| Both sides previous revision Previous revision Next revision | Previous revision |
| rdms:data:permissions [2025/12/17 11:04] – [Example: Permission Inheritance - ON (Enabled)] Added info about cp vs mv jelte | rdms:data:permissions [2026/01/15 14:49] (current) – formatting giulio |
|---|
| Permission inheritance means that the permissions set on a folder are also propagated to its subfolders and files. If permission inheritance is activated, newly created files and folders inherit the permission of the main folder. | Permission inheritance means that the permissions set on a folder are also propagated to its subfolders and files. If permission inheritance is activated, newly created files and folders inherit the permission of the main folder. |
| |
| By default, permission inheritance is active within the RDMS for [[rdms:solution:team|RDMS Team Drives]] and [[rdms:solution:projects|RDMS Projects]], but it can also be disabled by the user. To do so, you need to right-click the folder where you would like to turn permission inheritance off and select the highlighted menu item (see "future" screenshot). | By default, permission inheritance is active within the RDMS for [[rdms:solution:team|RDMS Team Drives]] and [[rdms:solution:projects|RDMS Projects]], but it can also be disabled by the user. To do so, you need to right-click the folder where you would like to turn permission inheritance off and select the highlighted menu item: |
| |
| If you decide to disable permission inheritance, you should be aware that this means that permissions on all (sub)folders and files have to be set individually. | {{ :rdms:data:set_inheritance_1.png?direct&600 |}} |
| |
| Also, it should be noted that it is also possible to modify user permissions on specific subfolders or files when permission inheritance is activated on the main folder. | If you decide to disable permission inheritance, you will have to manually set the permissions on all (sub)folders and files contained in the folder where permission inheritance is turned off. |
| |
| In order to make this concept clearer, we are going to describe a general use case and show what happens when permission inheritance are turned on or off. Please bear in mind that we will be considering a basic set up, but that for more complex cases the effect of permission inheritance might not be immediately straightforward. | Please note that you can modify user permissions on specific subfolders or files even when permission inheritance is activated on the main folder. Having permission inheritance activated is meant to help you by automatically setting the permissions of **new files and folders**. It does not prevent you from changing them afterwards, should you need different permissions on specific files or folders. |
| |
| Also note that the below examples use the CLI client [[..:access:linux:icommands|iCommands]], but the behavior is the same if the user would upload the data via another way (e.g. [[..:access:windows:cyberduck|Cyberduck]] or [[..:access:windows:winscp|WinSCP]]). We only use iCommands in this example as it allows to easily display the permission inheritance information and the permissions in the same view. For users that upload via clients like Cyberduck/WinSCP, they need to check/adjust the permissions either also via iCommands or via the RDMS web interface. | **Important Note:** The RDMS considers a file or folder **new** if you **upload** it to the RDMS or if you **copy** it from an existing RDMS location. A file or folder is **not** considered **new** if you **move** it from an existing RDMS location. In this second case, you will need to manually modify the permissions on the file or folder. We recommend you verify the permissions assigned to a file or folder after you moved it to a new location, regardless of whether permission inheritance is enabled or disabled. |
| |
| ==== Example: Permission Inheritance - ON (Enabled) ==== | To display things more easily, we decided to use the CLI client [[..:access:linux:icommands|iCommands]] in the examples below. Please note that the behavior of the RDMS regarding permission inheritance is the same if the user uploads their data another way (e.g. [[..:access:windows:cyberduck|Cyberduck]] or [[..:access:windows:winscp|WinSCP]]). If you use Cyberduck or WinSCP to upload data to the RDMS, you can check or adjust permission inheritance either via iCommands or via the RDMS web interface. |
| In the below example, assume that you are the uploading user ''rdms-testers@rug.nl''. In the present case, you upload to a Team Drive folder where the Team Drive owner gave you 'write' permissions. Also the permission inheritance is enabled. In this scenario, we assume that you upload a new file ''test.txt'' from your local system to the RDMS folder with inheritance enabled. | |
| |
| <code> | <code> |
| # In this case, the folder has inheritance enabled. | # This is the folder with enabled inheritance that we use as destination. Note the permissions set on this folder (the part after 'ACL'). |
| # The 'rdms-testers@rug.nl' user has write (modify_object) permissions. | $ ils -A /rug/home/Test_Team/folder_with_inheritance |
| $ ils -A /rug/home/Test_Team/folder_with_inheritance | ACL - teamdrive-owner@rug.nl#rug:own rdms-testers@rug.nl#rug:modify_object g:Test_Team#rug:modify_object |
| /rug/home/Test_Team/folder_with_inheritance: | |
| ACL - teamdrive-owner@rug.nl#rug:own rdms-testers@rug.nl#rug:modify_object g:Test_Team#rug:modify_object | |
