Xorcist Posted June 26, 2014

I need a little assistance setting up permissions. Basically I would like to set up a repository with a main branch that cannot be committed to or merged to by anyone but a single user. We work distributed, but have a main repo on our company server which we sync to. I'm trying to have it so that developers pull from the main repo, yet don't have rights on their local machine to commit or merge to the main branch. However, users should be able to start branches off of main, and merge within those branches.

I've already created an integrator user on my domain, and assigned him to the repo, but I want to make sure I'm doing this right. Does this look correct? Every time a user syncs to get the main repo, they have full access locally? Is there any way to prevent that?
manu Posted June 27, 2014

Hi! Setting distributed security is hard. You can set up the central security and then do the same for the rest of the distributed clients, of course, but it takes time. It's not impossible but....

Look at git: you can do whatever you want with your local repository, but at the central one I make sure that everything you deliver is OK.

I think it's worth focusing on the central server, and I would (IMHO):

0) Set the repository owner to an admin user/group, and add the same admin user/group into the repository server ACL.
1) For the repository server, remove the "chperm", "chowner", "changecomment", "rmrepository", "makerepository", "rmlabel", "rmtrigger", "rmattribute" permissions for the ALL_USERS entry (just remove the permission, don't actively deny it).
2) Remove the replicationwrite permission for the top level branches (main, integration...).
3) Remove the ci permission for the top level branches.

Then you can programmatically/by scripting perform the same for each distributed installation, but as your central server is secure you don't need to worry about the distributed ones. If they fail by creating changesets on the main branch, they will need to manually remove them to continue working... you can fail once, but then you'll learn not to do it wrong...
nqramjets Posted July 1, 2014

Sorry to piggy-back into this thread, but I'm trying to do exactly what Xorcist describes here:

"...user should be able to start branches off of main, and merge within those branches."

We have the main branch secured, but I would like for the owner of the branch to be the one who has explicit access to check in to their branch. If I try to restrict the "ci" permission to the OWNER, it applies only at the file level, which is not what I'm trying to do. Obviously setting the checkin permission on every single branch is not reasonable since we're following a branch-per-task approach, but is there something I'm missing?

We would like to have the following: developers branch off of main (or their own branches) and can only check in to branches of which they're the owner. Is something like this possible natively with the existing permissions?
manu Posted July 1, 2014

Hi! You will need to set up an after-mkbranch trigger (server-side trigger).

1) Create the trigger:

    cm maketrigger after-mkbranch "SecureBranch" C:\trigger\location\secureBranch.exe

2) Trigger actions:

Get the branch name:

    Environment.GetEnvironmentVariable("PLASTIC_BRANCH_NAME");

Get the repository name:

    Environment.GetEnvironmentVariable("PLASTIC_REPOSITORY_NAME");

Get the owner and branch full name:

    cm find branch where name='branchName' on repositories '[RepositoryName]@localhost:8087' --format="{owner}#{name}" --nototal

Set the owner full permissions:

    cm acl -user=[Owner] -allowed=+all br:[branchFullName]@[RepositoryName]@localhost:8087

Remove the ci permission for the ALL_USERS group:

    cm acl -group=all -allowed=-ci -overrideallowed=+ci br:[branchFullName]@[RepositoryName]@localhost:8087

or (depending on your repserver ACL config):

    cm acl -group=all -denied=+ci br:[branchFullName]@[RepositoryName]@localhost:8084

That will automatically set the right permissions for the new branches; no one except the branch owner and the Plastic SCM root user will be able to commit in the branch.
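The trigger steps from the post above, sketched in Python as an added example that is not part of the original thread or the poster's secureBranch.exe. The function names and the name allow-list are hypothetical, and it assumes cm accepts the quoted query pieces when they are passed as separate arguments without a shell; the cm commands and flags are only the ones quoted in the post.

```python
import os
import re
import subprocess

SERVER = "localhost:8087"  # server address as written in the post
# Assumption: an allow-list for names coming from the trigger environment;
# widen it to match your own branch and repository naming rules.
SAFE = re.compile(r"[A-Za-z0-9_./\-]+")

def checked(value, what):
    """Reject names that could alter the cm query or the object spec."""
    if not value or not SAFE.fullmatch(value):
        raise ValueError(f"refusing unsafe {what}: {value!r}")
    return value

def find_command(branch, repo):
    """argv for the 'cm find branch' call that prints '{owner}#{name}'."""
    branch, repo = checked(branch, "branch name"), checked(repo, "repository name")
    return ["cm", "find", "branch", "where", f"name='{branch}'",
            "on", "repositories", f"'{repo}@{SERVER}'",
            "--format={owner}#{name}", "--nototal"]

def parse_owner(output):
    """Return (owner, full branch name) from the first line of cm find output."""
    lines = output.strip().splitlines()
    owner, sep, full_name = (lines[0] if lines else "").partition("#")
    if not sep or not owner or not full_name:
        raise ValueError(f"unexpected cm find output: {output!r}")
    return owner, full_name

def acl_commands(owner, full_name, repo):
    """argv lists for the two 'cm acl' calls from the post."""
    spec = f"br:{full_name}@{checked(repo, 'repository name')}@{SERVER}"
    return [
        ["cm", "acl", f"-user={owner}", "-allowed=+all", spec],
        # The post gives '-denied=+ci' as the alternative for other ACL setups.
        ["cm", "acl", "-group=all", "-allowed=-ci", "-overrideallowed=+ci", spec],
    ]

def main():
    branch = os.environ.get("PLASTIC_BRANCH_NAME", "")
    repo = os.environ.get("PLASTIC_REPOSITORY_NAME", "")
    found = subprocess.run(find_command(branch, repo), check=True,
                           capture_output=True, text=True)
    owner, full_name = parse_owner(found.stdout)
    for argv in acl_commands(owner, full_name, repo):
        subprocess.run(argv, check=True)  # argv list: no shell parsing

if __name__ == "__main__":
    main()
```

Because the branch name is chosen by whoever creates the branch and ends up inside a quoted query, the script refuses anything outside the allow-list before cm is called.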
nqramjets Posted July 1, 2014

Thanks manu, that's very helpful!
manu Posted July 1, 2014

You are welcome! If you have any questions, let me know.