SnapshotCM Tips and Tricks

In the last month's column we discussed access control in SnapshotCM. We suggested in passing that a directory ACL could provide defaults for items newly created in a directory.

Let's expand on that a bit. To make effective use of directory ACL inheritance, it is helpful to have a deeper understanding of file and directory ACLs than we covered last time.

In SnapshotCM, file and directory ACLs control access to all versions and all instances of an object. This is key. If you restrict access to a file using the file's ACL, access to that file is restricted in all snapshots no matter which version of the file a snapshot references. This provides straightforward access control on a file. You set the ACL, access is controlled. Everywhere. All the time. It is simple.

The same is true for directory ACLs. If you set a directory ACL, it controls access to the directory's attributes no matter which snapshot they are viewed through. Directories can also affect file access by providing a default for newly created child items.

What is important to note is the interaction between inheritance and the reality that all instances of a directory are affected by an ACL, whether in the current snapshot, or any other snapshot or project.

Typically, projects do not share directories, while all the snapshots within a given project are shared. Thus, if you set access control on a directory, it typically affects only the snapshots of one project.

The universal exception is the root directory, which is shared by all projects (this is necessary to allow copying between projects, when that is desired). As a consequence, if you change the root directory ACL, you are affecting the root directory in all snapshots of all projects in the database. And that is not a good thing. Changes to one project should not normally affect other projects.

To resolve this issue, we strongly suggest that you not edit the root directory ACL. In fact, the next SnapshotCM server release will reset the root directory ACL to the default value and disallow further ACL editing. None of the other root directory attributes can be modified, and this change treats the root directory ACL consistently with the root directory attributes, which also cannot be changed.