Controlling access

The directives xpd.allowedusers and xpd.allowedgroups can be used to control which users and groups (UNIX or PROOF) are allowed to start PROOF sessions on the cluster. The policy is described in this section.

First the general directive for groups, xpd.allowedgroups, is checked; a user of a specific group (both UNIX or PROOF groups) can be rejected by prefixing a '-'. The group check fails if active (the xpd.allowedgroups directive has entries) and at least one of the two groups (UNIX or PROOF) are explicitly denied with the other not explicitly allowed. The result of the group check is superseeded by any explicit specification in the allowedusers, either positive or negative.

In the following examples, we assume that user 'katy' has UNIX group 'alfa' and PROOF group 'student', and users 'jack' and 'john' have UNIX group 'alfa' and PROOF group 'postdoc'.

1. Users 'katy', 'jack' and 'john' are allowed because part of UNIX group 'alfa' (no 'allowedusers' directive) 

xpd.allowedgroups alfa
2. User 'katy' is allowed because part of PROOF group 'student'; users 'jack' and 'john' are denied because not part of PROOF group 'student' (no 'allowedusers' directive) 
xpd.allowedgroups student
3. User 'katy' is denied because part of PROOF group 'student' which is explicitely denied; users 'jack' and 'john' are allowed becasue part of UNIX group 'alfa' (no 'allowedusers' directive) 
xpd.allowedgroups alfa,-student
4. User 'katy' is allowed because explicitely allowed by the 'allowedusers' directive; user 'jack' is denied because explicitely denied by the 'allowedusers' directive; user 'john' is allowed because part of 'alfa' and not explicitely denied by the 'allowedusers' directive (the allowedgroups directive is in this case ignored for users 'katy' and 'jack'). 
xpd.allowedgroups alfa,-student
xpd.allowedusers katy,-jack

NB: The behavior of these directives has been reviewed for ROOT 5.32/00 and the reviewed behavior described ported back into the last patched versions of previous ROOT production versions, starting from 5.28/00f and 5.30/00c .