Projects

What are the Projects?

Analogy

Imagine you have a special treasure box that holds secret letters. Each letter has a magic lock on it, and only certain people have the right magic key to open them. But there are rules! You can only open a letter if:

  1. The letter was shared with you.
  2. You are part of the group that owns the treasure box.
  3. You follow all the rules for that treasure box.

Even if you are the boss of the treasure room, you still can't open every letter just because you want to! You need to follow the same rules.

Examples

  • John and Emma are in the same treasure group. John locks a letter inside the treasure box, but Emma can’t open it unless John also gives her permission.
  • John and Emma share a letter, but if John puts it inside the treasure box, Emma must be part of the group and follow the rules before she can open it.
  • If John shares a treasure box with a big group, they still need to follow all the rules before opening the letters inside.

Application

Projects serve as a protection system, combining administrator-defined access controls with end-to-end encryption.

Since relying solely on cryptographic functions is impractical for performance and convenience, projects use resource tagging to manage access. Tagging a resource, such as a file or group, limits access to specified users.

You can access projects from:

  • The Vault section, which displays only the projects you belong to, regardless of your user role.
  • The Management section, which displays all the projects in the system.

The Open Overlay consolidates actions and views for a single entity (project, user, or group), offering a centralized interface to manage and review all related details.

Projects include a security level with requirements, a name, a description, creation and modification dates, members, and an optional Principal Investigator. They may also have subprojects, creating a hierarchy.

To Remember
  • Projects act as a security tagging mechanism.
  • Projects allow resources to be protected and shared exclusively with project members.
  • Tagging a resource with a project label significantly limits its accessibility and manipulation.
  • Projects consist of security levels, which include one or more security requirements.

What is the Project Hierarchy Tree in tiCrypt?

The root project in the system is No Project (Unlocked), with no requirements.
All projects created in the system are descendants of the root, with No Project (Unlocked) as their parent by default.
You can create unlimited subprojects from a single project, and subprojects inherit the same security levels as their parent project.

For a virtual machine tagged with AA, only drives tagged with AA, A, or No Project (Unlocked) can be used.
The same rule applies to transferring files into a virtual machine.

For example, a file tagged with BB can be transferred into a virtual machine tagged with BB, BBA, BBB, or BBC. However, it cannot be transferred into a virtual machine tagged with AB, B, or No Project (Unlocked).

Admins can grant project open overlay permissions, enabling users to create, edit, or delete project memberships, subprojects, security requirements, and member certifications.

Once a resource is transferred into a virtual machine, it adopts the virtual machine's project tag. For instance, if a file tagged with A is transferred into a virtual machine tagged with ABA, the file's project tag changes to ABA upon removal.
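
The hierarchy rule above amounts to an ancestor-or-self check followed by a re-tag on the way out. The following Python model is an added illustration, not tiCrypt code. The tags are the ones used in the examples above; the parent links and all function names are assumptions inferred from those examples.

```python
# Added illustration: a model of the tagging rule, not tiCrypt's implementation.
ROOT = "No Project (Unlocked)"

# Parent of each project. Tags are taken from the text; the parent links
# are an assumption inferred from the examples (A > AB > ABA, B > BB > BBA...).
PARENT = {
    "A": ROOT, "B": ROOT,
    "AA": "A", "AB": "A", "ABA": "AB",
    "BB": "B", "BBA": "BB", "BBB": "BB", "BBC": "BB",
}

def lineage(tag):
    """Return [tag, parent, grandparent, ..., ROOT]."""
    chain = [tag]
    while chain[-1] != ROOT:
        if chain[-1] not in PARENT:
            raise ValueError(f"unknown project tag: {chain[-1]!r}")
        chain.append(PARENT[chain[-1]])
    return chain

def can_enter(resource_tag, vm_tag):
    """A drive or file may enter a VM only if its tag is the VM's tag
    or one of the VM tag's ancestors (the root counts as an ancestor)."""
    return resource_tag in lineage(vm_tag)

def tag_on_removal(resource_tag, vm_tag):
    """Tag a resource carries when it leaves the VM it was transferred into."""
    if not can_enter(resource_tag, vm_tag):
        raise PermissionError(f"{resource_tag!r} cannot enter a VM tagged {vm_tag!r}")
    return vm_tag

def allowed_vms(resource_tag):
    """Every VM tag in the tree that would accept this resource."""
    return sorted(vm for vm in [ROOT, *PARENT] if can_enter(resource_tag, vm))

if __name__ == "__main__":
    print(allowed_vms("BB"))            # VMs that accept a BB file
    new_tag = tag_on_removal("A", "ABA")
    print(new_tag)                      # file tagged A leaves the VM as ABA
    # Flow is one-way: once re-tagged ABA, the file can no longer enter
    # a sibling branch (AA) or move back up to A.
    print(can_enter(new_tag, "AA"), can_enter(new_tag, "A"))
```

Because a resource takes the VM's tag on removal, data can only move toward more specific projects in the tree, never back toward the root or across branches.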

What are the Project Override Permissions?

If you have super-admin permissions, you can override project tags by classifying and declassifying projects. This action exists so that faulty tagging by users can be corrected.

To fix faulty tagging, users with an Admin or Super-admin role may tick the box "Use my permission to override any membership, security requirement, and other rules and re-tag the resource(s) with any project I can see, regardless of its relation to the current project". This action is carefully monitored in the audit logs.

If you cannot view all sections within a project, then you do not have the viewing permissions from your admin.

Why are Projects Important?

Projects provide the following mechanisms:

  • Security through both encryption and access control.
  • Access privilege by resource via security levels.
  • Compliance via security requirements.
  • Proof of compliance via user certifications.

For example, a project may be called "USA," where the two security levels that define the project are US citizens and US residents.
The tagged government document within tiCrypt can only be viewed by an individual who is part of the USA project.
Only users who meet the security requirements can view the document.

Projects are made of:

  • Security levels made of:
    • Security requirements validated by:
      • User certifications.

How to Control Projects As an Advanced User?

  1. Use the Close button in the top left of the project overlay window to go up in the project tree.
  2. Click Close twice to go up two layers in the directory tree.
  3. Use the Open Overlay button in the project overlay window to go deeper in the project tree. For example, if Top-Level Project ABC has the Subproject A, which has the Subproject A1, which has the Subproject A1*, you can navigate through the project tree as needed.
  4. Use TAB to navigate quickly through prompts.
  5. When you create a subproject, press TAB multiple times to skip through optional rows and reach the buttons to proceed.
  6. Use SHIFT+TAB to navigate backwards in prompts.

What are the Users' Viewing Abilities of a Project Resource?

| Resource | User Requirements | Project Requirements | System Permissions |
|---|---|---|---|
| Unlocked (no tag) | Do not apply | Do not apply | Basic Team Interaction; Basic Vault Interaction; Basic Group Interaction; Basic Inbox Interaction |
| Project-tagged | Project Member | Regular Member, No restrictions or Cannot Download | All above + Basic Project Interaction |
| Security Level Project-tagged | Project Member + Security Level Certified | Regular Member, No restrictions or Cannot Download + Non-expired Certification | All above + Basic Project Interaction |

What is the Difference between Projects and Security Level-Based Projects?

Projects have a tag and require project membership to join them. Security level-based projects have a tag as well as a security level with security requirements, so they require both user certification and project membership to be part of them.
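
The three rows of the table and the distinction above can be read as one access decision: membership first, then certifications, then the member's restriction. The Python model below is an added illustration, not tiCrypt code, and it does not cover the admin override. It assumes that every requirement of the security level needs a certification, that a certification is valid through its expiry date, and that the class, field, and user names are hypothetical.

```python
# Added illustration: a model of the access decision, not tiCrypt's implementation.
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Project:
    name: str
    requirements: frozenset = frozenset()        # empty: project has no security level
    members: dict = field(default_factory=dict)  # user name -> "none" | "cannot_download"

@dataclass
class User:
    name: str
    certifications: dict = field(default_factory=dict)  # requirement -> expiry date

def decide(user, project, action, today):
    """Return (allowed, reason) for action "view" or "download".
    project=None models an unlocked (untagged) resource."""
    if project is None:
        return True, "unlocked resource"
    # Row 2 of the table: membership is required regardless of the user's role.
    if user.name not in project.members:
        return False, "not a project member"
    # Row 3: each requirement needs a certification that has not expired
    # (assumption: all requirements must be met, expiry date inclusive).
    for req in sorted(project.requirements):
        expiry = user.certifications.get(req)
        if expiry is None:
            return False, f"missing certification: {req}"
        if expiry < today:
            return False, f"expired certification: {req}"
    # Per-member restriction set when the user was added to the project.
    if action == "download" and project.members[user.name] == "cannot_download":
        return False, "member restricted to Cannot download"
    return True, "ok"

# Constructed sample data; project and requirement names echo the "USA" example.
usa = Project("USA", frozenset({"US citizen"}),
              {"john": "none", "emma": "cannot_download"})
john = User("john", {"US citizen": date(2026, 6, 30)})
emma = User("emma", {"US citizen": date(2026, 6, 30)})
boss = User("boss")          # an admin who is not a member of the project
TODAY = date(2026, 1, 15)    # constructed evaluation date

if __name__ == "__main__":
    for who, what, when in [(john, "download", TODAY), (emma, "view", TODAY),
                            (emma, "download", TODAY), (boss, "view", TODAY),
                            (john, "view", date(2026, 7, 1))]:
        print(who.name, what, when, decide(who, usa, what, when))
```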

What are the Project-Tagged Virtual Machines?

Projects can be tagged in the Virtual Machines section under Drives.
Attaching a project-tagged drive to a virtual machine automatically tags the virtual machine with the same project.

To tag an element to a project, you must be a member of that project. A project can have only one assigned security level.

What is the Mechanism behind Adding Users to a Project?

Adding a security level tags the project. Adding a user to a subproject automatically adds them to the parent project.

What is the Mechanism behind Removing Users from a Project?

Removing a security level unlocks the project. Removing a user from a subproject will still keep their membership in the parent project.

What are the Subprojects?

A subproject is a project that is branched off of a parent (top-level) project. Subprojects can have different security levels from their parent project and are independent regarding access control. The project hierarchy determines which resources can be tagged with a specific project.

What is the Purpose of Making Announcements in Projects?

A user can make an announcement of up to 250 characters to all users with the appropriate project membership. Regardless of your role, you must be a project member to make announcements to its members.

Announcements will appear in the Notifications section. Notifications older than three months are automatically archived by default. This setting can be changed upon request.

What is the Mechanism Behind Project Deletion?

A project can be deleted only if it has no subprojects or members. Even if you are the sole member, deletion is restricted. Only admins can delete projects via the Management section. Avoid deleting security requirements as they may still be in use.

Can I use tiCrypt for Multiple Institutional Departments?

You can use tiCrypt in multiple departments.

tiCrypt is designed to function at the institutional level, adapting to projects from 1-2 users to 100+ users per project.

How do I Prevent Users from Accessing Classified Data from Two Isolated Datasets?

Large institutions cannot trust large groups of users with sensitive data. It is a matter of time until sensitive data gets leaked, resulting in fatal outcomes for the institutions.

Projects often should not allow user access to other data sets except their current work projects.

Note: There is a definite temptation for any individual to take a peek at classified data whenever it is available at their fingertips.

tiCrypt uses security levels, security requirements and user certifications to control data point allocation as follows:

  • What resource is being accessed?
  • Who can access the resource?
  • How can they access the resource?
  • When can they access the resource?

Projects allow separation between tasks, restricting users from combining data sets.
For example, suppose you have 60 projects with federal data & state data and 60 levels of data management.

Each project will have a unique tag with a distinct security level. In this way, tiCrypt identifies which projects include federal and state data and prevents users from accessing restricted projects or combining data between projects based on security requirements set by the admin.

For a user to be able to use two projects but never combine the data between them, the admin can set the restriction to Cannot download in the pop-up shown when adding the user to the project. This means the project member can view the project data but cannot download it or move it out of its container, so the data is processed in a separate allowed virtual machine designed for this purpose.

How do I Enforce an Expiration Date in the Agency Contract?

Many agencies who work with research teams require an expiration date in the institutional contract. You must create an infrastructure to adhere to the contract terms.

  1. Create a new top-level project based on the initial contract.
  2. Add the users of the contract to the project.
     Note: Users you add cannot be external. They must have an existing tiCrypt account, belong to a team and be activated by an existing admin.
  3. Add the appropriate contract-based security levels.
     Note: For example, various agencies require researchers to be US citizens. You can set a level in your project titled US Citizen.
  4. Create the appropriate project security requirements.
     Note: Security requirements satisfy the security level. Once project members satisfy the appropriate requirements, they qualify to actively work in the initial contract.
  5. Certify User(s) with User Certifications for the project security requirements.
  6. Set an expiration date on User Certifications.

Info: User Certifications are vital to the initial contract because they set an expiration date for the project members.

Tip: Copy the project expiration date from the contract and paste it into the User Certifications. This ensures compliance with agency contract terms, eliminates concerns about operating with expired data, and keeps all project members motivated to complete the project on time.

How to Conduct Research Project Management in tiCrypt?

This answer addresses Project Investigators and Sub-admins. There are two methods to execute research in projects.

Research Teams Not Utilizing Project Tags

  • Open project with no restrictions.
  • Requires only membership to join.

  1. Create a New Team for Project.
     Note:
       • The new team allows you to track the resource quota of the project and let the project members know each other.
       • You do not need to write anything in the Risk assessment ID field. This option serves management purposes in large projects.
  2. Add Users to the Team for Project.
  3. Create a New Project from the Vault.
     Note: For this workflow, do not enter a security level.
  4. Add New Members to a Project From the Vault.
     Note: For this workflow, do not enter a date due, unless required by contract policy.
  5. Create a Virtual Machine for Project.
     Note: Before setting up a VM for your unlocked project, you should have the hardware set up and drive capacity for the project from your admin.
     Caution: Upon VM configuration creation, the system requires you to Format the new drive for encryption to take place.
  6. Add Users to Virtual Machine.
     Tip: Use Sync Users’ Permissions in a Virtual Machine to ensure all users have updated permissions.
  7. Give Read-Only Access of a Drive to Users.
     Caution: A drive can only be mounted in one place as read-write or in multiple places as read-only. You will set the drive to read-only to allow users to add data to it. Use the read-write when sharing with admins or VM co-owners only.
  8. Change or Attach More Drives in a VM.
     Caution: When attaching a new drive to a running VM, ensure both drives are either NTFS for Windows or EXT4/BTRFS for Linux/Mac.
  9. Make an Announcement to the Project Members About the Project.

Research Teams Utilizing Project Tags

  • Tagged project with security levels and requirements.
  • Requires membership and user certificates to join.

  1. Create a New Team for Project.
     Note: The new team allows you to track the resource quota of the project and let the project members know each other.
  2. Add Users to the Team for Project.
  3. Create Security Requirements for the Project.
  4. Create a Security Level for the Project.
     Tip: Use similar keywords for the security levels and the security requirements of the same project.
  5. Create a Top-level Tagged Project from Management.
  6. Add New Members to a Project From the Overlay.
  7. Certify User(s) with a Certification for a Security Requirement.
  8. Create a Virtual Machine for the Project.
  9. Tag the Project in the Virtual Machine.
     Note: Before setting up a VM for your classified project, you should have the hardware set up and drive capacity for the project from your admin.
     Caution: Upon VM configuration creation, the system requires you to Format the new drive for encryption to take place.
  10. Add Users to the Tagged Virtual Machine.
     Tip: Use Sync Users’ Permissions in a Virtual Machine to ensure all users have updated permissions.
  11. Give Read-Only Access of the VM's Drive to Users.
     Caution: A drive can only be mounted in one place as read-write or in multiple places as read-only. You will set the drive to read-only to allow users to add data to it. Use the read-write when sharing with admins or VM co-owners only.
  12. Change or Attach More Drives in the VM.
     Caution: When attaching a new drive to a running VM, ensure both drives are either NTFS for Windows or EXT4/BTRFS for Linux/Mac.
  13. Create a Subproject from Management.
     Subprojects can have different security levels from their parent project and are independent regarding access control. However, the project hierarchy determines which resources can be tagged with a specific project.
     Note:
       • A subproject is a project that is branched off of a parent.
       • Subprojects do not inherit any access restrictions from the parent.
       • A user might be able to access resources tagged with a particular project but not be able to access resources tagged with a parent project.
       • Adding a user to a subproject automatically adds them to the parent project.
       • Removing a user from a subproject will still keep their membership in the parent project.
  14. Share VM Configuration with Another Subadmin/PI.
     The other Subadmin/PI will have shared ownership of the VM, enabling them to take over its drives if necessary.
  15. Make an Announcement to the Project Members About the Project.

How do I Set Up Enforced Compliance Goals for my Projects?

Create a project with security requirements acting as compliance goals for project members.

  1. Create a set of Security Requirements (the compliance goals).
  2. Create a Security Level (the level of access).
  3. Create a Project using the Security Level.
  4. Certify Compliant Users.

Info: Compliance goals are crucial for safeguarding reputation, enforcing security for sensitive information, and building trust with government agencies.

Tip: Customize user access in your projects via restrictions. For example, filter the users who achieved compliance goal A and give them access to view the project resources; then, for the users who achieved compliance goal B, allow them to download the project resources and work on them separately.

How do I Share Project-tagged VMs?

  1. Tag Project to Resource.
  2. Tag Project to a Running VM.
     Info: To tag a VM you must be its owner or manager and be a member of the project you are tagging it with.
  3. Transfer Project Resource to Project Virtual Machine.
     Virtual machine file transfers do not remove file content but make a copy of the file.
     Tip: You should tag most resources to a project for healthy security management practices.
  4. Share Project Resource.
     You can only share project-tagged resources with users who are part of the same project.
  5. Add User(s) to project-tagged VM.

How do I Implement Restrictive Actions in a Sensitive Project?

When you add user(s) to your project, you can set viewing or downloading restrictions in place.

Note: All downloads and views occur in the current session of your browser.

How to Handle Hierarchical Scope Data with Simultaneous Source Usage Restrictions?

Suppose you have federal-level data, and the funding agency allows you to combine it with state-level data, but the requirements ban the use of two or more states simultaneously.

How can you work with this data without moving it?

To achieve a complete architecture for hierarchical scope data where users have access to more data sets without being able to combine them, you can use the following workflow.

  1. Create a parent (top-level) project.
  2. Add a description in the parent project informing users to "not mix data from source A and source B".
  3. Separate the data access by creating a security level in the parent project.
  4. Add security requirements for the parent project.
  5. Certify users for the security requirements in the parent project.
  6. Create a child sub-project from the parent project.
  7. Create a distinct security level for the subproject.
  8. Add security requirements for the subproject.
  9. Certify users for the security requirements of the subproject.

When a common member of a parent and child project tries to move data between the two projects, the system will block the operation due to the security levels in place.

Now you have an enforced policy that allows users to operate in the same project without combining any data sets.

What is the PI Column in Projects Table?

The PI column stands for Principal Investigator, who is usually the individual responsible for the progress of the project. The PI may be a tiCrypt user or an external individual. The PI field is strictly management-oriented and serves as project metadata.