| Inheritance - Enabled | Inheritance - Enabled |
| |
| # The 'rdms-testers@rug.nl' user uploads a new file from the local system to the RDMS folder | # First, we we will show what happens if we copy the folder to the destination with enabled inheritance. |
| $ iput test.txt /rug/home/Test_Team/folder_with_inheritance | $ icp -r folder_test /rug/home/Test_Team/folder_with_inheritance |
| |
| # Permissions on the newly uploaded file show that it inherited the permission from the parent collection automatically | # Checking the permission shows that the permission of the parent folder are applied/inherited. Reason: Copy counts as new |
| $ ils -A /rug/home/Test_Team/folder_with_inheritance/test.txt | data --> Inheritance is applied. |
| /rug/home/Test_Team/folder_with_inheritance/test.txt | $ ils -A /rug/home/Test_Team/folder_with_inheritance/folder_test |
| ACL - teamdrive-owner@rug.nl#rug:own rdms-testers@rug.nl#rug:modify_object g:Test_Team#rug:modify_object | /rug/home/Test_Team/folder_with_inheritance/folder_test: |
| </code> | ACL - teamdrive-owner@rug.nl#rug:own rdms-testers@rug.nl#rug:modify_object g:Test_Team#rug:modify_object |
| | Inheritance - Enabled |
| |
| As can be seen above, the newly uploaded file now has exactly the same permissions as where set on the parent folder, for example you have 'write' access while the owner of the team drive still has 'own' permissions. This is the effect of inheritance. | # Now, we look at the permission of the second folder that we want to copy/move to show the effect of inheritance. |
| | # In this case, it is only a single user (rdms-testers@rug.nl) who has 'own' access on the folder |
| **Important Note:** It should be mentioned that **permission inheritance only counts for newly created files/folder**. If you move a file/folder from another location to a folder with permission inheritance enabled, it will still keep its original permissions! | $ ils -A folder_test |
| To work around that, you can create a copy of the file/folder that you want to transfer and delete the original data after successful copy. The reason is that a copy is counted as a new file/folder and the inheritance then applies. | |
| | |
| <code> | |
| # The 'rdms-testers@rug.nl' user has an already existing folder in the home collection. | |
| ils -A folder_test | |
| /rug/home/rdms-testers@rug.nl/folder_test: | /rug/home/rdms-testers@rug.nl/folder_test: |
| ACL - rdms-testers@rug.nl#rug:own | ACL - rdms-testers@rug.nl#rug:own |
| Inheritance - Disabled | Inheritance - Disabled |
| |
| # The folder is now moved to a RDMS destination with enabled inheritance. | # The folder is now moved to a RDMS destination with permission inheritance enabled. |
| imv folder_test /rug/home/Test_Team/folder_with_inheritance | $ imv folder_test /rug/home/Test_Team/folder_with_inheritance |
| |
| # Even with enabled inheritance, the permissions of the original folder are kept. Move: Not counted as new data --> Inheritance is not applied. | # We check now the permissions again. Even with enabled inheritance, the permissions of the original folder are kept. Reason: Moving data does not count as new data --> Inheritance is not applied. Note that only rdms-testers@rug.nl has own permission. These are the original permissions before the move! |
| $ ils -A /rug/home/Test_Team/folder_with_inheritance/folder_test | $ ils -A /rug/home/Test_Team/folder_with_inheritance/folder_test |
| /rug/home/Test_Team/folder_with_inheritance/folder_test: | /rug/home/Test_Team/folder_with_inheritance/folder_test: |
| ACL - rdms-testers@rug.nl#rug:own | ACL - rdms-testers@rug.nl#rug:own |
| Inheritance - Disabled | Inheritance - Disabled |
| | </code> |
| |
| # Now the user, does not move, but copies the folder to the destination with enabled inheritance. | In order to make this concept clearer, we are going to describe two examples and show what happens when permission inheritance are either turned on or off. We also point out when enabling or disabling permission inheritance can be advantageous. Please bear in mind that we will be considering a basic set up, but that for more complex cases the effect of permission inheritance might not be immediately straightforward. |
| $ icp -r folder_test /rug/home/Test_Team/folder_with_inheritance | ==== Example: Permission Inheritance - Enabled ==== |
| |
| # Checking the permission now shows that the inherited permission of the parent folder are applied. Copy: Counted as new data --> Inheritance is applied. | In this example, we show what happens when the user ''rdms-testers@rug.nl'' uploads new data to a Team Drive. The user has 'write' permissions in the Team Drive and permission inheritance is enabled. The user is uploading the new file ''test.txt'' from their local system to the RDMS Team Drive folder. |
| $ ils -A /rug/home/Test_Team/folder_with_inheritance/folder_test | |
| /rug/home/Test_Team/folder_with_inheritance/folder_test: | <code> |
| ACL - teamdrive-owner@rug.nl#rug:own rdms-testers@rug.nl#rug:modify_object g:Test_Team#rug:modify_object | # In this case, the folder has inheritance enabled. |
| | # The 'rdms-testers@rug.nl' user has write (modify_object) permissions. |
| | # Please look to the 'ACL' entry to see which permission 'rdms-testers' has in this folder. |
| | $ ils -A /rug/home/Test_Team/folder_with_inheritance |
| | /rug/home/Test_Team/folder_with_inheritance: |
| | ACL - teamdrive-owner@rug.nl#rug:own rdms-testers@rug.nl#rug:modify_object g:Test_Team#rug:modify_object |
