CLEARCASE_PRIMARY_GROUP vs CLEARCASE_GROUPS

Posted on May 27, 2008

Below is the description from IBM:

CLEARCASE_PRIMARY_GROUP
 
Specifies which of the user's groups ClearCase should consider
the primary group. Overrides the Windows primary group
assignment for ClearCase operations. This environment variable
must be a per-user variable (not a system variable) and must
be set to a group that already appears in the user's group list. 
 
CLEARCASE_GROUPS
 
Specifies a list of up to 32 groups that ClearCase considers
first when determining or displaying which groups a user
belongs to. Users who are members of more than 32 groups
can set this environment variable to designate a subset
of those groups that ClearCase considers when evaluating
the user's group membership. The value of this variable
is a semicolon-separated list of groups to which the
user belongs. The list must not include the group that
is specified in the environment variables CLEARCASE_PRIMARY_GROUP

So what is the variable CLEARCASE_PRIMARY_GROUP used for, and under what circumstances is it needed?

ClearCase objects (files, directories, metadata …) must be assigned an owner and a group at creation time.

In any given Windows environment, users are typically members of more than a single group.

If ClearCase has to create a new object, the albd server process needs to know which group should have access to that new object.

Each user has a primary group set on the Windows domain controller and by default it is set to Domain Users. ClearCase will use that primary group unless it is changed on the PDC to another group.

If a group other than Domain Users is required, then the variable CLEARCASE_PRIMARY_GROUP can be set as a user environment variable for each individual user.

Note: DO NOT set this variable as a system variable. It is MANDATORY to remove CLEARCASE_PRIMARY_GROUP if it is set as a system environment variable, as it can cause the system to crash. This environment variable can ONLY be set as a user environment variable.

When the variable CLEARCASE_PRIMARY_GROUP is required

The CLEARCASE_PRIMARY_GROUP variable IS needed under the following conditions.

Note: All other scenarios assume the primary group is not set on the domain controller.
****************************
CHECKOUT/CHECKIN
****************************
1. If the user is a member of the group that owns the object AND they are a member of more than 32 groups, the CLEARCASE_PRIMARY_GROUP variable can be set to that group so they can checkout/checkin.

Note: If the CLEARCASE_GROUPS variable is used instead (as number 3 above suggests), then this statement is not true.

************
MKELEM
************

2. If the VOB is owned by MORE THAN ONE group AND a user is a member of MORE THAN ONE of those groups AND the user’s group list does NOT exceed 32, they need the CLEARCASE_PRIMARY_GROUP variable set in order to create elements in that VOB.
3. If the VOB is owned by MORE THAN ONE group AND a user is a member of MORE THAN ONE of those groups AND the user’s group list DOES exceed 32, they need both the CLEARCASE_PRIMARY_GROUP and CLEARCASE_GROUPS variables set in order to create elements in that VOB.

To view or change environment variables:

  1. Right-click My Computer, and then click Properties.
  2. Click the Advanced tab.
  3. Click Environment variables.
  4. Click one of the following options, for a user variable:
    • Click New to add a new variable name and value.
    • Click an existing variable, and then click Edit to change its name or value.
    • Click an existing variable, and then click Delete to remove it.

When the variable CLEARCASE_PRIMARY_GROUP is not required

The CLEARCASE_PRIMARY_GROUP variable IS NOT needed under the following conditions:
****************************
CHECKOUT/CHECKIN
****************************
1. If the users have their primary group defined on the domain controller.

Note: All other scenarios assume the primary group is not set on the domain controller.

2. If the user is a member of the group that owns an object AND they are NOT a member of more than 32 groups, they can checkout/checkin without the CLEARCASE_PRIMARY_GROUP variable set.

3. If the user is a member of the group that owns an object AND the VOB is owned by MORE THAN ONE group AND the user is a member of MORE THAN ONE of the groups in the VOB's group list, ClearCase will still have no problem (upon checkin the correct group will be used); hence, the CLEARCASE_PRIMARY_GROUP variable does not need to be set.

4. If the user is a member of the group that owns an object AND they are a member of more than 32 groups, the CLEARCASE_GROUPS variable must be set to that group so they can checkout/checkin; hence, the CLEARCASE_PRIMARY_GROUP variable does not need to be set.

************
MKELEM
************

5. If the users have their primary group defined on the domain controller.

Note: All other scenarios assume the primary group is not set on the domain controller.

6. If the VOB is owned by ONE group AND a user is a member of that one group AND the user’s group list does NOT exceed 32, they can create elements in that VOB without the CLEARCASE_PRIMARY_GROUP variable set.

7. If the VOB is owned by MORE THAN ONE group AND a user is ONLY a member of ONE of those groups AND the user’s group list does NOT exceed 32, they can create elements in that VOB without the CLEARCASE_PRIMARY_GROUP variable set.

Introduction to variable CLEARCASE_GROUPS

This variable is used to counteract a limitation of the MVFS whereby any user who is a member of more than 32 Microsoft Windows groups (domain or local) can run into access problems.

Users should set CLEARCASE_GROUPS as a Windows User variable in order to specify which subset of those groups Rational ClearCase should consider when checking the user’s access rights.

If the user environment variable CLEARCASE_GROUPS exists for any user, ClearCase will consider the semicolon-separated list of groups specified in the value of this variable first when determining (or displaying) which groups a user belongs to.

In essence, when you log in to Windows, you receive an Access Token. ClearCase will process these tokens in the order Windows provides them (which is completely random and cannot be configured in any way). ClearCase will stop processing the tokens after 32 groups have been reached. The CLEARCASE_GROUPS variable is the only way to work around this behavior. When the variable is set, ClearCase will look at each group name in the CLEARCASE_GROUPS list in the order the list was written and compare that to the Windows Access Tokens provided. If the group name matches a group in the Windows Access Token, then ClearCase will create a ClearCase Access Token for that group to use.

Note: If the variable lists a group of which the user is no longer a member, that group will be ignored, and the others will all be used in sequence.

When the CLEARCASE_GROUPS variable is exhausted, ClearCase will go back to the Windows Access Token list, and any group that has not already been added to the ClearCase token will be added from the remaining list in the order provided, until all groups in the Windows token are used (if below 32) or the 32 group limit is reached.
Example:

CLEARCASE_GROUPS=DOMAIN\ClearCase Users;DOMAIN\group1;DOMAIN\group5

Note: Review the APAR below for the work around and solution to the problem related to creating a semi-colon separated list.

The list can contain domain or local groups, and need not contain the group specified in CLEARCASE_PRIMARY_GROUP.

If the user is a member of additional groups not specified in CLEARCASE_GROUPS, ClearCase will consider those groups after it has considered the groups listed in CLEARCASE_GROUPS, up to a limit of 32 groups.

Log off Microsoft Windows and log back on to enable the CLEARCASE_GROUPS variable.
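
The ordering described above can be modelled in a few lines to predict which groups fall outside the 32-group limit. This Python sketch is an added example, not IBM or ClearCase code; the function name, the case-insensitive name matching, and the sample token (including the stale DOMAIN\oldteam entry) are assumptions constructed for illustration.

```python
LIMIT = 32  # group limit stated in the post

def effective_groups(token_groups, clearcase_groups="", limit=LIMIT):
    """Return (used, dropped, ignored) under the ordering the post describes.
    Hypothetical model for illustration; not ClearCase's own code."""
    key = lambda name: name.strip().casefold()  # assumption: case-insensitive match
    token = {}
    for group in token_groups:          # keep token order, drop duplicates
        token.setdefault(key(group), group)

    used, seen, ignored = [], set(), []
    # 1. Names from CLEARCASE_GROUPS, in the order the list was written.
    for name in (p.strip() for p in clearcase_groups.split(";")):
        if not name:
            continue
        if key(name) not in token:
            ignored.append(name)        # no longer a member: skipped
        elif key(name) not in seen and len(used) < limit:
            used.append(token[key(name)])
            seen.add(key(name))
    # 2. Remaining token groups, in the order Windows supplied them.
    dropped = []
    for k, group in token.items():
        if k in seen:
            continue
        if len(used) < limit:
            used.append(group)
        else:
            dropped.append(group)       # never reaches the ClearCase token
    return used, dropped, ignored

# Constructed sample: 40 groups, with the VOB's group arriving 38th.
VOB_GROUP = "DOMAIN\\ClearCase Users"
TOKEN = ([f"DOMAIN\\group{i}" for i in range(1, 38)] + [VOB_GROUP]
         + ["DOMAIN\\group38", "DOMAIN\\group39"])
# DOMAIN\oldteam is a constructed stale entry the user no longer belongs to.
SETTING = r"DOMAIN\ClearCase Users;DOMAIN\group1;DOMAIN\group5;DOMAIN\oldteam"

if __name__ == "__main__":
    for label, value in (("unset", ""), ("set", SETTING)):
        used, dropped, ignored = effective_groups(TOKEN, value)
        print(f"CLEARCASE_GROUPS {label}: VOB group used={VOB_GROUP in used}, "
              f"dropped={len(dropped)}, ignored={ignored}")
```

With the variable unset, the VOB's group lands among the eight dropped groups in this sample; listing it in CLEARCASE_GROUPS moves it to the front of the list that is considered.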
