1

we are using ClearCase here (version 7.0.1), and the ClearCase WebServer is installed on a box different from the ClearCase VOBs and Views servers.

The box used is also hosting another application and audit/IT security here have questionned the fact that the Clearcase administration account (which is a generic account, even if I am the only one knowing the password) is also a local Admin account on the Windows box (the box is a Windows 2003 SP2 Server).

I would think that as I may need to do ClearCase upgrades on the Server, I need admin rights on this box (but I am not even so sure, as everything is eclipse-based in "web" ClearCase), but that can probably be done under my own name.

OTOH, they may be ClearCase actions (Web views administration ?) that may require being the clearcase administrator with privileged access on the box.

All in all, I am not sure at all, I will probably contact IBM to ask them but I thought I would asked here as well.

Cheers,

Thomas

PS: I was not sure to ask this question on SO or SF. But as this has nothing to do with source code management, but everything to do with managing the ClearCase application servers themselves, I choose it to be my first SF question. :-D

Thomas Corriol
  • 219
  • 1
  • 5
  • 1
    Actually source code management is something I consider a perfectly valid for system administration. Overall I guess we have to deal with more source code (in terms of diversification) than most developers. All larger projects I've seen try hard to use as few languages as possible to ease up code maintenance, opposed to administration where unfortunately you often find a multitude of different scripting languages – Martin M. Jun 10 '09 at 11:02
  • could you tag your question as 'clearcase'? – VonC Aug 04 '09 at 14:29
  • There was no clearcase tag when I wrote the question. I will re-tag if I can. :) – Thomas Corriol Aug 24 '09 at 19:33

1 Answers1

2

I received the following answer from IBM today:

None of the clearcase accounts requires admin privileges. There are some ClearCase commands that need admin privileges but they can be executed by any user that has both ClearCase admin privileges and OS admin privileges.

However there are cases where machines are setup in a way that it is much easier to give certain accounts admin privileges than making sure all directories they need to access have the correct ACLS.

So if your auditers don't like the fact that the ccadmin has OS admin privileges and is known to multiple people then you can make the individual accounts of those people OS administrator and ClearCase privileged user. Of course if these users are using ClearCase on a daily basis and not just for administrative tasks then I am not sure that solution is better from a security point of view compared to having a shared admin account. Any mistake they would make during their daily work would never be stopped based on permissions.

So I will separate the two, then.

Thomas Corriol
  • 219
  • 1
  • 5