Hello, my name is Gregor van den Boogert from the University of Augsburg, as was introduced, and I want to talk about ACLs and sharing here. Now, what I think everybody observes is that if you have some constraints, some boundary conditions, people with a similar problem end up with a completely different solution, and therefore I try to clarify a few assumptions and constraints.

So assume you have an organization like, for example, a university. They have in their IT some sort of directory service, an LDAP, an Active Directory, and an identity management system for life cycle management and to essentially model the organization in IT. Additionally, they found out a few years ago that they need some sort of private storage cloud for sync and for share, typically more inside the organization or beyond the organization; inside, the LDAP supports you, beyond it doesn't. And from these three assumptions, I have to derive that the storage cloud does not orbit like other IT services, or it does orbit like other IT services around some unexplored center in this university. It is not the university itself; there is no world domination yet. By that I mean especially no world domination in this organization, so probably Nextcloud will gain world domination later on, but in this organization it will not have it.

Okay, and then we want to achieve something: we want to share and sync data from a NAS filer, and we want to use the external storage interface, and we want to do it transparently, so that you can do the same thing over the other protocols as you can do in Nextcloud, and therefore we try to explore ACLs.
There are a few access control list systems out there. POSIX mode is not one, it's too limited. POSIX ACLs are, I think, basically not used, but they are richer than mode. There are the NTFS ACLs, which are basically the industry standard, I think; the NFSv4 ACLs, which are quite similar, almost identical; and CRUDS permissions as in Nextcloud can, from my perspective, also be seen as an ACL thing, so a list of access control entries.

If you look at a system of access control, you typically have to answer a few similar questions. One is how do you handle folders in contrast to directories; directories are typically used to organize files, in contrast to directories of folders, they are typically used to organize files. Who can read, write or have anything else as permissions, like control them, do reshare or something like that? Who else could have permissions on this object, on these entities? And how to determine permissions for new objects? All of the systems I described before, or mentioned before, have found some sort of answer to this. The tables, if you want to look at the slides offline, will give you a few hints for all of those four systems.

I want to specifically talk about the NTFS and NFSv4 ACLs, because they are so similar, because we're using them, and you can learn a few things from them. The NTFSv4, no, the NTFS ACLs introduce 14 permissions, folded with things like allow ACEs, deny ACEs, and audit and alarm and more things. They have inherited ACLs for new objects, as you probably know, and a few other things to know. It's quite common sense to stick to allow ACEs, because otherwise you will get lost, and Windows, as you probably also know, reduces those 14 permissions, projects them down again to three, basically three, the basic permissions, which are read, modify, change, so that's read and write, and full control. They also have a few things to comply with POSIX mode, NTFS and NFSv4. I skip that table, I land here, okay, great.
Nextcloud has these CRUDS permissions, and that's what we derived from this. You see that for files it's reduced to basically three permissions, for directories all five of them, and we think you can do all this also with ACLs: 14 permissions, you can project them down, and if you look at it from the other way around, you can also do it from CRUDS to NFS.

So basically access control, I think, is typically read, write and control, perhaps upload in the context of cloud sharing. POSIX mode and POSIX ACLs, every system can handle it, including CRUDS obviously, and in setups where you have a simple directory service you can try to harmonize that and bring everything together and have a transparent access control. Thank you.
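
The projection described in the talk, from NFSv4-style ACEs down to Nextcloud-style create/read/update/delete/share bits, sketched as an added example that is not taken from the talk or its slides. The mask bits are those of RFC 7530 and the permission values are Nextcloud's; the mapping rules, function names and sample ACLs are assumptions of this example. A cloud permission is granted only when every required filer bit is allowed, so the cloud layer never offers more than the NAS would.

```python
# NFSv4 ACE mask bits from RFC 7530; on directories the first three mean
# LIST_DIRECTORY, ADD_FILE and ADD_SUBDIRECTORY.
READ_DATA, WRITE_DATA, APPEND_DATA = 0x1, 0x2, 0x4
DELETE_CHILD, WRITE_ACL = 0x40, 0x40000
ALLOW, DENY = "A", "D"

# Nextcloud permission bits (the PERMISSION_* constants in OCP Constants).
READ, UPDATE, CREATE, DELETE, SHARE = 1, 2, 4, 8, 16

# Assumed projection: a cloud permission needs ALL listed filer bits.
# Files get three permissions, directories all five, as stated in the talk.
FILE_RULES = {READ: READ_DATA, UPDATE: WRITE_DATA | APPEND_DATA, SHARE: WRITE_ACL}
DIR_RULES = {
    READ: READ_DATA,
    CREATE: WRITE_DATA | APPEND_DATA,
    UPDATE: WRITE_DATA | DELETE_CHILD,  # rename = add entry + remove entry
    DELETE: DELETE_CHILD,
    SHARE: WRITE_ACL,
}


def effective_mask(acl, principals):
    """Walk ACEs in order; the first ACE naming a bit decides it (NFSv4 rule)."""
    allowed = denied = 0
    for ace_type, who, mask in acl:
        if who not in principals:
            continue
        undecided = mask & ~(allowed | denied)
        if ace_type == ALLOW:
            allowed |= undecided
        else:
            denied |= undecided
    return allowed


def project(acl, principals, is_dir):
    """Return the CRUDS bitmask for these principals on one object."""
    mask = effective_mask(acl, principals)
    rules = DIR_RULES if is_dir else FILE_RULES
    return sum(bit for bit, need in rules.items() if (mask & need) == need)


# Constructed sample ACLs (users, groups and masks are made up).
FULL = READ_DATA | WRITE_DATA | APPEND_DATA | DELETE_CHILD | WRITE_ACL
ALLOW_ONLY = [(ALLOW, "staff", FULL), (ALLOW, "students", READ_DATA)]
WITH_DENY = [(DENY, "students", WRITE_DATA)] + ALLOW_ONLY

if __name__ == "__main__":
    print(project(ALLOW_ONLY, {"alice", "staff"}, is_dir=True))
    print(project(WITH_DENY, {"bob", "staff", "students"}, is_dir=True))
```

The second call shows why deny ACEs are hard to reason about: a single leading deny on one group silently removes create and update for a user who is also in a fully privileged group.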