SCS Computing
 Services and Solutions

AFS groups


With the pts (protection server) command, you can create your own AFS groups and add them to AFS access control lists. AFS groups make it much easier to manage ACLs for large directory trees, and allow the addition of large numbers of users to an ACL with a single command. A typical use of AFS groups would be to create a new AFS directory that will be the root of a larger tree, and add the appropriate group to its ACL. Since a new AFS directory inherits its parent's ACL, sub-directories created in that tree will also have that group on their ACL. Adding or revoking a user's group membership will thus change access for that user throughout the entire directory tree.

System & special groups

In addition to user-created groups, the following system and special groups exist and have the listed membership:

Anyone, anywhere.
Anyone on a CMU host.
Anyone on an SCS host (with a few exceptions; the SCS web servers are not members of this group).
Anyone authenticated to the AFS cell (people with valid SCS accounts).
Authorized AFS administrators (Facilities staff).
The SCS Web servers and a few other authorized hosts.

The above special groups may be added to ACLs in the same way as user-created AFS groups.

How to create and manage AFS groups

Note: typing pts help will list the various pts commands. Most pts commands can be used with or without named arguments. For example,

   pts creategroup bovik:colleagues
   pts creategroup -name bovik:colleagues
will do the same thing.

Creating groups

AFS group names have the form username:<identifier>, and are created with the pts creategroup command. The username specified will be the owner of the group, and must be a valid AFS user name (you will usually want to use your own AFS username). For example, the command:
   pts creategroup bovik:colleagues
would create a group called bovik:colleagues.

Adding and removing users

To add a user to a group, use the pts adduser command:
   pts adduser jsmith bovik:colleagues
To remove a user from a group, use the pts removeuser command:
   pts removeuser jsmith bovik:colleagues

Listing group members

To see a list of the members of a group, use the pts membership command:
   pts membership bovik:colleagues

Examining and changing group privacy flags

You can use the pts examine command to find out information about a group (you can also use this command on an AFS username). The command:

   pts examine bovik:colleagues
would produce the following output:
Name: bovik:colleagues, id: -3745, owner: bovik, creator: bovik,
membership: 2, flags: S-M--, group quota: 0.
The above fields have the following meanings:
Name
The name of the group.
id
A unique identification number for the group that AFS uses internally.
owner
The owner of the group.
creator
The person who originally created the group.
membership
How many members belong to the group.
flags
Group privacy flags that determine who can list group properties or make certain changes to the group. See below for details.
group quota
How many more groups a user is allowed to create.

The five group privacy flags appear in the following order:
  1. Status (s): Controls who can use pts examine to list status information about a group.
  2. Owned (o): Controls who can use pts listowned to list groups owned by a group or user.
  3. Membership (m): Controls who can use pts membership to list groups a user belongs to, or users that belong to a group.
  4. Add (a): Controls who can use pts adduser to add a user to a group.
  5. Remove (r): Controls who can use pts removeuser to remove a user from a group.
Each one of the flags, somar, has three possible values:
  • A hyphen, "-", gives rights only to the group's owner (along with members of the system group system:administrators, which only has SCS Facilities staff as members).
  • A lowercase version of the flag (e.g. a lowercase "s") gives rights to members of the group, in addition to those who have "hyphen" rights.
  • An uppercase version of the flag gives rights to anyone.
The default values of S-M-- give anyone the ability to examine a group and see who belongs to a group, and give only the owner of the group the other rights. You can use the pts setfields command to change these default values. Type pts help setfields for details about the syntax of this command.
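
The following Python example is added here and is not from the original page or from OpenAFS. It parses the pts examine output shown above, decodes the privacy flags by the three-value rule as this page states it, and reports any group whose membership can be changed by someone other than the owner or listed by anyone; the function names and the reporting policy are assumptions of this example.

```python
import re

# The five privacy flags, in the order this page lists them, with the command each gates.
FLAGS = [("s", "pts examine"), ("o", "pts listowned"), ("m", "pts membership"),
         ("a", "pts adduser"), ("r", "pts removeuser")]

# Constructed sample input: the `pts examine` output quoted on this page.
SAMPLE = """Name: bovik:colleagues, id: -3745, owner: bovik, creator: bovik,
membership: 2, flags: S-M--, group quota: 0."""

def parse_examine(text):
    """Split pts examine output into a dict of lower-cased field names."""
    fields = {}
    for part in re.split(r",\s*", text.strip().rstrip(".")):
        key, sep, value = part.partition(":")  # first colon only: group names contain ':'
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def decode_flags(flags):
    """Map each flag letter to 'owner', 'members' or 'anyone' (three-value rule above)."""
    if len(flags) != len(FLAGS):
        raise ValueError(f"expected {len(FLAGS)} privacy flags, got {flags!r}")
    rights = {}
    for ch, (letter, _) in zip(flags, FLAGS):
        if ch == "-":
            rights[letter] = "owner"      # owner plus system:administrators
        elif ch == letter:
            rights[letter] = "members"    # group members, plus the owner
        elif ch == letter.upper():
            rights[letter] = "anyone"
        else:
            raise ValueError(f"unexpected {ch!r} in the {letter!r} position")
    return rights

def audit(text):
    """Return one finding per right that reaches past the group's owner."""
    fields = parse_examine(text)
    rights = decode_flags(fields["flags"])
    findings = []
    for letter, command in FLAGS:
        # Policy (assumed): report any delegated add/remove, and world-listable membership.
        if (letter in "ar" and rights[letter] != "owner") or \
           (letter == "m" and rights[letter] == "anyone"):
            findings.append(f"{fields['name']}: {rights[letter]} may run {command}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A group that appears on the ACL of a large directory tree is the one worth checking first, since a change to its membership changes access throughout the tree.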

Additional information

OpenAFS documentation on groups
Complete documentation on pts groups and how to use them, covering many commands and features not discussed on this page.