About the CLEARCASE_PRIMARY_GROUP variable

Technote (FAQ)


Question

This technote explains what the IBM® Rational® ClearCase® variable CLEARCASE_PRIMARY_GROUP is used for on Microsoft® Windows® and under what circumstances it is needed.

Answer


ClearCase objects (files, directories, metadata ...) must be assigned an owner and a group at creation time.

In any given Windows environment, users are typically members of more than a single group.

If ClearCase has to create a new object, the albd server process needs to know which group should have access to that new object.

Each user has a primary group set on the Windows domain controller and by default it is set to Domain Users. ClearCase will use that primary group unless it is changed on the PDC to another group.

  • See technote 1125331 for more information on how the primary group impacts clients using the ClearCase Web Interface (CCWeb).
  • See technote 1231082 for more information on how the primary group impacts clients using the ClearCase Remote Client (CCRC).

If another group other than Domain Users is required, then the variable CLEARCASE_PRIMARY_GROUP can be set as a user environment variable for each single user.

Note: DO NOT set this variable as a system variable. It is MANDATORY to remove the CLEARCASE_PRIMARY_GROUP when set as a system environment variable as it can cause the system to crash. This environmental variable can ONLY be set it as a user environment variable.


Refer to the IBM Rational ClearCase Information Center under the topic of Setting the Rational ClearCase primary group for further information about how to set or change the CLEARCASE_PRIMARY_GROUP environment variable.

VALUE

The value of this variable is set to any group in your Windows domain to which you are a member.


You can set value using one of three methods:

  • Domain qualified group name (recommended)

  • Group name


  • SID (only used for special circumstances involving Domain migrations)

ClearCase will use the specified group as defined by the variable but only during element creation.

For all other commands like checkout or checkin the variable is not used.

Below are some examples to help illustrate the use of the variable (when it is used and when it is not).



In a Windows ONLY environment (VOBs and views on Windows) the following is true:

See technote 1132158 for more information on how the variable requirements change when the VOBs are on UNIX®.

VARIABLE NOT REQUIRED:

The CLEARCASE_PRIMARY_GROUP variable IS NOT needed under the following conditions:


****************************
CHECKOUT/CHECKIN
****************************
1. If the users have their primary group defined on the domain controller.

Note: All other scenarios assume that the primary group is not set on the domain controller.

2. If the user is a member of the group to which an object is owned AND they are NOT a member of more than 32 groups, they can checkout/checkin without the CLEARCASE_PRIMARY_GROUP variable set.



3. If the user is a member of the group to which an object is owned AND if the VOB is owned by MORE THAN ONE group AND the user is a member of MORE THAN ONE of the groups in the VOBs group list, ClearCase will still have no problem (upon checkin the correct group will be used); hence, the CLEARCASE_PRIMARY_GROUP variable does not need to be set.



4. If the user is a member of the group to which an object is owned AND they are a member of more than 32 groups, the CLEARCASE_GROUPS variable must be set to that group so they can checkout/checkin; hence, the CLEARCASE_PRIMARY_GROUP variable does not need to be set. See technote 1124574 for more information on the CLEARCASE_GROUPS variable.

************
MKELEM
************

5. If the users have their primary group defined on the domain controller.

Note: All other scenarios assume the the primary group is not set on the domain controller.

6. If the VOB is owned by ONE group AND a user is a member of that one group AND the user's group list does NOT exceed 32, they can create elements in that VOB without the CLEARCASE_PRIMARY_GROUP variable set.



7. If the VOB is owned by MORE THAN ONE group AND a user is ONLY a member of ONE of those groups AND the user's group list does NOT exceed 32, they can create elements in that VOB without the CLEARCASE_PRIMARY_GROUP variable set.



VARIABLE REQUIRED:

The CLEARCASE_PRIMARY_GROUP variable IS needed under the following conditions.

Note: All other scenarios assume that the primary group is not set on the domain controller.


****************************
CHECKOUT/CHECKIN
****************************
1. If the user is a member of the group to which the object is owned AND they are a member of more than 32 groups, the CLEARCASE_PRIMARY_GROUP variable can be set to that group so they can checkout/checkin.

Note: If the CLEARCASE_GROUPS variable is used instead (as number 3 above suggests), then this statement is not true.

************
MKELEM
************

2. If the VOB is owned by MORE THAN ONE group AND a user is a member of MORE THAN ONE of those groups AND the user's group list does NOT exceed 32, they need the CLEARCASE_PRIMARY_GROUP variable set in order to create elements in that VOB.


3. If the VOB is owned by MORE THAN ONE group AND a user is a member of MORE THAN ONE of those groups AND the user's group list DOES exceed 32, they need the CLEARCASE_PRIMARY_GROUP & CLEARCASE_GROUPS variable set in order to create elements in that VOB.


TROUBLESHOOTING:
Here are some related technotes to problems where the CLEARCASE_PRIMARY_GROUP variable was set incorrectly:

  • Technote 1123759 describes a memory reference error caused by the CLEARCASE_PRIMARY_GROUP being set as a system variable.
  • Technote 1149989 describes an issue where users receive "access denied" errors accessing files from Windows Explorer but not from Command Prompt or ClearCase Explorer.
  • Technote 1127717 describes an MVFS audit problem while using clearmake.
  • Technote 1122432 describes a problem where the creds utility reports "can't get primary gid".
  • Technote 1148970 describes a problem creating ClearCase views or VOBs with an error "unable to translate unix gid -1 to NT SID" because the variable was not set correctly.
  • Technote 1150717 describes a problem where users can't create a new view and receive the error Unable to create security descriptor the security id structure is invalid.

Related information

About ClearCase permissions on Windows
MVFS limitation on the number of ClearCase groups
Differences for cleartool mkelem on Windows and UNIX
Incorrect syntax on pages 332 and 333
SID filtering and CLEARCASE_PRIMARY_GROUP conflict
Primary Group defaults to Domain Users
About the CLEARCASE_GROUPS variable
A Japanese translation is available
A Korean translation is available


Cross reference information
Segment Product Component Platform Version Edition
Software Development Rational ClearCase Environment Variables

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

Rational ClearCase
Environment Variables

Software version:

7.0, 7.0.1, 7.1, 7.1.1, 7.1.2

Operating system(s):

Windows

Reference #:

1135509

Modified date:

2010-03-25

Translate my page

Machine Translation

Content navigation