HIFIS Storage Access Models

Read and/or write Access to the data in HIFIS Storage (dCache) can be fine-tuned. However, fine-granular settings require a minimum of technical knowledge of at least one responsible designated person within the using group(s). Any detailed management of the access rights must be performed by the user group(s) and possibly internal delegates.

Be aware:

The responsible persons of the user group(s) / VO(s) need to take care of the correct usage of the storage, including the correct access management. HIFIS can only provide very limited assistance, and it is not possible to take over any management centrally.

When applying for access, the VO manager(s) can choose one of two major models — and change later, if wanted:

The Simple Model or the Self-managed Access Model.

Simple Model

This is the default, if not explicitly requested otherwise.

The folder assigned to the requesting VO:

  • can be read from and written to by all members of the respective VO and all sub-VOs,
  • contains no data that is accessible to the public.

Technically,

  • the top level folder is set to
    • uid=0 (root)
    • gid= group id of the requesting (Sub-)VO
    • access rights: rwxrwx---=770
  • All ownerships and rights are inherited to sub-folders and files.
  • A specific branch can be set open to public (e.g., o+rx) upon request.

Self-managed Access Model

When choosing this model, the applying (Sub-)VO manager must designate one person that is capable of managing the access rights on the highest level, the Access Manager.

The Access Manager:

  • can be the applying (Sub-)VO manager or any other person within the (Sub-)VO,
  • must be familiar with basic POSIX / UNIX access rights and their management,
  • should log in beforehand once to DESY keycloak, by clicking on “Helmholtz AAI” and selecting her/his institution, to make the uid known.

When given the respective rights, the Access Manager:

  • is responsible for managing the access rights on the highest level of the folder structure assigned to the (Sub-)VO,
  • can modify rights and ownerships of specific folders and files by
    • using the dCache API, or
    • asking our support, until more readily usable handles are available.
  • This includes:
    • creating subfolders and assigning them (or any file) to (new) Sub-VOs,
    • delegating the Access Manager right for sub-folders to other users, denoted as Sub Access Managers,
    • changing access rights for the group (e.g., grant write permission, i.e., g+w), or the public (e.g., o+rx).

Technically,

  • the top level folder is set to
    • uid= user id of the top level Access Manager
    • gid= group id of the respective (Sub-)VO
    • access rights: rwxr-x---=750
  • All ownerships and rights are inherited to sub-folders and files.
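As an added illustration (not HIFIS or dCache code), the following Python models the POSIX permission outcomes of the two defaults above, 770 owned by root in the Simple Model and 750 owned by the Access Manager in the Self-managed Model, together with the g+w and o+rx changes the Access Manager can apply. The uid/gid values and the function names are constructed for the example.

```python
# Added example: a small model of POSIX mode bits that reproduces the access
# outcomes of the two HIFIS models. Not HIFIS/dCache code; the uid/gid values
# are constructed for illustration.
from dataclasses import dataclass

PERM_BITS = {"r": 4, "w": 2, "x": 1}
CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}
VO_GID, MANAGER_UID, MEMBER_UID, OUTSIDER_UID = 4242, 1001, 1002, 2000  # constructed

@dataclass(frozen=True)
class Entry:
    uid: int   # owner: 0 (root) in the Simple Model, the Access Manager otherwise
    gid: int   # group id of the (Sub-)VO
    mode: int  # permission bits, e.g. 0o770 or 0o750

def simple_model() -> Entry:
    return Entry(uid=0, gid=VO_GID, mode=0o770)            # rwxrwx---

def self_managed_model() -> Entry:
    return Entry(uid=MANAGER_UID, gid=VO_GID, mode=0o750)  # rwxr-x---

def apply_symbolic(mode: int, spec: str) -> int:
    """Apply a chmod-style change such as 'g+w', 'o+rx' or 'ug=rw' (u/g/o only)."""
    i = next(k for k, c in enumerate(spec) if c in "+-=")
    who, op, bits = spec[:i], spec[i], sum(PERM_BITS[p] for p in spec[i + 1:])
    for cls in who:
        shift = CLASS_SHIFT[cls]
        cur = (mode >> shift) & 7
        new = {"+": cur | bits, "-": cur & ~bits, "=": bits}[op]
        mode = (mode & ~(7 << shift)) | (new << shift)
    return mode

def effective_perms(entry: Entry, uid: int, groups: set) -> str:
    """POSIX class selection: owner, else group, else other. uid 0 is treated as
    unrestricted, a simplification of the real root bypass rules."""
    if uid == 0:
        bits = 7
    elif uid == entry.uid:
        bits = (entry.mode >> 6) & 7
    elif entry.gid in groups:
        bits = (entry.mode >> 3) & 7
    else:
        bits = entry.mode & 7
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

if __name__ == "__main__":
    sm = self_managed_model()
    print("simple model, VO member:", effective_perms(simple_model(), MEMBER_UID, {VO_GID}))
    print("self-managed default, VO member:", effective_perms(sm, MEMBER_UID, {VO_GID}))
    print("after g+w, VO member:", effective_perms(Entry(sm.uid, sm.gid, apply_symbolic(sm.mode, "g+w")), MEMBER_UID, {VO_GID}))
```

Note the practical consequence of the 750 default: ordinary VO members get read-only access to the top level until the Access Manager grants g+w, whereas the Simple Model's 770 gives them write access from the start.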