| Inheritance - Enabled | Inheritance - Enabled |
| | |
| | # The 'rdms-testers@rug.nl' user uploads a new file from the local system to the RDMS folder. |
| | $ iput test.txt /rug/home/Test_Team/folder_with_inheritance |
| | |
| | # See the 'ACL' entry to verify the permission level of 'rdms-testers'. |
| | # Permissions on the newly uploaded file show that it inherited the permission from the parent collection automatically. |
| | $ ils -A /rug/home/Test_Team/folder_with_inheritance/test.txt |
| | /rug/home/Test_Team/folder_with_inheritance/test.txt |
| | ACL - teamdrive-owner@rug.nl#rug:own rdms-testers@rug.nl#rug:modify_object g:Test_Team#rug:modify_object |
| </code> | </code> |
| ==== Example: Permission Inheritance - OFF (Disabled) ==== | |
| |
| In this example, we now assume the same scenario: You are ''rdms-testers@rug.nl'' and you upload a new file ''test.txt'' to a RDMS Team Drive folder. The permissions on the Team Drive folder are exactly the same as in the scenario mentioned above with the exception that permission inheritance is disabled for the destination folder. | As you can see above, the newly uploaded file now has exactly the same permissions as the Team Drive folder it was uploaded to. In this case, ''rdms-testers@rug.nl'' has 'write' permission, while the owner of the team drive still has 'own' permission on the file. If inheritance had been turned off, only ''rdms-testers@rug.nl'' would have had 'own' permission on the file. The other users in the Team Drive would not even see the file being uploaded, as they would not have any kind of permission on it. |
| | |
| | **Note**: A good reason to have permission inheritance enabled in a Team Drive is to make sure that all new data is provided with the correct permissions, no matter who does the upload. It also makes sure that data does not remain 'invisible' for certain users in a Team Drive simply because the permissions on it were not updated after the upload. |
| | |
| | ==== Example: Permission Inheritance - Disabled ==== |
| | |
| | In this other example, we now assume that permission inheritance is disabled. The user ''rdms-testers@rug.nl'' uploads a new file ''test.txt'' to a RDMS Team Drive folder. The only difference in this case from the example above is that permission inheritance is disabled for the destination folder. The permissions on the Team Drive folder are exactly the same as before. |
| |
| <code> | <code> |
| # In this case, the folder has inheritance disabled. | # In this case, the folder has inheritance disabled. |
| # The 'rdms-testers@rug.nl' user has write (modify_object) permissions. | # The 'rdms-testers@rug.nl' user has write (modify_object) permissions. |
| | # Please look to the 'ACL' entry to see which permission 'rdms-testers' has in this folder. |
| $ ils -A /rug/home/Test_Team/folder_without_inheritance | $ ils -A /rug/home/Test_Team/folder_without_inheritance |
| /rug/home/Test_Team/folder_without_inheritance: | /rug/home/Test_Team/folder_without_inheritance: |
| Inheritance - Disabled | Inheritance - Disabled |
| |
| # The 'rdms-testers@rug.nl' user uploads a new file from the local system to the RDMS folder | # The 'rdms-testers@rug.nl' user uploads a new file from the local system to the RDMS folder. |
| $ iput test.txt /rug/home/Test_Team/folder_without_inheritance | $ iput test.txt /rug/home/Test_Team/folder_without_inheritance |
| |
| # Permissions on the newly uploaded file show that it only has one permission: own for the uploading user | # See the 'ACL' entry to verify the permission level of 'rdms-testers'. |
| | # Permissions on the newly uploaded file show that it only has one permission: 'own' for the uploading user (creator). |
| $ ils -A /rug/home/Test_Team/folder_without_inheritance/test.txt | $ ils -A /rug/home/Test_Team/folder_without_inheritance/test.txt |
| /rug/home/Test_Team/folder_without_inheritance/test.txt | /rug/home/Test_Team/folder_without_inheritance/test.txt |
| </code> | </code> |
| |
| As you can see, the uploaded file now has only a single permission: Ownership for the creator (uploader), so 'own' for ''rdms-testers@rug.nl''. **There are no permissions for the team drive owner in this case. The file will be not accessible or even visible for this user.** | As you can see, the uploaded file now has only a single permission: Ownership for the creator (uploader), so 'own' for ''rdms-testers@rug.nl''. **There are no permissions for the team drive owner in this case. The file will be not accessible or even visible for this user**. This means that ''rdms-testers'' will need to set the permission manually to the desired value, if they want the Team Drive owner to also see and/or modify the file. |
| |
| In these case, you will need to set the permission by hand to the desired value. This can be done by yourself or also by the owner of the parent folder. If this is not working out, please contact [[rdms-support@rug.nl]] | **Note**: A good reason to have permission inheritance disabled in the top-level of a Team Drive is to allow for easy permission management when the permissions are not the same in all Team Drive locations. For instance, if User 1 should only have permissions in Folder 1 and User 2 should only have permissions in Folder 2, with permission inheritance disabled, you can then simply add the Users without having to remove other Users first when creating new folders. Permission inheritance can then be enabled again inside Folder 1 and Folder 2, to help keep track of the right permissions. |