#30 Do You Have Permission?

October 01, 2015 01:46:18
The Workflow Show

Show Notes

The Workflow Show is back for its fourth season! After a brief hiatus, hosts Nick Gold and Jason Whetstone continue talking about important aspects of the video production technologies industry, but make sure you ask yourself, "Do you have permission?"

Have you ever run into an issue where you are trying to edit a project and, no matter what you try, the files you need on the storage volume just won't cooperate? Most likely, your headaches are being caused by file system permissions!

File system permissions are how we assign access rights to files, folders, and applications for specific users and groups of users. They control the ability of the users to view or make changes to the contents of the file system. Permissions play a major role in being able to support editors using shared storage. If you don't have permission to a file or folder on the storage volume, what do you do then?

After listening to this episode, you will begin to appreciate that having permission is a pretty good thing, and you might even begin to understand how to untangle the intricate web of file system permissions!

Your comments are welcome below, or feel free to email us.

View a list of all the episodes of The Workflow Show.

The Workflow Show is also available on iTunes.

SHOW NOTES

Adobe Premiere Pro

CatDV

Reach Engine

POSIX

777/775 Permissions

Directory Services
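As an added illustration of the POSIX model the episode walks through (the owner, group and other classes, the read, write and execute bits, and the 775 and 777 modes listed above), here is a small Python model of the permission check. It is example code written for this page, not code from the show or from any product it mentions; the user ids, group ids and modes in it are constructed sample values.

```python
"""Model of the POSIX permission check: owner/group/other classes, rwx bits.

Added example for this page (not code from the show or any product it
names). All uids, gids and modes below are constructed sample values.
"""
from dataclasses import dataclass

READ, WRITE, EXEC = 0o4, 0o2, 0o1


@dataclass(frozen=True)
class Inode:
    """The fields the kernel consults for the check (sample data, not a real file)."""
    mode: int        # permission bits only, e.g. 0o775
    uid: int         # owning user id
    gid: int         # owning group id


def permission_class(node: Inode, uid: int, gids: set[int]) -> str:
    """POSIX picks exactly one class and never falls through: an owner who is
    denied a bit does not get it back from the group or other triplet."""
    if uid == node.uid:
        return "owner"
    if node.gid in gids:
        return "group"
    return "other"


def bits_for(node: Inode, uid: int, gids: set[int]) -> int:
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(node, uid, gids)]
    return (node.mode >> shift) & 0o7


def allowed(node: Inode, uid: int, gids: set[int], want: int) -> bool:
    """True when every bit in `want` (READ | WRITE | EXEC) is granted."""
    return bits_for(node, uid, gids) & want == want


def symbolic(mode: int) -> str:
    """0o775 -> 'rwxrwxr-x', the triplets that ls -l and Get Info display."""
    return "".join(
        ("r" if (mode >> s) & READ else "-")
        + ("w" if (mode >> s) & WRITE else "-")
        + ("x" if (mode >> s) & EXEC else "-")
        for s in (6, 3, 0)
    )


def can_reach(path_dirs: list[Inode], leaf: Inode, uid: int, gids: set[int], want: int) -> bool:
    """Every directory on the way needs x (search); without it the leaf's own
    bits never come into play, which is why a 666 file can still be unreadable."""
    return all(allowed(d, uid, gids, EXEC) for d in path_dirs) and allowed(leaf, uid, gids, want)


def can_create_in(directory: Inode, uid: int, gids: set[int]) -> bool:
    """Creating, renaming or unlinking an entry needs w and x on the directory,
    not on the file; editors that save through a temp file plus rename fail
    here even when the project file itself is writable."""
    return allowed(directory, uid, gids, WRITE | EXEC)


# Constructed sample users: alice and bob are in the editors group, carol is not.
EDITORS = 1001
ALICE, BOB, CAROL = (501, {501, EDITORS}), (502, {502, EDITORS}), (503, {503})


def demo() -> dict[str, bool]:
    project_775 = Inode(0o775, uid=ALICE[0], gid=EDITORS)   # rwxrwxr-x
    project_770 = Inode(0o770, uid=ALICE[0], gid=EDITORS)   # rwxrwx---
    sequence = Inode(0o664, uid=ALICE[0], gid=EDITORS)      # rw-rw-r--
    odd_file = Inode(0o066, uid=ALICE[0], gid=EDITORS)      # ----rw-rw-
    return {
        "bob_can_save_in_775": can_create_in(project_775, *BOB),
        "carol_can_read_seq_in_775": can_reach([project_775], sequence, *CAROL, READ),
        "carol_can_save_in_775": can_create_in(project_775, *CAROL),
        "carol_can_read_seq_in_770": can_reach([project_770], sequence, *CAROL, READ),
        "owner_denied_no_fallthrough": allowed(odd_file, *ALICE, READ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The model leaves out root, ACLs and the setuid, setgid and sticky bits on purpose; what it does show are the two cases behind most of the support calls the episode describes: a directory without the x bit hides files that are themselves readable, and a writable project file inside a directory where the account cannot create entries still cannot be saved. On a real machine, `id` prints the uid and group ids that feed the check and `ls -l` prints the mode triplets that `symbolic()` reproduces.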

Episode Transcript

Speaker 0 00:00 Welcome to The Workflow Show. This is Nick Gold. I'm here with my cohost Jason Whetstone. Hey everyone. And producer Ben Kilburg, also our solutions architect in case you don't know him. Howdy. And this is episode four-oh-one, and I'll get into the subject matter in a moment, but it probably makes sense to, uh, explain our extended absence. So we were kidnapped by aliens, run through a lot of procedures. It made us much better at doing MAM systems. It was pretty awesome actually. We got like brain enhancements and so we're even better than we were at like doing workflow automation and that stuff now, except for walking a little funny. Well, there's that. Uh, Whetstone. Whetstone got a significant upgrade. He's on like version seven now of MAM programming, something like that. Thank you, Nick. No, we were, we were on hiatus. We're back, back in action.

Speaker 0 00:58 And so we thought for episode four-oh-one, which we're just going to call the beginning of our fourth season because why not? It's been a little while. Um, this episode is about the wonderful, incredibly stimulating, exciting, one might even say esoteric, verboten subject of permissions and ownership. Permissions, rights, ownership. What are we talking about here? ACLs, what, what are these things? So permissions, the reason we decided, I decided this is a good episode, a good subject matter. We, we try to educate people here, we try to make sure our listeners are aware of the issues that our clients run into that are kind of common things that people need to be thinking about. And what would you say, guys? Probably what, at least 50% of the support calls we get at dark core are rooted in permissions. She's actually thinking like exactly where you're going.

Speaker 0 01:59 I was actually thinking more like 85. So permissions, this is something that's an important subject and a subject many people either know nothing or very little about. So let's, let's take it from this perspective.
A lot of our clients, you know, we bring into the realm of shared storage. They maybe had one editing system and they've grown and they realized they need multiple people hitting the same storage system. Or maybe they had multiple editing seats, but everyone was using local storage, whether that was FireWire drives; these days that's more likely to be high-speed Thunderbolt drives. But everyone kind of had their own block of storage. And this issue of permissions just kind of doesn't tend to come up in that scenario. It's, I've found over many, many years now of just being a computer user, um, in studio environments, in professional environments, as a personal computer user, you don't really tend to have to think a whole lot about permissions as a desktop, desktop user, one machine, one user.

Speaker 0 03:02 You know, you might not even be familiar with the concept. And so this concept, you know, most users, especially, you know, Mac users, will probably have a sense of this where if you do a Get Info on a file, a directory, a volume, an entire drive, and you do a Command-I, I always will call it to the day I die Apple-I, they don't even put an Apple on the key anymore. It's the command key, butterfly, the cloverleaf, the little swirly that's on some foreign money. I've seen that on, it's like, I forget what country. That's because Apple owns that country. It's probably true. Or they at least have a bigger, like, gross domestic product as a company. Right. It was the Apple. It's like Steve Jobs isn't really dead. He's just like riding it out in like the northern tip of Norway that Apple just bought, you know, it's a satellite.

Speaker 0 03:59 You don't know they're watching this from. That's probably true. It's like that crazy old guy in that movie Contact who wanted to like go up and use the space. Well I think that's, he was probably the inspiration. Steve Jobs was probably the inspiration for that character. That makes a lot of sense. That makes sense.
Because he was crazy and dying anyway. On to happier subjects. So permissions, um, yes. If you do a Get Info on any file or directory or drive that you have access to, um, that little Get Info window comes up and one of the little sections you see has to do with file permissions and you'll usually see things like, you know, group, user, others, and there will be like read, read/write, read only, read only, read/write. Right. So what are these things that as a desktop user I essentially never have to think about?

Speaker 0 04:52 And the moment I get involved with mixing multiple people on a single storage system, and then especially maybe there's multiple computer platforms at play, you've got Linux, you've got Macintosh, you've got Windows, maybe some people are hitting a SAN through a Fibre Channel connection. And some people hit that same SAN through a reshare of it, you know, like it presents out the SAN volume as a file sharing mount across an Ethernet network. When you start to introduce those types of scenarios, suddenly this permission stuff, in my experience, gets top of mind really fast. And usually that's because people are having some kind of problem. Yeah. Like my thing doesn't work. I can't open this file. I can't, my, my folder that I just, uh, you know, that just appeared because I expanded a zip file has a little, uh, you know, the little, the little red, you know, with the slash, the little red circle with the slash. When I, when I tell the producer, you know, my, my, my folder or my images that I got from the client are on the SAN, go, go ahead there and look at them.

Speaker 1 05:58 And they go there and they're like, oh, I, I don't have access. It says no access.

Speaker 0 06:01 Right. And under hates me. Why is that? And that's a pain, right? It's like I made you, I should be able to unmake you, but then suddenly you're making things or other people are making things and you can't even open them. You can't delete them, you can't move them.
What is going on here? So the purpose of this episode is to educate people about what is going on, which all comes down to this issue called permissions. And hopefully this at least gives listeners a frame of reference. So if they experience these issues, they have at least a sense of what might be going on. Uh, whether we're supporting the environment, whether they're supporting their own environment. It might give you some ideas to start to dig into. Uh, exactly.

Speaker 1 06:39 And this is really just to help people understand what's going on behind the scenes and why they might be having issues. The other thing I think that's important to mention is, um, one thing that I've run into is that there is a perception that, um, particular applications maybe don't work the way they should. Uh, maybe, uh, hey, you know, uh, Premiere just isn't, um, it's just, it just doesn't work, or I don't know, a CatDV, a Reach Engine, whatever. It just doesn't work. And, um, when, when you dig in and look under the covers a little bit, you're, you can, you can certainly find that the reason it's not working is because the application doesn't have permission to access the files it's requesting. So that would, that would make it tougher for the application to do it. So you know, you know, my point is, under the covers, everything's working the way it should, except that, you know, the application can't get to those files, so you're not going to get them through your, through your interface.

Speaker 0 07:33 So let's kind of start this off pretty high level. Let's do a little rewind loop. That was cool. That was my rewind sound. I'm pretty good at that. Huh? I can also go forward again. Okay. Back again. So you know, we've been dealing with computer systems for, you know, over half a century and, you know, we have evolved and it's really a very old principle in computer systems, this notion of a file system. Now we use that word very regularly at Chesapeake. It's a fairly technical word.
I feel like sometimes our users don't necessarily even, I mean, know exactly what we mean when we use the phrase file system. So let's start there. So when you format a drive, whether that drive is a single hard drive inside your computer or externally attached to your computer, or you have an entire storage infrastructure that you kind of turn into a drive, which we also refer to as a volume, right?

Speaker 0 08:42 Each volume, each unique drive, you know, that would be represented as a drive icon that you connect to on your computer, is a file system. Right? And when we say file system, you tell me, am I being accurate? A file system is basically a very kind of low-level, very basic, very kind of single-purpose-in-life database. Essentially. That's what it is. I mean it's a, you know, a file system is, it's a set of different data, software, um, standards that, um, presents a, you know, a set of data, namely files and directories, to a user. So when we, let's say, plug in a brand new little external USB 3.0 drive that you have and you plug it into your computer. Well, these days, a lot of the time they come formatted, they might even say on the box formatted for Windows, formatted for Mac.

Speaker 0 09:34 But some folks will be familiar with the fact that, you know, often you have to format a drive, right? And through that act of formatting, what you're doing is you're taking basically this block of hardware that has some, you know, a little bit of intelligence on it. It has its own firmware, but that hard drive mechanism or the entire storage infrastructure that you have, when you format it or you turn it into the volume, you are essentially, you know, adding this little database and extra layer of information. That's why you lose a little bit of the storage space on a drive or a volume when you format it. Well, what you're formatting is, you are actually kind of creating, you could call it a scaffolding, right?
It's kind of like the framework that, you know, tells that physical piece of storage hardware, this is how you're going to store files.

Speaker 0 10:26 This is how you're going to handle the individual, what gets down to blocks of data. It's a very low, granular level piece of the file. We're talking fragments of files here, but this is how you're going to spread those blocks of data that are parts of files across this physical storage device. This is, you're going to establish a system of rules: who can use them, what is their directory structure? You know, there's the volume and then there's a series of directories under it and there's subdirectories. There's naming conventions and all of that. All of what Nick just mentioned is what? It's metadata. Well, it's something that we talk about all the time. Exactly. Exactly, but we're talking a real low-level type of metadata. Talking about metadata and a MAM, we're talking about something that's very, very root level to the operators. So this isn't timecode, this isn't qualitative descriptive metadata.

Speaker 0 11:18 It's a little boy, it's a little girl, it's a fire truck. It's, you know, B-roll. It's a good shot. I mean, those are qualitative. Sometimes those are even technical. We're talking about lower-level metadata, metadata about where your files are stored, how they're stored, who has the rights to them, who can do what with them. Those, those rights and the ability to really do several things, we'll talk about that in a moment, but those are kind of codified into this file system, low-level database that exists on all of these storage devices, whether it's a big old SAN that you have. We talk about the SAN metadata on a StorNext or an Xsan volume, right? That's basically the file system: where are all the files located on the storage, exactly, how are they split apart, how do I put them back together? And it's, it's pointers and descriptors and permissions.
Speaker 0 12:13 So you format a drive. In the world of Mac, it's a little external desktop drive. You know, you have a number of options of different file systems you can choose. Many people don't really know why you might choose one versus another. We usually tell people, well, if it's a little local storage device, you're going to use the standard Apple file system for local storage, which is HFS Plus with journaling, HFS Plus being another word for the Mac OS Extended file system, which has literally been with us for well over a decade now. And then this other feature that they added, gosh, it still probably was about eight, nine, 10 years ago, this journaling function. Journaling, just another feature of the file system that they added in that allows it to keep better track of files as they're being written to or even read from. And so if you accidentally unplug, let's say, your little external drive without unmounting it first, and unmounting it is kind of the act that, you know, makes sure that the computer is no longer actively accessing that volume when it cuts it off.

Speaker 0 13:20 Because if you immediately yank it, there can be corruption of the files on that volume, because you really want the computer to kind of wrap up its operations, disconnect from it, let it go, and then you can physically unplug it, right? But by that time you've unmounted it, the computer has really lost all awareness of it whatsoever. In fact, to get the computer to recognize it, you'd have to unplug it and plug it back in. Right? So we choose these file systems and then you plug in that drive and you set it up as your capture scratch for your NLE and you go to town on it, and maybe you're rendering to it and you're saving project files to it and then you're unplugging it and you're walking over to your friend's house and you're plugging that in, or you're editing on a different machine, you plug it in.

Speaker 0 14:01 It typically just keeps working.
Most people aren't really thinking about that. And so a lot of people, when you use local storage, even if it's these external local storage devices where you're bouncing between machines, you're still often, not always, but often not having to really expose yourself to this issue of permissions because everything just works. Right. However, let's, let's get into what permissions are really ruling. So I alluded to that. These, there's kind of several categories of rights, if you will, or, you know, the rules that the file system kind of incorporates. Let's say a user who is connected to me, Mr. Storage Device, can do X, Y, or Z with files that are stored on me, or have the access to go into particular folders. So here are the categories, and you tell me if I'm missing any, cause I know that with certain things they can get much more granular than this.

Speaker 0 15:03 But in the old-school conception of permissions, and we're talking about POSIX, so this is a system that was called POSIX. It's literally been baked into Linux, Unix and Linux, Unix-like operating systems kind of as their fundamental principle for how they should manage permissions. It's not even, it's a, it's a set of standards, just to throw it out there. It stands for Portable Operating System Interface. It is a set of standards that's been around for years. So that's, you know, I mean like seventies and kind of stuff. I mean it's been around forever. Again, on backend systems, servers, you know, Unix-based systems, VAX/VMS or whatever it was back in the day, Windows. So these permissions have always existed. And in POSIX there's basically kind of several classes of user and then several kind of levels that you might have for access.

Speaker 0 15:56 So let's talk about the different user groups, or users and groups. And that's really it. So in the world of POSIX permissions, there is the user or the owner. The owner, we would typically say the owner.
So, so the owner of a file is typically what? The person who created it in the first place. Who created it in the first place, which makes sense, and that owner over that file. And granted, this is where we're going to get into the gotchas. You would typically think, I'm in an application, I'm digitizing media, I'm creating a project file, I'm the one creating it. I'm logged into this computer. And that account that you're logged in as to the computer is, again, a very important aspect of this, because we're really looking at things, these rules, these permissions get defined by user accounts. Exactly. And that's a gotcha. And well, here's the thing, right?

Speaker 0 16:48 You know, again, you're an editor. Maybe you got a smaller shop, you got a couple of workstations, nobody's on shared storage. There's just some local storage, you know, devices, maybe some Thunderbolt RAIDs that people use on their workstations. And you have maybe a few different editors who might pop between those workstations. And some days you got an assistant. Some days you got a real editor there, and maybe some day you're doing color correction and it's another guy, and you might not ever log out of an account on that computer. You may have multiple humans sitting in front of that same workstation, logged in under the same account on the computer, right? And so every file that everyone's creating all the time gets stamped with the owner, and the owner's whoever that main account is that you're logged in as when you're creating all these things, because everyone's sharing the same account. Everyone's the owner of the same files. And owners, and we'll get into what the kind of the rights themselves are in a moment, but let's just say when you're the owner, unless something is kind of going awry, you can basically do whatever you want with that file, and read, read, write?

Speaker 1 17:50 You can create it. Delete.

Speaker 0 17:51 We'll talk about these things a little bit more in a second.
But so you've got the creator of the files as kind of one tier.

Speaker 1 17:57 And let's be clear, the owner would be, and Nick did mention this, the, the owner would be owned by the account that is logged into that machine currently. You know, like at that moment. But it's not just the name, it's actually the ID behind the scenes. Something that you really wouldn't see. If you did a Get Info on a file, you would, you would see a, you know, a user name. It would be the name of the account that's logged in. But behind that is an actual ID in the system. Every user has an ID. So those IDs, like, have a name. What do we call those IDs? Um, yeah, that's the UID. So user ID, exactly, a number, um, on, on a Macintosh. I was about to, like, just rant my social security number, but I really was just putting that out on the internet.

Speaker 1 18:41 Granted, it's probably already out there, cause it, dozens of hacks that happened like every minute of every day. But they'll do that. But one way that you can find out, if it's one, two, three, four, five, six, seven. Yeah. So one way that you can find out, there's a few ways you can find out what are, like, currently logged in user IDs. One way would it be, it would be to go into your System Preferences. This is on a Macintosh. Go into your System Preferences, go into the Users & Groups or Accounts, depending on your operating system. Click on that. And then if you are an administrator on that machine, you can right-click on your, you know, the user that's logged in and there's a little Advanced Options, and you go in there and it lists, um, all of the information about that user, the pertinent information, and your user ID will be there. It will show you what it is. I've ever done that. Another quick way, if you're not scared of Terminal, is to pop open a Terminal window and just type id and hit enter.
That will show you your user ID, your groups, user, right, your, your group ID and any groups of which you are a member, which we'll get into. You know, so

Speaker 0 19:38 You think of your account, if you're even thinking about it, cause you actually do have an account that you mindfully log into, and we do encourage this. We like accounts. Even on, I mean, yes, there are times when you need to have multiple users sharing an account, but in an ideal world, in order to have better tracking over who is doing what, it's nice to have accounts. And then when we get into group environments it becomes essentially necessary. Right? But again, we'll get into that in a moment. But so you've got this thing, but the computer is really thinking of you as this user ID number. When you have an account that is mapped to the username that you're familiar with, which is Matt, you know, your password is mapped to that account. And so when you create a file, boom, that file is created in a way that you can do whatever you want with it.

Speaker 0 20:20 Now that's the, that's at a user account level. The individual user account who created the file will be the owner. Now, you know, in, sometimes in a shared environment when there's other servers at play, whether it's a MAM, a transcoder, it's not always humans creating files. Right? Right. You know, at a certain point, your infrastructure is at a level where, let's say you just have mass transcoding operations that are going on all the time. Every one of those new media files you're generating from something old is not being created by a human. It's being created by a transcoding system, a software robot. That's true. However, it is essentially the same. Those machines are logged in as some account and they have that user that, you know, to which that's probably not an ID, but it's probably not an account that's shared with an actual human user.
Speaker 0 21:11 It's like the computer gets its own account. I mean it could be, it could be a service account, it could be a local account. Um, but you know, still make accounts for the machine, typically. Yeah. Yeah. Cause people to sort of list, we like to think so after our alien brain upgrades. Um, so you've got these users, and a computing system can have many different users, and then we have this higher level of organization that can group users together called a group. Right. And a group basically defines that there's a number of different user accounts that really should be treated similarly. Exactly. So you can start to create sets of rules that affect, say, your editors. Right. And then you might have, you know, assistant editors as a group, producers, you might have loggers, you might have producers, you might have an admin, which, you know, there's, there might be an admin team or an IT team, but you can start to group people.

Speaker 0 22:17 So they still exist as individual users as far as the system is concerned. They still have their user IDs. But now you have another stamp of IDs at this group level of identification. And they also have IDs. Yes. Groups. GID is, GID is "gids." If it was like the GIF versus JIF debate, we'd call them. And here's another thing. Uh, every user on the system has a primary group. So that is the group, when you create a file or a folder on the file system, that is the group that will be in that group column underneath where it says owner. There will be a group that will be your group. Typically kind of the permissions that are associated with a file that you create as an individual user who's logged in somewhere will essentially spread to the group. Exactly, that the group will inherit those permissions.

Speaker 0 23:12 Essentially the individual within the group had over whatever it is they're creating.
And again, this stuff sounds wonky to you if you've just been using desktop storage and never thought about any of these concepts, because, because what, by default when you plug in a local storage device, it basically just sets, it almost ignores permissions on those. Well it can. That's, that's the other thing I wanted to, uh, kinda mention as we talk about, you know, we're, we're kind of, we're kind of talking about shared storage and desktop storage. Um, Nick mentioned earlier how you can take a drive and unplug it from your machine and go over to your friend's house

Speaker 1 23:46 And plug it in. Um, it may not just work. It kind of depends on several different factors. Does your machine have, have different accounts on it, or are you just logged in as a single user? Um, if you have a family of four and each of your family members has their own account that they log in and out of the machine to, you know, when they're, when they're working or playing games or whatnot, you know, um, and that file system is sort of, let's just say, bound to the permissions, you know, bound to the, uh, um, the, you know, the accounts on your machine. Then you may, you know, go plug that drive in at your friend's house who doesn't have multiple accounts, and you may not have the same access to all the same files that you have at home. Um, one way to get around that, again, do the, you know, do the Get Info, the, uh, uh, you know, Command-I in the Finder, and there's a check, there's a checkbox that says "Ignore ownership on this volume." That's very useful, especially in, in, you know, environments while you're shuttling drives around. Um, to make sure that, you know, everyone can sort of use that drive the same way.

Speaker 0 24:48 Please. So when, when you say ignore ownership or whatever, what it's telling the file system to kind of bake into it on that volume, that drive, is ignore permissions. Yeah. Basically don't think about which groups someone to do.
Everyone can do read/write, you know, and every file you create will be wide open and anyone could utilize it from any account that would happen to be logged in. And ideally, if you plugged it into at least another Mac, you know, if you created it on a Mac, a Mac will respect this. Will a Windows machine respect it? Not always. In fact, you might even need special software added in to, you know, make the best use of that Mac-formatted volume. Two different styles of file systems. We're talking NTFS versus HFS Plus. Yes, because Windows prefers this NTFS file system. And so those ignore-permissions flags you set as a Mac user, you know, might not necessarily get respected when you cross platforms and things like that. But one thing

Speaker 1 25:44 In mind is, new files and folders are still created the way they would be otherwise, whether that checkbox is on or off. So you can go back and turn that checkbox back off and, you know, now your, now your machine will respect permissions and, you know, that.

Speaker 0 26:00 What about the stuff that you had already saved there when the box was checked? That doesn't, no, it doesn't change anything about the file system. It just changes the way the machine behaves in regards to that file system. So it's essentially just, it really is just kind of ignoring. So instead of ignoring it, it's, so, it's not like checking that checkbox, you know, disables permissions altogether. It's more like the machine just ignores the, exactly. But the moment you, you uncheck the box, so it's paying attention to them, all of the permissions that were applied previously that may not have affected you might actually suddenly affect you, because maybe you do have multiple accounts on that system. So let's talk about what these permission levels are. So we were talking about POSIX, which was kind of the old-school, been used for many decades, still widely used approach to permissions.
Speaker 0 26:45 We talked about, you have users who are put into groups. Usually there's a, there's a third level to that hierarchy, which is kind of this super user that we call an admin. Correct. Is there or is there not? There's just owner, group and then there's everyone. So it's owner, the owner, the group that the owner is in, and then everyone. And everyone is, is ruled is, is everyone in that group? Everyone outside that group. It's everyone. So does everyone, other, so it's, it's, it's everyone who isn't in the group that the owner of the file, the creator of the file, is in. Exactly. So it's how do other groups of users have the ability? So okay, so we have owner, we have the group that the owner is in, and we have everybody else who isn't in that group, but who might be either other individuals or other, other groups of users.

Speaker 0 27:39 Right. And we can define essentially the following permissions based on those different, you know, that, that hierarchy of users. We can have wide open permissions, full read, write, read, write, execute, is really read, write, execute. So let's talk about what those words mean. Read, you know, read is the ability for you as your user, using whatever software you're using, whether it's the Finder or whether it's Premiere Pro or Final Cut or whatever it may be, you name it, all read is simply the ability for you as your user to actually see, read and view and open a file, and often copy. Yes, yes. You can also potentially duplicate it. You know, any, let's table that. Let's talk about copying, what, we'll talk about that in a moment. But for an individual file, you know, you, you can utilize it, right? But you can't change it.

Speaker 0 28:43 You can't necessarily delete it. Cause again, we're just talking about read. So think of read as a very nondestructive thing. Destructive in the sense that you're not changing it. You don't have the ability to change the file.
You don't necessarily have the ability to delete it, but you can use it as it exists in that static form it is at the moment you open it, should you have the read permission, right. And read permission on a directory. Correct. Oh, so, so on a directory structure level, cause these permissions equally apply to folders or directories as they do to individual files within folders. So at a directory level, if you have read access to a directory, you can see all of the files that are in it. Not quite, not, a little more complicated than that. Okay. So read gives you the ability to actually read the contents. Yes. And it's not a hierarchical thing. So if you have read on a directory, that doesn't mean you have

Speaker 1 29:42 Read to all of the contents. It just means you have read to the directory. Well it means you have. Yeah, exactly. So you, so some contents of that directory you may have access to, but there may be essentially more granular-level permissions on the contents within a directory. But you also need to have, you also need to have execute permission on a directory to list the contents. If you don't have execute permission, you can't even see the contents. So they just don't appear to you. Execute. So execute means, it's different for a directory versus a file. So directory, um, again, it means that you have the ability to traverse the directory to see the contents. Um, execute on a file means that you have the ability to run that as a, as an executable application. So whether it's a script, yeah, it's essentially whether it's a script, a bash script or a Python script, or an application, a Mac OS application, you have the ability to, you know, to actually run it.

Speaker 1 30:35 Does execute even need to exist as a defined permission for, you know, a text document? No. So unless it's a script, unless it's a, you know, a bash script or a Python script or something like that.
So you're really thinking like application, that you run something that you launch, not a data file that you read into another application. Exactly. But a folder is kind of treated as such, because there is this interactive process. When you open a folder, you're really polling the folder for a list of its contents. So that's why the folder, you need execute, because there is that level of, kind of, you're engaging with the folder. Right. Okay. So let's just say this. If you have read only over a folder, you can go into the folder, or you need read and execute? Read and execute, to be able to execute. Usually follows read, right?

Speaker 1 31:24 I mean, it usually does. I mean, when we, when we talk about setting permissions on, you know, a pool of shared storage or something, we're usually gonna give all, like let's say we are doing, we're basically taking a club and we're beating the SAN into submission, and we're just saying, all right, everybody has the ability to read all the files on this, on this pool of storage. We're going to give all the folders read and execute permission. Got it. Okay, so then we have this other one, write. Write now, write. Again, doesn't sound immediately obvious maybe to a computer user. What does it mean to write to a file? So we have the following categories, and again, if I'm missing any, let me know. So write allows you to create a file. You obviously need the ability to write into the folder that you're in at a given moment.

Speaker 1 32:10 So write permission to a folder you need. You need the permission at the folder level, the directory level, that you're in, but then you're going to, once you do have the write access to that layer of a directory, that, that, that, that folder within a hierarchy, you can create folders there. I have write access to this directory, I have write access to this volume or this SAN, I can create stuff there, cause you're writing data, right?
You're writing it through the act of creating it in the first place. So writing means the ability to create. Write also means to modify, right? Because now you're writing data into a preexisting file and you're manipulating the data in a permanent way. Again, you might have a backup system, you might be capturing various versions of that file on some backup, but, but for the file that you're directly manipulating at that time, if you have write access to the file, you can change the file.

Speaker 1 33:07 I open a Premiere Pro project, I do some edits, I do some tweaking, I resave it. Because I was able to resave it, that meant I had write access to the Premiere project. And let's just make a quick distinction here about how most applications, you know, open and save files. When you open a file, your, your, um, machine is, is really caching that file into RAM. It's caching it into, like, a temporary holding spot that's giving you the ability to make changes and edit it. So let's, let's just, let's just say you're opening a document, a project file, in Premiere. So that project file is now in Premiere's, like, application cache. There could be some local pool of storage somewhere on your file system where, you know, temporary files are written and read, too. But when you save that project, that's when you need the write access, because you're not opening that project and, like, continuously interacting with it.

Speaker 1 33:57 You're opening it into a, you know, a scratch space, essentially. And when you go to save it, that's when you need the write access in the directory and on the file. That's the important thing. If you don't have write access on the directory, but you have write access on the file, you, you're, you're kind of halfway there, you're kind of halfway there, but you still wouldn't be able to save that file, which is maddening. Yeah, it's, it is. It is. It can be.
So it also bears repeating again, you need both: permission on the directory itself, meaning the folder, and the file itself. Got it. So write access means to create, to modify. Write also means to delete. Right. Which again, sounds, thank you, thank you. Then it's weird, because you think, write, you think I'm adding something, but even the act of deletion means you're kind of writing something as far as the file system is concerned, as far as that directory is concerned, the file itself, you know. You think of write as just this catchall.

Speaker 1 34:56 If it's anything that destructively modifies the file itself: create, modify, delete. Exactly. You need that write access in addition to the read and execute access. So we've got read, write, execute. Execute kind of is a little bit of an asterisk, in a sense, because we kind of assume that you're going to need execute ability if you have readability over something. That actually also certainly needs execute. So we'll always usually set that up. So the way this usually manifests is, well, the way that this usually, frankly, just crosses someone's radar in the first place is when they've gone from a system of local storage that they've often

Speaker 0 35:38 had that little checkbox applied to ignore the permissions. Again, they're not absent, they're just being ignored by any machine that plugs that drive in, basically, because it's at a drive level, you're telling it to ignore the permissions, right? It's actually per system. So each computer system has to have that override in place. I believe so. And I hope somebody, correct me if I'm wrong there, please. I'm pretty sure. Tell us if we're wrong. I'm pretty sure that that is a system-specific setting. So you plug that drive into another machine, so it still may give you problems. Yeah. So,

Speaker 3 36:14 And macOS, if you have a, an external hard drive and the designation is external hard drive, the default setting is to set those permissions to floating.
So the user is 0, 0 and the group is 0, 0. And so that, like we were saying, how we ignore ownerships, that's what it really means. It's floating permissions. And then there's a special user in the OS itself that is the designation of floating permission. So that's what happens. And that's why it's also insecure for you to have floating permissions on one of those external hard drives. Um, because anybody can see it. So if you log in from this user account to that user account, um, they can both see everything and write everything on that drive. So if you want to enforce permissions on an external volume, you have to take that off.

Speaker 0 37:04 And to our users, it may have sounded like you just had a glitch, because you, well, no, no, no, no. You spit out, like, it sounded random. If you don't know what we're talking about, like you said, like, zero, zero a few times, that it sounded like maybe you were just going into Tourette's mode or something. So this ties back to POSIX permissions. Correct. Again, as far as how the computer system itself is seeing these, much like how you might think your account is named Nick Gold but it's really your user ID, while we're talking about read, write, execute permissions, but the computing system, POSIX systems, have a numerical, cause they're computers, they like to think of numbers, they have a numerical way of kind of expressing what the read, write and execute functions are on any given file or directory. And we use numbers to describe these, right? I wasn't even talking about that. I was just talking about the UI, actually. Got it. So the user was set to zero. Exactly. What are users? <inaudible> So what are these POSIX numerical permissions, though? Like we say, oh, it's a 777, like, what do these things mean? So we refer to that as a file mode, actually. So let's just, let me just back up and say, when most people say there's a problem with permissions, um, it's usually the file mode.
It's not necessarily ownership, cause I, I actually make a distinction between ownership and file mode. Um, so to me, ownership and permissions are two things.

Speaker 1 38:36 You may be the owner, um, or, you know, your brother may be the owner. Um, but the, but the mode, the file mode, is what's not giving you the write access or the read access that you're looking for. So the difference between chown and chmod, right, for anyone who knows Linux out there. Um, so what this is, is it's, it's a, I guess what's referred to as an, as an octal, um, series of numbers, right? The octal notation. Yeah. It's an octal notation. So, um, 777 really means you have, you know, it's, it's basically carte blanche, read, write, execute access. The Holy Trinity. Yeah. You have everything you need. Um, so read is represented as, um, let me think about this a minute. Uh, execute as a one, as a one bit, I believe read is two and write is three. I should have just verified this before we started.

Speaker 1 39:26 But um, to have access to the internet. Yeah, exactly. But um, they're both essentially laptops. Yeah, exactly. Essentially those numbers are added together to represent, um, you know, that 777. So, um, I think write is four, read is two and execute is one, I believe that. So if it adds up to seven, it means it's wide open. Exactly. Whereas if it says zero, it means no one has any access. So 775 is what we see a lot of times on a, on a shared pool of shared storage, on a SAN or a NAS. So, two is write, four is read. Yeah. Okay. So I had them reversed. Thank you Ben. Well, which makes sense. We are talking binary, one, two, four, because it's using bits to notate this, and those, those are your first, well, not counting zero, those are your first three numbers,

Speaker 1 40:15 binary counting system. So a 775 would be, uh, the owner. The first number is the owner. The owner has read, write, execute.
The group to which that file's associated also has read, write, execute. The everyone bit only has read, write? Or, I'm sorry, excuse me, the owner only has read, execute. So it's seven. What's execute numerically? What did we say? That's one. That's one. Yeah. Yeah. So you're adding, you're adding, read is four. Yup. So you're adding four and five to get, four and one to get, so it's five, so 775. So if we're taking one of the tiers out, so owner, group, other, that would be a zero. So in our calculations, say we're talking about other, or the world, you know, for everybody, everyone. Um, and we want to take out their ability to write, and then it would be four plus zero plus one equals five, right?

Speaker 1 41:07 Correct. Correct. So that's how you kind of, that's how you kind of figure out what the file mode is on, you know, on a file or a folder. Typically what we would see is the folders, like let's say, let's say we're getting, you know, the way we would normally set up: owner read, write; group read, write; everyone read only. So for a folder that would be 775, for a file that would be 664, because the files don't need execute. They don't need the execute, but that's for scripts, typically. They're not on the SAN. You make a file execute, but it just doesn't, no, I haven't. I have actually looked into that, and I don't, um, what I've, what I've found out is there's not a huge problem with making movie files or text files executable. It doesn't give you anything extra.

Speaker 1 41:54 It's just not, it's not really correct. Ta-da. Um, but, you know, you really, and, and to be honest, it could create security concerns on your SAN, cause you could go into a text file and put a script in there. And if that was executable, or, you know, there could be, there could be security implications there. There could be, you know, set the stage.
We talked about kind of users, groups, and everybody else who isn't either you, your user, or your group. There's other users and other groups. Uh, we talked about read, read, write. You can technically have write only. Yes. Like you could set that on that coaster. Yes. That's what we refer to as a drop box. Yeah. So a write-only folder is one you can drag or copy a file into, move a file into, but you don't necessarily have the ability to open, cause you don't have the execute, execute or read, or read. So you can't go into it. It won't give you a list of what's in there. Oh, because execute is, like, what an ls command's using. Yes, you're not. So in Terminal you've got a list command, and list is a program, ls, and a, ls, sorry, ls runs list. Oh, sorry.

Speaker 1 43:09 There was a hand motion going over your head. So list is a program that uses the execute characteristic of a folder to show you what's in it and give you a read of it without you actually having to go into it. That's why, when I wasn't thinking about using Terminal, command line interface, for accessing it, execute on a folder didn't make as much sense, because as a user in Finder, you're just going into it, right? There isn't a way in Finder to give you a list of what's in a folder without just opening it. And let's be clear about that in Finder. Um, you actually don't see the execute permission. It doesn't show you that. It only shows you read, write. Um, they, they, they try to, you know, as you, as you've probably learned from listening to us for the past half hour, you know, this can get a little hairy and a little complicated.

Speaker 1 43:57 And Apple is all about making the user experience simple, so they don't even show you that execute property. Um, the Finder just kind of takes care of it for you. So when you make a folder, you automatically have read, write, execute on that folder.
Um, so the, you know, in the, in the action of going into the Get Info box and changing the permissions to, you know, read, read, write, whatever, it takes care of the execute bit for you. Um, uh, what was I gonna say? I can't remember. Anyway, continue. So let's talk now about how these factors come into play.

Speaker 0 44:31 The moment you have a shared storage environment. So this, this has happened. Um, not that we did it, uh, but we came into a circumstance once, a client of ours that we were introduced to, who had already purchased a, a SAN system, and it happened to be StorNext, which meant that it uses Fibre Channel connectivity in addition to Ethernet connectivity. The data between a StorNext client and the SAN storage goes over Fibre Channel, but then there's Ethernet. In fact, there's two Ethernet networks. One is dedicated to kind of that, that metadata, the file system metadata, is how it gets communicated to the client systems of the SAN. And then you have your general network over Ethernet as well. So anyway, they bought a SAN, had a bunch of Mac users, they attached them to it, and we get a call one day, and it was actually an introduction that was made, and, and the issue was this: people are constantly creating files on the SAN and other people can't use them.

Speaker 0 45:35 This is a very common problem. And, uh, in institutions that, um, and I'm sure we'll get into directory services, but in an institution that does not, um, currently employ directory services, or they have several machines that are not bound to the directory service. So, um, you know, classic example, I have a small production team. They all have their own pools of storage. They all have their own, you know, systems and everything, and now we're going to put them on a SAN. Um, so we, we do that. We buy a SAN, we put it in the, you know, in the building. We wire it all up. And let's remind people, with the SAN, you know, it's kind of like a file server.
Again, the underlying technology is quite different, but it's a drive icon. You mount it, it pops up on your desktop. But that same drive with the exact same data, it's the same system, is also on the next machine.

Speaker 0 46:26 And the other machine, any machine that's a client of the SAN is mounted to it. And it's the same drive, same drive, same permissions, same file ownership, which is, which is, which is great, right? We want this shared place for us to collaborate. We want to have a big system where, you know, it's not hundreds of FireWire drives on a shelf. It's the standard. It's the centralized thing. We can back it up in one fell swoop. I mean, there's a lot of reasons to do it. And then they, you know, they don't really maybe have a history of having to think about permissions, cause they were on local storage. They plug everyone in, and we'll, we'll talk about what directory services are in just a moment. But suddenly people are creating things and other people can't use them. Right. So let me, let me talk through why I would guess that to be the case.

Speaker 0 47:10 You tell me if I'm wrong. So I, there may not be any groups set up at all. Right? So there is only me. Maybe there are. Well, but let's say, let's say there aren't, right? Let's say, in fact, there probably aren't, because we're talking about a system where everybody's on their own machine level. So you, and what group by default on your own machine are you in? In macOS, you'd be in staff, which is group 20. So there's a group called staff that your main user account is likely going to be part of. But here's the question: is the staff group of 20 on my individual workstation that happens to be on the SAN the same staff group that other workstations, it is, actually, yes sir. So if I'm creating a file under my staff group on, you know, on the SAN,

Speaker 4 48:03 <inaudible>

Speaker 0 48:05 Let's, well, let's, let's talk even more basic. I create a folder on the SAN, right?
Because I don't want to just put every file under the sun on the root or, you know, main level of the drive. We want to start organizing things into directories. So I created a directory. My user was whatever account I happened to be logged in on my computer, whether or not I was even aware that I was logged into. What a challenge. Gotcha. But continue. And then I'm probably in this staff group. So I create a folder. The folder, the, the user, the owner will be me. Correct.

Speaker 0 48:39 Oh, the group. The primary group will be staff. The primary group will be staff, which everyone else is a member of. So I think I see the gotcha. There's a, there's a few. Can I, let me, let me throw one potential gotcha out. If everyone was disconnected originally and the computer is assigning user IDs to your accounts, knowing how computers work, and I've also kind of overheard this come up over the years, so I'm cheating a little bit. Um, the computer probably assigns the IDs to accounts you create on it numerically. It does. It probably doesn't pick numbers at random. It doesn't pick numbers at random. So my computer, let's just call it edit one, has the Nick account, and then there's another machine, edit two, and let's say it has a Jason account on it. Yep. But really, we know that the Nick name on the account and the Jason name on the account are really not as relevant.

Speaker 0 49:36 It's not relevant at all. The numerical number that's associated with this account is more important as far as how these computers are seeing things. It is actually the only thing that's important. And so my account Nick and your account Jason, what would a typical user ID be for that first primary account? So yeah, 501, exactly. So Macintosh is Levi's? Yes. Flies like the button fly. Yes. I love that. Other ones are awesome. Anyway, so even conversation, zippers and man parts. Yeah. It's like whoever came up with that, it's like, just use buttons, people. It's better.
There is, there is quite a, there's quite an art to figuring out the button fly, though. Oh yeah. But um, be that as it may. So when you get a brand new Macintosh out of the box, you get the little, like, you know, funky little video that plays with all the different

Speaker 1 50:27 languages coming in, everyday. Yes. Um, and you create a new account. You are the 501 user. The 501 user is an admin. Is an admin. So that means it's part of the admin group, which happens to be group 80, for anybody out there that, you know, that might know. Um, uh, it, it, so it's not in 20, well, it isn't 20, but yes, it is in 20. 20 is, I believe, its actual primary group. But it is also a member of the 80. Yes. It can be a member of as many groups as you want. POSIX permissions, a user can be a member of many different groups, and groups can also be nested. That's how you give POSIX. Yes, you can add a, a group to a group, and that's how you give, um, uh, people in different groups different POSIX permissions.

Speaker 1 51:12 For now, we'll throw the gotcha. But so anyway, as far as how this is all seeming, yes, the, the, the users, really, seeing us all as the same. The, the, the SAN thinks of us all as the same person. All the same person. Exactly. So what can happen, and, and, you know, here, here's another, here's another scenario that I see a lot. It is, I had problems. I Googled. I looked on the forums. The forums all said, create a new user, make that user an administrative user, log out of your original user. If the problem persists, then you know yours is all screwed up. If the problem doesn't persist, then you fixed it. So what does that user do? They, they make the, you know, they make that new user there, you know, that's the, now they're, now their user, and they turn off the other one, or delete it, or just ignore it.

Speaker 1 51:54 So now that user is 502. And is that user, is that second user, let's say it isn't an admin account? It probably is.
It probably is an admin account. So, so, so a lot of times it may not be, but a lot of times it is an admin account, and on the SAN, when you go to try to, you know, move things around on the SAN, you're going to keep getting that, you know, Finder wants to, you know, Finder wants permission to make changes on the storage, and it's going to ask you for your administrative credentials, and it, you know, after you authenticate, it will let you make changes to that directory. But it's a pain in the tookus, you know. So, and, and so when someone has this SAN in this unmanaged way, and they've attached all these workstations, and suddenly people are complaining about not all of the users can open or use or modify all of the files that they're creating, why might that be occurring? When, well, there's a few reasons.

Speaker 1 52:49 Number one, we, you know, what we just talked about for the last 10 minutes: there's no synchronicity between the user IDs in that environment. You may have a 501, 502, 503. So that's ownership. That's ownership. Exactly. The other thing, why? The other thing is, that's a good question, it's because of something called the umask. So we're going to, we're going to hear crickets when we talk about the umask. umask is a setting in the operating system that governs, when you create an item, a file, a folder, whatever it is, what will the file mode be on that file? 775? It might be 775 by default. In macOS it is 755, which means you can read and write and execute, but everyone in the group, your primary group, can read only, and everyone else can read only.

Speaker 1 53:39 So I might be a Premiere user and I need to pick up an edit. Someone else had created a project file. Yup. They created it just fine. They created it just fine. Open it. You open it, you can open it just fine.
They only had it for a few hours, and I hit, well, either the app tries to auto save and there's a failure, or I manually try to save and I can't save. And that's frustrating, because now I can't lock in all of these things I've been changing. Cause as you said earlier, you're really doing all of those manipulations in RAM, but they haven't really been locked into the file on the drive yet. And so, so this is the kind of problem that could manifest, because by default on Mac, other members of my group can only read. Well, that's it. If Apple made it so your group could read and write all the time.

Speaker 1 54:28 And here's, here's the issue that we have run into with macOS time and time again, is that, um, you know, pretty much, I wouldn't say every time, um, so several major updates of macOS, um, namely Lion, Mavericks, Yosemite, they all either treat the umask differently, it has to be set differently, or some of these operating, you know, some of these versions, namely Lion and Yosemite, completely ignored the setting. So regardless, yeah, regardless of the way it's set, you know, it's ignoring that setting. So you create files on this file system and, you know, it's not honoring that umask setting. Um, the other thing I've run into is that sometimes applications themselves don't honor the setting, and that's, you know, it just, it's kind of a, it's kind of a hairy beast. But the issue is, is that the system of users and groups is only really being managed on a system by system, workstation by workstation basis.

Speaker 1 55:26 And maybe by luck, several users will get in a mode where they can kind of get a little bit done for a given workflow. But then the moment, say, a second person needs to start modifying a project file, boom, there's problems. Right? And you're never going to know that until that second person opens that project.
You're never going to know that there, that there could be initial, everyone might be humming along, and then a new project comes up that inherently is going to be a little more collaborative than the last one. Correct. And maybe also people were sharing media files, but they only need read access, they only need read, they're probably not modifying the media. They're rendering it out to a new media file. Where the other thing we can see, you know, with this umask problem, is you have, like, say, a, uh, an assistant editor or an ingest librarian or something like that.

Speaker 1 56:10 They are creating, that person is creating all of the folders where the media lives, and then you have maybe a second ingest tech or a second assistant editor that also needs to put files in that shoot date folder or something like that. And they'll run into, I can't, I can't put the files in there because I don't have permission. So we, this actual client that we had, this scenario where they were running into all these types of problems, we're not going to mention them by name. Right. And I will say, we did solve the problem. Yes. Um, but this client, they were missing something. We've said the phrase a couple of times now. We said, what is your directory services? Directory services? Crickets. So again, is this a fair way of describing directory services? Directory services, yes, this is technology, this is servers, this is software.

Speaker 1 57:01 But at its core, what, what directory services gives a work group, basically the moment you're beyond a single system, the moment you're into two or five or 10 or 50 or a thousand, it's a centralized rule book. That's really what it is. Well, it is literally a directory. When we talk about a directory in the sense of what we used to call a phone book, you know, if, if anybody listening remembers what that is. They're still dropping them off on my stoop, and, like, uh, you know, cause I often go through the back of my house and I'm kind of ghetto.
Like it'll, I'll notice it after it's been there for, like, two months, and it's, like, gotten totally saturated with rain, and, like, it's really foul, and so you have to pick it up by the corner, but it's still heavy and nasty, and then it starts smelling a little moldy.

Speaker 1 57:49 So they're still out there. But it's a directory. It's a directory in that sense, not in the sense of how this is a folder. And so, you know, a listing, it's a guide. It's an Active Directory. When we talk about Microsoft Active Directory, a lot of people think that that's some way of, like, you know, making things happen with folders and things like that. No, it is, it is, you know, what, what we just described. It's a, it's a service of synchronizing, you know, the user IDs, group IDs and everything. But it's also, um, it also unifies the authentication process. So when you, uh, you know, say, binding several machines, the act of binding a machine, it sounds very, um, it sounds very S&M. I was just going to say, you know, really all it is, um, I remember when I first got into doing, you know, some network administration stuff, that the act of binding a machine to Active Directory, it scared the crap out of me.

Speaker 1 58:39 I was like, no, I don't want to do that. Now all it is, is basically telling your machine to use the directory service to authenticate and to log people in. So once a machine is bound to a directory service, you have the ability to log in as a directory service user, right? It's like a child asking their parent, can I do this? Yeah. Now, that's pretty much all. Your home folder is probably on an individual workstation's hard drive. So when you say, so, but when you say that, I mean, usually when you think of your account, you think of, I'm going to get a home folder out of this, I'm going to have my documents and desktop. And so true, you still have that, and that's still on your local workstation, usually.
Although there are ways of making your home folder on a, on a network share.

Speaker 1 59:21 Yeah. But let's say I still have that home directory on the built-in hard drive, cause usually those home directories are on local storage, not on a SAN. Right. And I usually use this one workstation. So when you say authenticate, log in, log in, yeah. But what's happening here is that your computer that you're sitting in front of has your home directory. It knows the home directory is associated with an account, but the account itself stops being an account that's managed just on that workstation. Correct. And the account essentially gets created in the directory services system. Right? It knows that that account should use the home directory on a particular computer's, particular hard drive. Right? But it's like that account doesn't exist on the computer itself anymore. Not exclusively on that computer. In the directory services system, the groups that you start to create are groups within the directory services system.

Speaker 1 00:21 So in an organization that has, say, Active Directory, um, it is usually the, the, you know, the groups, the work group, the owners, they're the, they're the ones that actually run it. They create the groups, they add the users, they do that kind of stuff. Now, directory services can be used for all sorts of things. Like, which network printers do I have the ability? Exactly. That's why they're really powerful and convenient, because you have the ability to authenticate to several different services. Email, maybe a company file server, maybe, um, you know, I, you know, a custom company application. It's all authenticated with your, with your credentials for that Active Directory. That makes it easier in an enterprise or corporate environment, because you don't have to remember one password for your email,
one login for your SAN, one login for every random file server. And binding your, your, your Mac, let's say, to an Active Directory server gives you the ability to use those same credentials and log in as that user.

Speaker 1 01:16 Now, it's not as simple as, hey, I want to, um, you know, I have this local account now that I created two years ago that I've been working with, now I've bound my machine to Active Directory, and now I just log in as that, as that user. There's a little bit of tweakage that has to be done to make that local user into a directory services user. You essentially need to make sure that the home folder name is the same, and then you need to make sure that the IDs are the same, which means doing, like, a, you know, a mass change of ID ownership on that folder. So that's, you know, that's, that's, that's exactly it, chown and chmod. Um, mostly chown, though. They're not just mumbling, guys. chown stands for change owner, chmod stands for change mode. Programs we run from the Terminal application, the macOS command line interface.

Speaker 1 01:59 Right. And actually, yeah, these are programs. C H O W N, chown, change owner. C H M O D, chmod, change mode. Yeah, exactly. Um, so, um, yeah, so the act of, and, and, and, you know, these different directories, so, so Active Directory is a directory service, um, Open Directory is also a directory service that we see on a lot of Macintoshes. Um, uh, the other, the other, uh, term that we hear a lot is LDAP. Um, LDAP is, uh, essentially a standard directory service that's been used for years. Again, it dates back, both Active Directory and Open Directory adhere to it, yet they're basically both, you know, Active Directory, the Microsoft product, which is, you know, 99.9% of all of the directory services on the planet Earth. Um, and we use it ourselves as the directory services system that we install into our clients these days.

Speaker 1 02:50 Right.
But, but, and typically that's because we're going into an organization that already has it. And the Mac's Open Directory system, which is a little more open source. It's not a commercial product. You know, both of these kind of adhere to the standards of LDAP, so there is some level of cross-compatibility. Typically when we say LDAP we could be meaning either one of those, because LDAP is a generic, you know, it's a generic directory services protocol. So let me ask you this. Let's say, let's go back to the Edit One, Edit Two. Edit One is Nick, Edit Two is Jason. I'm usually using Edit One, you're usually using Edit Two. Let's say we've never used each other's computers before, but we're bound to Active Directory. When we log in, I log in as Nick, you log in as Jason. Those are getting authenticated to the directory services system?
Speaker 1 03:38 Correct. Let's say we're in the same group or whatever, you know, in the directory services system. So now we've sort of... I've got a home folder on my local storage, you've got a home folder on your local storage. What happens if I walk over to your computer for the first time ever? You log out, there's the login screen, I log in as Nick with my password, but I've never been on your computer before. So it's, it's essentially exactly the same as if you had, um, created a new user in the Mac OS Accounts and a user's directory. You'll get a new home directory now and you'll, you'll basically have a fresh account, a brand-new account, and every time you log into that machine you will be at the same point you were at when you logged out of it. It's not the same home directory that I get back on my other machine, no.
Speaker 1 04:24 And the only way to set that up is to actually set up a network home folder, which can be done. We don't see... yeah, we don't think, we don't see that a lot, because a lot of workgroups really, you know... Awful.
Let me just say this: in a lot of workgroups with shared storage that are, that are doing what they should be doing and binding to a directory service, the sort of moving around machines is, is more about the SAN. It's more about the ownership and file permissions on the SAN than the actual user experience. You're going to lose your preferences and things like that in Premiere and all that kind of stuff. I mean, you know, Premiere has Creative Cloud, which will bring your preferences down, so that's really the way you get your preferences. But, um, you know, your local system preferences and things like that aren't going to follow you around unless you have that, that home, so a network home. That client account that I was alluding to earlier: we went in, we sold them a couple of servers, Microsoft Server software,
Speaker 0 05:18 which has as one of its features the ability to manage Active Directory systems, be an Active Directory setup. We went in, we made those Active Directory servers, we put them on their network, we created users, we created groups, we made it so when someone logs in... we bound all of the client Macs to it, and we made it so that when people logged into their computers, they were really using the credentials associated with these Active Directory accounts. Right. And so now there's a central rulebook that says, because all of these people are in the same group always, and we can define that, we want people in that group to always have read and write and execute on every file. We can avoid a lot of the problems that they were running into in that unmanaged way of doing it.
Now we, we, I'm sure we had to go through the SAN that had, that had already been set up and, and, and do that, that chown command to change the owner to a network user rather than, you know, rather than a local user, basically. That, done unknowingly, does the thing that people need to get... and again, correct me if I'm wrong here, but I think this is a fair statement.
Speaker 0 06:35 Well, the permissions get baked into the SAN whenever you create files and directories, because those, that permission data gets stored in the SAN file system or the database that rules that larger SAN storage infrastructure. The SAN as a computing system really doesn't know anything at all about permissions. Not at all. The storage doesn't have to be bound to the directory server. There's really no reason for that; it's just the accounts. It's the accounts that are creating and using... Exactly. And using files. That's the other thing. One of the things that we talk about occasionally is that a machine is not able to interpret permissions. Um, one way to diagnose that is, uh, again, in the Get Info box in the Finder: if you see "_unknown", that usually means, hey, this machine doesn't know who this user is, who this owner is. Uh, you know, the other thing you can do is, again, go to the Terminal and do an ls space hyphen l, which basically gives you a, uh, like a verbose readout of a directory, um, on the directory that's questionable.
Speaker 0 07:34 And if you see user IDs instead of usernames, that's typically, that typically means that, you know, that that machine does not know. Right. It can't interpret it. It isn't, it, it might not be bound. Exactly. Okay. So, so let's keep stepping through this. We solved some problems. We put in a directory service. There's a central rulebook. People are creating files in a way that allows the right other people in their group to have the right level of permissions.
So we can set their umask setting on their local machine so that when they create a folder or a file, the group actually has read-write instead of just read. So here's another scenario I know we've run into. We have the SAN, we have this directory services system, all of those SAN clients are humming along. And then let's say the client says, well, we've got a bunch of other users that we want to have be able to access at least a portion of the SAN.
Speaker 0 08:27 We want to make it so there's a little place where the editors, who are the direct SAN users, can plop things. And we want this one folder to get shared out to a much wider set of our users, because they might have to go find... maybe it's our marketing department, and there might be a new video we're going to do, you know, social marketing around, and they go to this thing and then they have to pull it down so they can do their own thing with it. And we say, okay, well, you're probably not going to put all of those users on the SAN through Fibre Channel connections. They're really light users. So we'll often stand up another server that is on the SAN, and it is often a Linux server, because we like Linux on servers when we can get away with it, because it's a very inexpensive and powerful operating system.
Speaker 0 09:17 I think the world kind of knows that in 2015, you know, Linux is obviously not going away anytime soon. Anyway, so we say, okay, we're going to attach this Linux box to your SAN. It's a SAN client itself, but we're going to turn on file sharing as a service on that server, and that server now becomes essentially a gateway, what we sometimes call a reshare server, gateway, a head node, and it then shares some of the SAN out. Usually not the whole thing, but at least a portion of the SAN, and now other people can get to the SAN, but they connect to it over Ethernet, right? They are not on the Fibre Channel. They use a file sharing protocol, like SMB. <inaudible> is a safe bet.
So let's say this is a Windows user. They're in the marketing department. They need to get at something.
Speaker 0 10:13 Maybe there's some bidirectional stuff. Sometimes they're dropping stuff onto the SAN through this file share. Exactly, exactly. Or maybe it's the other way. Sometimes an editor is depositing something and one of those, those network-connected users, those Ethernet file share users going through that reshare server, need to get at it. And let's say, you know, the reshare server is Linux. The editors themselves on the SAN are Mac. Some of the people who are coming, getting to the SAN, or that portion of the SAN, through the reshare server, maybe are Windows machines. And usually when that, that becomes the scenario, sometimes additional sets of permissions problems can emerge. Oh yeah, absolutely. So why? Well, there's, okay, there's a few reasons. Number one, you mentioned Windows. So, um, you know, I shutter whenever I, um, you know what, no, I shudder whenever I, uh, whenever I, um, have to deal with, uh, Windows users on the SAN, or any kind of shared storage for that matter, only because,
Speaker 1 11:14 um, the default behavior in Windows for making a new file or folder is that the mode is 700. Now, is Windows using POSIX? We talked about <inaudible>, Linux as <inaudible>. They all use and can interpret POSIX equally. Okay. Um, there are other, uh, you know, there's, there's another, another set of solutions we'll get into. The default mode is 700, so 7-0-0. So let's say your group: that zero indicates that they don't have... zero means, zero means they get no access. It means not... you cannot see the contents, you cannot see anything, you can't see. Windows, the default is that even other members of your very own group don't even have the ability to open and view non-destructively. So that's interesting. So Windows defaults to a much more secure environment, much more restrictive.
But I can see then that a Windows user creating a file, you know, you know, but should well be fast.
Speaker 1 12:16 I'm going to start, I'm going to throw another one in there, and this is going to light up for a lot of people, because I know almost everyone listening to this has seen this before. You get a zip file from a client, or you download it from a, um, you know, stock photography or stock footage website, and that's just how they present you with the, you know, the content: it's in a zip file. You put it on the SAN in the footage folder and you double-click, you know, double-click on it and it expands, and you can get to the contents, you can see it, you can traverse it, you, you have full access to, to use it. However, no one else in your workgroup does. Chances are that zip file was created by a Windows machine with 700 permissions.
Speaker 1 12:56 When you copy a file or expand a zip file or create a file, um, from, from a zip, um, the, the file mode of the contents of that zip are the same as when they were created. You are the, you are the new owner. However, the permissions themselves, the mode of those files and folders, it's the same as it was when it was created. So if a Windows machine created those files, they're all going to have 700. So that means no one else in the workgroup will be able to, to traverse that directory. You have directory services. Is this always going to be an issue, because Windows has that default? Yes. And the only solution really, you know, people ask, well, what do I do? The only solution is to go back to the user who... you know, you can always see who the user is by doing the Get Info.
Speaker 1 13:43 Go back to the user that created that and tell them they need to open up the permissions on that folder. That's really the only... or you can have an administrator. So they never do that, right? In the real world, our clients never do that.
And so we, client, a lot of times, you know, our clients just, it's not top of mind for them. They're not thinking about it. So they don't want to think about seven, seven. I get it. Listen, you know, I hang with you techies, but, you know, I, you know, I don't want to think about these strings of numbers and crap. I'm lost. So one thing that I've done, exactly, one thing that I've done is I've actually created a, um, uh, uh, what do you call it? Uh, an Automator service in the Finder that, um, makes the process of changing the permissions of a file very easy.
Speaker 1 14:25 So you, you essentially do a right-click and then there's a service you can run that changes the permissions. Now, the catch is you have to be the owner of the file. So essentially this is something that could be, you know, theoretically deployed to a workgroup, you know, a department, and everyone has the service. That doesn't mean anyone can, can change the permissions. That means, you know, you, you phone up or email the person who owns the file and say, hey, I need you to run this script on these, on these sets of files so I can get to them. Also, I know at times we have come up with more automated ways of doing this, where we have encapsulated the ability to change permissions in either a completely automatic fashion, or I know sometimes we've kind of built little scripts that live inside of a watch folder that wants something... I have, with watch folders, also, on a, on a, on a, you know, done a similar thing where on a regular basis a, um, a, you know, an automated script will run.
Speaker 1 15:17 It will parse the entire contents of the SAN and it will look for anything that, say, has a, uh, restricted permission set. Let's say we're dealing with a workgroup where everyone wants to have the ability to read and write in any folder, um, but they want... or let's just say anyone in the primary group. So let's say that's your editors, for example.
They need to really have pretty good wide-open access, but you don't want everyone to have wide-open access, just the editors. So you make sure that the editor, the editors' group, or the SAN users group, or whatever it is, that's the group that, that, you know, that's the primary group of that, of the, of everything on the SAN. So then you just, you know, the script basically goes through the SAN on a regular basis, whether it's once a night or whatever it is, and it says, hey, if I find a file that's not owned by this group, make that the group, you know, make that the group, and then set the mode of the file to 755. There is some danger, right, because you're now giving a wider set of users a wider set of abilities that include destructive capabilities.
Speaker 1 16:15 Sure. And so, so, I mean, here's what I've observed over the years. We have clients that, you know, get frustrated if there's permissions issues. We work through them. We come up with the best system we can. But, I mean, I think it's fair to say, if you've been on local storage and everyone's doing their own thing, especially in a workgroup where you've been ignoring permissions on external drives and you've literally never had to think about this before, oftentimes I've found that, that, I think our clients have the expectation that that level of not thinking ever about permissions is something that's truly achievable in any kind of a shared storage infrastructure. I think it's fair to say, guys, that simply isn't the case. It is not the case. You will have to think about permissions, think about it at some level, even if, I mean, you know, what I might be telling you is, you know, your workflow person within your organization, or our workflow... the... here at Chesapeake Systems,
Speaker 0 17:10 um, you know, there needs to be a conversation to think about how, how are we going to address some of these concerns?
Um, you know, I think a lot of people are used to dealing with a company file server where everybody has, like, their own little scratch space directory and, and they're the only person that can read/write there. Maybe everyone else can write but not read, and, you know, or... but there's some... the point is there's some sort of a get-around for issues. Yeah. But you, you know, you just, in a shared storage environment, this has to be a conversation. It has to be something that you're thinking about. Well, especially a production storage environment where you're, you're creating directories on the fly for new projects as they come up. There's lots of people mucking around. There's various levels of collaboration, both at a project file level, at a media file level, at a directory structure level.
Speaker 0 17:54 I mean, so much more thinking has to go into how the group as a whole utilizes this resource that, you know, you're gonna have to think about it. And I think it's also fair to say we can create all sorts of wonderful automated systems that 98% of the time, maybe, can prevent this from being a pain in your butt. But probably there will be outlier situations from time to time where, even if you never really have to think about this generally, something will happen because some user on some other system has their default set in a certain way. Exactly. It just, it creates a little bit of a mess. And I know that in those circumstances, you know, for a lot of our users, jumping into the command line and using these chmod and chown tools is, it's too much. And we don't frankly want most of our users doing that.
Speaker 0 18:39 'Cause you can cause a lot of problems. A lot of problems. The other thing, the other thing to keep in mind is that in many... I find that even though, I think, I think almost any workgroup can, can give me the argument that they all need to be administrators on their machine, I can't find one that really sticks. Sure.
So, but, but my point, the reason I wanted to mention this, is because if you are an administrator on your machine, that gives you extra privileges on the SAN. A lot of people don't realize this. If you, if you're in group 80, which means you're an admin on your machine, you can royally screw up your SAN if, if, if, if, if the Finder asks you for authentication and you put in your password. You know, you basically are able to do lots of damage.
Speaker 0 19:18 So that's something to keep in mind. And I mean, and this is, I think, a good frame of reference. Everything that we're saying sounds like a royal pain in the rear end, and this permissions thing, people would go to this mode of, we'll do whatever you can to get it as close as possible to me never having to think about it. Let's just open everything up really wide. And the risk in those scenarios, and listen, we're, we're in a production environment. We have people with a lot of very valuable media and data on their SANs. And let's be blunt, not every one of our users has a backup system in place. Some people just don't budget for it, they don't have it. We encourage it across the board. But the wider you open things, the more damage an individual can cause. People can accidentally wipe out very quickly all your data or a huge... A really, really, really common,
Speaker 0 20:07 you know, mistake that I've seen. Um, we've got a SAN, we've got all of our client, you know, maybe at the root level of our SAN we have all of our client, you know, folders, and that's got all of our clients. Um, we have one client that we very frequently do work for. They're, you know, they happen to be our most valuable client, and somebody makes the mistake of accidentally dragging that client folder into another client folder. And now suddenly everybody's projects and media are offline. You know, if you have carte blanche wide-open read/write access to your SAN, anybody could do that.
And it's a mistake. They're offline because they no longer link back to the main files. The data's, the data is not gone. It's still there. You haven't lost anything. But now you've got to find it. I mean, you know, where is it?
Speaker 0 20:47 Who made the mistake? We don't know. You know, it really doesn't matter. You know, the point is, you know, now, now all of our stuff's offline. Like, is it... So I guess the point I would like to put out there is, if you're moving to shared storage or expanding your shared storage, you're going to have to be aware of permissions. Yes. These will be issues we have to talk through. Definitely there's planning around that. The, the, the pain aspect of it can be largely mitigated through conversation and having a properly configured directory services system that properly encapsulates the relationships between your various users and groups of users. And you, you do, you know, it's funny, because we're talking about this very techie subject, but what we're, as we always seem to come around to on The Workflow Show, we're really talking about workflow. Yes.
Speaker 0 21:32 We're talking about what is the order of events, the hands in the pot that need to happen for a piece of work to be created, modified, reviewed, approved, delivered. And if these permissions fall apart, because these are files that we're dealing with at the end of the day, you know, your workflow will be interrupted and you might not deliver it, or you might deliver it and there your recipient has a problem. There's so many potential issues. We've got to plan through it. You've got to start to incorporate directory services essentially the moment you do shared storage. And that for us is often tethering onto an existing Active Directory system that an organization already has, that their IT department maintains. I mean, if you're a big company, you already have directory services, right?
Um, so we find, we find occasionally that, um, the media departments within a large organization, um, maybe they don't have as great of a relationship with IT.
Speaker 0 22:24 They can't make things move quick enough through IT. So, um, you know, there, there may be a second directory server just for the media department for that reason, and I get it, right? 'Cause the media guy, guys too: I have deadlines, I can never have any permissions issues, open it wide up. And that's like literally antithetical thinking to your typical IT guy, who is conservative and really cares about data and doesn't want people to be able to delete each other's stuff accidentally or intentionally. So, you know, they're both worthy goals. You need your workflow to work and not give you bottlenecks, but you also should be mindful of data, and your data and your customers' data, your clients' data, in a way that makes it so there probably is some level of permissions
Speaker 1 23:06 that actually is a scheme and has been thought out. Let's, let's throw out an example. What if, what if you have a MAM, what if you have a media asset management system? I mean, you know, you've got a, a storage repository for that media asset management system, you know, where all of your footage lives, where all of your assets live. Um, do you want your users to be able to go out underneath that, that media asset management system and be able to change file names and move them around, and do all kinds of stuff like that? No, you, you probably don't. You, you really, you want the MAM to, really want the MAM to do that. You know, the MAM's gotta be the, the top of the food chain, trying to get people to go through the MAM and not through the Finder, you know. Exactly. So let me ask you this again. It warrants discussion. We talked about POSIX, we talked about that stuff. Oh, and there is a tool that I wanted to mention. I know we've often said, hey, customer, download this application.
Yes,
Speaker 5 23:55 No, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no.
Speaker 1 23:59 So it literally, its icon... It's called BatChmod. Yeah. Because I guess you're, you're changing them. It's basically chmod, but with a user interface. So it's very easy, it has a pretty user interface, it's very easy. The icon is the bat icon, the little... that sort of looks like the Batman. So there's character, there's definitely no copyright concerns. And so you've got this BatChmod app, and it gives users a very easy, fairly drag-and-drop kind of tool to set permissions. Um, it lets you, uh, um, push the permissions down through a directory structure, so you can, you know, relatively quickly go through an entire directory tree and apply whatever permissions you've set in that little GUI. Speaking of directory trees, do, do permissions tend to get inherited as it creates trees within directories? That's a great question. It depends. It depends on whether you're... if you're actually using POSIX permissions, then no, not really.
Speaker 1 24:50 There's, there's really no inheritance for POSIX. So... Well, what's the alternative to POSIX? Before we go there, I just wanna, I just wanna mention a quick caveat about BatChmod. BatChmod does not query your directory server. BatChmod will only show you your local groups on your machine. So for a lot of workgroups that are actually bound to directory services, it's not as useful as it could be. The one saving grace for that is that it will allow you to set the group of which you are a primary member. So in many Active Directory environments, your primary group is Domain Users, which has everyone. So, um, it's everyone that's a member of the directory service. So talking about ownership, which is what we're, a little, what you're talking about, what we're essentially talking about is changing the user mode on the group. So exactly. Widening the user mode.
Speaker 1 25:36 Exactly.
So really, really all you're doing is just setting that. You know, the typical scenario is somebody brings in a hard drive. They were on a shoot, you know, maybe the person who was doing it had a Windows machine. So we've got 700. So we need to bring it in and we need to open up that group to 775. So BatChmod to the rescue, right? We can do that for a lot... but on the SAN, and then you're good to go. So if there's a media manager or somebody in the organization who does the, you know, that's the tool that often we'll teach them to use, because it's pretty straightforward, and probably best for a group like a Chesapeake to work with you to make sure you're understanding how those tools are working and you're not messing anything up. Right? But so, okay, so we talked about POSIX, we talked about all of this read, write, execute stuff.
Speaker 1 26:22 That's what all of this conversation has been based around. It's wonderful. It's, it's been around a while. It's respected, it's supported by, you know, everything from Mac, Windows, Unix, Linux. Why would we use anything else? But there is something else. Yes, there is something else. It's called, uh, access control lists, or ACL, or "ackles". You'll hear all three of these things, but ACLs and "ackles" are commonly the words we use. Um, ACLs give you the ability to more granularly define what your permissions are. You can go file by file, directory by directory. You can set inheritance. You can set, like, very specific permissions such as allow write, allow read, allow delete, allow modify, deny. You know, so you get this whole set of deny/allow, uh, flags that you can, you know, flag particular files with. You can, you can basically, uh, you can set an inheritance flag, which will basically put, you know, in a directory, push that down to the contents of, you know, push that setting.
Speaker 1 27:20 There's also something more nuanced about the way users and groups are handled in ACLs.
Like, you have some extra flexibility. You have some extra flexibility. You can add particular, you can add additional groups and add permissions for those groups. So you could add, like, say, say, hey, you know, here's a folder on the SAN. I need producers to be able to write into this group, you know? Whereas most of the time it's only the editors that are reading, writing this, this particular folder. I need producers to be able to read/write into this folder. So you could add that group and then give them read-write access. And can you do that with, with POSIX? No. The only way to manage it that way within POSIX is to nest groups within groups. So you would have to have multiple groups. You get one group in POSIX. Oh, so if you want, essentially, like, you know, one way to think of this would be like we have this, you know, this, we have the situation where we need to have producers and editors being able to read/write on a folder in the SAN.
Speaker 1 28:17 So maybe we would create a group called super editor, or super producer, super producer, that has those other groups in it. Yeah. And then when we make that group the... It sure sounds like it would be easier if you could just apply multiple groups. Sure. It is easier. Now, um, let me just say this. If you are going into the Finder's Get Info box and you are pressing the little plus button at the bottom where the users and groups are listed, and adding a group, adding an owner, adding a user, you are essentially adding an ACL to that file. ACL, an access control list. But what is, where is the data for this ACL system? That's a good question, but I think it is part of the file system. Again, metadata, is... Well, that, yeah, it is. It's a file system. Metadata. So the HFS local storage file system on Mac, you know, supports these ACLs. SANs can support ACLs.
Speaker 1 29:11 Yes. You know, different file system types: you have to do some investigation as to whether that file system supports ACLs.
They sound really great as I'm sitting here talking about that. There's a fantastic... there is an issue. So Windows and Macintosh systems interpret the ACLs differently. They're not completely, yeah, they're not completely synchronous between the operating systems. Why would that be? Well, who knows. I mean, isn't one of the things that makes POSIX permissions so powerful that it's respected by every major computer, the standard? It's been around for years. So this is just private corporations run amok, and we should have said... It kind of is, it kind of is. Here's the, here's the even more important thing about ACLs: Linux servers don't interpret them at all. They're completely ignored. So, you know, and in a, in a setup where, again, you've got a MAM, you've got a, um, you know, maybe, maybe a backup and archive server that's a Linux-based system, uh, those systems are not going to be affected by the ACLs at all.
Speaker 1 30:16 So here's the question. If you're a Mac user, you're a Windows user, and those operating systems by default are oriented around ACLs, is it that they're also writing POSIX permissions simultaneously, but they're just much more simplified than the ACLs? So the POSIX is there, but it doesn't illustrate the information. That's exactly what it is. The POSIX is always there. The POSIX permissions are always there. They're inherently part of, of every file and directory. And if the POSIX permissions and the ACL permissions contradict one another? Um, I believe so... well, so one is going to supersede. Yeah, I think the ACL always has the precedence. So, uh, that's, could be an issue where, if a Windows user, we talked about that scenario, the Windows user creates a file, they've, there's some very Windows ACL kind of stuff going on, and they plop it on that SAN reshare that they have,
Speaker 1 31:09 and then a Mac user opens it up and the, you know, the Macs just don't understand the Windows
ACLs, and so let's say you had several groups that were associated with that. Well, there's really only going to be the one group that the POSIX side of things respects, right? And so if your Mac user isn't in that POSIX group but was in one of those Windows ACL other groups, they might not have the rights to the file once they opened it on their Mac. So this is, this is one of the reasons that I firmly recommend not using ACLs in a mixed environment. They, they, they probably work really well for a lot of users in all-Mac and all-... But in mixed environments, especially ones that include Linux servers, I just recommend against them. I've also had a personal experience with, um, you know, so let's take a media asset management system like Reach Engine, for example.
Speaker 1 32:02 Reach Engine does not have its own transcoder. So, um, and, you know, our Reach Engine, uh, clients all have different transcoders. Some of them have Elemental, some of them have Vantage, some of them have Episode. Um, Episode itself can be run on a, on a, on a Mac or a PC. Uh, Vantage is, is a Windows-based server. I've, I've seen problems with ACL-based SANs, um, and, and Vantage freaking out with, with those. You know, you have this, these servers doing things. It's unlikely all your services or servers are Mac, even if you're running Mac, you know, as your editing systems. I, and I, I, these issues are gonna come up. Yeah, they are. And I think the important message here is always be aware of all of the different touch points in your workflow and on your storage. It's not just, well, this person needs to be able to do this and that person needs to be able to do that.
Speaker 1 32:52 You've got services, you've got machines, servers that are, you know, that are also needing to interact with these files and directories. And, you know, if you are, um, having problems with users being able to access directories and files, the machines will also have problems with those.
So, um, you know, all I'm, all I'm re, you know, the, the picture I'm really painting is it's difficult to have the cake and eat it too, where, you know, everyone, uh, everyone can just do carte blanche whatever they need to do and, you know, never, never have to think about permissions, but then also have some of these automations that always work, if that makes sense. So it's like you're gonna have to think about this stuff. It probably is best to think about it with an outfit like us or another integrator or IT firm that really knows this stuff and really plan out your scenarios in advance.

Speaker 1 33:43 Understand, by introducing the shared storage system or a new additional shared storage system, this is who's going to be using it. These are the workflows. This is how we imagine files flowing from these users to these, this group, to this, this storage, to that, these apps, from these users to these apps. If you plan it out and we understand what those flows are going to be, we can probably build a system that in a largely, if not almost entirely, automated way deals with this. Yes, but it is still being dealt with. It's not being ignored. Right? We can still utilize the benefits of directory services by intentionally locking down permissions for certain users, certain directories. You know, if you've got a bunch of assistant editors, they're newbies, they're freelancers. They don't have a very vested stake in your organization necessarily. They might not be the most highly trained people. They have to do raw ingest and logging. Give them a little, you know, spot that they can plop it all into but can literally not even see what's on the rest of your SAN, because why should they need to? Why should they be given the rights to cause damage? Delete files, potentially cost you money, shut down your business. Literally these things can happen because of permissions

Speaker 0 34:58 that were set too widely and/or weren't being respected.
One of the ways that

Speaker 1 35:01 we really like to set up ingest to a MAM, and it could really be any MAM. Um, but uh, my favorite way to set up ingest to a MAM is to set up a repository for the MAM that is, that is locked down permissions-wise. Meaning that the MAM is really the only user that can, that can write, and you have a workflow that, uh, you know, takes a wide open directory, an ingest directory, let's say. And it's really just a drop box. So you put things in that ingest directory and either a, you know, a manually run workflow that, you know, asks for metadata or something like that would run and then pick up those files and move them to a, to an obfuscated location from the users so that they have to, they really have to go into the MAM to find their, their stuff.

Speaker 1 35:47 And that, that, that, that solves several problems. One of the problems is it gets your users using the MAM, which is what you want. If you've, if you've invested in it and you're really using it to its fullest potential, you want the users to use it. You don't want them, you know, poking around on the SAN for things. Um, but it also gives you that security where once the MAM is, is really the owner of something, it's not being moved around by, you know, uh, end users, users that, you know, deleted, renamed by users that think they know more than the MAM does.

Speaker 0 36:15 So, you know, we don't have time to talk about this. We're winding down the discussion, but just to give a little allusion to the subject: MAMs themselves can be bound to directory services systems. You can certainly bind applications to directory services. So, and a MAM platform, take Reach Engine, which, you know, we have several installs going on at any given moment, CatDV, so any of these MAM systems, you know, an Empress eMAM, CatDV, Reach Engine, what have you, uh, Cantemo, whatever it is.
We have whole other application level rights and permissions and roles that really extend quite further when we talk about what we can lock down. You know, we talked about how POSIX is the most basic, ACLs are kind of, uh, you know, had new levels of capability and granularity. In a MAM, it's like whole other realms. Like, can you run this automation workflow? This is typically based on,

Speaker 1 37:18 on the application itself. I mean it is, it's based on the application itself. Um, and it's really how far they're going with their, uh, directory services integration. Um, some of the platforms really only use it for authentication, so to give you a single sign-on experience. So for example, I log into my machine with a, with a certain username and password. I also want to be able to log into the MAM with a certain username and password. Once you get in there, you have to have a media manager set up your access for some of the systems. Some of the systems will let you map, um, uh, uh, roles in your directory services to roles within the MAM. Um, so that it's all based on your directory service. That makes the management a little bit easier for some, but maybe a little bit more complicated for others.

Speaker 1 38:01 You know, if you're in a workgroup where, again, you've got, uh, you've got an Active Directory server, you know, a corporate Active Directory server, you have IT managing that and you don't want to have to bother it to, like, say, move things around or create new groups for you based on what you want to be able to do in the MAM. You know, you may not, you want to bind your roles, the MAM roles, to Active Directory groups. Um, but all of the MAMs do it a little bit differently. I mean they, you know, some of them give you really, really, really granular control based on, you know, that directory service. Some of them really are just using it for authentication. So, but typically the hierarchy is that there is a group for the users' roles.
It's very similar. So this is what you can do, this is what you can't do.

Speaker 1 38:44 Right. And there are users. So this, you know, Bob's a member of this group and he has that. Again, we can tie so much to it: which workflows can you run? Can you publish? Can you, you know, can you even see that the media exists in the MAM? Can you do this but not that? Can you, we have several different clients that in the MAM are based there. What they can see in the MAM is based on what their role is. Um, for example, are you a, are you a user that has the ability to publish content out to a CDN? Right? And if that's really your primary function, you really don't want those users to see raw footage and scratch, you know, scratch assets and things like that. You really only want them to see the finished content. Um, and then to be able to run those publishing workflows. That makes their experience a lot more tailored to them.

Speaker 1 39:31 But it also, it also kind of locks it down so they can't screw anything up. And in a sense, and this is a subject for another day, but you know, you hear the term rights management systems, and you know, a rights management system is basically keeping track of which files you have the legal right to publish or do other types of things with, repurpose, what have you. And again, this is using sometimes very sophisticated kind of sets of logic and rules we build at usually a MAM level, a database level, that can be infinitely more multifaceted and granular than POSIX permissions or ACLs. But again can still kind of tie into those fundamental sets of users and groups that you've built out at that directory services level. Right. But then we can just do even more with it, because the MAM has those capabilities itself, right?
So it's like we can take advantage of the, the, what you already have foundationally, directory services wise, and yes, your, your file system permissions are still going to be important, but then we can claim completely separate this other stuff just at the layer of the MAM that still has some relationship to those other groupings and entities. But just gives us, like, essentially the ability to set any set of logic whatsoever in any given circumstance for any given workflow and have certain checksums in place.

Speaker 0 40:54 Well, that's cool stuff. So I think we've probably confused a few people. We've probably frustrated them because they realized, darn it, here's another up to tech thing I'm going to have to pay more attention to. You know, maybe they were looking at the subject of this podcast and they're thinking, oh, this is going to solve all my problems, which, not so much, unless you, like, pay us to solve your permissions problem, which we're really just happy to do. I think what we really want to accomplish here is to get everybody thinking about it. And I find that once people have an understanding of what's going on behind the scenes, even if it's a very high level understanding and not real detailed, um, there'll be less frustrating encounters. This is the Workflow Show. A lot of our listeners are very technical, but a lot of them also are very focused on their creative endeavors or managing groups of creatives and aren't hardcore crazy IT guys.

Speaker 0 41:42 And so I think we can end on this note. When you are formulating a plan for a shared storage infrastructure or really any kind of shared infrastructure, when you're realizing that there's now going to be, you know, these direct pathways between users for storage, for networking, all you need to be able to do is ideally document and think through the workflows, right? You don't have to come into a conversation with a group like Chesapeake and talk about 775 permissions.
We don't have conversations that way. Usually, if it's a, you know, if it's a user who, you know, doesn't want or need the crash course on POSIX permissions, we can say, what will your users be doing? What is the flow of data, the flow of files, the types of collaboration? Who's reading which files, who's creating files, who's modifying them, how are they getting passed?

Speaker 0 42:41 And if we can understand your workflow, we can codify a permissions and directory services system that makes it so in the vast majority of circumstances you're never going to know what's actually going on. And it works wonderfully. Hopefully after listening to this, you at least kind of have an understanding for why some of these things come up and why, as much as we're always jumping in there to help customers with permissions issues, there's a lot of different factors that need to be investigated. Sometimes it's a snap of the finger, sometimes it takes some deep investigation into other aspects of the infrastructure. Could be whole other groups of users that your creative media group doesn't really control and interact with very much. So you may have to start to investigate, like, what are other groups of people up to if there's files coming from them or going to them?

Speaker 0 43:32 But this is all part of the workflow investigations that we certainly engage our clients with. And, and again, we can, we can make the tech do what you want it to, but we have to know what it is that will be getting done. And by whom. By whom, exactly. Thanks for proper use of the word "whom" there. Yes. So on that note, on that, that grammar note or whatever. Um, thanks Ben. So, uh, I, this I think brings the episode to a conclusion pretty much. You've got a pretty good basic understanding of permissions if you've been with us for the last more than the 40 minutes that we were intending for this to be, but hey, pass this around.
If there's users who could stand to listen to this, please spread the episode around. It's a great crash course. You can of course always engage with us at Chesapeake Systems for more information.

Speaker 0 44:21 This is the type of stuff we do, of course. Uh, of course you can engage us just by reaching out to pro [email protected] or with your account manager or your technical people that you deal with regularly through Chesapeake. Um, and with that, I think the first episode of season four is here, folks. So please keep listening. The goal is that we really are going to be striving to get a Workflow Show episode out on more of our old school schedule, which I'd say is roughly every three weeks or so. Every three to four weeks. We're going to really, we're going to have, we already have a queue of great guests that want to be on this season. One of the next episodes that's coming up is going to be with a vendor, but very much an educational lesson in transferring stuff across the internet and networks, which, because many people are spread across the planet these days, we do transfer a lot and there's optimal ways of doing that and non-optimal ways. So we're going to keep trying to, even when it's a vendor or a guest on, really try to get to an issue that we can kind of, you know, espouse and, and, and, and get into. So you're getting something educational actually out of it. So thank you, Mr. Whetstone. Thank you, Mr. Gold. Mr. Kilburg. Kilburg, thank you, gentlemen, and remember, with great power comes great responsibility. So be wise in changing your permissions. Yes. Nice final thought. Definitely. Alright, thanks for listening, folks. Until next time. Bye bye. Bye.

Speaker 3 45:51 Just when you thought it was over, here's an audio production addendum.
Earlier in our conversation we were discussing the idea of floating permissions or ownership, and I remembered incorrectly that the UID and GID for ignoring ownership is UID zero zero and GID zero zero. It's not. The correct UID is 99 and the correct GID is 99. Take care and thanks for listening.
