AFS Groups

If several users need to appear together on many ACLs, it might be easier to regulate permissions if you put them in a group. A group is simply a list of users. You can give permissions to a group in the same way that you give permissions to users, and these permissions will then apply to all members of the group.

You can create your own user groups, which will have names of the form user:groupname, where user is your username, and groupname is a name you choose for the group. For instance, user jis could create group jis:friends for his friends Jim, Mary and Bill, and another group jis:6.001 for his 6.001 classmates, Dave, Barbara and Tom. Then he could, for instance, give group jis:friends read and lookup permissions on most of his directories (jis trusts his friends). Group jis:6.001 could get read and lookup permissions on directories /mit/jis/scheme and /mit/jis/scheme/6.001, and read, lookup and insert on /mit/jis/scheme/hacks. And so on. For some examples of how to create and manipulate groups, see section 6.3 of this document.

If you want to give permission to everyone in a group except someone, you can exclude them using negative permissions, described in section 3.2 of this document. Negative permissions deny rights to users or groups. They are stronger than positive rights, so if jis gives a read permission to jis:6.001, but denies it to Tom, who is a member of the group, Tom will not be able to read the files.

AFS groups also include system groups. System groups have names of the form system:groupname. The group system:anyuser includes any AFS user. Giving read and lookup permissions to system:anyuser will, therefore, make the directory world-readable: anyone with access to AFS (literally around the globe!) will be able to read the files. The group system:authuser includes any user that has authenticated themselves with AFS locally (this includes all Athena users).
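As an added illustration (not part of this guide), the following Python model shows how the rules in the three paragraphs above combine when AFS decides what a user may do: group membership, the system:anyuser and system:authuser pseudo-groups, and negative rights overriding positive ones. The group memberships and the ACL for /mit/jis/scheme/6.001 are constructed to match the jis example; the tuple layout is this model's own, not an AFS API.

```python
# Added example, not part of the Inessential Guide: a Python model of how AFS
# combines ACL entries. Groups and ACLs are constructed to match the jis example.

RIGHT_ORDER = "rlidwka"          # read, lookup, insert, delete, write, lock, administer
ALL_RIGHTS = frozenset(RIGHT_ORDER)

# Constructed user groups owned by jis.
GROUPS = {
    "jis:friends": {"jim", "mary", "bill"},
    "jis:6.001": {"dave", "barbara", "tom"},
}

def principals_for(user, authenticated=True):
    """Every ACL name that applies to this user: the user, the system
    pseudo-groups, and each user group containing the user."""
    names = {user, "system:anyuser"}          # system:anyuser matches everyone
    if authenticated:
        names.add("system:authuser")          # only users holding AFS tokens
    names.update(g for g, members in GROUPS.items() if user in members)
    return names

def effective_rights(acl, user, authenticated=True):
    """Rights the user actually holds. acl is a list of
    (principal, rights, negative) tuples, the data `fs listacl` prints under
    "Normal rights" and "Negative rights". Positive entries are unioned, then
    negative entries subtracted, so one denial overrides any number of grants."""
    applicable = principals_for(user, authenticated)
    granted, denied = set(), set()
    for principal, rights, negative in acl:
        if not set(rights) <= ALL_RIGHTS:
            raise ValueError(f"unknown right in {rights!r}")
        if principal in applicable:
            (denied if negative else granted).update(rights)
    return "".join(r for r in RIGHT_ORDER if r in granted - denied)

def is_world_readable(acl):
    """True when an unauthenticated outsider gets read and lookup, i.e. the
    directory is readable by anyone on AFS anywhere."""
    return set("rl") <= set(effective_rights(acl, "outsider", authenticated=False))

# Constructed ACL for /mit/jis/scheme/6.001: owner keeps everything, classmates
# read and lookup, Tom is denied read despite being a classmate.
SCHEME_6001_ACL = [
    ("jis", "rlidwka", False),
    ("jis:6.001", "rl", False),
    ("tom", "r", True),
]
```

Running `effective_rights(SCHEME_6001_ACL, "tom")` yields only "l": the group grants him read and lookup, but the negative entry removes read, exactly as the text describes.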

Any other AFS group system:groupname corresponds to a Moira group groupname. You cannot create Moira groups without assistance. More information on Moira groups can be found in the Moira section of An Inessential Guide to Athena, available from SIPB.