caretaker indirection
We’ve got a “data archive” here, where we store all of our raw fMRI data, for safe-keeping. Unfortunately, it’s hard to allow the kind of fine-grained access control which would allow people to insert new data but disallow alteration or removal of data.
The solution I’ve come up with is to use a caretaker pattern, which means a program on the server side which creates, unlocks, and re-locks the appropriate directory. The workstation prepares the new data and then calls out (via ssh and sudo) to the caretaker, which prepares the new directory. The data is copied over, and then the caretaker re-locks the directory.