With the pts (protection server) command, you can create your own AFS groups and add them to AFS access control lists. AFS groups make it much easier to manage ACLs for large directory trees, and allow the addition of large numbers of users to an ACL with a single command. A typical use of AFS groups would be to create a new AFS directory that will be the root of a larger tree, and add the appropriate group to its ACL. Since a new AFS directory inherits its parent's ACL, sub-directories created in that tree will also have that group on their ACL. Adding or revoking a user's group membership will thus change access for that user throughout the entire directory tree.
In addition to user-created groups, the following system and special groups exist and have the listed membership:
- Anyone, anywhere.
- Anyone on a CMU host.
- Anyone on an SCS host (except for a few exceptions --- the SCS web servers are not members of this group).
- Anyone authenticated to the cs.cmu.edu AFS cell (people with valid SCS accounts).
- Authorized AFS administrators (Facilities staff).
- The SCS Web servers and a few other authorized hosts.
The above special groups may be added to ACLs in the same way as user-created AFS groups.
How to create and manage AFS groups
Note: typing pts help will list the various pts commands. Most pts commands can be used with or without named arguments. For example,
pts creategroup bovik:colleaguesand
pts creategroup -name bovik:colleagueswill do the same thing.
Creating groupsAFS group names have the form username:<identifier>, and are created with the pts creategroup command. The username specified will be the owner of the group, and must be a valid AFS user name (you will usually want to use your own AFS username). For example, the command:
pts creategroup bovik:colleagueswould create a group called bovik:colleagues.
Adding and removing usersTo add a user to a group, use the pts adduser command:
pts adduser jsmith bovik:colleaguesTo remove a user from a group, use the pts removeuser command:
pts removeuser jsmith bovik:colleagues
Listing group membersTo see a list of the members of a group, use the pts membership command:
pts membership bovik:colleagues
Examining and changing group privacy flags
You can use the pts examine command to find out information about a group (you can also use this command on a AFS username). The command:
pts examine bovik:colleagueswould produce the following output:
Name: bovik:colleagues, id: -3745, owner: bovik, creator: bovik,The above fields have the following meanings:
membership: 2, flags: S-M--, group quota: 0.
- The name of the group.
- A unique identification number for the group that AFS users internally.
- The owner of the group
- The person who originally created the group.
- How many members belong to the group.
- Group privacy flags that determine who can list group properties or make certain changes to the group. See below for details.
- group quota
- How many more groups a user is allowed to create.
The five group privacy flags appear in the following order:
- Status (s): Controls who can use pts examine to list status information about a group.
- Owned (o): Controls who can use pts listowned to list groups owned by a group or user.
- Membership (m): Controls who can use pts membership to list groups a user belongs to, or users that belong to a group.
- Add (a): Controls who can use pts adduser to add a user to a group.
- Remove (r): Controls who can use pts removeuser to remove a user from a group.
- A hyphen, "-", gives rights only to the group's owner (along with members of the system group system:administrators, which only has SCS Facilities staff as members).
- A lowercase version of the flag (eg a lowercase "s") gives rights to members of the group, in addition to those who have "hyphen" rights.
- An uppercase version of the flag gives rights to anyone.
Additional informationThese off-site links will open in a new browser window.
- OpenAFS documentation on groups
- Complete documentation on pts groups and how to use them, covering many commands and features not discussed on this page.