Granite Policies
Requirements: Training
Granite is a secure research environment used to protect highly-sensitive data. While Granite helps us meet the challenging technological requirements for keeping data safe, we must also consider user expectations and behaviors. We therefore require a minimal set of training prior to accessing Granite:
- Cybersecurity Training - All users will take a 1-2 hour online course offered through Dartmouth’s Information Security department. Granite Support will help coordinate that training.
- Research Compliance Training - All users will additionally demonstrate proof that they’ve taken at least one of the following CITI courses related to Human Subject Research:
  - CITI Group 1: Biomedical Research
  - CITI Group 2: Social/Behavioral Research
  - CITI Group 3: Biomedical Data or Specimens Only Research
- If users have not previously taken one of these courses, we recommend taking either one of the above courses, or CITI Responsible Conduct of Research
- These training requirements are separate from any training required by your IRB
Requirements: Granite Onboarding Documentation
- When initiating a new project, we ask that every Principal Investigator fill out an online Granite Project Form. This form contains basic project and contact information that is used to set up and enable your new Granite environment. The form is available online at https://dartgo.org/granite-project-form
- We require that every user who will access Granite fill out a Granite User Agreement. The purpose of this form is to ensure that all users of data stored in Granite agree to and accept responsibility for compliance with the physical, administrative, and technical controls required by your Data Use Agreements (DUAs). This form is available online at https://dartgo.org/granite-user-agreement
Monthly Patching
- On a monthly basis, Granite Support updates all of the Granite Virtual Machines (VMs) with the latest Windows and Linux patches, as well as any updates to the underlying Granite applications. This typically happens on the third Thursday of every month from 6 AM - 10 AM, and we reach out to all Granite users the Monday prior for planning purposes. Emails are sent out to the Granite community upon completion of the work.
Software Packages and Updates
- As Granite VMs are by policy not connected to the Internet, we maintain a locally accessible repository of R (CRAN) and Python packages (PyPI), among others.
- On Linux VMs, this repository is available from /opt/software.
- On Windows VMs, this repository is available as a network drive (S:).
- The local/mirrored repositories are currently updated twice a year.
- If you need specific packages that are not available on the shared repository, please reach out to granite.support@dartmouth.edu. Be sure to include any dependencies you need as well as the name/version of the package itself. For Python users, providing a requirements.txt file is helpful. We will work with you to make the package(s) accessible on this local repository.
Managing User Permissions on Virtual Machines (VMs)
- Setting permissions for users on virtual machines can lead to security vulnerabilities, user access problems, and/or issues with application functionality.
- As such, Granite Support manages the setup and configuration of user permissions and access directories on all Granite VMs.
- At project setup, Granite Support will work with project leaders to discuss needs, establish and document security goals, and configure directory permissions accordingly.
- Updates to directory permissions can be made on an as-needed basis by putting in a support ticket with granite.support@dartmouth.edu.
- The ability to transfer data in and out of the VM is handled separately and also by Granite Support. On a case-by-case basis, we allow certain users from each project the ability to transfer files in/out, based on each project’s DUA, and can update who has this level of access.
Notification of Project Personnel Changes
It is the Principal Investigator’s (PI) responsibility to notify Granite Support of any personnel changes to any project(s) they have in Granite. Please reach out to Granite Support as soon as possible if there are personnel changes to your research team so that we can update user access accordingly.
Security and Support Policy
From an administrative and support perspective, Granite intentionally divides responsibilities between super-admin and sub-admin roles so that the security of the system is not in the hands of a single person or role. Super-admins have the responsibility for managing overall computing resources and updating VM images, while sub-admins oversee teams, projects, and individual virtual machines, managing user access and VM configurations.
In order to provide support and troubleshoot user issues, sub-admins are by default set as the owners of VMs over which they have responsibility. Sub-admins are equipped with user accounts on their assigned VMs and individual folder permissions are set accordingly. Sub-admins do not have admin access to Windows VMs and are limited to sudo access on Linux VMs. They otherwise rely on super-admins when a higher level of access is required. Super-admins have no direct access to project VMs.
While sub-admins can access project folders, by policy they do not unless there is a clear reason - i.e., troubleshooting user-identified issues. Even in that case, care is taken to avoid accessing any data files so as to limit issues with IRB requirements and/or the inadvertent sharing of protected data.
In their work, sub-admins and super-admins seek to balance the security and privacy of Granite data against the need to provide effective support to Granite users. We encourage users to reach out with any questions or concerns.
Screen-Sharing over Video Conference Software
Screen-sharing over video conferencing software introduces potential security and compliance issues that must be carefully considered and managed. Granite users are expected to adhere to this policy and take all necessary precautions to protect sensitive data.
In accordance with the Data Use Agreement (DUA) with CMS, Granite users are not permitted to screen share from virtual machines (VMs) that access CMS data.
In other cases, limited VM screen sharing is possible in accordance with the following guidelines:
- All parties on the call must be connected to a secure, encrypted network (VPN).
- All parties on the call must use institutionally-provided WebEx, Zoom, or MS Teams accounts, and ensure that they are regularly updated.
- All parties should be verbally verified before screen sharing is initiated.
- All parties on the call must be currently active users on the Granite VM being shared.
- All parties on the call must be located in a separate and private physical space, and be aware of background computing processes on their local device.