Guide: Multi-user Unix Permissions and Data Access Control
Tips on how to manage permissions and data access control.
This guide explains how to set up accounts when there are multiple unix users interacting with the same CryoSPARC instance. For standard instructions about how to set up unix accounts for CryoSPARC installation see the Installation Pre-requisites.
The permissions system built into Linux (and all Unix-like operating systems) can be used to make it easier for multiple users to interact with CryoSPARC's data, or to establish a degree of separation between data belonging to different research teams. This page offers some tips on how this can be done.
Changing file permissions has security implications. If you aren't familiar with how Unix permissions work, it is advisable to consult with your system administrator, consult your operating system's documentation, or do some online research into Unix permissions before running the commands in this guide.
Allowing users' Linux accounts to access CryoSPARC files
CryoSPARC should be installed under its own operating system account. Typically, individual researchers will have their own accounts for accessing the computer(s) that CryoSPARC is installed on. By default on most Linux distributions, user accounts cannot modify files created by other user accounts, so the accounts belonging to individual researchers can only read files created or owned by CryoSPARC. This can be a barrier when trying to, for example, copy exported job files into another project for import. The standard permission system built into Linux can be used to work around this problem. Below is an example of how.
For the purpose of this example, we'll assume we are working with a fresh CryoSPARC installation. We will create a cryosparc user account (all CryoSPARC processes will run as this user), and we'll create two user accounts for people who will be using CryoSPARC.
We'll add Alice and Tom's accounts to the "cryosparc" group:
Since in this example we're assuming this is a brand new CryoSPARC installation, we'll set up the directory that we will be storing our project files in. We'll then change the ownership of that directory so that it's under the control of the cryosparc account and group, and lastly we'll change the permissions on that directory. Specifically, we want g+ws, which will make anyone in the cryosparc group able to write to that directory (that's the w), and will make it so that any time new file is created in that directory, the file is owned by the cryosparc group (that's the s).
A demonstration of the result:
On some systems, the default umask variable may disable group write permissions. This would cause new files created by a user to not have group write permission unless manually changed with chmod. You can determine what the current umask is by running umask at a command prompt. If the second-to-last digit is not zero, you may run into issues. Putting umask 0002 in the ~/.bashrc file for the cryosparc account and each individual user account will correct this issue if it occurs.
Establishing teams of users, and limiting access to data owned by another team
Another area where unix permissions can help is in separating CryoSPARC users into teams that cannot interact with each other's data. Be sure to read the above section before this one, as a few important ideas are not repeated here.
While this guide can be used as a basis for limiting access to data and projects at the level of unix user accounts, the cryosparc user can still access the data from all teams. This is necessary for CryoSPARC to function correctly. As a result, users could still access another group's work by using the CryoSPARC user interface and navigating to a project directory owned by another group. One group could, for example, import raw data owned by another group. This will be addressed in a future CryoSPARC release.
This guide will proceed by example, similar to the previous.
We assume we're starting with a blank slate. Suppose we have four researchers in two separate research groups: Alice and Tom are in the 'lab1' group, Dmitri and Sonja are in the 'lab2' group.
Create the directory that will be used to store CryoSPARC projects, and establish the same permissions as in the previous guide.
To briefly recap, we're going to use "chmod g+sw", where the "s" means that files created within the folder will be associated with the folder's group. Right now, that isn't terribly useful as we haven't added any users to the cryosparc group. But that "s" setting - the "setgid" bit, will be set on any created subdirectories as well, which will become important shortly.
At this point, create some projects via the CryoSPARC UI which, will automatically create project subfolders. (e.g. "P1", "P2", "P3", etc). Decide which project subfolders should be owned by which group, and change the folder ownership appropriately as shown below. Note that the 'mkdir' lines are just simulating what the UI will do when creating a project - these don't need to actually be run.
Take a look at the output of the ls -l command. Notice that each project folder has an "s" where the group "x" would normally be. This happened because we added the "s" bit to the cryosparc_projs directory before we created the projects (it could be added with chmod if we were doing this retroactively). As a result of the presence of that "s" bit and the fact that each project folder is now owned by one of the lab groups, any files created inside the project folders will be owned by the corresponding lab group, which allows our researcher accounts to access and modify them as appropriate.
Notice also that we used chmod o-rx, meaning that users who aren't cryosparc or part of the appropriate lab group cannot even see the contents of the project directories.
The resulting configuration is demonstrated below:
Last updated