How to administer permissions in NFS web projects

For web projects that use the NFS filesystem (as a rule of thumb: web projects created after March of 2018), both access to the file system and the right to administer that access are handled through the identity management system uniKIM.

Different Roles in Groups

Permissions are granted by assigning roles to certain accounts. There are two different roles that you need to distinguish when dealing with groups: the Business Role GroupManager and the Permission Role Group.

  • Group Managers can administer a group, that is, they can add people to a group and remove other people. There can be several group managers for one group at a time. As the initial group manager, you can pass these privileges to your deputies or to your successor.
    Please remember to only assign the role of group manager to those who should be able to decide who will receive write permissions or not. The role of group manager does not grant write permissions. Write privileges have to be assigned separately.
  • The actual write permissions are granted through the Permission Role “Group”. As a group manager, you should assign this role to all persons responsible for updating the website through the project directory. Members of this permission role cannot add new members to the group themselves; that is a task that only group managers can do (see above).

Of course, one person can hold both of the above roles, if they should be able to both assign write permissions to others and have write permissions for themselves.

Accessing privilege assignment

1. Log in to the uniKIM system.
To administer group privileges, you have to log in from within the University’s campus network. You may use a VPN connection to meet this criterion.

2. When using the uniKIM system, choose Roles and Resources from the top menu. There will be a note about having reached the “maximum number of rows allowed”. Click OK to close it. You will now see your own role assignments.

Granting write permissions

Please follow the detailed procedures to assign write permissions (by adding an account to a group) or to revoke write permissions (by removing an account from a group):

Unlike write permissions for actual people, which are assigned by adding their accounts to groups, write permissions for the special web server account are assigned another way. Please use the following procedure to grant write permissions to the web service user:

This permission is granted outside of uniKIM. It is usually required when using a content management system, which requires the web service user to create new files at least in certain areas of the web project file space. In more general terms, this kind of write permission for the web service user is required if the web project allows external users to upload their own files (e.g. photos).

