Manage the protected data and its access

Keep protected data in proper locations

Protected data must be stored in predetermined locations. The only locations at OSC to store protected data are /fs/ess/PDEXXXX and /fs/scratch/PDEXXXX directories.
(Only with prior approval from OSC may a protected data service project not have a project prefix of PDE).

There are other storage locations at OSC, but none of the follwing locations can be used to store protected data because they do not have the proper controls and requirements to safely store it:

  • /users/<project-code>
  • /fs/ess/<non-PDS-project>
  • /fs/scratch/<non-PDS-project>
PDS is the acronym for Protected Data Service.

Project space access controls and permissions should not be altered

The directory permissions where protected data are stored are setup to prevent changing the permissions or access control entries on the top-level directories by regular users. Only members of the project are authorized to access the data; users are not permitted to attempt to share data with unauthroized users. 

The protected data environment will be monitored for unauthorized changes to permissions and access control.

Grant and remove user access to protected data

Protected data directoires will be set with permissions to restrict access to only project users. Project users are determined by group membership. For example, project PDE1234 has a protected data location at /fs/ess/PDE1234 and only users in the group PDE1234 may access data in that directory. 

Adding a user to a project in OSC client portal adds the group to their user account, likewise removing the user from the project, removes their group. See our page for invite, add, remove users.

A user's first project cannot be the secure data project. If a user's first project was the secure data project, then removing them from the project in client portal will not take away their group for that project.

Keep accounts secure

Do not share accounts/passwords, ever. 

A user that logs in with another person's account is able to perform actions on behalf of that person, including unauthorized actions mentioned above.