The easiest way to share data safely within an institute or a research group (both ETH/ITET internal only) is a so-called project account.
A project account is associated with storage space (including backup) and a list of project members who can access this data. By default, all files at this location are readable and writable by all project members. Access rights are handled through UNIX permissions: the storage location and its subfolders belong to the dedicated project UNIX account and to its dedicated group, of which all project members are members. By default, the umask of all members is set so that all new files are accessible to group members and closed to others.
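The permission model described above can be checked mechanically. The following shell functions are an added example, not part of the original page or of ISG.EE tooling; they assume a member umask of 007 (a value matching "accessible for group members and closed to others"), and the function names, file names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: members use umask 007, so new files are
# created with mode 660 and new directories with mode 770.
# Hypothetical usage: sh audit.sh /path/to/project itet-isg-<projectname>

# audit_project_dir DIR GROUP
# Prints one line per entry that deviates from the sharing model:
#   OTHER path   any permission bit is set for "others"
#   GROUP path   entry does not belong to the project group
#   NOGRW path   group lacks read or write permission
# Returns 0 if the tree is clean, 1 if a deviation was found.
audit_project_dir() {
    dir=$1 group=$2
    report=$(
        find "$dir" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'OTHER %s\n' {} \;
        find "$dir" ! -type l ! -group "$group" -exec printf 'GROUP %s\n' {} \;
        find "$dir" ! -type l ! -perm -060 -exec printf 'NOGRW %s\n' {} \;
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# build_demo_tree: constructed sample data. Creates files the way a member
# with umask 007 would, then adds two deviating files. Prints the tree path.
build_demo_tree() {
    d=$(mktemp -d) || return 1
    (
        umask 007
        mkdir "$d/results"
        : > "$d/results/shared.csv"         # 660: matches the default model
        : > "$d/results/leaky.csv"
        chmod 664 "$d/results/leaky.csv"    # readable by non-members
        : > "$d/results/private.csv"
        chmod 600 "$d/results/private.csv"  # other members are locked out
    )
    chmod 770 "$d"                          # mktemp creates the directory as 700
    printf '%s\n' "$d"
}

# When called with a directory and a group name, audit that tree.
if [ "$#" -eq 2 ]; then
    audit_project_dir "$1" "$2"
fi
```

Files copied into the project with preserved permissions or created under a different umask are the usual source of `OTHER` and `NOGRW` findings.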
Some facts about project accounts:
- an independent UNIX account in the D-ITET/TARDIS environment
- main attributes:
  - expiry date
  - person in charge
  - distinct group (itet-isg-<projectname>)
- data access via group membership
- D-ITET/TARDIS account needed for membership
Each project is owned by a personal D-ITET/TARDIS account. The owner, as person in charge, is our contact person.
Each project account has its own group, i.e. itet-isg-<projectname>. Group membership is required to access the project's data. The project's owner determines who is permitted to become a project member. Only valid D-ITET/TARDIS accounts can become members of a project account. To share data with people from other ETH organizations, a D-ITET guest account must first be ordered by the technical contact (IT coordinator) of the D-ITET institute involved.
In the standard setup, the project data can be accessed read/write by all project members via NFS and Samba (in parallel). Since access is granted via each member's own credentials (i.e. username and password), the project account's password does not need to be known. If needed, the project account's password is handed over to the project owner. The password must not be shared.
A different access setup is also possible. Details must be arranged individually.
Using itet-stor is the easiest way to find the project's data. For each project one is a member of, a link is available in the personal link list.
Keep in mind a project account never has a link list, therefore neither
Usage and Quota
The data usage and quota of a project can be checked by any project member by
Remark: The command works only for already migrated projects.
To order a new project account just send an email (Subject: New project account <projectname>) to email@example.com containing these specifications:
- project name
- contact name and email (in general the requester)
- expiry date (default 1 to 2 years)
The project owner can ask for addition of new members or removal of existing members by sending a request to firstname.lastname@example.org
- Subject: Adding/Remove user to/from project <projectname>
- Content: list of users
If a user does not have a valid D-ITET/TARDIS account, a guest account can be requested by the technical contact (IT coordinator) of the lab/institute.
Storage space allocated by a project is charged by an annual fee (contract between ISG.EE and institute).
Data Sharing with Students
Data sharing between institute staff members and students is best achieved with an individual project account. The project account is owned by an institute member and is named as follows: <staffmember>-stud. The project owner and all students (entitled to sharing) must be members of the corresponding project group. All data are shared read/write among all project members.
Doctoral Thesis, Master Thesis, Semester Work etc.
For any student work (incl. Ph.D.) that belongs to an institute and exceeds the default quota considerably or requires data sharing, a project account is required. The project account is owned by an institute member (adviser) and is named as follows: <student>-<phd|msc|sem>, depending on the type of work. At least the student must be a member of the corresponding project group.
Personal Storage Increase
If a staff user needs an extraordinary amount of storage space and this cannot be solved by other means, a personal project account (as an exception) might be a solution. The project account is owned by the user and is named <staffmember>-data. Typically, the staff user is the only member of this project.