Apps have code that is deployed in a directory on the filesystem. An app-specific supplemental group is used to protect access to this directory: only the account that owns the files and the members of that group can read or execute them, and everyone else gets no access at all.
For example, FanSim uses the supplemental group atsfan. If the app deployment directory is fansim, these are the commands to protect the app, run as the account that owns the files:
chown -R $USER:atsfan fansim/
chmod -R g+s fansim/
setfacl -R -m u::rwX,g::rX,o::---,d:o:--- fansim/
# for any Perl scripts, remove the s bit (the glob is anchored to fansim/ so it
# does not pick up files in the current directory or names merely ending in "pl")
find fansim/ -type f -name '*.pl' -exec chmod g-s {} +
This ensures that the files underneath fansim are readable and executable only by the owner and by users in the atsfan group; other users have no access. The setgid bit on the directories makes anything created inside them inherit the atsfan group rather than the creator's primary group, and the default ACL entry (d:o:---) makes files created later unreadable to others regardless of the creator's umask. The capital X in the setfacl entries grants execute only on directories and on files that already have an execute bit, so scripts stay runnable while data files do not become executable. A script to run these commands is here: /nfs/04/ndem0009/bin/protectapp
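The same procedure as a reusable shell function, generalized to any deployment directory and group, with a check that nothing under the tree is accessible to "other" and that no regular file still carries a setuid or setgid bit. This is an added example; it is not the protectapp script at /nfs/04/ndem0009/bin/protectapp and the function names protectapp and check_protected are assumptions. It assumes GNU coreutils and findutils, and uses setfacl only if the acl package is installed. It differs from the commands above in setting the setgid bit on directories only, which is where group inheritance comes from, so no per-file cleanup for Perl scripts is needed.

```shell
#!/bin/sh
# protectapp.sh: restrict an app deployment tree to its owner and one
# supplemental group. Added example; not the site's protectapp script.
# Assumes GNU chmod/chgrp/find and, optionally, setfacl from the acl package.
#
# Usage: protectapp <deploy-dir> <group>        e.g. protectapp fansim atsfan

protectapp() {
    dir=$1
    group=$2
    if [ ! -d "$dir" ]; then
        echo "protectapp: $dir is not a directory" >&2
        return 1
    fi

    # 1. Hand every file and directory to the app's supplemental group.
    #    The owner is left as is (run this as the account that owns the files).
    chgrp -R "$group" "$dir" || return 1

    # 2. Directories: owner rwx, group rx, nothing for others, plus setgid so
    #    anything created inside inherits the group instead of the creator's
    #    primary group.
    find "$dir" -type d -exec chmod u=rwx,g=rxs,o= {} + || return 1

    # 3. Regular files: owner rw, group r, nothing for others. X keeps the
    #    execute bit only where the file already had one (scripts, binaries).
    #    Setuid/setgid are cleared on files; they play no part in group
    #    inheritance, which is a directory property.
    find "$dir" -type f -exec chmod u=rwX,g=rX,o=,ug-s {} + || return 1

    # 4. Default ACL on each directory so files created later get owner rw,
    #    group r and no access for others regardless of the creator's umask.
    #    Skipped with a warning when setfacl is missing or the filesystem
    #    does not support ACLs.
    if command -v setfacl >/dev/null 2>&1; then
        find "$dir" -type d -exec setfacl -m d:u::rwx,d:g::r-x,d:o::--- {} + \
            || echo "protectapp: warning: could not set default ACL on $dir" >&2
    else
        echo "protectapp: warning: setfacl not found, default ACL not set" >&2
    fi
}

# check_protected <dir>: return 0 if nothing under dir is accessible to
# "other" and no regular file carries a setuid/setgid bit; otherwise list
# the offenders on stderr and return 1.
check_protected() {
    offenders=$(find "$1" \( -perm /o+rwx \) -o \( -type f -perm /ug+s \))
    if [ -n "$offenders" ]; then
        printf 'check_protected: not protected:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Command-line use: protectapp.sh <deploy-dir> <group>
if [ "$#" -eq 2 ]; then
    protectapp "$1" "$2" && check_protected "$1"
fi
```

Run check_protected on its own from time to time: a file copied in with cp -p, or extracted from a tarball, keeps its original mode bits and can quietly reopen the tree to other users.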