Security scenarios

There are many ways to configure the security permissions for your UVCS repositories. The following instructions explain how to configure permissions for specific scenarios through the Unity DevOps Version Control desktop application.

For information on how to create user groups and set permissions through the Unity Cloud Dashboard, refer to Manage users.

Change the owner of your repository server

For security, you need to remove the ALL USERS group so that not every user has all permissions granted. To remove the group, you first need to set an owner or administrator to replace it.

  1. In the repository view, right-click on the repository and select Repository server permissions.
  2. Next to the Owner, select the Change… button.
  3. Search for the user you want to be the administrator and select OK.
  4. Select the Add… button.
  5. Search for the user you want to be the administrator and select OK. This automatically gives the user all permissions.
  6. Select the ALL USERS group and select the Remove button.

This leaves the administrator as the only authenticated user in the system.

Deny permission to delete a repository

Prevent a group or user from being able to delete a repository. For example, you can ensure that any user in the Consultants group can’t delete repositories.

  1. In the Repository server permissions window, select Add….
  2. Select the group that you want to prevent from deleting repositories and select OK.
  3. Select the Denied checkbox for the rmrepository (remove repository) permission.
  4. Select OK to apply the new permission.

Only allow read and view access to a repository

Give a development group read access to a repository that they are not directly assigned to.

  1. In the Repositories view, right-click the repository and select Permissions.
  2. Select Add… and select the group to add to the repository.
  3. Select Deny All to remove all permissions.
  4. Select the Allowed checkbox for the read and view permissions.

Deny permission to modify specific items

Prevent a group from being able to change anything within a specific folder in a repository. For example, you can restrict access to the system source code for non-developers such as testers.

  1. In the repository view, right-click the repository and select Path permissions.
  2. Above the Path panel, select the Add… button to create a new secured path.
  3. Either type the path of the folder or select Browse to select the folder.
  4. Select OK.
  5. Above the Users and groups panel, select the Add… button.
  6. Select the group that you want to restrict access for and select OK.
  7. Select the Denied checkbox for the ci (check in) permission.
  8. Select OK.

Deny permission to modify specific items on certain branches

Prevent a group from being able to change any item in a specific folder on specific branches. For example, you might want to prevent non-developer access to any script directory on your main, development and release branches.

  1. In the repository view, right-click the repository and select Path permissions.
  2. Above the Path panel, select Add… to add a secured path.
  3. Type the relative path associated with the folder you want to restrict access to. For example, script/.
  4. Select the Configure branches after creating path checkbox and select OK.
  5. In the Branches window, select Browse to select the branches that you want the permissions to apply to.
  6. Select OK. You can optionally enter an identification tag for these branches before you select OK again to add the secured path.
  7. Above the Users and groups panel, select Add….
  8. Select the group that you want to restrict access for and select OK.
  9. Select the Denied checkbox for the ci (check in) permission.

Deny permission to modify specific branches

Prevent any user in a specific group from being able to modify any item on a specific branch. For example, your project manager might want to restrict changes in the development branch to specific approved groups.

  1. In either the Branches or Branch Explorer window, right-click the branch and select Permissions.
  2. Select the Add… button and select the group(s) that you don’t want to be able to change the branch.
  3. Select OK.
  4. Select the Denied checkbox for the ci (check in) permission and select OK.

Provide only read and view permissions for a branch

Allow a group to read a branch, but not modify it in any way. For example, you might want to allow developers read access on a release branch but prevent any breaking changes.

  1. In either the Branches or Branch Explorer window, right-click the branch and select Permissions.
  2. Select the Add… button and select the group that you don’t want to be able to change the branch.
  3. Select OK.
  4. Select Deny All to remove all permissions.
  5. Select the Allowed checkbox for the read and view permissions and override them.

Only allow users to modify items under a specific path

Ensure a user can’t modify items except those under a specific path. For example, you might not want a new team member to be able to modify anything except a specific approved path.

Grant every group read access to the root of the path

  1. In the Repositories view, right-click the repository and select Path permissions.
  2. Above the Path panel, select Add….
  3. Enter / as the path and select OK.
  4. Above the Users and groups panel, select Add….
  5. Select the groups to have read access to the root of the path and select OK.

Create secure path and grant only a specific group read access

  1. Above the Path panel, select Add….
  2. Enter the path that you want to restrict to one group and select OK.
  3. Above the Users and groups panel, select Add….
  4. Select the group you want to give read access to the path and select OK.
  5. Above the Users and groups panel, select Add….
  6. Select any groups that you don’t want to have access to this path and select OK.
  7. Deselect the Allowed checkbox for the read permission and select Override. Leave the Denied checkbox empty.

Grant read access to only a particular subdirectory

Grant a group access to a specific subdirectory, but not the entire directory tree. For example, you might want to allow a tester group to be able to read only a specific subdirectory and keep the rest of the directory private.

Deny the group all permissions for the root of the path

  1. In the Repositories view, right-click the repository and select Path permissions.
  2. Above the Path panel, select Add….
  3. Enter / as the path and select OK.
  4. Above the Users and groups panel, select Add….
  5. Select the group you want to restrict access for and select OK.
  6. Select Deny All to remove all permissions.

Override and allow the read permission for a specific subdirectory path

  1. Above the Path panel, select Add….
  2. Enter the path that you want to give read access for and select OK.
  3. Above the Users and groups panel, select Add….
  4. Select the group you want to give read access to the path and select OK.
  5. Make sure the Denied checkbox for the read permission is empty and select Override.

Deny read access to items on specific branches

Restrict read access to certain paths so some parts of your repository aren’t visible to certain users. For example, you might want to make sure the user can’t update your script folder in the dev and release branches.

  1. In the repository view, right-click the repository and select Path permissions.
  2. Above the Path panel, select Add… to add a secured path.
  3. Type the relative path associated with the folder you want to restrict access to. For example, script/.
  4. Select the Configure branches after creating path checkbox and select OK.
  5. In the Branches window, select Browse to select the branches that you want the permissions to apply to.
  6. Select OK. You can optionally enter an identification tag for these branches before you select OK again to add the secured path.
  7. Above the Users and groups panel, select Add….
  8. Select the user that you want to restrict access for and select OK.
  9. Select the Denied checkbox for the read permission and override the Allowed permission.

Deny read access to a specific path

Restrict read access to a path so that a user can’t see changes in that path. For example, you can ensure that when a user runs a diff, they can’t see changes in a secure path.

If a user doesn’t have read access to a path, and someone makes changes to a branch that they can’t see, the user can’t merge that branch.

Users can’t view the content of any revisions under a path that they don’t have read permission for.

  1. In the repository view, right-click the repository and select Path permissions.
  2. Above the Path panel, select Add… to add a secured path.
  3. Type the relative path that you want to restrict access to and select OK.
  4. Above the Users and groups panel, select Add….
  5. Select the user that you want to remove read access for and select OK.
  6. Select the Denied checkbox for the read permission and override the Allowed permission.

Deny permission to add new lock rules to a repository

Ensure that a group can’t add new lock rules to a specific repository. For example, you can make sure that a tester group can’t change lock rules to prevent errors in a repository.

Note: The configlocks permission controls access to the Lock and Checkout feature in UVCS and Gluon. You need server version 8.0.16.3361 or higher.

Remove repository server permission to edit lock rules

  1. In the repository view, right-click on the repository and select Repository server permissions.
  2. Select Add… and select the group that you don’t want to be able to add lock rules.
  3. Select OK.
  4. Select the Denied checkbox for the configlocks permission.

Add permission to edit lock rules for a specific repository

  1. In the repository view, right-click on the repository and select Permissions.
  2. Select the group that you want to allow to edit lock rules.
  3. Select the Allowed checkbox for the configlocks permission and override the Denied checkbox.

Use the command line to secure repositories

This scenario applies when you have multiple repositories in your organization and want a different group to have permission to view and use each one. For example, you might have a core group, an art group, and a doc group, each of which should only be able to access its corresponding repository: Core, Art, or Doc.

In the web portal, you need to add the groups that you want to use. For example, Core_group, Art_group, and Doc_group. You can then add users to their corresponding groups.

Note: For information on how to create a group, refer to Manage users.

In the command line:

  1. Set a valid Owner for your repository server.
    cm setowner -user=<Username> repserver:<example_uvcs_server@cloud>
  2. Remove the Developers group from the remote Access Control List (ACL) to prevent default access to all repositories for new developers.
    cm acl -group=Developers -allowed=-all -denied=-all repserver:<example_uvcs_server@cloud>
  3. Allow a specific group access to a specific repository.
    cm acl -group=<GroupName> -allowed=+all rep:<Core@example_uvcs_server@cloud>

For example, you can set the following permissions:

  • cm acl -group=Core_group -allowed=+all rep:Core@example_uvcs_server@cloud
  • cm acl -group=Art_group -allowed=+all rep:Art@example_uvcs_server@cloud
  • cm acl -group=Doc_group -allowed=+all rep:Doc@example_uvcs_server@cloud

These permissions ensure that the Core_group users can access and use the Core repository, but can’t view the Art or Doc repositories. The same applies to the Art_group and Doc_group accordingly.
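
The three command-line steps above as a dry-run plan generator. This is an added example, not Unity's own tooling: it prints the cm commands in the required order and refuses to produce the plan when no owner is given, since removing default access without an owner could lock everyone out. The function names, the admin_user owner and the name character check are assumptions of this example; the cm commands and flags are the ones shown above.

```shell
#!/bin/sh
# Added example: dry-run plan for the three steps above. Prints the cm
# commands by default and runs them only when APPLY=1 is set.

valid_name() {   # group/repository names: no '@', spaces or shell metacharacters
    case "$1" in ""|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}
valid_spec() {   # owner and server: same check, but '@' is allowed
    case "$1" in ""|*[!A-Za-z0-9_.@-]*) return 1 ;; esac
}

# build_plan SERVER OWNER GROUP:REPO...
# Order matters: owner first, then default-group removal, then the grants.
build_plan() {
    server=$1; owner=$2; shift 2
    valid_spec "$server" || { echo "error: bad server '$server'" >&2; return 1; }
    # Removing default access with no owner set could lock everyone out.
    valid_spec "$owner" || { echo "error: a valid owner is required" >&2; return 1; }
    # Validate every pair before printing, so a bad entry yields no partial plan.
    for pair in "$@"; do
        group=${pair%%:*}; repo=${pair#*:}
        if [ "$group" = "$pair" ] || ! valid_name "$group" || ! valid_name "$repo"; then
            echo "error: bad GROUP:REPO pair '$pair'" >&2; return 1
        fi
    done
    echo "cm setowner -user=$owner repserver:$server"
    echo "cm acl -group=Developers -allowed=-all -denied=-all repserver:$server"
    for pair in "$@"; do
        echo "cm acl -group=${pair%%:*} -allowed=+all rep:${pair#*:}@$server"
    done
}

run_plan() {
    plan=$(build_plan "$@") || return 1
    if [ "${APPLY:-0}" = "1" ]; then
        # Names were validated above, so word splitting of $line is safe here.
        echo "$plan" | while IFS= read -r line; do $line || exit 1; done
    else
        echo "$plan"
    fi
}

# Constructed sample values (admin_user is hypothetical).
run_plan example_uvcs_server@cloud admin_user \
    Core_group:Core Art_group:Art Doc_group:Doc
```

Review the printed plan before setting APPLY=1, and confirm the owner account can sign in first.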