I should start with stating that Apple does not recommend the use of ACLs on an Xsan volume to limit file access with a Final Cut Pro workflow. For those of us who desire the control that ACLs give, that is of little deterrence. So, I enabled ACLs on my Xsan volume and went to town limiting where it was needed and gave full access where it was needed. That is when, with the help of two savvy editors, I discovered why Apple does not recommend the use of ACLs with FCP.
It appears that FCP wants the ability to Write Attributes, even when Read access appears sufficient. I suppose FCP knows how to negotiate this with POSIX permissions, but not with ACLs.
Click Read More for the rest of the story...
I came to this conclusion when the two savvy editors were able to recreate causing a dropped frame on the other's system by accessing media files located in the same directory where one of the users was owner and the other a member of the group with Read access only. (It should be noted that this is an inconsistent behavior, which makes it all the more annoying. It may also manifest itself in ways other than dropped frames.)
The power of ACLs is its granularity, and it was time to start taking advantage of that. I went about thinking of the most innocuous write permission I could give to test my theory — I was not about to have my Xsan volume become the Wild West [editor's note: Yee haw!] by granting everyone Read/Write access to all directories, nor did I want to use POSIX permissions, which are too limiting, do not provide inheritance, and do not provide good integration with PC StorNext clients.
The only thing I could think that FCP wanted to write in regards to the media files is the file attributes. (A file attribute is data describing a file, such as owner, file type, access permissions, date modified, size, etc.) Giving Write attributes to the user's group seemed like the most innocuous approach and it worked. Once I added this to the ACLs for the group and propagated the permissions, my savvy editors could no longer taunt me with dropped frames.
Fig. 1 Original ACL for Group
Fig. 2 Revised ACL for Group
With the exception of the absent dropped frames, the user experience has not changed. They still do not have the ability to write to directories they do not own, nor has their workflow been modified.
We have been using this solution for over a month now without issue, or dropped frame.
I expect future releases of Final Cut Pro to be more ACL aware, but until that happens (and my facility chooses to update), adding the Write Attribute to the group's ACL is the best solution.
I recommend testing in your environment before implementing and reading Apple's Knowledge Based articles regarding ACLs, Xsan and FCP.