Project security

Project security is an alternative to traditional database security, where privileges are statically assigned at the database level. Instead of assigning users static privileges that apply to all CRs and tasks within a particular database, users are assigned dynamic privileges within the context of a set of related CRs. These dynamic privileges are defined in the context of a project and are applied whenever the user is in the context of the CR that belongs to the project.

For example, Tom has the privileges of a Team Leader (submitter, assigner, reviewer) when working on SystemA CRs, but only Contributor privileges (submitter) for SystemB CRs. Depending on the project he is working on, Tom has different privileges. The databases that the CRs are in do not matter; what matters is their project membership. Projects, which establish both the context and the privileges, make this possible.

Note: The term project in IBM® Rational® Change has different semantics than it does in IBM Rational Synergy. A Rational Change project defines a set of related CRs and assigns roles to groups of users within that context. A Rational Synergy project is a user-defined group of related files, directories, or other projects.

Motivation

Project security addresses two main issues:
  • Insufficient granularity when assigning privileges

    People often play different roles within an organization. In the previous example, Tom is a Team Leader on one project, but only a Contributor on another. Traditional database security is limited to a single set of privileges per database. You must separate your projects into different databases to ensure the appropriate level of access. Or you must grant unwarranted privileges to the project where lesser access is wanted. Neither solution is ideal.

  • User administration

    User management is split among products. Accounts are managed through IBM Rational Directory Server, but privileges are assigned in Rational Change. Furthermore, there is no way to distribute user administration without giving people full administrative access.

Benefits

Project security offers the following benefits:
  • Privilege management

    Logically related privileges can be grouped into roles, which simplify administration.

  • Use of existing groups in Rational Directory Server

    Adding a Rational Change user becomes as easy as assigning the user the appropriate groups in Rational Directory Server. Roles and privileges are granted automatically in Rational Change through project definitions.

  • Distributed administration

    Administration of each project can be delegated to the appropriate person.

The ease of user administration that project security affords is more fully realized in central mode than in stand-alone mode. Rational Change users do not need to be defined in ccm users through Rational Synergy. Database access is governed entirely from Rational Change privileges. In stand-alone mode, a user must be defined in the database to access its CRs, unless a database has been specially designated.

Interaction with other types of security

Project security works together with the security rules and privileges defined under Managing change request processes (lifecycle security). These rules govern transitions and how individual attributes can be modified. In contrast, read/write security (through access control lists, or ACLs) governs whether the CR as a whole is visible or modifiable. Only if a CR can be modified under read/write security are its transitions and individual attributes then governed by lifecycle and project security.

Components of project security

The following elements come into play with project security:
  • A set of CRs, also called the contents of the project.
  • Members of the project, namely groups or individual users.
  • Roles and privileges.

    Privileges are used in the CR process to control which attributes can be modified and which transitions are allowed. A role is a set of privileges.

Any number of projects can be defined, and it is possible to create subprojects. A subproject is derived from an existing project but is more specific in scope.
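The following is an added illustration of the model described above (the components of project security and its layering with read/write and lifecycle security); it is not Rational Change's own code or API. The class and function names (Project, privileges, can_transition), the directory groups, the ACL entries, the mapping from transitions to required privileges, and the rule that a subproject inherits role assignments from its parent project are all assumptions made for the example. The sample data mirrors the Tom / SystemA / SystemB scenario from the introduction.

```python
"""Toy model of project-scoped (dynamic) privileges.

Illustrative example only; not Rational Change's own code or API.
All names and the sample data below are constructed for the example.
"""
from dataclasses import dataclass

# A role is a named set of privileges.
ROLES = {
    "Team Leader": frozenset({"submitter", "assigner", "reviewer"}),
    "Contributor": frozenset({"submitter"}),
}


@dataclass
class Project:
    name: str
    crs: set                            # contents: CR ids belonging to the project
    members: dict                       # role name -> set of users or groups
    parent: "Project | None" = None     # a subproject derives from a parent


# Directory groups, as they would come from a directory server (constructed).
GROUPS = {
    "systema-leads": {"tom"},
    "systemb-devs": {"tom", "alice"},
}


def principals(user):
    """Identities a user acts as: the user plus every group containing them."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def project_of(cr, projects):
    """The (sub)project whose contents include the CR, or None."""
    for p in projects:
        if cr in p.crs:
            return p
    return None


def privileges(user, cr, projects):
    """Effective privileges of `user` for `cr`, derived from the CR's project.

    The database the CR lives in plays no part; only project membership does.
    Assumption for this example: role assignments made on a parent project
    also apply to CRs in its subprojects.
    """
    who = principals(user)
    privs = set()
    p = project_of(cr, projects)
    while p is not None:
        for role, members in p.members.items():
            if who & members:
                privs |= ROLES[role]
        p = p.parent
    return privs


# Read/write security (ACL) is a separate layer that decides whether the CR
# as a whole is visible or modifiable. Constructed sample ACL.
ACL = {
    "CR-1": {"read": {"tom", "alice"}, "write": {"tom", "alice"}},
    "CR-2": {"read": {"tom", "alice"}, "write": {"tom", "alice"}},
    "CR-3": {"read": {"tom", "alice"}, "write": {"alice"}},
}

# Lifecycle security: the privilege each transition requires (constructed).
TRANSITION_REQUIRES = {"submit": "submitter", "assign": "assigner", "review": "reviewer"}


def can_transition(user, cr, transition, projects):
    """Layered check: ACL first; only then lifecycle + project privileges."""
    acl = ACL.get(cr, {})
    if not (principals(user) & acl.get("write", set())):
        return False        # CR not modifiable at all, so nothing else matters
    return TRANSITION_REQUIRES[transition] in privileges(user, cr, projects)


SYSTEM_A = Project("SystemA", crs={"CR-1"}, members={"Team Leader": {"systema-leads"}})
SYSTEM_B = Project("SystemB", crs={"CR-2"}, members={"Contributor": {"systemb-devs"}})
# Subproject: narrower scope (one CR), its own role assignment, parent SystemB.
PAYMENTS = Project("SystemB/Payments", crs={"CR-3"},
                   members={"Team Leader": {"alice"}}, parent=SYSTEM_B)
PROJECTS = [SYSTEM_A, SYSTEM_B, PAYMENTS]

if __name__ == "__main__":
    for user in ("tom", "alice"):
        for cr in ("CR-1", "CR-2", "CR-3"):
            print(user, cr, sorted(privileges(user, cr, PROJECTS)),
                  "assign:", can_transition(user, cr, "assign", PROJECTS))
```

Running the block shows Tom holding Team Leader privileges on CR-1 but only submitter on CR-2 and CR-3, and the ACL layer refusing him any transition on CR-3 even though the project grants him a privilege for it.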

