The NAS file storage system uses a combination of technologies from Active Directory and the EPFL integrated NAS provider.
EPFL
Each EPFL user is accredited to a unit at the top level of the institution’s hierarchy.
This accreditation has two properties:
- The user has an Active Directory account.
- If the user has several accreditations, the first one is the main one.
Active Directory
- Each Active Directory user has a unique ID.
- Every file that is modified inherits this unique ID.
- The only way to change the ID of a file is for an administrator account to take ownership of it. After this operation, all files have the ID of the administrator account.
NAS
All the content of the NAS belongs to EPFL under the responsibility of the unit head.
The NAS is organized with one share per unit at the last level.
This share is organized with two automatically created structures:
- unit-common
  All accredited users in the unit can modify the content.
- unit-administration
  Reserved for the administration of the unit. Members are added and deleted by a request to the NAS Administrators.
Nominative files are also created automatically; they follow the main accreditation.
According to Swiss law, the content of the “private” or “private” folder is considered as personal data.
Each user has a quota linked to his account independent of the location of the data: 30 GB per user, 50 GB for the secretary, 100 GB for the professor.
The management of these quotas is done by the NAS administrators.
Each laboratory has a volume of 1 TB which is offered by EPFL.
Any increase of this volume is paid for by the units.
On the technical side
- By design, Windows allows only one Active Directory account to be connected (you cannot connect the NAS with two different accounts at the same time from the same computer).
- On the NAS, for each Active Directory account, we need to define an explicit (or implicit) quota.
- In the case of implicit quotas, they are the same for all users, but they do not replace explicit quotas.
Project management
It is possible to create groups and link them to specific folders. But this is time-consuming and error-prone (we always add users, but never delete them).
I strongly recommend making a simple path (have / don’t have access) to the folder and not trying to build a complex management structure.
The NAS managers in the units manage the day-to-day operation, adding and removing users manually!
This is a tedious and error-prone task.
On the NAS, simplicity is the key to success.
Creating an additional share for a unit for a function
There are two ways to create a share for a unit:
- Inside the unit’s folder
  - Constraints:
    - The members of the share must be accredited in the unit.
    - The name of the folder must correspond to unit-function.
    - The folder name is in lower case.
    - The name of the groups must match the name of the folder.
  - Advantage:
    - There is no need to manage the quota of each member.
- Outside the unit folder
  - Constraints:
    - The share name must match unit-function.
    - The share name is in lower case.
    - The name of the groups must match the name of the share.
    - The default quota of the unit must be changed to the maximum necessary value per user.
    - As only a global quota can be defined, it corresponds to the maximum size of all shares outside the unit’s folder.
  - Advantage:
    - It is possible to create shares for accredited members in several units.
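An audit of the constraints above over an exported membership list, as an added example that is not part of the original page. The record layout, unit names and users are constructed, and reading "match" as "the group name starts with the share name" is an assumption.

```python
# Constructed sample data: user -> accredited units (the first one is the main one).
ACCREDITATIONS = {"alice": ["labx"], "bob": ["laby", "labx"], "carol": ["laby"]}

# Constructed share records; "dave" is no longer accredited anywhere.
SHARES = [
    {"name": "labx-thesis", "unit": "labx", "inside_unit_folder": True,
     "groups": {"labx-thesis": ["alice", "bob", "carol", "dave"]}},
    {"name": "LabX-Project", "unit": "labx", "inside_unit_folder": False,
     "groups": {"labx-proj": ["alice", "carol"]}},
]


def audit_share(share, accreditations):
    """Return the list of constraint violations for one share record."""
    findings = []
    name, unit = share["name"], share["unit"]
    prefix = unit + "-"
    # Naming: lower case, and of the form unit-function.
    if name != name.lower():
        findings.append(f"{name}: name is not lower case")
    elif not name.startswith(prefix) or len(name) == len(prefix):
        findings.append(f"{name}: name does not match unit-function")
    for group, members in share["groups"].items():
        # Assumption: a group "matches" when it starts with the share name.
        if not group.startswith(name):
            findings.append(f"{name}: group '{group}' does not match the share name")
        for user in members:
            units = accreditations.get(user, [])
            if not units:
                # Added once, never deleted: the account has no accreditation left.
                findings.append(f"{name}: {user} has no accreditation (stale member)")
            elif share["inside_unit_folder"] and unit not in units:
                # Only shares inside the unit's folder require accreditation in the unit.
                findings.append(f"{name}: {user} is not accredited in {unit}")
    return findings


def audit_all(shares, accreditations):
    """Audit every share and return all findings in order."""
    return [f for share in shares for f in audit_share(share, accreditations)]


if __name__ == "__main__":
    for finding in audit_all(SHARES, ACCREDITATIONS):
        print(finding)
```

Run periodically against a fresh export, the stale-member findings give the unit's NAS manager a concrete removal list.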
NAS administrators
The NAS administrators are Laurent Kling and David Desscan.