Permissions

Access to your RFS shares (and the projects within them), and the ability to read or write data in them, are controlled via permissions. To simplify permissions management we reuse the roles defined in the storage portal; these roles are assigned from the data entered in the portal during the purchase procedure.

Data Owner

The storage portal defines the Data Owner as the person who has overall ownership of the Storage Account. This will usually be the PI who purchased the storage.

Data Manager

In the storage portal, an account can also have a list of people who are Data Managers. These people will have the ability to create Storage Projects, and will have the ability to access and modify all Storage projects in the account. This would usually be a person within the PI’s group or a departmental system administrator.

Each Storage Project can additionally have a list of people who are the Project Data Managers. These people will be able to access and modify this project only, but not other projects (unless they are Data Managers on those projects too).

The Data Owner, Data Managers and any Project Data Managers that are defined in the storage portal are all made members of a ‘managers’ group for the project itself within the University’s Active Directory (BLUE).

Project Data Users

Each project has a list of people who are the Project Data Users. By default these people will have the ability to access a share, but won’t be able to modify the project. Additional permissions to read or write to subdirectories within the project must be set by the project’s Data Managers.

These Project Data Users are made members of a ‘users’ group within the BLUE AD for the project.

Editing & Adding Users

User accounts for RFS are pulled from the University’s central authentication system. When storage is requested we create the groups in BLUE AD as part of the setup process, and the users specified above are added to them depending on their role. Further changes, such as adding or removing users from these roles, may be made through the self-service portal. Alternatively you may get in touch and our support team will assist.

Group naming

Projects created since July 2022 have a standard naming convention for both the project name and the groups associated with it. These contain a unique alphanumeric identifier generated by the storage portal, e.g.:

Human readable name: lab-storage-data
Identifier:          zYtKx53xkfY
Project name:        rfs-lab-storage-data-zYtKx53xkfY
Managers group:      uis-rcs-rfs-zYtKx53xkfY-managers
Users group:         uis-rcs-rfs-zYtKx53xkfY-users

Older projects will normally include the original PI’s CRSID as part of the project and group names, and have multiple ‘managers’ groups associated with them, e.g.:

Human readable name: old-storage-data
Project name:        rfs-ab123-old-storage-data
Managers groups:     uis-rcs-rfs-ab123-owners, uis-rcs-rfs-ab123-managers, uis-rcs-rfs-ab123-old-storage-data-managers
Users group:         uis-rcs-rfs-ab123-old-storage-data-users

When setting up a new project from scratch, the Data Owner or a Manager will need to create the top level directories and set the required permissions on them to allow users access. This is normally a ‘one-time’ exercise, unless further top level directories are created later on. Setting permissions is done via the standard Windows graphical tools or the equivalents for other operating systems. Permissions can be set for individual users, for the dedicated ‘users’ group (which will include all current and future members), or for a group defined elsewhere within BLUE such as MYDEPT-LAB-USERS or MYDEPT-LAB-SUPERVISORS.
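As an added example (not part of this page and not an RFS tool), the following Python derives the managers and users groups that the two naming conventions above imply for a project, and then lists which principals on a top-level directory's ACL are not the project's own groups, which is where a Data Manager reviewing the permissions just described would look first. It assumes a legacy CRSID is lowercase letters followed by digits, that the caller knows whether a project predates July 2022, and uses a constructed ACL list.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

GROUP_PREFIX = "uis-rcs-rfs"
PROJECT_PREFIX = "rfs-"
# Assumption: a CRSID in a legacy name is lowercase letters followed by digits (e.g. ab123).
CRSID_RE = re.compile(r"^[a-z]+[0-9]+$")

@dataclass(frozen=True)
class ProjectGroups:
    human_name: str
    key: str                   # portal identifier (new style) or CRSID (legacy)
    managers: Tuple[str, ...]  # one group for new-style projects, three for legacy ones
    users: str

def expected_groups(project_name: str, legacy: bool = False) -> ProjectGroups:
    """Derive the BLUE AD groups implied by the naming convention.
    New style (since July 2022): rfs-<human-name>-<identifier>
    Legacy (pass legacy=True):   rfs-<crsid>-<human-name>"""
    if not project_name.startswith(PROJECT_PREFIX):
        raise ValueError(f"not an RFS project name: {project_name!r}")
    body = project_name[len(PROJECT_PREFIX):]
    if legacy:
        crsid, _, human = body.partition("-")
        if not CRSID_RE.match(crsid) or not human:
            raise ValueError(f"legacy name should be rfs-<crsid>-<name>: {project_name!r}")
        base = f"{GROUP_PREFIX}-{crsid}"
        managers = (f"{base}-owners", f"{base}-managers", f"{base}-{human}-managers")
        return ProjectGroups(human, crsid, managers, f"{base}-{human}-users")
    human, sep, ident = body.rpartition("-")
    if not sep or not human or not ident.isalnum():
        raise ValueError(f"new-style name should be rfs-<name>-<identifier>: {project_name!r}")
    base = f"{GROUP_PREFIX}-{ident}"
    return ProjectGroups(human, ident, (f"{base}-managers",), f"{base}-users")

def principals_outside_project_groups(groups: ProjectGroups, ace_principals: Iterable[str],
                                      domain: str = "BLUE") -> List[str]:
    """Return ACL principals that are not the project's own managers/users groups.
    These are the individual users and departmental groups granted separately by a
    Data Manager, i.e. the entries a permissions review should look at."""
    own = {f"{domain}\\{g}".lower() for g in (*groups.managers, groups.users)}
    return [p for p in ace_principals if p.lower() not in own]

# Constructed ACL principals for the page's example project; xy999 is a made-up CRSID.
SAMPLE_ACL = ["BLUE\\uis-rcs-rfs-zYtKx53xkfY-managers", "BLUE\\uis-rcs-rfs-zYtKx53xkfY-users",
              "BLUE\\MYDEPT-LAB-SUPERVISORS", "BLUE\\xy999"]

if __name__ == "__main__":
    print(principals_outside_project_groups(expected_groups("rfs-lab-storage-data-zYtKx53xkfY"), SAMPLE_ACL))
```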