
File access control inside a project

There is often a need to restrict the access to a folder. The file system in TSD supports traditional Unix permissions.


Your home directory pXXX-username is private: no one else can access it. Other directories, e.g. /tsd/pxxx/data (Linux) or \\ess01\pxxx\data (Windows), and their subfolders are shared by all project users.

Read more about UNIX permissions in this Wikipedia article.

Access is granted through permissions to files and folders. These permissions are granted on three levels:

  • Permission to read - r
  • Permission to write - w
  • Permission to execute - x

These permissions - rwx - can be granted to:

  • User - the owner of the project area
  • Groups - a group of project members
  • Other - everyone with access to the project area

The main limitation is that a folder or file can have only one group, but there are ways to work around this; see the use cases below.

Our general recommendation is to restrict the number of groups to a minimum.

The moderators control who has access to which files by adding users as members of the correct group(s). The moderators can do this in the Selfservice Portal: https://selfservice.tsd.usit.no.

Note: Windows user rights are updated only at login. To pick up rights that change through group membership (a membership added or removed by the group's moderator) immediately, users must log out completely and then log back in.

Warning! A file originating from the same share (e.g. N: in Windows, or /ess/pxxx/data in Linux) that is moved into a granular access folder will not inherit the intended file permissions set on the parent folder, because a move within a share is a file renaming operation. If the original file resides in the same share, copy it into its destination (the granular access folder) instead. The new copy then gets the file ownership imposed by the granular access settings of the parent folder.
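The following shell script is an added illustration of the warning above; it is not TSD tooling. It builds a scratch directory standing in for one share, with a subfolder set to mode 2770 as a stand-in for a granular access folder, and compares what happens to a file's identity (its inode number) under mv and under cp. A move within one file system relinks the same file object, so owner and group stay as they were; a copy creates a new file object inside the destination, which is what lets the destination's setgid group apply. Paths and sample data are constructed; the `inode_of` helper uses POSIX `ls -i`.

```shell
#!/bin/sh
# Added example (not TSD's own code): a move inside one share is a rename,
# so the file keeps its inode and with it its owner/group; a copy is a new
# file object created under the destination folder.

# inode_of PATH: print the inode number (POSIX ls -i, first column).
inode_of() { ls -di "$1" | awk '{print $1}'; }

# make_share: create a scratch "share" with a general area and a
# setgid granular folder; prints the scratch root.
make_share() {
  work=$(mktemp -d)                            # constructed stand-in for one share
  mkdir "$work/shared" "$work/granular"
  chmod 2770 "$work/granular"                  # setgid folder, as TSD uses for granular access
  printf 'sample record\n' > "$work/shared/f.txt"   # constructed sample file
  printf '%s\n' "$work"
}

# move_keeps_identity: returns 0 when mv into the granular folder kept the
# same inode, i.e. no new object was created and no re-labelling happened.
move_keeps_identity() {
  work=$(make_share)
  before=$(inode_of "$work/shared/f.txt")
  mv "$work/shared/f.txt" "$work/granular/f.txt"
  after=$(inode_of "$work/granular/f.txt")
  rm -rf "$work"
  [ "$before" = "$after" ]
}

# copy_creates_new_object: returns 0 when cp produced a different inode,
# i.e. a fresh file created inside the destination folder.
copy_creates_new_object() {
  work=$(make_share)
  before=$(inode_of "$work/shared/f.txt")
  cp "$work/shared/f.txt" "$work/granular/f.txt"
  after=$(inode_of "$work/granular/f.txt")
  rm -rf "$work"
  [ "$before" != "$after" ]
}

# Stand-alone run: report both outcomes.
if move_keeps_identity; then echo "mv: same inode (rename, ownership unchanged)"; fi
if copy_creates_new_object; then echo "cp: new inode (new object, takes folder's setgid group)"; fi
```

On a real project share, run `ls -l` on the moved and the copied file afterwards: the moved file still shows the group it had before, while the copy shows the granular folder's group.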

Mail template to request granular access in a TSD-project

The correct permissions must be granted by TSD support. The TSD project administrator must send a request to tsd-drift@usit.uio.no, with the following template text - substitute pXXX with the actual project identifier:

I, admin of project pXXX, would like to request the following granular access:

Directories:

/tsd/pXXX/data/durable/A
/tsd/pXXX/data/durable/B

Groups:

Students
PhD-candidates
Professors

Access rules:

Students has rwx on /tsd/pXXX/data/durable/A
PhD-candidates has rwx on /tsd/pXXX/data/durable/B
Professors has rwx on /tsd/pXXX/data/durable/A and /tsd/pXXX/data/durable/B

Moderators:

Professors group

Moderators of a group are users and groups which may access the group to add and remove group members. Only moderators of a group have these privileges.

We will make the project administrators group (pXXX-admin-group) moderator of all groups we create for which no moderators were specified.

Use case 1 - two groups of students

Group A are students and Group B are PhD-candidates. Group A shall have access to folder A and group B shall have access to folder B. Group C are the professors, who shall have access to folders A and B and be able to moderate groups A and B.

Solution

TSD will create the specified folders and file groups and will give the authority to the moderators group to assign users to the specified groups.

Please note that in this way we are regulating access to the A and B folders. The rest of the project remains accessible to everyone.

Use case 2 - students and supervisors

The project pXXX includes a group of students, pXXX-stud1, that should have access only to their own project files. A group of supervisors (veiledere) should also have access to all the students' files. In addition, the project has some staff members that should have access to everything, but no export permissions.

Solution

The file paths are in Windows format, where N: is mounted to \\tsd-evs\pNN.

Read more about Windows shortcuts in TSD.

  1. TSD creates the groups:
    • pXXX-staff-group, where pXXX-admin-group is a member.
    • pXXX-supervisors-group, where pXXX-staff-group is a member.
  2. TSD restricts access to everything except file import to pXXX-staff-group.
  3. TSD creates the following folders:
    • N:\data\durable\students - write protected, but accessible for everyone in the project (555).
    • N:\data\durable\students\pXXX-stud1 - owned by pXXX-stud1 together with file group pXXX-supervisors-group, write protected and only accessible for the user and group (550).
    • N:\data\durable\students\pXXX-stud1\data - writable with setgid (2770) and group pXXX-member-group. The parent folder restricts the access.

This gives access to N:\students\pXXX-stud1\data for members of the supervisors group and the student owning the parent directory.

Use case 3 - folder for supervisors only

The project pXXX needs two folders, one readable for both students and supervisors, and one only readable for supervisors. A staff-group should be the only ones with write access.

Solution

The file paths are in Windows format, where N: is mounted to \\tsd-evs\pNN.

Read more about Windows shortcuts in TSD.

  1. TSD creates the groups:
    • pXXX-staff-group
    • pXXX-supervisors-group, where pXXX-staff-group is a member
    • pXXX-students-group, where pXXX-supervisors-group is a member
  2. TSD creates two folders, each with a data subfolder:
    • N:\data\durable\students - write protected, but accessible for pXXX-students-group (550)
    • N:\data\durable\students\data - accessible for everyone that has access to the parent folder and writable for pXXX-staff-group (775)
    • N:\data\durable\supervisors - write protected, but accessible for pXXX-supervisors-group (550)
    • N:\data\durable\supervisors\data - accessible for everyone that has access to the parent folder and writable for pXXX-supervisors-group (775)
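The script below is an added example, not TSD's own code, that reproduces the folder modes from the solutions to use cases 2 and 3 in a scratch directory and checks them, and renders each octal mode as the user/group/other rwx triplets described at the top of the page (the setgid bit shown as s in the group triplet). Group ownership is left out because chgrp needs the real project groups, so only the mode bits are exercised; the layouts are the ones listed above, rooted in a temporary directory that stands in for N:\data\durable. It assumes GNU stat (`stat -c '%a'`).

```shell
#!/bin/sh
# Added example (not TSD tooling): build and verify the use-case-2 and
# use-case-3 folder modes in a scratch root; chgrp is omitted because the
# real project groups do not exist here. Assumes GNU stat.

# mode_to_symbolic MODE: render e.g. 2770 as rwxrws--- (user, group, other;
# the setgid bit 2 in the leading digit is shown on the group x position).
mode_to_symbolic() {
  m=$1
  case ${#m} in
    3) special=0;        perms=$m ;;
    4) special=${m%???}; perms=${m#?} ;;
    *) return 1 ;;
  esac
  out=""
  for d in $(printf '%s' "$perms" | sed 's/./& /g'); do
    if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
  done
  if [ $((special & 2)) -ne 0 ]; then            # setgid: group x -> s (S if no x)
    g=$(printf '%s' "$out" | cut -c6)
    if [ "$g" = x ]; then g=s; else g=S; fi
    out="$(printf '%s' "$out" | cut -c1-5)$g$(printf '%s' "$out" | cut -c7-9)"
  fi
  printf '%s\n' "$out"
}

# mode_of PATH: octal mode including special bits (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# Layout specs: "<path relative to N:\data\durable> <octal mode>", taken
# from the use-case solutions; the group names are noted for the reader only.
USECASE2_LAYOUT='students 555
students/pXXX-stud1 550
students/pXXX-stud1/data 2770'

USECASE3_LAYOUT='students 550
students/data 775
supervisors 550
supervisors/data 775'

# build_layout ROOT SPEC: create every directory first (a parent set to 550
# can no longer take new children), then apply the modes.
build_layout() {
  root=$1; spec=$2
  printf '%s\n' "$spec" | while read -r rel mode; do
    if [ -n "$rel" ]; then mkdir -p "$root/$rel"; fi
  done
  printf '%s\n' "$spec" | while read -r rel mode; do
    if [ -n "$rel" ]; then chmod "$mode" "$root/$rel"; fi
  done
}

# verify_layout ROOT SPEC: print each path with its octal and symbolic mode;
# returns 1 on the first mismatch between the spec and what is on disk.
verify_layout() {
  root=$1; spec=$2
  printf '%s\n' "$spec" | while read -r rel mode; do
    if [ -n "$rel" ]; then
      actual=$(mode_of "$root/$rel")
      if [ "$actual" != "$mode" ]; then
        printf 'MISMATCH %s: want %s, got %s\n' "$rel" "$mode" "$actual" >&2
        exit 1
      fi
      printf '%-28s %4s  %s\n' "$rel" "$mode" "$(mode_to_symbolic "$mode")"
    fi
  done
}

# cleanup_layout ROOT: write-protected folders block rm, so re-open them first.
cleanup_layout() { chmod -R u+rwx "$1" && rm -rf "$1"; }

# Stand-alone run: build, verify and remove both layouts.
for spec in "$USECASE2_LAYOUT" "$USECASE3_LAYOUT"; do
  root=$(mktemp -d)
  build_layout "$root" "$spec" && verify_layout "$root" "$spec"
  cleanup_layout "$root"
done
```

The 2770 line shows the point of the setgid bit in use case 2: files created in the data folder are labelled with its group, so the group on the parent (550) is what decides who reaches them. Because the same mode table drives both creation and verification, the same script can be pointed at a real project tree (with the chgrp steps added) to confirm that the delivered layout matches the request.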

TSD declines any responsibility for misuse of the functionality described above, for instance if a user belonging to group A moves data from folder A to a global shared area in the project filesystem.

Published Aug. 10, 2021 2:27 PM - Last modified Aug. 4, 2023 1:37 PM