Company ClearQuest Python

Service overview Hook problematics PeHeX Permissions on transitions Automatic queries Permissions on fields

The problem

Any ClearQuest administrator is confronted by the permissions management problem, particularly when there are several user databases associated to a single schema:

• group names must be hardcoded in the schema, which is a very bad idea.
• changing a permission requires the schema to be changed, then the user databases to be upgraded
• standard permissions are relative to an action, sometimes we need to associate them to a transition (i.e. a pair from state / action)

Particularly during the start-up of a project, permissions should be immediately changeable, preferably on a per database basis.

The solution

The solution consists in moving the permissions management at the user database level:

• a new entity named Permissions is created with an associated form, and with the fields below:
• the entity the permission relates to
• the state from which the current action is performed
• the action being performed
• a reference list that contains groups allowed performing this transition
• a global hook named CheckPermissions is created. Depending the action, the current state and the current user, it queries the Permissions table and returns a boolean that gives or not the ability to perform this transition.
• this hook must be called by access control hooks of each action of each entity that must be controlled this way (generally all actions except base ones).
• a single special group (e.g. Administrator) must be created: its members have all privileges, particularly only them may change the Permissions table. This group, and only it, must be hardcoded in the schema.

The CheckPermissions hook may handle special cases: for example, only the author of a record can change it as long as it stays at the Submitted state, only the assigned user can open a bug, etc.

All possible transitions must be referenced in the Permissions table, unless they are reserved to the administrators only: by default, permission is not granted.

No significant performance loss has been detected.

The offer

This solution is available the following way: the customer sends a dump of her schema, it is sent back with this permissions mechanism implemented, along with a script that generates default permissions. This offer is limited to Perl language.

The picture below shows the Permissions form.

Copyright albar - 2008