Share your SDA data with other SDA users
Overview
On the Scholarly Data Archive (SDA) at Indiana University, you can use Access Control Lists (ACLs) to set file- and directory-level permissions to grant other SDA users and groups access to files and directories in your account.
- On the SDA, you can share your data only with other SDA users.
- If you are sharing access to data that contain PHI, you must share with individual accounts only. Do not give a group account access to a space in which data containing PHI are stored.
To create, edit, and manage ACLs on the SDA, use HSI from your account on one of IU's research supercomputers. To use HSI, you first must load the hpss module. For more about HSI, see Use HSI to access your SDA account at IU. For more about the Modules environment management package, see Use modules to manage your software environment on IU research supercomputers.
If you're familiar with the underlying concepts, proceed to the Manage permissions with ACLs section below. To learn how ACLs work on the SDA, see this document's Elements of an ACL entry section.
Manage permissions with ACLs
On the SDA, every file and directory is assigned an owner (an individual or a group), either automatically upon creation, or manually, using the chown or chgrp command (within HSI or SFTP).
Each directory has two default "initial creation" ACLs: the initial object creation ACL (for files) and the initial container creation ACL (for subdirectories).
These default ACLs determine the access permissions for any new objects created within the directory. New subdirectories automatically inherit both initial creation ACLs (for objects and containers) from the parent directory.
List permissions
To list the permissions set for your SDA files and directories, launch HSI from your account on an IU research supercomputer, and then, from the HSI command prompt (?), use the lsacl command to display specific ACL entries.
- To list the permissions set for one or more specific objects (files and/or directories), use lsacl followed by a space-delimited list of the file and/or directory paths (wildcard characters are allowed). For example, to view the permissions for the my_file.txt file, the my_dir directory, and all the .tar archives stored within my_dir, at the HSI command prompt, enter:

      lsacl my_file.txt my_dir my_dir/*.tar

  The resulting output, which lists the ACL entries for the specified objects, would look similar to this (with username being the SDA account's individual or group IU username):

      my_file.txt user_obj:username:rwxcid group_obj:hpss:r-x--- other_obj:r-x---
      my_dir user_obj:username:rwxcid group_obj:hpss:r-x--- other_obj:r-x---
      my_dir/archive_1.tar user_obj:username:rwxcid group_obj:hpss:r-x--- other_obj:r-x---
      my_dir/archive_2.tar user_obj:username:rwxcid group_obj:hpss:r-x--- other_obj:r-x---
      my_dir/archive_3.tar user_obj:username:rwxcid group_obj:hpss:r-x--- other_obj:r-x---

  According to the listed ACL entries:
  - The account owner (username) has the full set of access permissions for each object.
  - Other SDA users, including those belonging to the owner group (hpss), are permitted only to view the files listed, and view and search the my_dir directory.
- To list the default permissions set for files created in a specified directory (for example, my_dir), use lsacl to display the directory's initial object creation ACL; at the HSI command prompt, enter:

      lsacl -io my_dir

- To list the default permissions set for subdirectories created in a specified directory (for example, my_dir), use lsacl to display the directory's initial container creation ACL; at the HSI command prompt, enter:

      lsacl -ic my_dir
Modify permissions
To control who can access and/or interact with your SDA files and directories, launch HSI from your account on an IU research supercomputer, and then, from the HSI command prompt (?), use the chacl command to create, update, or delete ACL entries.
In the commands below, replace filelist with a space-delimited list of one or more file and/or directory paths (wildcard characters are allowed); replace username_1, username_2, and any others with individual and/or group IU usernames; and replace permission_string_1, permission_string_2, and any others with the permission characters needed to set the desired access permissions (for help with permission characters, see the "Permission string" information in this document's Elements of an ACL entry section).
- To share specific files and/or directories with specific SDA users, at the HSI command prompt, enter:

      chacl -u user:username_1:permission_string_1,user:username_2:permission_string_2 filelist

  Note: Make sure each user/permission entry is separated by a comma. For example, to grant users darvader and dartmaul permission to read and modify your death_star.xls and galactic_empire.ppt files, at the HSI command prompt, enter:

      chacl -u user:darvader:rw,user:dartmaul:rw death_star.xls galactic_empire.ppt

  To grant the same users full access to your darkside and sith_revenge directories, but prevent them from altering their permissions, at the HSI command prompt, enter:

      chacl -u user:darvader:rwxid,user:dartmaul:rxid darkside sith_revenge

- To grant specific users special permissions for all new files created in a specified directory (for example, my_dir), create or update the directory's initial object creation ACL; at the HSI command prompt, enter:

      chacl -io -u user:username_1:permission_string_1,user:username_2:permission_string_2 my_dir

  Note: To do the same for all new subdirectories, add or update the directory's initial container creation ACL. To do so, replace the -io option with -ic.
- To clear all access permissions except the default owner/user/group permissions for one or more files and/or directories, at the HSI command prompt, enter:

      chacl -c filelist

- To remove a specific user (and any special permissions granted that user) from the ACLs for one or more files and/or directories, at the HSI command prompt, enter:

      chacl -r user:username_1 filelist

  Note: Removing an ACL entry does not require specifying the permissions.
Elements of an ACL entry
ACLs control permissions for objects (files and directories) in your SDA account. Each ACL contains entries that grant different levels of access permission to the object's owner and owner groups, and other users and groups on the SDA.
The general format of an ACL entry is:
type username permission_string
Username
The username element in an ACL entry is used to specify a particular user or group account. On the SDA, you'll replace username with the IU username of an individual or group account.
Entry type
The type element in an ACL entry is used to specify a particular type of user or group, allowing you to grant separate permissions for the object owner, users in the owner group, users in other specific groups, and any other users with an SDA account:

Entry type | Description
---|---
user_obj | Establishes permissions for the individual owner of a file or directory
group_obj | Establishes permissions for the group owning a file or directory
user | Establishes permissions for a specific user
group | Establishes permissions for a specific group
other_obj | Establishes permissions for any other user or group not explicitly named in a user, user_obj, or group_obj entry, or affiliated with a group named in a group entry
mask_obj | Establishes the maximum permissions allowed for all entry types except user_obj and other_obj (similar in concept to umask in Unix-like operating systems)
Other entry types (any_other and foreign) are not fully supported on the SDA (for example, on the SDA, the any_other and other_obj entry types are identical). As a result, you can share your SDA data only with other SDA users.
Permission string
The permission_string element in an ACL entry specifies the ways a user or group is permitted to interact with the object. The permission string will contain either a permission character or a dash (-) for each possible permission.
- For files:

  Character | Permission
  ---|---
  r | Read; permission to view the file
  w | Write; permission to modify the file
  x | Execute; informational only (programs cannot be executed on the SDA)
  c | Control; permission to modify the file's permissions (the ACL); the file owner always has control permission

- For directories:

  Character | Permission
  ---|---
  r | Read; permission to view the directory contents
  w | Write; permission to change filenames within the directory
  x | Search; permission to enter the directory
  i | Insert; permission to add files to the directory
  d | Delete; permission to remove files from the directory
  c | Control; permission to modify the directory's permissions (the ACL); the directory owner always has control permission
Permissions are cumulative (unless a user or group is explicitly denied access) and are granted as follows:
- The owner (an individual or a group) is granted the permissions specified in the user_obj or group_obj entry.
- A user or group explicitly named in a user or group entry is granted the permissions specified in that entry.
- A user who is a member of either the owner group (named in the group_obj entry) or a group named by a group entry inherits the permissions granted to those groups.
- Users and groups that are not owners, not explicitly named in a user or group entry, and not affiliated with a group named in a group entry are granted the permissions specified in the other_obj entry.
Example ACL entry
For example, the ACL for a directory on the SDA belonging to user pamidala may look similar to this:

    user_obj:pamidala:rwxcid group_obj:hpss:r-x--- other_obj:r-x---

In this example:
- The owner (pamidala) is granted full control of the directory: permission to view the contents (r), change filenames (w), search the directory (x), change permissions (c), and add (i) and delete (d) files.
- Other SDA users, including those in the owner group (hpss), are granted permissions that allow them only to view the contents (r) and search the directory (x).
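The following is an added Python example, not code from the IU Knowledge Base or from HSI: it parses lsacl-style output in the format shown above, works out a caller's effective permissions under the cumulative rules just listed (including the mask_obj cap), and lists objects where a group entry grants access, which is what the PHI restriction in the Overview says to avoid. The paths, usernames (pamidala, darvader, lab_group) and entries are constructed sample values.

```python
import re

# Constructed lsacl-style output in the layout the page shows (not real SDA data):
# each line is an object path followed by "type:name:perms" or "type:perms" entries.
SAMPLE_LSACL = """
phi_data user_obj:pamidala:rwxcid group_obj:hpss:r-x--- user:darvader:rwxid- group:lab_group:r-x--- other_obj:r-x---
notes.txt user_obj:pamidala:rwxc group_obj:hpss:rw-- mask_obj:r--- other_obj:----
"""

ENTRY = re.compile(r"(user_obj|group_obj|user|group|other_obj|mask_obj)(?::([^:]+))?:([rwxcid-]+)")

def parse_lsacl(text):
    """Return {path: [(entry_type, name_or_None, set_of_granted_chars), ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        path, *tokens = line.split()
        entries = []
        for tok in tokens:
            m = ENTRY.fullmatch(tok)
            if not m:
                raise ValueError(f"unrecognised ACL entry {tok!r} on {path}")
            etype, name, perms = m.groups()
            entries.append((etype, name, set(perms) - {"-"}))
        acls[path] = entries
    return acls

def effective_perms(entries, username, groups):
    """Cumulative rules from the page: owner, named user/group and group membership
    add up; mask_obj caps everything except user_obj and other_obj; other_obj
    applies only when no other entry matched the caller."""
    owner, named, other, mask, matched = set(), set(), set(), None, False
    for etype, name, perms in entries:
        if etype == "other_obj":
            other = perms
        elif etype == "mask_obj":
            mask = perms
        elif (etype in ("user_obj", "user") and name == username) or \
             (etype in ("group_obj", "group") and name in groups):
            matched = True
            if etype == "user_obj":
                owner |= perms      # owner entry is never capped by mask_obj
            else:
                named |= perms
    if mask is not None:
        named &= mask
    return owner | named if matched else other

def group_grants(acls):
    """Objects where a group entry grants anything: review these in PHI spaces."""
    return {path: [(e, n, "".join(sorted(p))) for e, n, p in entries
                   if e in ("group_obj", "group") and p]
            for path, entries in acls.items()}
```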
Get help
For help with HSI commands and options, see the HSI Reference Manual. If you have questions or need help managing ACLs in your SDA account, email the UITS Research Storage team (store-admin@iu.edu).
This is document auxq in the Knowledge Base.
Last modified on 2023-10-03 09:54:42.