Misieq Posted May 22, 2018 Report Share Posted May 22, 2018 Hello I'm looking for some hints how to set-up correctly following scenario. I have repository with several branches which contain different libraries (each specific branch is dedicated for library). For LibAGroup I want to grant read access to branch /LibA only For LibBGroup I want to grant read access to branch /LibB only How to properly set-up permissions (at repository level and branch level) to properly reach target? From what I recall branches "inherit" permissions from repository. I supose that granting access to branch but no access to repo will also not work. Thanks for hints. Link to comment Share on other sites More sharing options...
calbzam Posted May 23, 2018 Report Share Posted May 23, 2018 Hi, I have repository with several branches which contain different libraries (each specific branch is dedicated for library). [carlos] I guess you have a repository with different libraries and then you have independent branches where you edit each library? Why don't you use independent repositories for the libraries and then you configure the repo permissions for the different groups? You can also use Xlinks: https://www.plasticscm.com/documentation/xlinks/plastic-scm-version-control-xlinks-guide.shtml If you assign permissions at the repository level, they will be applied to all the branches of the repo and then you can also customize permissions per branch if necessary. You can neither allow nor deny permissions at the repository level and then explicitly allow the permission for the desired groups at the branch level. We have a security guide explaining those scenarios in detail: https://www.plasticscm.com/documentation/security/plastic-scm-version-control-security-guide.shtml#Preventchangesonabranch Regards, Carlos Link to comment Share on other sites More sharing options...
Misieq Posted May 23, 2018 Author Report Share Posted May 23, 2018 Hello Generally repository is not used for development but for storage of deliveries of external suppliers. Idea was to have single repository (easier to locate and manage) with dedicated top-level branch for each library. Project repositories which need to use one of libraries just xlink to proper branch (in fact label) in this central libraries repo. So your proposal is to add Group (e.g. GroupLibA) at repository level. Which permission should be allowed - supose read and view? Or there is other permission which will allow user to see and access repository? But this will grant view/read permission to all branches (inherited). So on all non-LibA branches permissions should be override and view/read should be unchecked. Am I right? Prefer result should be that user from GroupA can access repository and see only branch LibA... (of cource if user is in GroupLibA and GroupLibB he/she should see branch /libA and /libB but not /libC). Is it achivable? Link to comment Share on other sites More sharing options...
calbzam Posted May 23, 2018 Report Share Posted May 23, 2018 "Idea was to have single repository (easier to locate and manage) with dedicated top-level branch for each library." [carlos] My recommendation is to use one repository per library. If you commit the libraries code in different branches, then when running merges, you will end up with code from the different libraries in the different branches. Using a repo per library is cleaner. Also for managing the permissions, it will be easier because you will assign permissions at the repository level. If you decide to configure the permission at the branch level, you can don't either allow nor deny permissions at the repository level, then you can explicitly allow the permission for the desired groups at the branch level (this way you can overwrite permissions). In our security guide give have examples for most of the scenarios: https://www.plasticscm.com/documentation/security/plastic-scm-version-control-security-guide.shtml#Preventchangesonabranch Enabling the view/read should enough to accessing the code, but you may also want to enable the rest of the permissions to the group who is going to work in this branch: checkin, add, change, createlabel, removechangeset... "Prefer result should be that user from GroupA can access repository and see only branch LibA... (of cource if user is in GroupLibA and GroupLibB he/she should see branch /libA and /libB but not /libC)." [carlos] This requirement fits with creating one repository per library. This way, "GroupLibA" users will only see the "libA_repo" and "GroupLibB" will only see the"libB_repo". Based on your requirements, this is the cleaner and the easier to configure solution in Plastic. Best regards, Carlos. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.