Access Control and AFS Groups

The AFS Filesystem provides Access Control Lists (ACLs) and user-managed AFS user groups for controlling file access.

2.1.4.1 Access Control Lists (ACLs)

Each directory in AFS has an ACL (Access Control List).

The ACL of a directory applies to all files in that directory. For example, if the ACL allows read access to a user, then all readable files (according to the Unix owner permission bits) in the directory will be readable by that user. The same applies to write and execute permissions (note: in order to execute a file (run the program), you must also be able to read the file). It is impossible to have two files in a given directory with different ACLs; if two files need different access, put them in different directories. Each directory has its own ACL: a new subdirectory starts with a copy of its parent's ACL, but later changes to the parent's ACL do not propagate to subdirectories that already exist.

Access can be specified for individual users or AFS groups.


[ Back to Top ]

2.1.4.2 Access Control Commands

Listing Access Control Lists

On UNIX systems:

Use the fs listacl command:

fs listacl path
fs la path
path is the pathname of the directory

On Windows NT systems:

  • Right-click on a directory, and use the AFS | Access Control Lists menu; or
  • In a command window, use the fs listacl command:
    fs listacl path
    fs la path
    path is the pathname of the directory

Setting/Modifying Access Control Lists

On UNIX systems:

Use the fs setacl command:

fs setacl path user permission
fs sa path user permission
path is the pathname of the directory
user is the username of an individual user, or an AFS user group
permission is an AFS Access Control List permission (right) to be granted

For example:

fs setacl project2 bbadger read
fs setacl project2 bbadger rl
Give the user bbadger read and lookup access to all the readable files in the directory project2
fs setacl src username:mygroup write
fs setacl src username:mygroup rlidwk
Give the group username:mygroup rlidwk (read, lookup, insert, delete, write, and lock) access permissions to the directory src (username is your user name).
fs setacl private system:anyuser none
Remove all access permissions for the group system:anyuser from the directory private

On Windows NT systems:

  • Right-click on a directory, and use the AFS | Access Control Lists menu; or
  • In a command window, use the fs setacl command:
    fs setacl path user permission
    fs sa path user permission
    path is the pathname of the directory
    user is the username of an individual user, or an AFS user group
    permission is an AFS Access Control List permission (right) to be granted
    Please see above for examples.
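Because fs setacl changes the ACL of one directory only, giving a group access to a whole project tree (or shutting system:anyuser out of one) means running it on every directory in the tree. The following script is an added example and not part of the original page or of AFS itself: grant_tree, the FS variable and the /afs/example.org path are this example's own assumptions; fs setacl and its positional "directory user rights [user rights ...]" form are the real command as shown above. Setting FS=echo previews the commands without touching any ACL.

```shell
#!/bin/sh
# grant_tree: apply the same fs setacl change to a directory and every directory below it.
# fs setacl changes one directory's ACL only; subdirectories that already exist keep
# theirs. FS can be overridden (FS=echo) to preview the commands instead of running them.
# Usage: grant_tree <root-dir> <user-or-group> <rights> [<user-or-group> <rights> ...]
# grant_tree and FS are this example's names, not AFS commands; fs setacl is.

FS=${FS:-fs}

grant_tree() {
    root=$1
    shift
    # fs setacl takes user/rights pairs, so the remaining argument count must be even
    if [ $# -lt 2 ] || [ $(($# % 2)) -ne 0 ]; then
        echo "usage: grant_tree root user rights [user rights ...]" >&2
        return 2
    fi
    [ -d "$root" ] || { echo "grant_tree: $root is not a directory" >&2; return 2; }

    list=$(mktemp) || return 1
    find "$root" -type d -print > "$list"      # the root itself plus every subdirectory
    status=0
    done_count=0
    while IFS= read -r dir; do
        if "$FS" setacl "$dir" "$@"; then
            done_count=$((done_count + 1))
        else
            echo "grant_tree: fs setacl failed on $dir" >&2
            status=1                             # keep going, report failure at the end
        fi
    done < "$list"
    rm -f "$list"
    echo "grant_tree: updated $done_count directories under $root" >&2
    return $status
}

# Example (run inside a real AFS cell; the path is assumed): close a project tree to
# anonymous users and give a group read and lookup on every directory in it.
# grant_tree /afs/example.org/u/bbadger/project2 system:anyuser none bbadger:workgroup rl
```

Run it with FS=echo first and read the generated command lines; the rights you pass are applied to every directory found, so a directory that deliberately had a tighter ACL (a private subdirectory under a shared tree) will be opened up along with the rest.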

[ Back to Top ]

2.1.4.3 Access Permissions (Rights)

The following permissions (rights) can be specified in AFS ACLs:

Permission  Attribute   Description
r           read        allows a user to look at readable files in the directory
l           lookup      a user with this right may list the directory, look at its ACL, or access subdirectories
w           write       allows a user to modify writable files in the directory
d           delete      allows a user to remove files from the directory
i           insert      allows a user to add files to the directory
k           lock        allows a user to put advisory file locks on files in the directory
a           administer  allows a user to change the ACL of the directory. Because a new subdirectory starts with a copy of its parent's ACL, a user who holds administer on a directory also holds it on subdirectories created beneath it, and can use it to grant any other right to themselves or to others. For that reason, we do not suggest granting this right to anyone for your personal directories.

In addition, the following aggregate permissions can be used:

Aggregate  Permission Description
read       read (r) and lookup (l) permissions
write      read (r), lookup (l), insert (i), write (w), delete (d) and lock (k) permissions
all        grant all permissions (rlidwka), including administer
none       remove all permissions for the specified user or group
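The rights that matter most when reviewing an ACL are the ones beyond read and lookup held by system:anyuser or system:authuser, and the administer (a) right held by anyone other than the directory owner or system:administrators. The script below is an added example, not part of the original page or of AFS: audit_acl, audit_sample and SAMPLE_LISTACL are this example's own names, and the sample fs listacl output embedded in it is constructed, not captured from a real cell. It assumes the standard fs listacl output layout ("Access list for <dir> is", a "Normal rights:" block, and an optional "Negative rights:" block, one "name rights" pair per line).

```shell
#!/bin/sh
# audit_acl [owner]: read "fs listacl" output on stdin and flag risky entries.
# Feed it one directory (fs la dir | audit_acl bbadger) or a whole tree:
#   find /afs/.../project2 -type d -exec fs la {} \; | audit_acl bbadger
# Prints one WARN line per finding and returns 1 if anything was flagged.
# audit_acl, audit_sample and SAMPLE_LISTACL are this example's names, not AFS commands.

audit_acl() {
    awk -v owner="${1:-}" '
    function warn(d, w, r, msg) {
        print "WARN " d ": " w " has " r " (" msg ")"
        findings++
    }
    /^Access list for / {                  # "Access list for <dir> is"
        dir = substr($0, 17)
        sub(/ is$/, "", dir)
        section = ""
        next
    }
    /^Normal rights:/   { section = "normal"; next }
    /^Negative rights:/ { section = "negative"; next }   # denials are not a risk; skip them
    section == "normal" && NF == 2 {
        who = $1; rights = $2
        if (who == "system:anyuser" && rights ~ /[idwka]/) {
            warn(dir, who, rights, "unauthenticated users can change files or the ACL")
        } else if (who == "system:authuser" && rights ~ /[idwka]/) {
            warn(dir, who, rights, "any authenticated user can change files or the ACL")
        } else if (rights ~ /a/ && who != "system:administrators" && who != owner) {
            warn(dir, who, rights, "administer right lets this principal rewrite the ACL")
        }
    }
    END { exit (findings > 0) }
    '
}

# Constructed sample of fs listacl output for two directories (not captured from a real cell).
SAMPLE_LISTACL='Access list for /afs/example.org/u/bbadger/public is
Normal rights:
  system:administrators rlidwka
  bbadger rlidwka
  system:anyuser rl
Access list for /afs/example.org/u/bbadger/dropbox is
Normal rights:
  system:administrators rlidwka
  bbadger rlidwka
  system:anyuser rlidwk
  bucky rlidwka
Negative rights:
  baduser rl'

audit_sample() {
    printf '%s\n' "$SAMPLE_LISTACL" | audit_acl bbadger
}
```

On the sample, the public directory passes (system:anyuser has only rl), while dropbox produces two findings: system:anyuser holds rlidwk, so anyone on the Internet can drop and delete files there, and bucky holds rlidwka, so bucky can rewrite the ACL, including removing the owner's own rights.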


[ Back to Top ]

2.1.4.4 AFS groups

User-Managed AFS Groups

AFS allows users to create and manage their own groups of users. AFS groups can be named in ACLs (Access Control Lists), which is convenient, because you do not need to change every ACL when someone joins or leaves a logical group of users.

AFS groups that are owned by users are named username:groupname.

System-Defined AFS Groups

The AFS system defines the following system groups:

system:anyuser
any user, regardless of authentication status
system:authuser
any user (or process) that has authenticated to the AFS system
system:administrators
the system administration group


[ Back to Top ]

2.1.4.5 AFS Group Commands

Listing AFS Groups

On UNIX systems:

Use the following pts commands:

pts membership user
List the groups user is a member of
pts membership username:group
List the members of group username:group
pts listowned username
List the groups owned by username

For example:

pts membership bbadger
lists the groups that bbadger is a member of
pts membership bbadger:workgroup
lists the members of bbadger's group bbadger:workgroup

On Windows NT systems:

don't know

Creating/Modifying AFS Groups

On UNIX systems:

Use the following pts commands:

pts creategroup username:group
create group username:group. username must be your username.
pts adduser user username:group
Add user user to group username:group. Usually username is your username.
pts removeuser user username:group
Remove user user from group username:group. Usually username is your username.

For example:

pts creategroup bbadger:workgroup
The user bbadger creates a group named bbadger:workgroup
pts adduser bucky bbadger:workgroup
add user bucky to bbadger's group bbadger:workgroup
pts removeuser bucky bbadger:workgroup
remove user bucky from bbadger's group bbadger:workgroup
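Keeping a group's membership in step with a list of people (a course roster, a project team) means comparing what pts membership reports against the list and issuing only the adduser and removeuser commands that are actually needed. The script below is an added example and not part of the original page or of AFS: plan_group_changes, sync_group, current_members and the PTS variable are this example's own names; pts creategroup, pts examine, pts membership, pts adduser and pts removeuser are the real commands. It assumes pts membership prints a one-line header followed by one member name per line.

```shell
#!/bin/sh
# Keep an AFS group in step with a membership file: create it if needed, add the users
# that are missing, remove the users no longer listed. plan_group_changes is separable so
# the plan can be reviewed before anything is run. These function and variable names are
# this example's own; only pts and its subcommands are AFS.

PTS=${PTS:-pts}

# pts membership prints a header ("Members of <group> (id: ...) are:") then one member per line.
current_members() {
    "$PTS" membership "$1" | awk 'NR > 1 && NF == 1 { print $1 }'
}

# plan_group_changes <group> <members-file>: current members on stdin, desired members in
# the file (one per line; blank lines and # comments ignored). Prints one
# "adduser <user> <group>" or "removeuser <user> <group>" line per change needed.
plan_group_changes() {
    group=$1
    have=$(mktemp) || return 1
    want=$(mktemp) || return 1
    LC_ALL=C sort -u > "$have"
    grep -v '^#' "$2" | sed '/^[[:space:]]*$/d' | LC_ALL=C sort -u > "$want"
    LC_ALL=C comm -13 "$have" "$want" | sed "s|.*|adduser & $group|"       # wanted, not present
    LC_ALL=C comm -23 "$have" "$want" | sed "s|.*|removeuser & $group|"    # present, not wanted
    rm -f "$have" "$want"
}

sync_group() {
    group=$1
    file=$2
    # pts examine fails on an unknown name; the group name must start with your own username
    "$PTS" examine "$group" >/dev/null 2>&1 || "$PTS" creategroup "$group" || return 1
    current_members "$group" | plan_group_changes "$group" "$file" |
    while read -r verb user grp; do
        "$PTS" "$verb" "$user" "$grp" || echo "pts $verb $user $grp failed" >&2
    done
}

# Example (run inside a real AFS cell; the file name is assumed):
# sync_group bbadger:workgroup "$HOME/workgroup.members"
```

To review before applying, pipe the current membership through plan_group_changes by hand (pts membership bbadger:workgroup | awk 'NR > 1 { print $1 }' | plan_group_changes bbadger:workgroup members) and read the adduser and removeuser lines; since ACLs reference the group by name, no fs setacl is needed when the membership changes.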

On Windows NT systems:

don't know


[ Back to Top ]

2.1.4.6 Advanced AFS Group topics

put stuff here about giving others permissions to modify groups


[ Back to Top ]

Documentation built by builddoc v1.09
run by ziel on Wed Mar 3 12:58:46 1999
Please do not link to this page. Please link only to the top level of the CSL documentation tree.