Share your SDA data with other SDA users

Overview

On the Scholarly Data Archive (SDA) at Indiana University, you can use Access Control Lists (ACLs) to set file- and directory-level permissions to grant other SDA users and groups access to files and directories in your account.

Note:
  • On the SDA, you can share your data only with other SDA users.
  • If you are sharing access to data that contain PHI, you must share with individual accounts only. Do not give a group account access to a space in which data containing PHI are stored.

To create, edit, and manage ACLs on the SDA, use HSI from your account on one of IU's research supercomputers. To use HSI, you must first load the hpss module. For more about HSI, see Use HSI to access your SDA account at IU. For more about the Modules environment management package, see Use modules to manage your software environment on IU research supercomputers.

If you're familiar with the underlying concepts, proceed to the Manage permissions with ACLs section below. To learn how ACLs work on the SDA, see this document's Elements of an ACL entry section.

Manage permissions with ACLs

On the SDA, every file and directory is assigned an owner (an individual or a group), either automatically upon creation, or manually, using the chown or chgrp command (within HSI or SFTP).

Each directory has two default "initial creation" ACLs: the initial object creation ACL (for files) and the initial container creation ACL (for subdirectories).

These default ACLs determine the access permissions for any new objects created within the directory. New subdirectories automatically inherit both initial creation ACLs (for objects and containers) from the parent directory.

Note:
Changes made to a directory's initial creation ACLs do not affect existing items. Also, the directory's initial creation ACLs do not control its access permissions.

List permissions

To list the permissions set for your SDA files and directories, launch HSI from your account on an IU research supercomputer, and then, from the HSI command prompt (?), use the lsacl command to display specific ACL entries.

  • To list the permissions set for one or more specific objects (files and/or directories), use lsacl followed by a space-delimited list of the file and/or directory paths (wildcard characters are allowed).

    For example, to view the permissions for the my_file.txt file, the my_dir directory, and all the .tar archives stored within my_dir, at the HSI command prompt, enter:

    lsacl my_file.txt my_dir my_dir/*.tar

    The resulting output, which lists the ACL entries for the specified objects, would look similar to this (with username being the SDA account's individual or group IU username):

    my_file.txt
      user_obj:username:rwxcid
      group_obj:hpss:r-x---
      other_obj:r-x---
    my_dir
      user_obj:username:rwxcid
      group_obj:hpss:r-x---
      other_obj:r-x---
    my_dir/archive_1.tar
      user_obj:username:rwxcid
      group_obj:hpss:r-x---
      other_obj:r-x---
    my_dir/archive_2.tar
      user_obj:username:rwxcid
      group_obj:hpss:r-x---
      other_obj:r-x---
    my_dir/archive_3.tar
      user_obj:username:rwxcid
      group_obj:hpss:r-x---
      other_obj:r-x---

    According to the listed ACL entries:

    • The account owner (username) has the full set of access permissions for each object.
    • Other SDA users, including those belonging to the owner group (hpss), are permitted only to view the files listed, and view and search the my_dir directory.
  • To list the default permissions set for files created in a specified directory (for example, my_dir), use lsacl to display the directory's initial object creation ACL; at the HSI command prompt, enter:
    lsacl -io my_dir
  • To list the default permissions set for subdirectories created in a specified directory (for example, my_dir), use lsacl to display the directory's initial container creation ACL; at the HSI command prompt, enter:
    lsacl -ic my_dir

Modify permissions

To control who can access and/or interact with your SDA files and directories, launch HSI from your account on an IU research supercomputer, and then, from the HSI command prompt (?), use the chacl command to create, update, or delete ACL entries.

Note:
In the following examples, replace filelist with a space-delimited list of one or more file and/or directory paths (wildcard characters are allowed); replace username_1, username_2, and any others with individual and/or group IU usernames; and replace permission_string_1, permission_string_2, and any others with the permission characters needed to set the desired access permissions (for help with permission characters, see the "Permission string" information in this document's Elements of an ACL entry section).
  • To share specific files and/or directories with specific SDA users, at the HSI command prompt, enter:
    chacl -u user:username_1:permission_string_1,user:username_2:permission_string_2 filelist
    Note:
    Make sure each user/permission entry is separated by a comma.

    For example, to grant users darvader and dartmaul permission to read and modify your death_star.xls and galactic_empire.ppt files, at the HSI command prompt, enter:

    chacl -u user:darvader:rw,user:dartmaul:rw death_star.xls galactic_empire.ppt

    To grant the same users full access to your darkside and sith_revenge directories, but prevent them from altering their permissions, at the HSI command prompt, enter:

    chacl -u user:darvader:rwxid,user:dartmaul:rwxid darkside sith_revenge
  • To grant specific users special permissions for all new files created in a specified directory (for example, my_dir), create or update the directory's initial object creation ACL; at the HSI command prompt, enter:
    chacl -io -u user:username_1:permission_string_1,user:username_2:permission_string_2 my_dir
    Note:
    To do the same for all new subdirectories, add or update the directory's initial container creation ACL. To do so, replace the -io option with -ic.
  • To clear all access permissions except the default owner/user/group permissions for one or more files and/or directories, at the HSI command prompt, enter:
    chacl -c filelist
  • To remove a specific user (and any special permissions granted that user) from the ACLs for one or more files and/or directories, at the HSI command prompt, enter:
    chacl -r user:username_1 filelist
    Note:
    Removing an ACL entry does not require specifying the permissions.

Elements of an ACL entry

ACLs control permissions for objects (files and directories) in your SDA account. Each ACL contains entries that grant different levels of access permission to the object's owner and owner groups, and other users and groups on the SDA.

The general format of an ACL entry is:

type username permission_string

Username

The username element in an ACL entry is used to specify a particular user or group account. On the SDA, you'll replace username with the IU username of an individual or group account.

Note:
Not every ACL entry type requires a username.

Entry type

The type element in an ACL entry is used to specify a particular type of user or group, allowing you to grant separate permissions for the object owner, users in the owner group, users in other specific groups, and any other user with an SDA account:

Entry type   Description
user_obj     Establishes permissions for the individual owner of a file or directory
group_obj    Establishes permissions for the group owning a file or directory
user         Establishes permissions for a specific user
group        Establishes permissions for a specific group
other_obj    Establishes permissions for any other user or group not explicitly named in a user, user_obj, or group_obj entry, or affiliated with a group named in a group entry
mask_obj     Establishes the maximum permissions allowed for all entry types except user_obj and other_obj (similar in concept to umask in Unix-like operating systems)
Note:
Two other ACL entry types (any_other and foreign) are not fully supported on the SDA (for example, on the SDA, the any_other and other_obj entry types are identical). As a result, you can share your SDA data only with other SDA users.

Permission string

The permission_string element in an ACL entry specifies the ways a user or group is permitted to interact with the object. The permission string contains either a permission character or a dash (-) for each possible permission.

  • For files:
    Character   Permission
    r           Read; permission to view the file
    w           Write; permission to modify the file
    x           Execute; informational only (programs cannot be executed on the SDA)
    c           Control; permission to modify the file's permissions (the ACL); the file owner always has control permission
  • For directories:
    Character   Permission
    r           Read; permission to view the directory contents
    w           Write; permission to change filenames within the directory
    x           Search; permission to enter the directory
    i           Insert; permission to add files to the directory
    d           Delete; permission to remove files from the directory
    c           Control; permission to modify the directory's permissions (the ACL); the directory owner always has control permission

Permissions are cumulative (unless a user or group is explicitly denied access) and are granted as follows:

  1. The owner (an individual or a group) is granted the permissions specified in the user_obj or group_obj entry.
  2. A user or group explicitly named in a user or group entry is granted the permissions specified in that entry.
  3. A user who is a member of either the owner group (named in the group_obj entry) or a group named in a group entry inherits the permissions granted to those groups.
  4. Users and groups that are not owners, are not explicitly named in a user or group entry, and are not affiliated with a group named in a group entry are granted the permissions specified in the other_obj entry.
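The following is an added example, not code from IU or from HSI, that ties the lsacl listing format from the List permissions section to the cumulative rules above: it parses lsacl output, works out the permissions a given user ends up with (honoring mask_obj), and lists any explicit group entries, which the note in the Overview says must not exist in a space holding PHI. The sample listing is constructed; the user, group, and mask_obj entries in it are assumed for illustration (the page's own listing shows only the default user_obj, group_obj, and other_obj entries), and treating all matching entries as a union is an assumption about how HPSS combines them.

```python
"""Parse HSI lsacl output and derive effective SDA permissions (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample in the layout lsacl prints: an object path on its own line,
# then one indented entry per line as type:username:permission_string
# (other_obj and mask_obj carry no username). The user, group and mask_obj
# entries are assumed here to exercise the rules.
SAMPLE_LSACL = """\
my_dir
  user_obj:pamidala:rwxcid
  group_obj:hpss:r-x---
  user:darvader:rwx-id
  group:jedi_council:r-x---
  mask_obj:rwx---
  other_obj:r-x---
my_dir/plans.tar
  user_obj:pamidala:rwxcid
  group_obj:hpss:r-x---
  other_obj:r-x---
"""

UNNAMED_TYPES = {"other_obj", "mask_obj"}
PERM_ORDER = "rwxcid"   # order in which lsacl prints the permission string


@dataclass
class AclEntry:
    kind: str          # user_obj, group_obj, user, group, mask_obj, other_obj
    name: str | None   # IU username of the individual or group, if the type has one
    perms: set[str]    # permission characters present; dashes are dropped


@dataclass
class ObjectAcl:
    path: str
    entries: list[AclEntry] = field(default_factory=list)


def parse_lsacl(text: str) -> list[ObjectAcl]:
    """Turn lsacl output into one ObjectAcl per listed file or directory."""
    objects: list[ObjectAcl] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # unindented line: a new object path
            objects.append(ObjectAcl(raw.strip()))
            continue
        if not objects:
            raise ValueError(f"ACL entry before any object path: {raw!r}")
        parts = raw.strip().split(":")
        kind = parts[0]
        if kind in UNNAMED_TYPES or len(parts) == 2:
            name, perm_str = None, parts[1]
        else:
            name, perm_str = parts[1], parts[2]
        objects[-1].entries.append(AclEntry(kind, name, set(perm_str) - {"-"}))
    return objects


def effective_perms(acl: ObjectAcl, user: str, groups: set[str]) -> set[str]:
    """Apply the cumulative rules: user_obj for the owner, user/group entries for
    the named user or members of the named group, group_obj for members of the
    owner group, and other_obj only when nothing else matched. mask_obj caps
    every entry type except user_obj and other_obj."""
    mask = next((e.perms for e in acl.entries if e.kind == "mask_obj"), None)
    granted: set[str] = set()
    matched = False
    for e in acl.entries:
        if e.kind == "user_obj" and e.name == user:
            granted |= e.perms                  # owner entry is never masked
            matched = True
        elif (e.kind == "user" and e.name == user) or (
            e.kind in ("group_obj", "group") and e.name in groups
        ):
            granted |= e.perms if mask is None else e.perms & mask
            matched = True
    if matched:
        return granted
    return set(next((e.perms for e in acl.entries if e.kind == "other_obj"), set()))


def group_grants(acl: ObjectAcl) -> list[str]:
    """Groups named in explicit group entries; a space holding PHI should have none."""
    return [e.name for e in acl.entries if e.kind == "group" and e.name]


def perm_string(perms: set[str]) -> str:
    """Render a permission set in lsacl order, with a dash for each absent permission."""
    return "".join(ch if ch in perms else "-" for ch in PERM_ORDER)


if __name__ == "__main__":
    principals = (("pamidala", {"hpss"}), ("darvader", {"hpss"}),
                  ("obiwan", {"jedi_council"}), ("stranger", set()))
    for acl in parse_lsacl(SAMPLE_LSACL):
        print(acl.path)
        for who, member_of in principals:
            print(f"  {who:10} {perm_string(effective_perms(acl, who, member_of))}")
        if group_grants(acl):
            print(f"  explicit group grants (not permitted for PHI): {group_grants(acl)}")
```

Running it shows the mask at work: darvader's user entry grants rwx-id on my_dir, but mask_obj:rwx--- trims that to rwx---, while the owner's user_obj entry is unaffected.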

Example ACL entry

For example, the ACL for a directory on the SDA belonging to user pamidala may look similar to this:

user_obj:pamidala:rwxcid
group_obj:hpss:r-x---
other_obj:r-x---

In this example:

  • The owner (pamidala) is granted full control of the directory: permission to view the contents (r), change filenames (w), search the directory (x), change permissions (c), and add (i) and delete (d) files.
  • Other SDA users, including those in the owner group (hpss), are granted permissions that allow them only to view the contents (r) and search the directory (x).

Get help

For help with HSI commands and options, see the HSI Reference Manual. If you have questions or need help managing ACLs in your SDA account, email the UITS Research Storage team (store-admin@iu.edu).

This is document auxq in the Knowledge Base.
Last modified on 2023-10-03 09:54:42.