Apps have code that is deployed in a directory on the filesystem. An app-specific supplemental group is used to protect access to this directory.
For example, FanSim uses the supplemental group `atsfan`. If the app deployment directory is `fansim`, these are the commands to protect the app, run from its parent directory as the account that owns the files:
```
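# owner stays $USER; group becomes the app's supplemental group
chown -R "$USER":atsfan fansim/
# setgid: new files and subdirectories created under fansim/ inherit the atsfan group
chmod -R g+s fansim/
# owner rwX, group rX, nothing for others (also as the default for new entries)
setfacl -R -m u::rwX,g::rX,o::---,d:o:--- fansim/
# for any Perl scripts, remove the s bit
find fansim/ -type f -name '*pl' -exec chmod g-s {} +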
```
This ensures that the files underneath `fansim` are readable and executable only by users who are in the `atsfan` group. A script to run these commands is here: `/nfs/04/ndem0009/bin/protectapp`
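
To confirm the result after a deployment or an update, the audit function below checks the properties the commands above are meant to establish. It is an added example, not the `protectapp` script the page points to; the name `audit_app_dir` and the finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit an app deployment directory against the scheme above.
# Usage: audit_app_dir DIR GROUP   (e.g. audit_app_dir fansim atsfan)
# Prints one line per finding; returns 0 only when there are none.
# Named ACL entries (u:name:..., g:name:...) are not covered here;
# inspect those separately with getfacl.
audit_app_dir() {
    dir=$1
    grp=$2
    findings=$(
        # Anything that grants read, write or execute to "other".
        # Symlinks are skipped: their own mode bits are not enforced.
        find "$dir" ! -type l \( -perm -0004 -o -perm -0002 -o -perm -0001 \) \
            -exec printf 'other-access %s\n' {} \;
        # Anything not owned by the app's supplemental group.
        find "$dir" ! -type l ! -group "$grp" \
            -exec printf 'wrong-group %s\n' {} \;
        # Directories without setgid: new files there would not inherit the group.
        find "$dir" -type d ! -perm -2000 \
            -exec printf 'dir-no-setgid %s\n' {} \;
        # Perl scripts that still carry the setgid bit.
        find "$dir" -type f -name '*pl' -perm -2000 \
            -exec printf 'perl-setgid %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```
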