Guide: Multi-user Unix Permissions and Data Access Control

Tips on how to manage permissions and data access control.


Last updated 2 years ago

This guide explains how to set up accounts when there are multiple Unix users interacting with the same CryoSPARC instance. For standard instructions about how to set up Unix accounts for CryoSPARC installation, see Installation Pre-requisites.

The permissions system built into Linux (and all Unix-like operating systems) can be used to make it easier for multiple users to interact with CryoSPARC's data, or to establish a degree of separation between data belonging to different research teams. This page offers some tips on how this can be done.

Changing file permissions has security implications. If you aren't familiar with how Unix permissions work, it is advisable to consult with your system administrator, consult your operating system's documentation, or do some online research into Unix permissions before running the commands in this guide.

Allowing users' Linux accounts to access CryoSPARC files

CryoSPARC should be installed under its own operating system account. Typically, individual researchers will have their own accounts for accessing the computer(s) that CryoSPARC is installed on. By default on most Linux distributions, user accounts cannot modify files created by other user accounts, so the accounts belonging to individual researchers can only read files created or owned by CryoSPARC. This can be a barrier when trying to, for example, copy exported job files into another project for import. The standard permission system built into Linux can be used to work around this problem. Below is an example of how.

For the purpose of this example, we'll assume we are working with a fresh CryoSPARC installation. We will create a cryosparc user account (all CryoSPARC processes will run as this user), and we'll create two user accounts for people who will be using CryoSPARC.

root@host:~# useradd cryosparc
root@host:~# useradd alice
root@host:~# useradd tom

We'll add Alice and Tom's accounts to the "cryosparc" group:

root@host:~# usermod -aG cryosparc alice
root@host:~# usermod -aG cryosparc tom

Since in this example we're assuming this is a brand new CryoSPARC installation, we'll set up the directory that we will be storing our project files in. We'll then change the ownership of that directory so that it's under the control of the cryosparc account and group, and lastly we'll change the permissions on that directory. Specifically, we want g+ws, which will make anyone in the cryosparc group able to write to that directory (that's the w), and will make it so that any time a new file is created in that directory, the file is owned by the cryosparc group (that's the s).

root@host:~# mkdir -p /data/cryosp_projs
root@host:~# chown cryosparc:cryosparc /data/cryosp_projs
root@host:~# chmod g+ws /data/cryosp_projs/

A demonstration of the result:

# the cryosparc user creates a bunch of files

root@host:~# su cryosparc
cryosparc@host:/root$ touch /data/cryosp_projs/file1
cryosparc@host:/root$ touch /data/cryosp_projs/file2
cryosparc@host:/root$ touch /data/cryosp_projs/file3
cryosparc@host:/root$ ls -l /data/cryosp_projs/
total 0
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file1
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file2
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file3
cryosparc@host:/root$ exit


# alice logs in, and also creates a file in that directory

root@host:~# su alice
alice@host:/root$ touch /data/cryosp_projs/file4
alice@host:/root$ ls -l /data/cryosp_projs/
total 0
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file1
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file2
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file3
-rw-rw-r-- 1 alice     cryosparc 0 Jun 18 17:06 file4
alice@host:/root$ exit

# notice how the file alice made is owned by the cryosparc group.
#
# now tom can log in and is able to modify the files created by...
# ... both alice and cryosparc

root@host:~# su tom
tom@host:/root$ rm /data/cryosp_projs/file2 
tom@host:/root$ rm /data/cryosp_projs/file4
tom@host:/root$ ls -l /data/cryosp_projs/
total 0
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file1
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file3
tom@host:/root$ touch /data/cryosp_projs/file
tom@host:/root$ ls /data/cryosp_projs/ -l
total 0
-rw-rw-r-- 1 tom       cryosparc 0 Jun 18 17:07 file
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file1
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file3

On some systems, the default umask variable may disable group write permissions. This would cause new files created by a user to not have group write permission unless manually changed with chmod. You can determine what the current umask is by running umask at a command prompt. If the second-to-last digit is not zero, you may run into issues. Putting umask 0002 in the ~/.bashrc file for the cryosparc account and each individual user account will correct this issue if it occurs.
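
The umask effect described above can be checked directly. The following is an added example, not part of the CryoSPARC guide; the function names are hypothetical and it assumes a POSIX shell with mktemp and find available.

```sh
# Added example, not part of the CryoSPARC guide.
# See what a umask does to files created in a shared directory, and find
# entries that have already been affected.

# Print the permission string of a file created under the given umask.
# The function body is a subshell, so the caller's umask is not changed.
mode_under_umask() (
    umask "$1"
    probe_dir=$(mktemp -d) || exit 1
    touch "$probe_dir/probe"
    ls -l "$probe_dir/probe" | cut -c1-10
    rm -rf "$probe_dir"
)

# Succeed if the umask leaves group write enabled on new files.
# The group digit is the second-to-last; bit value 2 in it masks group write.
umask_keeps_group_write() {
    [ $(( (0$1 >> 3) & 2 )) -eq 0 ]
}

# List entries under a shared directory that group members cannot modify.
list_missing_group_write() {
    find "$1" ! -type l ! -perm -020
}

# What the current shell would do to a new file:
current=$(umask)
if umask_keeps_group_write "$current"; then
    echo "umask $current: new files stay group-writable"
else
    echo "umask $current: new files lose group write; consider umask 0002"
fi
```

Running list_missing_group_write on the project directory shows which existing files need a chmod g+w after the umask has been corrected.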

Establishing teams of users, and limiting access to data owned by another team

Another area where unix permissions can help is in separating CryoSPARC users into teams that cannot interact with each other's data. Be sure to read the above section before this one, as a few important ideas are not repeated here.

While this guide can be used as a basis for limiting access to data and projects at the level of unix user accounts, the cryosparc user can still access the data from all teams. This is necessary for CryoSPARC to function correctly. As a result, users could still access another group's work by using the CryoSPARC user interface and navigating to a project directory owned by another group. One group could, for example, import raw data owned by another group. This will be addressed in a future CryoSPARC release.

This guide will proceed by example, similar to the previous.

We assume we're starting with a blank slate. Suppose we have four researchers in two separate research groups: Alice and Tom are in the 'lab1' group, Dmitri and Sonja are in the 'lab2' group.

root@host:~# useradd tom
root@host:~# useradd alice
root@host:~# useradd dmitri
root@host:~# useradd sonja
root@host:~# groupadd lab1
root@host:~# groupadd lab2
root@host:~# usermod -aG lab1 tom
root@host:~# usermod -aG lab1 alice
root@host:~# usermod -aG lab2 dmitri
root@host:~# usermod -aG lab2 sonja 

# add the cryosparc user account to both lab1 and lab2

root@host:~# useradd cryosparc
root@host:~# usermod -aG lab1 cryosparc
root@host:~# usermod -aG lab2 cryosparc

Create the directory that will be used to store CryoSPARC projects, and establish the same permissions as in the previous guide.

To briefly recap, we're going to use "chmod g+sw", where the "s" means that files created within the folder will be associated with the folder's group. Right now, that isn't terribly useful as we haven't added any users to the cryosparc group. But that "s" setting (the "setgid" bit) will be set on any created subdirectories as well, which will become important shortly.

root@host:~# mkdir -p /data/cryosp_projs
root@host:~# chmod g+ws /data/cryosp_projs/
root@host:~# chown cryosparc:cryosparc /data/cryosp_projs/

At this point, create some projects via the CryoSPARC UI, which will automatically create project subfolders (e.g. "P1", "P2", "P3", etc). Decide which project subfolders should be owned by which group, and change the folder ownership appropriately as shown below. Note that the 'mkdir' lines are just simulating what the UI will do when creating a project - these don't need to actually be run.

root@host:~# su cryosparc
cryosparc@host:/root$ cd /data/cryosp_projs/
cryosparc@host:/data/cryosp_projs$ mkdir P1
cryosparc@host:/data/cryosp_projs$ mkdir P2
cryosparc@host:/data/cryosp_projs$ mkdir P3
cryosparc@host:/data/cryosp_projs$ chgrp lab1 P1
cryosparc@host:/data/cryosp_projs$ chgrp lab2 P2
cryosparc@host:/data/cryosp_projs$ chgrp lab2 P3
cryosparc@host:/data/cryosp_projs$ chmod o-rx *
cryosparc@host:/data/cryosp_projs$ ls -l
total 12
drwxrws--- 2 cryosparc lab1 4096 Jun 18 17:12 P1
drwxrws--- 2 cryosparc lab2 4096 Jun 18 17:12 P2
drwxrws--- 2 cryosparc lab2 4096 Jun 18 17:12 P3
cryosparc@host:/data/cryosp_projs$ exit

Take a look at the output of the ls -l command. Notice that each project folder has an "s" where the group "x" would normally be. This happened because we added the "s" bit to the cryosp_projs directory before we created the projects (it could be added with chmod if we were doing this retroactively). As a result of the presence of that "s" bit and the fact that each project folder is now owned by one of the lab groups, any files created inside the project folders will be owned by the corresponding lab group, which allows our researcher accounts to access and modify them as appropriate.

Notice also that we used chmod o-rx, meaning that users who aren't cryosparc or part of the appropriate lab group cannot even see the contents of the project directories.

The resulting configuration is demonstrated below:

root@host:~# su tom
tom@host:/root$ cd /data/cryosp_projs/
tom@host:/data/cryosp_projs$ ls
P1  P2	P3
tom@host:/data/cryosp_projs$ cd P1/
tom@host:/data/cryosp_projs/P1$ touch file1
tom@host:/data/cryosp_projs/P1$ cd ..
tom@host:/data/cryosp_projs$ cd P2
bash: cd: P2: Permission denied
tom@host:/data/cryosp_projs$ exit


root@host:~# su sonja
sonja@host:/root$ cd /data/cryosp_projs/
sonja@host:/data/cryosp_projs$ ls P1
ls: cannot open directory 'P1': Permission denied
sonja@host:/data/cryosp_projs$ touch P3/file
sonja@host:/data/cryosp_projs$ ls -l P3
total 0
-rw-rw-r-- 1 sonja lab2 0 Jun 18 17:14 file
sonja@host:/data/cryosp_projs$ exit


root@host:~# su cryosparc
cryosparc@host:/root$ cd /data/cryosp_projs/
cryosparc@host:/data/cryosp_projs$ ls
P1  P2	P3
cryosparc@host:/data/cryosp_projs$ find
.
./P3
./P3/file
./P1
./P1/file1
./P2
cryosparc@host:/data/cryosp_projs$ rm P3/file
cryosparc@host:/data/cryosp_projs$ rm P1/file1
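
Project folders created later, or touched by a stray chmod, can drift from this layout. The following audit is an added example, not part of the CryoSPARC guide; audit_project_dir is a hypothetical name, the demo tree is constructed, and it assumes a Linux host with find supporting -mindepth.

```sh
# Added example, not part of the CryoSPARC guide.
# Audit one project directory against the layout above.
# Prints one finding per line and nothing when the directory complies.
# Usage: audit_project_dir <dir> <expected-group>
audit_project_dir() (
    dir=$1
    want_group=$2
    [ -d "$dir" ] || { echo "$dir: not a directory"; exit 0; }

    # ls -ld prints e.g. "drwxrws--- 2 cryosparc lab1 4096 Jun 18 17:12 P1"
    listing=$(ls -ld "$dir")
    mode=$(printf '%s\n' "$listing" | cut -c1-10)
    group=$(printf '%s\n' "$listing" | awk '{print $4}')

    [ "$group" = "$want_group" ] ||
        echo "$dir: group is $group, expected $want_group"

    # Without setgid, new entries get the creator's primary group instead.
    [ -g "$dir" ] || echo "$dir: setgid bit missing (chmod g+s)"

    # Characters 5-7 of the mode are the group triplet, 8-10 the "other" one.
    case $mode in
        ????rw[sx]???) ;;
        *) echo "$dir: group lacks rwx (mode $mode)" ;;
    esac
    case $mode in
        ???????---) ;;
        *) echo "$dir: open to other users (mode $mode)" ;;
    esac

    # Subdirectories that lost the setgid bit break group inheritance below.
    find "$dir" -mindepth 1 -type d ! -perm -2000 |
        sed 's/$/: subdirectory without setgid/'
)

# Constructed demo tree: P1 follows the guide, P2 has drifted from it.
demo_root=$(mktemp -d)
mkdir "$demo_root/P1" "$demo_root/P2"
chmod u=rwx,g=rwxs,o= "$demo_root/P1"
chmod u=rwx,g=rx,o=rx "$demo_root/P2"
demo_group=$(ls -ld "$demo_root/P1" | awk '{print $4}')
audit_project_dir "$demo_root/P1" "$demo_group"
audit_project_dir "$demo_root/P2" lab2
rm -rf "$demo_root"
```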