SnapshotCM News - Simplifying CM, Expanding Possibilities

SnapshotCM Tips and Tricks

Q: What options does SnapshotCM provide to restrict access to certain files?

A: SnapshotCM provides a couple of options, depending on how the restricted files are organized. But first, a primer on file access control in SnapshotCM.

File Access Control Primer

File read and write access is primarily controlled by the file ACL and the snapshot ACL together. Only when both grant an access (read or write) is the access granted to the user. Since the file ACL defaults to granting everyone:RW, the default is to effectively delegate access control to the snapshot. This allows high-level control for the most common situations.

In addition, all file accesses must go through a project and one or more snapshots, all of which must enable view access. The administrator ACL also grants override access, but that fact will be ignored for the remainder of this article.

File Access Control Options

  1. If the files to be controlled can be placed into their own project, then you can use the project and/or snapshot ACLs to control access to the project contents:

    1. To prevent users from viewing (and thus reading or writing) files, restrict view access to the project using the project ACL. This provides a single point of control to restrict who is allowed to view the contents of the project.

    2. To allow viewing the project contents, but restrict reading or writing access, enable view access to the project and snapshots, but also set the read and write permissions on all snapshots within the project.

      The easiest way to set the project and its snapshots' ACLs is by using the cmacl command with the recursive option. You can achieve the same effect using the GUI by setting the project and initial snapshot ACLs at create time before creating additional snapshots. Then new snapshots will inherit their ACL from their parent and automatically be set appropriately.

    Important note: In both of these options, be certain to restrict who can create child snapshots, because a newly created child snapshot grants all access to the user creating it. If you don't want users to be able to see project files, then don't allow them to create a child snapshot!

  2. If the files to be restricted are part of a larger project which cannot be restricted as a whole, then use the file ACL to control access. A file's ACL controls who is allowed to read or write the contents of that file. It applies to all revisions of the file, and is independent of the snapshot through which the access is requested.

    The easiest way to set the ACLs on a large number of files is to use the cmacl command. Otherwise, a file ACL can be viewed and modified by selecting File->Properties in the Workspace Browser.

    If the files to be restricted are isolated to one or more directories which contain only restricted files, the directory ACL can be set to provide an access control default for new items created in that directory.

    Note: If a file cannot be read, but is included in the working set, a workspace update will give read errors. To avoid this, simply exclude the item from the working set.

We recommend creating groups for the desired accesses, and using those groups in the file, project and snapshot ACLs. Then group membership controls access and avoids the need to edit many ACLs to add or remove users as roles change.

The best solution for you will depend on your particular situation. Generally, options 1a and 2 have the fewest pitfalls where unexpected access might be granted. We recommend testing your configuration for compliance to ensure you have not missed something.
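
To reason about a configuration before testing it, the rules above can be modeled in a few lines. The following Python sketch is an added example, not SnapshotCM code: the V/R/W permission letters, the rule that any matching ACL entry grants, and the user and group names are assumptions made for illustration, and the administrator override is ignored as in the article.

```python
# Added illustration: a toy model of the rules in this article, not SnapshotCM code.
# Assumptions: permission letters V/R/W, an "everyone" entry, any matching entry grants.
EVERYONE = "everyone"
DEFAULT_FILE_ACL = {EVERYONE: "RW"}          # default stated in the primer

def grants(acl, user, groups, perm):
    """True if any ACL entry matching the user (name, group, everyone) has perm."""
    names = {user, EVERYONE} | {g for g, m in groups.items() if user in m}
    return any(perm in acl.get(n, "") for n in names)

def effective_access(user, groups, project_acl, snapshot_path, file_acl):
    """Permissions ('R'/'W') a user holds on a file reached via snapshot_path.

    snapshot_path lists the ACLs of every snapshot the access goes through;
    the last entry is the snapshot being accessed.
    """
    # View must be enabled on the project and on every snapshot on the path.
    if not all(grants(a, user, groups, "V") for a in [project_acl, *snapshot_path]):
        return set()
    # Read/write needs BOTH the file ACL and the snapshot ACL to grant it.
    return {p for p in "RW" if grants(file_acl, user, groups, p)
            and grants(snapshot_path[-1], user, groups, p)}

def create_child_snapshot(parent_acl, creator):
    """Child inherits the parent's ACL; the creator is granted all access."""
    return {**parent_acl, creator: "VRW"}

def audit():
    """Constructed scenario: 'bob' is outside the hypothetical 'payroll' group."""
    groups = {"payroll": {"alice"}}
    project = {EVERYONE: "V"}
    main = {EVERYONE: "V", "payroll": "VRW"}       # option 1b style snapshot ACL
    child = create_child_snapshot(main, "bob")     # bob was allowed to create it
    locked_file = {"payroll": "RW"}                # option 2 style file ACL
    hidden = {"payroll": "V"}                      # option 1a style project ACL
    d = DEFAULT_FILE_ACL
    return {
        "alice_main": effective_access("alice", groups, project, [main], d),
        "bob_main": effective_access("bob", groups, project, [main], d),
        "bob_child": effective_access("bob", groups, project, [main, child], d),
        "bob_child_locked": effective_access("bob", groups, project, [main, child], locked_file),
        "bob_hidden_project": effective_access("bob", groups, hidden, [main, child], d),
    }

if __name__ == "__main__":
    for case, perms in audit().items():
        print(f"{case:20} {''.join(sorted(perms)) or '-'}")
```

The `bob_child` case is the pitfall from the important note: with the default file ACL, creating a child snapshot is enough to gain read and write access, while a restrictive file ACL (option 2) or project ACL (option 1a) still denies it.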

© 2007 True Blue Software Company. All rights reserved.