Access Management using GoCommands¶

GoCommands provides features to manage access of users and groups to data in the Data Store. The chmod and chmodinherit commands allow users to manage access permissions for data objects (files) and collections (directories). The ls -A command displays the current access levels assigned to users for a given file or directory.

List Access Permissions of Users for a Data Object or Collection¶

gocmd ls -A <data-object-or-collection>

The -A flag in ls command displays access permissions in the result.

This command will show the data objects and collections along with their access control lists (ACLs). For example:

/iplant/home/myUser/mydata:
        ACL - g:rodsadmin#iplant:own    myUser#iplant:own
        Inheritance - Disabled
    file1.bin
        ACL - g:rodsadmin#iplant:own    myUser#iplant:own
    file2.bin
        ACL - g:rodsadmin#iplant:own    myUser#iplant:own
    C- /iplant/home/myUser/mydata/subdir1

The g: prefix in the ACL username indicates that the user is a group.
The ACL is displayed in the username#zone:access_level format.
Most common access levels are:
- read_object: Allows read access to the data object or collection.
- modify_object: Allows modification (write) of the data object or collection.
- own: Grants ownership of the data object or collection.

Example Usage¶

List current access levels for a data object or collection:
```
gocmd ls -A /iplant/home/myUser/mydata
```

Change a User's or Group's Access Permission for a Data Object or Collection¶

gocmd chmod <access-level> <user-or-group(#zone)> <data-object-or-collection>

Access Levels¶

Access Level	Description
`null`	Removes all permissions
`read`	Allows reading the object or collection
`write`	Allows reading and modifying the object or collection
`own`	Grants full control, including the ability to change permissions

Example Usage¶

Grant a user read permission to a data object:

gocmd chmod read anotherUser /iplant/home/myUser/file.txt

Grant a user from a different zone read permission to a data object:

gocmd chmod read anotherUser#anotherZone /iplant/home/myUser/file.txt

Grant a user read permission to a collection and its contents:

gocmd chmod -r read anotherUser /iplant/home/myUser/dir

Grant a user write permission to a collection and its contents:

gocmd chmod -r write anotherUser /iplant/home/myUser/dir

Grant a user owner permission to a collection and its contents:

gocmd chmod -r owner anotherUser /iplant/home/myUser/dir

Remove access permission from a user to a collection and its contents:
```
gocmd chmod -r none anotherUser /iplant/home/myUser/dir
```

Enable or Disable Access Permission Inheritance for a Collection¶

When inheritance is enabled for a collection, any new data objects or subcollections created within it will automatically inherit the same access permissions as the parent collection.

gocmd chmodinherit <inheritance_option> <collection_path>

Inheritance Options¶

Flag	Description
`inherit`	Enable access inheritance. Data objects and sub-collections inherit permissions from the parent collection
`noinherit`	Disable access inheritance. Data objects and sub-collections do not inherit permissions from the parent collection

Example Usage¶

Enable inheritance for a collection:

gocmd chmodinherit inherit /iplant/home/myUser/dir

Disable inheritance for a collection:

gocmd chmodinherit noinherit /iplant/home/myUser/dir

Enable inheritance recursively for a collection and its subcollections:
```
gocmd chmodinherit -r inherit /iplant/home/myUser/dir
```
Disable inheritance recursively for a collection and its subcollections:
```
gocmd chmodinherit -r noinherit /iplant/home/myUser/dir
```