At IU, how do I use ACLs to share my SDA data with other users?

On the Scholarly Data Archive (SDA) at Indiana University, you can use Access Control Lists (ACLs) to set file- and directory-level permissions to grant other SDA users and groups access to files and directories in your account.

Note:
On the SDA, you can share your data only with other SDA users.

To create, edit, and manage ACLs on the SDA, use HSI from your account on one of IU's research computing systems. To use HSI, you first must load the hpss module. For more about HSI, see At IU, how do I use HSI to access my SDA account? For more about the Modules environment management package, see On the research computing systems at IU, how do I use Modules to manage my software environment?

If you're familiar with the underlying concepts, proceed to this document's Managing SDA access permissions with ACLs section. To learn how ACLs work, see this document's How ACLs work section. To learn how to find out more about ACLs, see the Getting help section.

Managing permissions with ACLs

On the SDA, every file and directory is assigned an owner (an individual or a group), either automatically upon creation, or manually, using the chown or chgrp command (within HSI or SFTP).

Each directory has two default "initial creation" ACLs: the initial object creation ACL (for files) and the initial container creation ACL (for subdirectories).

These default ACLs determine the access permissions for any new objects created within the directory. New subdirectories automatically inherit both initial creation ACLs (for objects and containers) from the parent directory.

Note:
Changes made to a directory's initial creation ACLs do not affect existing items. Also, the directory's initial creation ACLs do not control its access permissions.

Listing permissions

To list the permissions set for your SDA files and directories, first launch HSI from your Big Red II, Carbonate, Karst, or RDC account, and then, from the HSI command prompt (?), use the lsacl command to display specific ACL entries.

  • To list the permissions set for one or more specific objects (i.e., files and/or directories), use lsacl followed by a space-delimited list of the file and/or directory paths (wildcard characters are allowed).

    For example, to view the permissions for the my_file.txt file, the my_dir directory, and all the .tar archives stored within my_dir, at the HSI command prompt, enter:

      lsacl my_file.txt my_dir my_dir/*.tar
    

    The resulting output, which lists the ACL entries for the specified objects, would look similar to this (with username being the SDA account's individual or group Network ID username):

      my_file.txt
        user_obj:username:rwxcid
        group_obj:hpss:r-x---
        other_obj:r-x---
      my_dir
        user_obj:username:rwxcid
        group_obj:hpss:r-x---
        other_obj:r-x---
      my_dir/archive_1.tar
        user_obj:username:rwxcid
        group_obj:hpss:r-x---
        other_obj:r-x---
      my_dir/archive_2.tar
        user_obj:username:rwxcid
        group_obj:hpss:r-x---
        other_obj:r-x---
      my_dir/archive_3.tar
        user_obj:username:rwxcid
        group_obj:hpss:r-x---
        other_obj:r-x---
    

    According to the listed ACL entries:

    • The account owner (username) has the full set of access permissions for each object.
    • Other SDA users, including those belonging to the owner group (hpss), are permitted only to view the files listed, and to view and search the my_dir directory.
  • To list the default permissions set for files created in a specified directory (e.g., my_dir), use lsacl to display the directory's initial object creation ACL; at the HSI command prompt, enter:
      lsacl -io my_dir
    
  • To list the default permissions set for subdirectories created in a specified directory (e.g., my_dir), use lsacl to display the directory's initial container creation ACL; at the HSI command prompt, enter:
      lsacl -ic my_dir
    

For more on the lsacl command, see LSACL Command in the HSI Reference Manual.

Modifying permissions

To control who can access and/or interact with your SDA files and directories, first launch HSI from your Big Red II, Carbonate, Karst, or RDC account, and then, from the HSI command prompt, use the chacl command to create, update, or delete ACL entries.

Note:
In the following examples, replace filelist with a space-delimited list of one or more file and/or directory paths (wildcard characters are allowed); replace username_1, username_2, and any others with individual and/or group Network ID usernames; and replace permission_string_1 and permission_string_2, and any others with the permission characters needed to set the desired access permissions (for help with permission characters, see the "Permission string" information in this document's How ACLs work section).
  • To share specific files and/or directories with specific SDA users, at the HSI command prompt, enter:
      chacl -u user:username_1:permission_string_1,user:username_2:permission_string_2 filelist
    
    Note:
    Make sure each user/permission entry is separated by a comma.

    For example, to grant users darvader and dartmaul permission to read and modify your death_star.xls and galactic_empire.ppt files, at the HSI command prompt, enter:

      chacl -u user:darvader:rw,user:dartmaul:rw death_star.xls galactic_empire.ppt
    

    To grant the same users full access to your darkside and sith_revenge directories, but prevent them from altering their permissions, at the HSI command prompt, enter:

      chacl -u user:darvader:rwxid,user:dartmaul:rwxid darkside sith_revenge
    
  • To grant specific users special permissions for all new files created in a specified directory (e.g., my_dir), create or update the directory's initial object creation ACL; at the HSI command prompt, enter:
      chacl -u -io user:username_1:permission_string_1,user:username_2:permission_string_2 my_dir
    
    Note:
    To do the same for all new subdirectories, add or update the directory's initial container creation ACL. To do so, replace the -io option with -ic.
  • To clear all access permissions except the default owner/user/group permissions for one or more files and/or directories, at the HSI command prompt, enter:
      chacl -c filelist
    
  • To remove a specific user (and any special permissions granted that user) from the ACLs for one or more files and/or directories, at the HSI command prompt, enter:
      chacl -r user:username_1 filelist
    
    Note:
    Removing an ACL entry does not require specifying the permissions.

For more on the chacl command, see CHACL Command in the HSI Reference Manual.

Elements of an ACL entry

ACLs control permissions for objects (i.e., files and directories) in your SDA account. Each ACL contains entries that grant different levels of access permission to the object's owner and owner groups, and other users and groups on the SDA.

The general format of an ACL entry is three colon-separated elements:

  type:username:permission_string

Entry types that take no username (for example, other_obj) omit the middle element, as in other_obj:r-x---.

Username

The username element in an ACL entry is used to specify a particular user or group account. On the SDA, you'll replace username with the Network ID username of an individual or group account.

Note:
Not every ACL entry type requires a username.

Entry type

The type element in an ACL entry specifies a particular class of user or group, allowing you to grant separate permissions to the object's owner, users in the owner group, users in other specific groups, and any other user with an SDA account:

  Entry type   Description
  user_obj     Establishes permissions for the individual owner of a file or directory
  group_obj    Establishes permissions for the group owning a file or directory
  user         Establishes permissions for a specific user
  group        Establishes permissions for a specific group
  other_obj    Establishes permissions for any other user or group not explicitly named in a user, user_obj, or group_obj entry, or affiliated with a group named in a group entry
  mask_obj     Establishes the maximum permissions allowed for all entry types except user_obj and other_obj (similar in concept to umask in Unix-like operating systems)

Note:
Two other ACL entry types (any_other and foreign) are not fully supported on the SDA (e.g., on the SDA, the any_other and other_obj entry types are identical). As a result, you can share your SDA data only with other SDA users.

Permission string

The permission_string element in an ACL entry specifies the ways a user or group is permitted to interact with the object. The permission string contains either a permission character or a dash (-) for each possible permission.

  • For files:
      Character   Permission
      r           Read; permission to view the file
      w           Write; permission to modify the file
      x           Execute; informational only (programs cannot be executed on the SDA)
      c           Control; permission to modify the file's permissions (the ACL); the file owner always has control permission
  • For directories:
      Character   Permission
      r           Read; permission to view the directory contents
      w           Write; permission to change filenames within the directory
      x           Search; permission to enter the directory
      i           Insert; permission to add files to the directory
      d           Delete; permission to remove files from the directory
      c           Control; permission to modify the directory's permissions (the ACL); the directory owner always has control permission

Permissions are cumulative (unless a user or group is explicitly denied access) and are granted in the following manner:

  1. The owner (an individual or a group) is granted the permissions specified in the user_obj or group_obj entry.
  2. A user or group explicitly named in a user or group entry is granted the permissions specified in that entry.
  3. A user who is a member of either the owner group (named in the group_obj entry) or a group named in a group entry inherits the permissions granted to those groups.
  4. Users and groups that are not owners, are not explicitly named in a user or group entry, and are not affiliated with a group named in a group entry are granted the permissions specified in the other_obj entry.

Example ACL entry

For example, the ACL for a directory on the SDA belonging to user pamidala may look similar to this:

  user_obj:pamidala:rwxcid
  group_obj:hpss:r-x---
  other_obj:r-x---

In this example:

  • The owner (pamidala) is granted full control of the directory: permission to view the contents (r), change filenames (w), search the directory (x), change permissions (c), and add (i) and delete (d) files.
  • Other SDA users, including those in the owner group (hpss), are granted permissions that allow them only to view the contents (r) and search the directory (x).
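To show how the lsacl listing format and the cumulative rules 1 through 4 fit together, here is an added Python example (it is not part of this document or of the HSI software) that parses lsacl-style output, resolves one user's effective permissions, and flags entries worth reviewing before sharing. The sample listing, the usernames, the groups jedi and gungan, and the mask_obj entry are constructed for the example.

```python
# Constructed sample lsacl output, modelled on the page's listing (not real SDA data).
SAMPLE_LSACL = """\
my_dir
  user_obj:pamidala:rwxcid
  group_obj:hpss:r-x---
  user:darvader:rwxid-
  group:jedi:r-xi--
  mask_obj:rwx-i-
  other_obj:r-x---
"""

def parse_lsacl(text):
    """Return {object_path: [(entry_type, username_or_None, perm_set), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):            # object paths are unindented
            current = line.strip()
            acls[current] = []
            continue
        parts = line.strip().split(":")         # type:username:perms or type:perms
        name = parts[1] if len(parts) == 3 else None
        acls[current].append((parts[0], name, set(parts[-1]) - {"-"}))
    return acls

def effective_perms(entries, user, groups=()):
    """Rule 1: the owner gets user_obj (never masked). Rules 2-3: matching user,
    group and owner-group entries add up, capped by mask_obj. Rule 4: other_obj."""
    perms, mask, matched = set(), None, False
    for etype, name, p in entries:
        if etype == "user_obj" and name == user:
            return set(p)
        if etype == "mask_obj":
            mask = p
        elif (etype == "user" and name == user) or (etype in ("group_obj", "group") and name in groups):
            perms |= p
            matched = True
    if not matched:
        return next((set(p) for t, _, p in entries if t == "other_obj"), set())
    return perms & mask if mask is not None else perms

def risky_grants(entries):
    """Flag control (c) handed to a non-owner, and modify rights given to everyone."""
    findings = []
    for etype, name, p in entries:
        if etype != "user_obj" and "c" in p:
            findings.append(f"{etype}:{name or ''} grants control (c)")
        if etype == "other_obj" and p & {"w", "i", "d"}:
            findings.append("other_obj grants modify rights to every SDA user")
    return findings
```

Run it against real listings by pasting the output of lsacl into parse_lsacl; the mask_obj cap applies only to user, group and group_obj entries, exactly as the entry-type table states.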

Getting help

ACLs used on HPSS systems (e.g., the SDA) are based on ACLs developed for IBM's Distributed Computing Environment (DCE). For more about them, see ACL Entries and Masks in IBM's DCE system administration documentation.

Additionally, see Access Control Lists (ACLs) in the HSI Reference Manual.

If you have questions or need help managing ACLs in your SDA account, email the UITS Research Storage team.

This is document auxq in the Knowledge Base.
Last modified on 2017-11-28 15:46:07.