ACLs on the Web

The Corral iRODS data management system utilizes Access Control Lists (ACLs) to control permissions to read, write, and modify data within the system. ACLs are a powerful tool, as they allow the data owner to provide specific, limited privileges to individuals or groups of individuals, and to add as many sets of privileges as necessary to achieve the desired accessibility, or lack thereof. This tutorial will walk you through the process of viewing and changing access permissions using the web interface to iRODS.

Prerequisites

  • You must have a Corral "iRODS" allocation, and be able to log in to the web browser interface as described in the "Web Access to Corral's iRODS Repository" tutorial.

  • You must have a web browser that supports Javascript and a working network connection. Note: Google Chrome, Mozilla Firefox, and Apple's Safari have been tested and are known to work.

Steps

  1. Open the Corral iRODS URL in your web browser: https://icat.corral.tacc.utexas.edu/idrop-web/ and log in using your TACC User Portal (TUP) username and password.

  2. Navigate to the file or folder whose permissions you want to control, and select it. You will see a screen like the one below; note that there are multiple "tabs" on the right-hand side of the screen. Depending on whether you have selected a folder or a file, the third tab listed will be either "Sharing" or "Permissions".

  3. Click the "Sharing" or "Permissions" tab, and you will see a screen like the following. This screen provides an overview of current permissions on the object, and an interface to add or change the current permissions on that object. To add a new access permission, click the "Create" button.

  4. You will now see a screen where you can select the type of permission to add and associate that permission with a user. First, select a permission type from the drop-down box under "Share Permission". For example, the "read" permission allows the user in question to download the file, while the "write" permission allows the user in question to overwrite the file but not to read it. Set the permission to "own" to allow the user to read, write, and add new permissions for the file. Once you have selected a level of permissions, type in the name, or partial name, of a user, and click the "search" button; if you have entered a valid user name, the user name will show up on the list, as "maria#corralZ" does in the example shown below. Click the check-box next to the names of one or more users to whom you would like to grant the permission in question. When you are satisfied, click the "update" button to make the changes take effect.

     Note: to remove a permission from a specific user, select the "NONE" permission from the drop-down list, then select the username as usual and click the "update" button. This will remove any active permission entries for the user in question.

  5. In addition to users, you can also use groups to apply the same permissions to everyone within your project, or everyone in another project. In the example shown below, the "tdl" entry represents a group, while the remaining entries represent users within the group. Applying a permission to the "tdl" entry would grant that permission to all users within the group. When you create your project allocation, a group consisting of all the members of your project in the TACC user portal is also created for you.

     Note: As with user permissions, you can add as many group permission entries as you like. The strength of Access Control Lists is the ability to create as many permission entries as necessary to achieve precisely the access characteristics desired.

  6. To revoke a permission, simply delete the permission entry by going to the "Permissions" tab as shown in step 3, selecting one or more permission entries by clicking the checkbox next to each entry, and pressing the "Delete" button. This revokes only the selected entries, so for example it is possible to remove a user's direct write permission while leaving a read permission (say, one granted through a group) in place.
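The steps above describe three operations on an object's ACL: adding an entry for a user or group (step 4 and 5), clearing it by selecting "NONE" (the note in step 4), and deleting selected entries (step 6). Before granting access on a real collection it helps to reason through how the entries combine. The following is an added example written for this tutorial, not code from the Corral tutorial or the iRODS project: a small Python model of an ACL with those three operations, plus an audit helper that lists every user who ends up with "own" and can therefore change the ACL themselves. It assumes (the page does not state this) that permission levels are ordered NONE < read < write < own and that a user's effective level is the highest one granted either directly or through any group they belong to. The group membership, the user "alice#corralZ" and the `demo()` scenario are constructed sample data; "tdl" and "maria#corralZ" are the names used in the tutorial's screenshots.

```python
"""Model of the ACL behaviour described in the Corral iRODS web tutorial.
Added example, not part of the tutorial or of iRODS itself.
Assumption: levels are ordered NONE < read < write < own, and a user's
effective level is the highest granted directly or via a group."""

from dataclasses import dataclass, field

# Ordered permission levels as shown in the web UI's drop-down.
LEVELS = {"NONE": 0, "read": 1, "write": 2, "own": 3}


@dataclass
class Acl:
    """ACL of one file or collection: principal (user or group) -> level."""

    entries: dict = field(default_factory=dict)

    def update(self, principal: str, level: str) -> None:
        """Mirror the UI's "update" button for one principal.
        Choosing NONE removes the entry, as the step 4 note describes."""
        if level not in LEVELS:
            raise ValueError(f"unknown permission level: {level}")
        if level == "NONE":
            self.entries.pop(principal, None)
        else:
            self.entries[principal] = level

    def delete(self, *principals: str) -> None:
        """Mirror the "Delete" button: revoke only the selected entries."""
        for principal in principals:
            self.entries.pop(principal, None)

    def matching(self, user: str, groups: dict) -> dict:
        """Entries that apply to `user`: its direct entry plus any entry
        for a group it belongs to. `groups` maps group name -> set of users."""
        return {
            principal: level
            for principal, level in self.entries.items()
            if principal == user or user in groups.get(principal, ())
        }

    def effective(self, user: str, groups: dict) -> str:
        """Highest level granted to `user` by any applicable entry."""
        applicable = self.matching(user, groups)
        return max(applicable.values(), key=LEVELS.__getitem__, default="NONE")

    def owners(self, groups: dict) -> set:
        """Audit helper: every user whose effective level is "own", i.e.
        everyone who can add or change permissions on this object."""
        candidates = set()
        for principal in self.entries:
            if principal in groups:
                candidates.update(groups[principal])
            else:
                candidates.add(principal)
        return {u for u in candidates if self.effective(u, groups) == "own"}


def demo() -> tuple:
    """Walk through steps 4-6 on constructed data: grant read to the
    group, write to one member, then delete that member's direct entry.
    Returns the member's effective level before and after the deletion."""
    groups = {"tdl": {"maria#corralZ", "alice#corralZ"}}  # constructed
    acl = Acl()
    acl.update("tdl", "read")              # step 5: group entry
    acl.update("maria#corralZ", "write")   # step 4: direct user entry
    before = acl.effective("maria#corralZ", groups)
    acl.delete("maria#corralZ")            # step 6: revoke the write entry only
    after = acl.effective("maria#corralZ", groups)
    return before, after


if __name__ == "__main__":
    print(demo())  # ('write', 'read'): read survives via the tdl group
```

The `owners()` audit is the check worth running after any change: an "own" entry on a group hands ACL control to every member of that group, so the set it returns should contain only the people you expect to be able to re-share the data. The same grant, NONE and revoke operations are available from the iRODS command line through `ichmod` (with `ils -A` showing the current entries), which is convenient for scripting this kind of review.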

Reference

See also:

Last update: April 10, 2015