except for the Global Default Condition), highlight the condition and click the Remove Command Permissions button. To remove command permissions for a specific user or group from a condition, highlight that condition and select Change Command Permissions. In the dialog that pops up, remove the users and groups that you no longer want permissions to be set for.
By default, if no permission is set for a user or any group he is a member of or the built-in group that he is a member of, the user is implicitly granted Allow permission for that command.