Posts Tagged ‘AccuRev triggers’

Security Primer – Anatomy of the AccuRev Admin Trigger

March 27th, 2009 by rmohr
Share|

by Rob Mohr

Do you have the “Admin Trigger” installed and running in your AccuRev environment?  I hope so!

The “Admin Trigger” is the best way for you to restrict those non-ACE’d (AccuRev Certified Engineer) users from wreaking havoc on the process you’ve meticulously designed and implemented for your organization.  Make sure you lock it down!  It’s really simple to do!

Now, I’m not talking about taking flexibility away from your developers, they’ll need to control certain aspects of the process too.  It’s up to you where the line is drawn in the stream hierarchy and the Admin Trigger is the chalk.

The equator is commonly established on the integration stream.  Since the globe in this case is AccuRev, the line of demarcation runs north and south.  To the West (upstream from integration), ACE’rs set the rules on workflow, code promotion, stream configurations, and general access control.  To the East (downstream from integration), developers and development teams are free to make their own decisions to best support their process, products, projects, components, patches, bug fixing and development activities.

Have you read the private prototyping or stream-per-task blogs by Dave Thomas?  These are good examples of how dev teams and developers control how their activities are organized using streams while adhering to the overall enterprise software development life cycle (SDLC).

The Admin Trigger is a simple if-then-else perl script that fires on the server whenever certain commands are  executed.  Out-of-the-box, the script restricts “admin type” commands such as creating users, groups, depots, etc without needing additional customization.

 @cmdlist = qw/mkuser chref chdepot chslice lsacl addmember
                  rmmember mkgroup mkdepot mktrig rmtrig
                  setacl write_schema/;
    # is the user command in the above list?
    if (grep $_ eq $command, @cmdlist) {
    ...

The admin type commands are typically global in nature, meaning, that a single Admin group is granted permission for these commands.  Stream creation has a more granular scope allowing different groups to control their development process and stream management capabilities.

Simply list the streams in the trigger that only Admins have the ability to “manage.”  By default, other streams not listed are managed by the development teams themselves.  There are 2 sections in the trigger to set this up depending upon the commands to control.

Restricts: lock, unlock, chstream, incl, excl, incldo

    $admin_stream{"replace_with_admin_stream"} = 1;
    $admin_stream{"replace_with_admin_stream"} = 1;
    $admin_stream{"replace_with_admin_stream"} = 1;
    ...

Restricts: mkstream, mkws

    $basis_stream_deny{"replace_with_basis_stream_to_deny"} = 1;
    $basis_stream_deny{"replace_with_basis_stream_to_deny"} = 1;
    $basis_stream_deny{"replace_with_basis_stream_to_deny"} = 1;
    ...

Inside the trigger logic, each command is evaluated and will allow the operation to complete or not.

For example, the following section validates the “mkstream” command:

if ($command eq "mkstream") {
...
 # only a user listed as an administrator can create a new stream
 # based on an existing stream in the "basis_stream_deny" list
 if ( defined($basis_stream_deny{$stream2}) and `$::AccuRev ismember $principal "$admingrp"` == 0 ) {
   print TIO "Basing a new stream on existing stream '$stream2' disallowed:\n";
   print TIO "server_admin_trig: You are not in the $admingrp group.\n";
   close TIO;
   exit(1);
  }
}

There are other facilities in AccuRev to control the process and workflow too. Stream Locks grant users/groups the ability to promote to and from streams and Access Control Lists (ACLs) grant access to entire depots and subhierarchies.  Setting up these security measures combined with the Admin Trigger provide your organization with the flexible and granular security model it needs for the optimum development process.

Drop me a note and let me know the creative ways you’re using the Server Admin Trigger.

No comments »

Posted in AccuRev, Best Practices, Tips and Tricks

Tags:

AccuRev admin tricks – SCM law enforcement

March 12th, 2008 by jtalbott
Share|

Here’s an AccuRev Tech Tip you might not have been aware of to help with your software configuration management law enforcement. As you know, the AccuRev TimeSafe architecture guarantees that every single transaction ever executed is going to be fully traceable, a blessing to those who care about auditing, perhaps regulatory compliance, or even just wanting to be able to see who has been up to what.

But what if you want to know what has *not* been done? Huh? What the heck am I talking about? I’m actually referring to commands that are not executed because you’ve put security in place to prevent them. So even though the offending users don’t get their way, perhaps someone might want to know who is trying to upset the apple cart or merely have the ability to apprise the user of organizational best practices.

One way to do this is through email. Let’s say you’re implementing the default set of commands that AccuRev limits to Administrative users, and someone unauthorized tries to create a new user. Put the following into the proper place in the server_admin_trig trigger:


  if ( `$::AccuRev ismember $principal "$admingrp"` == 0 ) {
       print TIO "Execution of '$command' disallowed:\n";
       print TIO "You are not in the $admingrp group.\n";
       system("simple_email", $arg1, $arg2);  # insert this line #
       close TIO;
       exit(1);
  }

Now, whenever someone who isn’t allowed tries to create a user, you can get a nice email that says:

To: anyone_who_cares
Subject: AccuRev alert
Body: User “jtalbott” tried to run the “mkuser” command. That’s 10 demerits. Put him on double-secret probation!

…or something similarly amusing. What you’re basically doing is sending your desired parameters into the simple_email script. You can write your simple_email script using whatever language you want, as long as it’s accessible in the local path, and naturally it would be reusable. Now, for virtually any operation in AccuRev that you want to know about, whether you want to know if it succeeds or fails, you can get notified about it. You’re certainly not limited to email either. simple_email could send text messages, page someone, basically any form of communication you prefer that can be coded.

It really is that easy. I highlighted a certain example, but there are many practical applications. How do you think you would be able to take advantage of this in your organization? Or if you’re already doing it, what kind of things are you communicating?

1 comment »

Posted in Tips and Tricks

Tags: