Friday 5 November 2010

Allowing Non-Super Users to Add User Accounts

I want to delegate responsibility for creating and managing user access, but I do not want to give too many people "super" access to Perforce. Is there any way I can limit some users to only create users? How do they deal with protections?

By creating groups and assigning group owners you can give some Perforce users the ability to create and manage users, without giving them super access. Users can modify any group they own, allowing them to add users to these groups. This allows the super users to create standard protection levels for those groups, while allowing group owners the ability to create new users.

Note: Group ownership is available in Perforce server versions 2007.3 and later.

Here is a simplified protections table for this example:

read group read_users * //...write group write_users * //...read group foo_project_reviewers * //depot/foo/...write group foo_project_devs * //depot/foo/...read group bar_project_reviewers * //depot/bar/...write group bar_project_devs * //depot/bar/...super group super_users * //...

Assume the following 4 prospective group owners:

group_admin - all groups (except super)foo_admin - foo project groupsbar_admin - bar project groups

A user needs read only access to all of Perforce. User group_admin edits the read_users group with the command:

p4 group -a read_users

Note: The -a flag allows group owners to edit the group and add a user ("bill" in this case) to the group "Users" field, and saves the group.

The same user can auto-create a user with the command:

p4 user -o bill | p4 -u bill user -i

This generates the message:

User bill not changed.

The redirect is necessary to allow the non-super user to create the user -- otherwise the user would auto-create the first time someone tried to login as that user.

To set the user's password the group_admin can simulate a login of that user:

p4 -u bill login

If the security counter is set to 0 (zero), the message returned would be:

'login' not necessary, no password set for this user.

The group_admin can use the p4 passwd command to set that users password:

p4 -u bill passwd

A more common occurrence is that the security counter is set to 1 or higher -- in this case, attempting to login a user without a password will force the user to update the password. The "group_admin" user should do this immediately to avoid anyone other than the user the account was intended for from accessing the new user account.

All of the group owners have this capability for their respective groups -- once the user has been added to all of the appropriate groups, any of the group owners can create the user using this method.

This approach allows group owners to administer the group membership, create users, and control access to their sections of the depot without ever changing, or even looking at, the protections table.

Note: Any group owner can also add any user as a group owner. However, if this is a concern, it is not difficult to put a trigger in place that prevents the group ownership from ever changing unless a member of the super_users group performs the change.


View the original article here

No comments:

Post a Comment