When a mapped collection is configured to allow users to create guest collections, there are policies that restrict which users can create guest collections, as well as policies which restrict which paths available on the mapped collection can be accessed from the guest collections, and with what permissions.
Sharing policies provide a way to restrict sharing of data to certain paths for certain users, even if their account would otherwise have access to the data. Each sharing policy records which collection it applies to, which storage-gateway-specific usernames it applies to, and which paths it applies to. Sharing policies are new in v5.4.18.
The commands in this section allow administrators with sufficient permissions to create, delete, list, and show sharing policies.
When a user creates or accesses a guest collection, the values of the mapped collection's sharing_restrict_paths and the sharing_policies that apply to the user who created the collection are combined. The resulting set of sharing path restrictions is passed to the GridFTP server, which enforces that only files matching the sharing path restrictions and policies are visible.
It is important to remember that the default sharing_restrict_paths policy is to allow accessing any path visible to the mapped collection in a guest collection. This can be changed by updating the collection using the --sharing-restrict-paths command-line option. If you want to use only user-specific sharing policies, you can set the sharing restrict paths to disallow all accesses with this policy:
and then create user-specific sharing policies.
If you want to allow some sharing by default, you can specify those paths in the sharing_restrict_paths policy, and then add additional allowed paths in the user-specific sharing paths policy.
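The evaluation described above, as an added illustration that is not Globus Connect Server's own code or the GridFTP enforcement logic: a small Python model in which a restriction document maps a permission level to path prefixes, the longest matching prefix decides, and user-specific policies can only add access on top of the mapped collection's sharing_restrict_paths (all of these semantics, and the names `SharingPolicy`, `evaluate` and `effective_permission`, are assumptions of this example).

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed model (assumption): permission level -> list of path prefixes.
ALLOW_ALL = {"read_write": ["/"]}  # the described default for sharing_restrict_paths
DENY_ALL = {"none": ["/"]}         # disallow all accesses, then grant per user

LEVELS = {"none": 0, "read": 1, "read_write": 2}


@dataclass
class SharingPolicy:
    collection: str
    username: str  # storage-gateway-specific username the policy applies to
    restrictions: Dict[str, List[str]]


def _matches(prefix: str, path: str) -> bool:
    """True if path is the prefix itself or lies beneath it."""
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def evaluate(restrictions: Dict[str, List[str]], path: str) -> str:
    """Permission for path under one restriction document; longest matching
    prefix wins, and an unmatched path gets no access."""
    best_len, best_level = -1, "none"
    for level, prefixes in restrictions.items():
        for prefix in prefixes:
            if _matches(prefix, path) and len(prefix) > best_len:
                best_len, best_level = len(prefix), level
    return best_level


def effective_permission(collection_restrictions, policies, collection, username, path):
    """Combine the mapped collection's sharing_restrict_paths with the sharing
    policies for this user on this collection. Assumption: a user policy can
    raise but never lower the permission granted by the collection."""
    perm = evaluate(collection_restrictions, path)
    for pol in policies:
        if pol.collection == collection and pol.username == username:
            perm = max(perm, evaluate(pol.restrictions, path), key=LEVELS.get)
    return perm
```

With DENY_ALL on the mapped collection, only paths named in a user's own sharing policy become visible in that user's guest collections.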