A social model of hydrologic data protection and sharing

Alva Couch, Tufts University;
David Tarboton and Jeff Horsburgh, Utah State University;
Ray Idaszak, Hong Yi, and Michael Stealey, RENCI at UNC.

ABSTRACT

Most researchers are used to file-based access control of research data, including
locating data by storing it on a local disk.

In HydroShare, we are implementing a social mechanism for data access and control, in
which regular users can:
- create, administer, and destroy groups of users, and
- share resources to which they have access with other users or groups,
based upon a social model of data access and sharing that spans institutions and breaks
down artificial impediments to collaboration.

While these mechanisms are based upon those in Google Drive, Dropbox, and other
products, they are considerably more flexible in some ways, especially in how groups are
formed.

GOALS

Transitive privilege: anyone can transfer privilege to anyone else, subject to
- access control policies that determine what can be done and under what conditions,
  and that are enforced by
- consistent access mechanisms in HydroShare and in the iRODS distributed file system.

SOME USE CASES

Researcher plus graduate assistants

[Figure: the researcher owns a HydroShare resource; a group whose members are
assistant 1, assistant 2 and assistant 3 holds view or change privilege on it.]

- No waiting for administrators to set up research groups.
- Researcher retains ownership of resources.
- Researcher can delegate management to senior assistant.
- When assistants leave or graduate, researcher retains access to work.

Researchers at multiple institutions

[Figure: the PI owns a HydroShare resource and co-PI 1, co-PI 2 and co-PI 3 are
additional owners; each co-PI's group of members holds change privilege.]

- Main PI delegates responsibilities to co-PIs.
- Co-PIs delegate responsibilities to their own assistants.
- PI retains ownership of all materials, but can delegate ownership to co-PIs.
- As researchers join or leave, PIs retain access to work.
- There are no institutional impediments to cross-institution sharing.

SOME COMMON PROBLEMS SOLVED

Problem: Loss of continuity when staff leave.
Social sharing solution: Principal investigator can retain ownership of all files, and
delegate change permission only.

Problem: Waiting for administrators to create user groups.
Social sharing solution: Self-service creation of user groups.

Problem: Cannot locate file due to forgotten name and/or location.
Social sharing solution: Search for lost data via metadata, type, privilege, and other
attributes.

Problem: Data inadvertently exposed to others, including competitors.
Social sharing solution: Can protect data from being shared with the shareable flag.

Problem: Inadvertent changes made to published, archival data.
Social sharing solution: Can protect published data from being changed with the
immutability flag.

TRANSITIVE PRIVILEGE

[Figure: a chain of privilege starting at the PI, with links labelled "owns" and
"owns + can view".]

Three levels of access to a thing:
- Owns: can do anything with the thing.
- Can change: can change data contents and metadata, but not other attributes.
- Can view: can see all data and metadata, but cannot change anything.

Special data resource flags control general protection of data, including whether data is
shareable, immutable, public, and/or published. These can only be set by owners.

SOCIAL POLICIES

In any social sharing system, one must be wary of abuse, spam and unsolicited
communications.
- In HydroShare, subscribing a user to a group is a way of communicating with the user.
  Thus adding a user to a group requires the user's permission.
- In a similar manner, making a user another owner of a data resource creates an implied
  responsibility. Thus adding a user as an additional owner requires the user's
  permission.
- Removing a user from a group or resource access can be used maliciously. Thus, only
  the owners of a resource or group can reduce a user privilege they didn't grant.

SYSTEM ARCHITECTURE

[Figure: External Clients reach the Django Website through Django REST; the website
makes Python calls into the IrodsShare API, which uses SQL to reach the IrodsShare
Database. iRODS is reached through iRODS REST, iCommands and iRODS MicroServices; its
Dynamic Policy Enforcement Points query the same database over SQL before access to
the iRODS Repository is granted.]

- PostgreSQL database contains access control information.
- Manipulated via Python Application Programming Interface (API).
- External to both HydroShare and iRODS.
- Used in iRODS Dynamic Policy Enforcement Points to deny access to unauthorized
  parties.
- Covers all paths of access to iRODS resources.

IMPLEMENTATION STATUS

- Python API freely available from http://github.com/hydroshare/IrodsShare
- Pursuing final integration into HydroShare

CRITIQUE

- This is a new concept and we are on uncharted ground.
- At this point, it is impossible to tell whether extra flexibility will aid or impede
  research.
- Thus, further tuning of policies will likely be necessary.

CONCLUSIONS

Providing a new paradigm of file sharing requires a delicate balance between
- empowering the user and
- preventing social abuses.

This mechanism for data sharing is a bold departure from traditional data sharing
methods, and a first step toward data sharing unfettered by the limits of file-based
sharing. Further work is necessary, however, to help users easily browse data by metadata
contents rather than traditional aids like file and folder names.
ACKNOWLEDGEMENTS

- Josh Pfosi, Ilan Gray: Tufts students who contributed software.
- The whole HydroShare team gave feedback on target policies.
- The iRODS team at RENCI made changes to iRODS 4.1 to accommodate this scheme.
- This work was funded in part by NSF Award 1148453 (HydroShare).