...
<data-level> → this optional prefix maps to the information classification policy as defined in LPM-122. This identifier cannot be an arbitrary string and must use one of the designated names as set forth in LPM-122. If this prefix is absent then “shareable” is assumed unless a convention supersedes this, see examples below.
<data-release> → this optional prefix is used to narrow data access rights by specific Data Release. This prefix cannot be specified if <data-level> is not specified. If this prefix is not specified then it is assumed the members of the group have access to all data as specified in the <data-level> prefix, regardless of which Data Release is being accessed. <data-release> must be in the format of “DR#”, where “#” is a positive integer.
<identifier> → this optional prefix is an arbitrary field that can be used to designate the context in which the group grants resource access or data access rights. Also, it can be used to designate a group in which membership is denied access to a specific service, resource or Data Release. For example: “comcluster” might be used to designate those with access to the commissioning cluster where “notebookBL” might be used to designate those denied access to the notebook Aspect in the science platform. In terms of LSST’s security policy this prefix shouldn’t be used if a general case is sufficient for access.
...