# Groups and shares
This page is the authoritative map of the lab’s access control: which groups
exist, how they nest, and which share each one gates. All of it is built by
make groups and make clinics from editable tables in
scripts/setup-groups.sh and scripts/setup-clinics.sh.
## Base groups (setup-groups.sh)

The original demo layer, mirroring the OU divisions.

| Group | Gated share | Members |
|---|---|---|
| Studio | [studio] | Studio division |
| Field-Ops | [field-ops] | Field Operations division |
| Executive | [executive] | Executive division |
| Managers | [managers] | Division managers |
| Staff | (meta-group) | nests Studio, Field-Ops, Executive |
## Clinic and ancillary groups (setup-clinics.sh)

Fifteen groups in the Clinicians family, each gating a same-named team share.

| Group | Share | Group | Share |
|---|---|---|---|
| Primary-Care | [primary-care] | Behavioral-Health | [behavioral-health] |
| Urgent-Care | [urgent-care] | Dermatology | [dermatology] |
| Pediatrics | [pediatrics] | Gastroenterology | [gastroenterology] |
| Cardiology | [cardiology] | ENT | [ent] |
| General-Surgery | [general-surgery] | Radiology | [radiology] |
| Womens-Health | [womens-health] | Laboratory | [laboratory] |
| Orthopedics | [orthopedics] | Pharmacy | [pharmacy] |
| Oncology | [oncology] | | |
## Admin (back-office) groups

| Group | Gated share |
|---|---|
| Administration | [administration] |
| Billing | [billing] |
| Medical-Records | [medical-records] |
| IT | [it] |
## Meta-groups (the nesting)

| Meta-group | Contains | Gates |
|---|---|---|
| Clinicians | the 15 clinical and ancillary groups | [phi] |
| GH-Staff | Clinicians + the 4 admin groups | [all-staff] |
Members of a clinic group are transitively members of Clinicians and
GH-Staff, because Samba expands the AD token’s tokenGroups at connect time.
That transitivity is what makes the nesting act as an access boundary.
## The three share shapes

| Shape | smb.conf gates | On-disk | Example |
|---|---|---|---|
| Team folder | valid users = @AD\<Group>, read only = No | 2770 setgid, owned by the group GID | [cardiology] |
| All-staff | valid users = @AD\GH-Staff, read only = Yes, write list = @AD\Administration | 2775 setgid | [all-staff] |
| PHI | valid users = @AD\Clinicians, read only = No | 2770 setgid | [phi] |
The connection gate (valid users) decides who mounts the share; the write gate
(Unix mode and ownership, plus an optional write list) decides who can change
files. Both must agree, which is why all-staff lets everyone read but only
Administration write.
## The access matrix, proven

make test-clinic-access exercises this end to end:

| User | cardiology | phi | billing | all-staff |
|---|---|---|---|---|
| john.carter (Cardiology) | write | **write (via nesting)** | denied | read |
| madonna (Billing) | denied | **denied** | write | read, no write |
| ellen.ripley (Administration) | denied | denied | denied | write |
The two bold cells are the lesson: john.carter reaches phi and madonna does
not, although neither is named on that share. See HIPAA nesting.
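As an added illustration (not the lab's own scripts or test code), here is a small Python model of the nesting table and the three share shapes above. It assumes the share settings exactly as tabulated, expands direct memberships the way tokenGroups does, and reproduces the access matrix, including the transitive phi access that john.carter gets and madonna does not.

```python
from dataclasses import dataclass, field

# Nesting from this page: meta-group -> the groups it directly contains.
CLINICAL = [
    "Primary-Care", "Urgent-Care", "Pediatrics", "Cardiology", "General-Surgery",
    "Womens-Health", "Orthopedics", "Oncology", "Behavioral-Health", "Dermatology",
    "Gastroenterology", "ENT", "Radiology", "Laboratory", "Pharmacy",
]
ADMIN = ["Administration", "Billing", "Medical-Records", "IT"]
NESTING = {"Clinicians": CLINICAL, "GH-Staff": ["Clinicians", *ADMIN]}


@dataclass
class Share:
    valid_users: str                 # connection gate: smb.conf "valid users" group
    read_only: bool                  # smb.conf "read only"
    write_list: set = field(default_factory=set)  # groups that may write anyway


# The four shares of the access matrix, each in one of the three shapes.
SHARES = {
    "cardiology": Share("Cardiology", read_only=False),   # team folder, 2770
    "phi": Share("Clinicians", read_only=False),          # PHI, gated by nesting
    "billing": Share("Billing", read_only=False),         # team folder, 2770
    "all-staff": Share("GH-Staff", read_only=True, write_list={"Administration"}),
}


def token_groups(direct):
    """Expand direct memberships through the nesting, as Samba's tokenGroups does."""
    token = set(direct)
    changed = True
    while changed:  # iterate to a fixpoint so two-level nesting (GH-Staff) resolves
        changed = False
        for meta, members in NESTING.items():
            if meta not in token and token & set(members):
                token.add(meta)
                changed = True
    return token


def access(direct_groups, share_name):
    """Return 'denied', 'read' or 'write' for a user holding the given direct groups."""
    share = SHARES[share_name]
    token = token_groups(direct_groups)
    if share.valid_users not in token:
        return "denied"  # connection gate fails: the share cannot be mounted
    if not share.read_only or token & share.write_list:
        return "write"   # write gate passes: group-owned folder or write list
    return "read"
```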