Privilege security allows the transition when the user has the required privilege. For example, if the entered2review transition requires the verifier privilege and the user sam has the verifier privilege, sam can perform the transition.
Attribute security allows the transition when the value of the specified attribute matches the user ID (that is, resolver="sam"). For attribute security to work, the selected attribute must contain a user ID as its value. That is, the attribute has the type CCM_USER.
Attribute security can be defined on an attribute, or on a combination of an attribute and a user's privilege.
For example, a rule states that only a user who submitted the CR (the value of the submitter attribute on the CR must equal the logged-in user ID) and who has the developer privilege can transition the CR to the entered2assigned state. Therefore, if user sam submitted a CR and has the developer privilege, he can transition the CR to the entered2assigned state.
Branch security allows a transition only when an attribute has a specific value. For example, the request_type attribute can be set to either Defect or Enhancement. You can allow the fix_defect transition only when request_type is set to Defect, and allow the make_enhancment transition when request_type is set to Enhancement.
If a privilege is specified, then both of these conditions must be met to transition the CR:
If either attribute security or privilege security rules are satisfied and branch security is not set, the transition can occur.
That is, the ANDed branch security rules are ANDed with the ORed privilege and attribute security rules:
( (Privilege security rules) OR (Attribute security rules) ) AND (Branch Security rules)
Consider this example. You set the following rules for CRs to be transitioned to the in_review2assigned state.
Rule 1 - privilege level security
Only users with the assigner privilege can perform the in_review2assigned transition.
Rule 2 - attribute level security
Only the user who submitted the CR (the value of the submitter attribute on the CR must equal the logged-in user ID) and who has the developer privilege can perform the in_review2assigned transition.
Rule 3 - branch level security
The in_review2assigned transition can be performed only when the reviewed_by_mgr attribute is set to TRUE. You do not assign the privilege a value.
Rule 4 - branch level security
The in_review2assigned transition can be performed only when the need_approval attribute is set to FALSE and the user has the reviewer privilege.
Scenario:
You give user sam the developer privilege, user john the assigner and reviewer privileges, and user joe the developer and reviewer privileges.
sam submits a CR and assigns it to john. So, sam is the submitter and john is the resolver. Then, you set the reviewed_by_mgr attribute to TRUE and the need_approval attribute to FALSE.
Therefore, for the transition to occur, all of the branch rules must be satisfied and at least one of the privilege or attribute rules that are specified must be satisfied:
(RULE 1 OR RULE 2) AND (RULE 3 AND RULE 4)
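The combination formula applied to the four rules and the scenario above, as an added Python example (not code from the product or its documentation). The Rule class, the can_transition function and the data layout are hypothetical names chosen for illustration, and the sketch assumes at least one privilege or attribute rule is defined.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    kind: str                         # "privilege", "attribute" or "branch"
    privilege: Optional[str] = None   # privilege the user must hold, if any
    attribute: Optional[str] = None   # CR attribute the rule inspects, if any
    value: Optional[str] = None       # branch rules only: required attribute value

    def satisfied(self, user, privs, cr):
        # A privilege named on a rule must be held in addition to the attribute test.
        if self.privilege is not None and self.privilege not in privs:
            return False
        if self.kind == "attribute":
            return cr.get(self.attribute) == user        # attribute holds a user ID
        if self.kind == "branch":
            return cr.get(self.attribute) == self.value  # attribute has the set value
        return True  # privilege rule: the privilege check above is the whole test

def can_transition(rules, user, privs, cr):
    gate = [r.satisfied(user, privs, cr) for r in rules if r.kind != "branch"]
    branch = [r.satisfied(user, privs, cr) for r in rules if r.kind == "branch"]
    # (privilege OR attribute) AND (every branch rule); all([]) is True,
    # which covers the case where branch security is not set.
    return any(gate) and all(branch)

# Rules 1-4 for the in_review2assigned transition, as listed above.
RULES = [
    Rule("privilege", privilege="assigner"),
    Rule("attribute", privilege="developer", attribute="submitter"),
    Rule("branch", attribute="reviewed_by_mgr", value="TRUE"),
    Rule("branch", privilege="reviewer", attribute="need_approval", value="FALSE"),
]
# Scenario data from the text above.
PRIVS = {"sam": {"developer"},
         "john": {"assigner", "reviewer"},
         "joe": {"developer", "reviewer"}}
CR = {"submitter": "sam", "resolver": "john",
      "reviewed_by_mgr": "TRUE", "need_approval": "FALSE"}

def evaluate_scenario():
    return {user: can_transition(RULES, user, privs, CR)
            for user, privs in PRIVS.items()}

if __name__ == "__main__":
    for user, ok in evaluate_scenario().items():
        print(f"{user}: {'allowed' if ok else 'denied'}")
```

Under this reading of the formula, sam satisfies Rule 2 but is still denied because Rule 4 also requires the reviewer privilege, while joe passes both branch rules but satisfies neither Rule 1 nor Rule 2. A privilege attached to a branch rule therefore narrows the set of users who can perform the transition, which is worth checking when reviewing a lifecycle for least privilege.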