by Rob Mohr
Do you have the “Admin Trigger” installed and running in your AccuRev environment? I hope so!
The “Admin Trigger” is the best way for you to restrict those non-ACE’d (AccuRev Certified Engineer) users from wreaking havoc on the process you’ve meticulously designed and implemented for your organization. Make sure you lock it down! It’s really simple to do!
Now, I’m not talking about taking flexibility away from your developers, they’ll need to control certain aspects of the process too. It’s up to you where the line is drawn in the stream hierarchy and the Admin Trigger is the chalk.
The equator is commonly established on the integration stream. Since the globe in this case is AccuRev, the line of demarcation runs north and south. To the West (upstream from integration), ACE’rs set the rules on workflow, code promotion, stream configurations, and general access control. To the East (downstream from integration), developers and development teams are free to make their own decisions to best support their process, products, projects, components, patches, bug fixing and development activities.
Have you read the private prototyping or stream-per-task blogs by Dave Thomas? These are good examples of how dev teams and developers control how their activities are organized using streams while adhering to the overall enterprise software development life cycle (SDLC).
The Admin Trigger is a simple if-then-else perl script that fires on the server whenever certain commands are executed. Out-of-the-box, the script restricts “admin type” commands such as creating users, groups, depots, etc without needing additional customization.
@cmdlist = qw/mkuser chref chdepot chslice lsacl addmember
rmmember mkgroup mkdepot mktrig rmtrig
setacl write_schema/;
# is the user command in the above list?
if (grep $_ eq $command, @cmdlist) {
...
The admin type commands are typically global in nature, meaning, that a single Admin group is granted permission for these commands. Stream creation has a more granular scope allowing different groups to control their development process and stream management capabilities.
Simply list the streams in the trigger that only Admins have the ability to “manage.” By default, other streams not listed are managed by the development teams themselves. There are 2 sections in the trigger to set this up depending upon the commands to control.
Restricts: lock, unlock, chstream, incl, excl, incldo
$admin_stream{"replace_with_admin_stream"} = 1;
$admin_stream{"replace_with_admin_stream"} = 1;
$admin_stream{"replace_with_admin_stream"} = 1;
...
Restricts: mkstream, mkws
$basis_stream_deny{"replace_with_basis_stream_to_deny"} = 1;
$basis_stream_deny{"replace_with_basis_stream_to_deny"} = 1;
$basis_stream_deny{"replace_with_basis_stream_to_deny"} = 1;
...
Inside the trigger logic, each command is evaluated and will allow the operation to complete or not.
For example, the following section validates the “mkstream” command:
if ($command eq "mkstream") {
...
# only a user listed as an administrator can create a new stream
# based on an existing stream in the "basis_stream_deny" list
if ( defined($basis_stream_deny{$stream2}) and `$::AccuRev ismember $principal "$admingrp"` == 0 ) {
print TIO "Basing a new stream on existing stream '$stream2' disallowed:\n";
print TIO "server_admin_trig: You are not in the $admingrp group.\n";
close TIO;
exit(1);
}
}
There are other facilities in AccuRev to control the process and workflow too. Stream Locks grant users/groups the ability to promote to and from streams and Access Control Lists (ACLs) grant access to entire depots and subhierarchies. Setting up these security measures combined with the Admin Trigger provide your organization with the flexible and granular security model it needs for the optimum development process.
Drop me a note and let me know the creative ways you’re using the Server Admin Trigger.
