Differences

This shows you the differences between two versions of the page.

rdms:data:permissions [2026/01/14 14:15] – [Example: Permission Inheritance - Enabled] brief rephrasing giulio
rdms:data:permissions [2026/01/15 14:49] (current) – formatting giulio
Line 43: Line 43:
 **Important Note:** The RDMS considers a file or folder **new** if you **upload** it to the RDMS or if you **copy** it from an existing RDMS location. A file or folder is **not** considered **new** if you **move** it from an existing RDMS location. In this second case, you will need to manually modify the permissions on the file or folder. We recommend you verify the permissions assigned to a file or folder after you moved it to a new location, regardless of whether permission inheritance is enabled or disabled. **Important Note:** The RDMS considers a file or folder **new** if you **upload** it to the RDMS or if you **copy** it from an existing RDMS location. A file or folder is **not** considered **new** if you **move** it from an existing RDMS location. In this second case, you will need to manually modify the permissions on the file or folder. We recommend you verify the permissions assigned to a file or folder after you moved it to a new location, regardless of whether permission inheritance is enabled or disabled.
  
-To display things more easily, we decided to use the CLI client [[..:access:linux:icommands|iCommands]] in the screenshots below. Please note that the behavior of the RDMS regarding permission inheritance is the same if the user uploads their data another way (e.g. [[..:access:windows:cyberduck|Cyberduck]] or [[..:access:windows:winscp|WinSCP]]). If you use Cyberduck or WinSCP to upload data to the RDMS, you can check or adjust permission inheritance either via iCommands or via the RDMS web interface. +To display things more easily, we decided to use the CLI client [[..:access:linux:icommands|iCommands]] in the examples below. Please note that the behavior of the RDMS regarding permission inheritance is the same if the user uploads their data another way (e.g. [[..:access:windows:cyberduck|Cyberduck]] or [[..:access:windows:winscp|WinSCP]]). If you use Cyberduck or WinSCP to upload data to the RDMS, you can check or adjust permission inheritance either via iCommands or via the RDMS web interface. 
  
 <code> <code>
-The 'rdms-testers@rug.nl' user has an already existing folder in the home collection.  +This is the folder with enabled inheritance that we use as destination. Note the permissions set on this folder (the part after 'ACL'). 
-Please look to the 'ACL' entry to see which permission 'rdms-testers' has in this folder. +$ ils -A /rug/home/Test_Team/folder_with_inheritance 
-# In this case, the permission level is 'own'.+        ACL - teamdrive-owner@rug.nl#rug:own   rdms-testers@rug.nl#rug:modify_object   g:Test_Team#rug:modify_object    
 +        Inheritance - Enabled 
 + 
 +# First, we we will show what happens if we copy the folder to the destination with enabled inheritance 
 +$ icp -r folder_test /rug/home/Test_Team/folder_with_inheritance 
 + 
 +Checking the permission shows that the permission of the parent folder are applied/inherited. Reason: Copy counts as new  
 +data --> Inheritance is applied.  
 +$ ils -A /rug/home/Test_Team/folder_with_inheritance/folder_test 
 +/rug/home/Test_Team/folder_with_inheritance/folder_test: 
 +        ACL - teamdrive-owner@rug.nl#rug:own   rdms-testers@rug.nl#rug:modify_object   g:Test_Team#rug:modify_object    
 +        Inheritance - Enabled 
 + 
 +# Now, we look at the permission of the second folder that we want to copy/move to show the effect of inheritance
 +# In this case, it is only a single user (rdms-testers@rug.nl) who has 'own' access on the folder
 $  ils -A folder_test $  ils -A folder_test
 /rug/home/rdms-testers@rug.nl/folder_test: /rug/home/rdms-testers@rug.nl/folder_test:
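Review bot: The added explanatory lines "This is the folder with enabled inheritance ..." and "Checking the permission shows that ..." sit inside the <code> block without the leading '#' that the other commentary lines in this example use, so they read as commands or output; prefix them with '#'. In the same hunk, "we we will show" has a doubled word, "the permission of the parent folder are applied" should read "the permissions ... are applied", and "the second folder" is confusing because the ils -A that follows lists the same folder_test that was just copied. Consider showing its ACL before the icp step so the before and after states appear in order.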
Line 55: Line 69:
  
 # The folder is now moved to a RDMS destination with permission inheritance enabled. # The folder is now moved to a RDMS destination with permission inheritance enabled.
-# The 'ACL' entry for this folder is: 
-#       ACL - teamdrive-owner@rug.nl#rug:own   rdms-testers@rug.nl#rug:modify_object   g:Test_Team#rug:modify_object 
-# So other users have permissions in this folder and 'rdms-testers' does not have 'own', but write permission (modify_object). 
 $  imv folder_test /rug/home/Test_Team/folder_with_inheritance $  imv folder_test /rug/home/Test_Team/folder_with_inheritance
  
-# We list the details of the folder again. See the 'ACL' entry to verify the permission level of 'rdms-testers'+# We check now the permissions again. Even with enabled inheritance, the permissions of the original folder are kept. ReasonMoving data does not count as new data --> Inheritance is not applied. Note that only rdms-testers@rug.nl has own permission. These are the original permissions before the move!
-Even with enabled inheritance, the permissions of the original folder are kept.  +
-# MoveDoes not count as new data --> Inheritance is not applied.+
 $ ils -A /rug/home/Test_Team/folder_with_inheritance/folder_test $ ils -A /rug/home/Test_Team/folder_with_inheritance/folder_test
 /rug/home/Test_Team/folder_with_inheritance/folder_test: /rug/home/Test_Team/folder_with_inheritance/folder_test:
         ACL - rdms-testers@rug.nl#rug:own            ACL - rdms-testers@rug.nl#rug:own   
         Inheritance - Disabled         Inheritance - Disabled
- 
-# Now we will show what happens if we copy the folder to the destination with enabled inheritance.  
-$ icp -r folder_test /rug/home/Test_Team/folder_with_inheritance 
- 
-# We list the details of the folder a third time. See the 'ACL' entry to verify the permission level of 'rdms-testers'. 
-# Checking the permission now shows that the inherited permission of the parent folder are applied.  
-# Copy: Counts as new data --> Inheritance is applied.  
-$ ils -A /rug/home/Test_Team/folder_with_inheritance/folder_test 
-/rug/home/Test_Team/folder_with_inheritance/folder_test: 
-        ACL - teamdrive-owner@rug.nl#rug:own   rdms-testers@rug.nl#rug:modify_object   g:Test_Team#rug:modify_object    
-        Inheritance - Enabled 
 </code> </code>
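Review bot: The merged comment above the final ils -A says the original permissions are kept but does not mention that the same listing shows "Inheritance - Disabled" on the moved folder, so it now sits inside folder_with_inheritance carrying only rdms-testers@rug.nl#rug:own and not the parent's inheritance setting. State that explicitly and end the example with the manual permission change that the Important Note above says is required after a move. Also check the sequence: with the copy now placed first, /rug/home/Test_Team/folder_with_inheritance/folder_test already exists when imv targets the same destination, so the move step may need a different folder name or a cleanup step in between. The merged comment is also one very long line; splitting it into two or three '#' lines would keep it readable in the code block.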
  
Line 94: Line 92:
         Inheritance - Enabled         Inheritance - Enabled
  
-# The 'rdms-testers@rug.nl' user uploads a new file from the local system to the RDMS folder+# The 'rdms-testers@rug.nl' user uploads a new file from the local system to the RDMS folder.
 $ iput test.txt /rug/home/Test_Team/folder_with_inheritance   $ iput test.txt /rug/home/Test_Team/folder_with_inheritance  
  
-# See the 'ACL' entry to verify the permission level of 'rdms-testers' +# See the 'ACL' entry to verify the permission level of 'rdms-testers'. 
-# Permissions on the newly uploaded file show that it inherited the permission from the parent collection automatically+# Permissions on the newly uploaded file show that it inherited the permission from the parent collection automatically.
 $ ils -A /rug/home/Test_Team/folder_with_inheritance/test.txt $ ils -A /rug/home/Test_Team/folder_with_inheritance/test.txt
   /rug/home/Test_Team/folder_with_inheritance/test.txt   /rug/home/Test_Team/folder_with_inheritance/test.txt
Line 110: Line 108:
 ==== Example: Permission Inheritance - Disabled ==== ==== Example: Permission Inheritance - Disabled ====
  
-In this example, we now assume the same scenario: You are ''rdms-testers@rug.nl'' and you upload a new file ''test.txt'' to a RDMS Team Drive folder. The permissions on the Team Drive folder are exactly the same as in the scenario mentioned above with the exception that permission inheritance is disabled for the destination folder. +In this other example, we now assume that permission inheritance is disabled. The user ''rdms-testers@rug.nl'' uploads a new file ''test.txt'' to a RDMS Team Drive folder. The only difference in this case from the example above is that permission inheritance is disabled for the destination folder. The permissions on the Team Drive folder are exactly the same as before.
  
 <code> <code>
 # In this case, the folder has inheritance disabled. # In this case, the folder has inheritance disabled.
 # The 'rdms-testers@rug.nl' user has write (modify_object) permissions.  # The 'rdms-testers@rug.nl' user has write (modify_object) permissions. 
 +# Please look to the 'ACL' entry to see which permission 'rdms-testers' has in this folder.
 $ ils -A /rug/home/Test_Team/folder_without_inheritance        $ ils -A /rug/home/Test_Team/folder_without_inheritance       
 /rug/home/Test_Team/folder_without_inheritance: /rug/home/Test_Team/folder_without_inheritance:
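Review bot: The rewritten introduction says that permission inheritance is disabled twice, once in "we now assume that permission inheritance is disabled" and again in "The only difference in this case ..."; one statement is enough, so drop the opening clause and keep the "only difference" sentence. In the added code comment, "Please look to the 'ACL' entry" should read "look at".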
Line 120: Line 119:
         Inheritance - Disabled         Inheritance - Disabled
  
-# The 'rdms-testers@rug.nl' user uploads a new file from the local system to the RDMS folder +# The 'rdms-testers@rug.nl' user uploads a new file from the local system to the RDMS folder.
 $ iput test.txt /rug/home/Test_Team/folder_without_inheritance   $ iput test.txt /rug/home/Test_Team/folder_without_inheritance  
  
-# Permissions on the newly uploaded file show that it only has one permission: own for the uploading user+# See the 'ACL' entry to verify the permission level of 'rdms-testers'
 +# Permissions on the newly uploaded file show that it only has one permission: 'ownfor the uploading user (creator).
 $ ils -A /rug/home/Test_Team/folder_without_inheritance/test.txt $ ils -A /rug/home/Test_Team/folder_without_inheritance/test.txt
   /rug/home/Test_Team/folder_without_inheritance/test.txt   /rug/home/Test_Team/folder_without_inheritance/test.txt
Line 129: Line 129:
 </code> </code>
  
-As you can see, the uploaded file now has only a single permission: Ownership for the creator (uploader), so 'own' for ''rdms-testers@rug.nl''. **There are no permissions for the team drive owner in this case. The file will be not accessible or even visible for this user.** +As you can see, the uploaded file now has only a single permission: Ownership for the creator (uploader), so 'own' for ''rdms-testers@rug.nl''. **There are no permissions for the team drive owner in this case. The file will be not accessible or even visible for this user**. This means that ''rdms-testers'' will need to set the permission manually to the desired value, if they want the Team Drive owner to also see and/or modify the file.
- +
-In these case, you will need to set the permission by hand to the desired value. This can be done by yourself or also by the owner of the parent folder. If this is not working out, please contact [[rdms-support@rug.nl]]+
  
 **Note**: A good reason to have permission inheritance disabled in the top-level of a Team Drive is to allow for easy permission management when the permissions are not the same in all Team Drive locations. For instance, if User 1 should only have permissions in Folder 1 and User 2 should only have permissions in Folder 2, with permission inheritance disabled, you can then simply add the Users without having to remove other Users first when creating new folders. Permission inheritance can then be enabled again inside Folder 1 and Folder 2, to help keep track of the right permissions.  **Note**: A good reason to have permission inheritance disabled in the top-level of a Team Drive is to allow for easy permission management when the permissions are not the same in all Team Drive locations. For instance, if User 1 should only have permissions in Folder 1 and User 2 should only have permissions in Folder 2, with permission inheritance disabled, you can then simply add the Users without having to remove other Users first when creating new folders. Permission inheritance can then be enabled again inside Folder 1 and Folder 2, to help keep track of the right permissions.
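Review bot: The replacement sentence after the bolded warning drops two things the removed paragraph carried: that the permission can also be set by the owner of the parent folder, and the rdms-support@rug.nl contact for when that does not work. Since the text states that the file is not accessible or even visible to the Team Drive owner, a reader in that situation loses the escalation path; consider keeping the support contact, and name the step the uploader should take to grant the permission. "The file will be not accessible" should read "will not be accessible".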