Skip to content

Accounts for Sensitive Data

Setting up a P3 project

Still need a Savio account?

If you do not already have a Savio account, you need to first request a cluster account and then request access to a Savio FCA (Faculty Compute Allowance) or Condo allocation. You can complete both of these steps by visiting the MyBRC User Portal in your preferred browser.

Here are the steps involved in setting up a project for working with sensitive data. Most of the process involves steps that must be completed by the associated Principal Investigator (PI) of a Savio project:

  1. Research groups should begin by consulting with the Research Data Management (RDM) Program to determine whether Savio is an appropriate service based on the sensitivity of the data and computational needs. Reach out to researchdata@berkeley.edu to start this process.

  2. After consulting with the RDM Program, PIs of active FCA, ICA, and Condo projects can request P3 storage directories via a “Request a Secure Directory” button on their MyBRC User Portal project page (unless they already have a secure directory under the project), which will redirect to a required form. Before filling out the form, it would be helpful to have information regarding the dataset(s) on hand, including the source, the approximate number and size of the files, the anticipated duration of usage on Savio, and any security or compliance requirements for the dataset(s).

  3. Once the secure directory request form is submitted, the details of the request will be reviewed, confirmed, and edited (if and as needed) by administrators. The PI will then be notified and an unsigned Researcher Use Agreement (RUA) will be generated which the PI can download from the MyBRC portal secure directory request page. The RUA outlines the PI’s responsibilities for using Savio with their sensitive research data. After reviewing and signing the RUA, the PI can then upload the signed RUA form via the MyBRC portal secure directory request page for review by administrators.

Once a request for a secure directory is approved, BRC staff will set up the following appropriate storage locations:

  • For FCA accounts, each user will be given access to a P3 group directory with a 30 GB quota limit, i.e., each P3 project will get a group folder in /global/home/groups/pl1data/.

  • If the PI is a Condo owner then they would be given access to a 200 GB P3 group folder under /global/home/groups/pl1data.

  • Each P3 user also gets access to a directory in the P3 scratch space located at /global/scratch/p2p3/. Note this is separate from their regular scratch directory that will be set up for their non-sensitive data (located at /global/scratch/users).

Naming the P3 storage directory

In the "Directory Name" section of the secure directory request form, the PI will be asked to provide a name for the secure directory. The directory name will be used to name the folders which will be created in the group and scratch directories. For example, if the name provided is oski_pii, the created directories will be /global/scratch/p2p3/pl1_oski_pii and /global/homes/groups/pl1data/pl1_oski_pii.

Managing P3 projects

Giving or removing access to a secure directory

After creation of the P3 storage directories, both project PIs and managers can use the MyBRC portal to add and remove users to P3 projects by specifying which users should be members of the sensitive data group and have access to the resources. If any changes are necessary, the PI can submit a request via the MyBRC Portal to BRC administrators to add or remove account access; PIs are responsible for monitoring account access to P3 data within the Savio environment.

A PI or project manager can submit a request to give a user access to (or remove a user's access from) an already-existing P3 project via the "Projects" tab on the MyBRC portal.

  • Go to the "Projects" tab on the MyBRC portal
  • Select "Allocations"
  • Under the "Resource Name" column, find "Group P2/P3 directory (Cluster Directory)" and "Scratch P2/P3 directory (Cluster Directory)".
  • Select the needed Allocation ID
  • On the "Allocation Detail" page, use the "Add Users" or "Remove Users" button next to "Users in Allocation" section to submit the request to grant a user access or remove a user's access to the desired P3 group and scratch directories.

Once a new request is submitted on the MyBRC portal, BRC Savio administrators will process this request and provide updates. BRC Savio administrators will confirm that the PI/group has consulted with RDM and that a signed RUA has been submitted, and will confirm approval of requests via email before provisioning or removing account access to the restricted folder.

Checking P3 access and user permissions on Savio

Access to P3 storage directories on Savio is controlled via Unix groups. When working with the secure directories, it can be helpful to check group membership and determine the which users and groups own which folders and files.

Group membership can be verified using the command getent group <group_name>. This will return info about the group in the form 

<group name>:<password>:<group id>:<user1,user2,...>

For example, say you are part of a project with P3 storage allocated to /global/scratch/p2p3/pl1_oski_pii, and three users are part of this project: oski, bear, and calfan. The associated Unix group will be pl1_oski_pii, and getent group pl1_oski_pii will return something like pl1_oski_pii:x:12345:oski,bear,calfan. The <password> field is not used on the Savio cluster.

File and folder ownership can be checked with the ls utility, using the command ls -l <folder or filename>. For example, if oski were to create a new folder in /global/scratch/p2p3/pl1_oski_pii called oski_work, the output of ls -l /global/scratch/p2p3/pl1_oski_pii would look something like: 

drwxr-sr-x 1 oski pl1_oski_pii 4 Jan 1 00:00 oski_work
The important fields for determining ownership and access are the first block (in this example, drwxr-sr-x), which details access permissions, and the third and fourth blocks (oski and pl1_oski_pii), which detail the user and group owners, respectively. After the first character (d for a directory, - for a file), the access permissions come in triplets (read, write, execution) corresponding to user, group, and 'other' permissions (anyone who is not the user or group). In this example, oski has full read, write, and program execution permissions (rwx). Anyone in the pl1_oski_pii group has read and execution permissions only (r-s). The s in the execution character for the group permissions additionally indicates that any new file created in oski_work will also be owned by pl1_oski_pii, the group owner of the folder.