Despite having scoured the SAP documentation on the subject (of which there is quite a lot) I am unable to work with permissions in the DTR like suggested.
They simply do not function as expected or required. This is a JDI 7.3.08 system. This is NOT a question on HOW to set permissions in the DTR - I can do that no problem - this is question of how those permissions actually work.
For example .....
lets assume I have a structure a bit like the following ...
/
/ DC A
/ DC B
/ system
/ DC C
Now as I understand it ... for /
I need to set (as a minimum) <All Users> with read permissions. Additionally I would almost certainly like to add NWDI.Administrators with ALL access. These permissions will then be inherited down the tree as expected.
Fundamentally when I go to do development in ANY of the DCs as long as my working user ID has NWDI.Administrators group (from UME) - all is well. I can checkin / checkin / activate and so on without a problem.
This is good providing I completely ignore ANY security restrictions that might be required. Up to this point - things are pretty much as I'd expect. If I was to remove NWDI.Administrators everything becomes read only.
Now the minute I want to restrict access in a more secure way - to be honest im not sure what to do. When I remove <All.Users> from the / node - everything pretty much stops working. But this is not a problem I think because I am going to add a specific group privilege to my DC A for example to allow read / write / checkin .....
So I do that - still nothing - in fact I cannot even import a DC now - NWDS throws import errors. So I add <All.Users> with read to the /system folder - still nothing.
Surely there is something fundamentally wrong here ?
If I then revert back to <All.Users> read at / I can import DCs but cannot write / checkin and so on as before - even though my permissions should allow that.
SAP being the way they are provide no example permissions (in the real world). I have tried many combinations - 99% do not work and the other 1% are to all intents and purposes open permissions which I cannot have. I am able (in most cases) to import DCs from the SLD OK but either the SCs do not download or I cannot checkout / checkin and so on.
In fact if I simplify to having just NWDI.Administrators set at / with ALL permissions set - then I can import DCs no problem and work fine - again as expected. But assume I do the same with a "developers" UME group - then it doesn't work - even if its set at / - in fact I cannot even import a DC.
Its almost saying you MUST have All.Users with read everywhere regardless - this is no good from a security perspective obviously. I would choose not to have All.Users anywhere if I could understand with some logic how the permissions model works.
Does anyone have a model that works ? There must be something fundamental I am missing or there is a bug (that requires some workaround. The SAP doco doesn't help - it refers to bunches of folders I simply do not see in the DTR.
Thanks
Haydn