Setting the Privacy Flags on Database Entries

Members of the system:administrators group can always display and administer Protection Database entries in any way, and regular users can display and administer their own entries and any group entries they own. The privacy flags on a Protection Database entry determine who else can display certain information from the entry, and who can add and remove members in a group.

To display the flags, use the pts examine command as described in To display a Protection Database entry. The flags appear in the output's flags field. To set the flags, include the -access argument to the pts setfields command.

The five flags always appear, and always must be set, in the following order:

s

Controls who can issue the pts examine command to display the entry.

o

Controls who can issue the pts listowned command to display the groups that a user or group owns.

m

Controls who can issue the pts membership command to display the groups a user or machine belongs to, or which users or machines belong to a group.

a

Controls who can issue the pts adduser command to add a user or machine to a group. It is meaningful only for groups, but a value must always be set for it even on user and machine entries.

r

Controls who can issue the pts removeuser command to remove a user or machine from a group. It is meaningful only for groups, but a value must always be set for it even on user and machine entries.

Each flag can take one of three possible values, each of which enables a different set of users to issue the corresponding command:

• The hyphen (-): only the entry's owner and members of the system:administrators group (and, for a user entry, the user itself).

• The lowercase version of the letter: the members of the group, in addition to the owner and administrators. This value is meaningful only for group entries.

• The uppercase version of the letter: anyone.

For example, the flags SOmar on a group entry indicate that anyone can examine the group's entry and display the groups that it owns, and that only the group's members can display, add, or remove its members.

The default privacy flags for user and machine entries are S----, meaning that anyone can display the entry. The ability to perform any other functions is restricted to members of the system:administrators group and the entry's owner (as well as the user for a user entry).

The default privacy flags for group entries are S-M--, meaning that all users can display the entry and the members of the group, but only the entry owner and members of the system:administrators group can perform other functions.

To set a Protection Database entry's privacy flags

  1. Verify that you belong to the system:administrators group. If necessary, issue the pts membership command, which is fully described in To display the members of the system:administrators group.

       % pts membership system:administrators

  2. Issue the pts setfields command to set the privacy flags.

       % pts setfields <user or group name or id>+ -access <set privacy flags>

    where

    setf

    Is the shortest acceptable abbreviation of setfields.

    user or group name or id

    Specifies the name or AFS UID of each user, the IP address or AFS UID of each machine, or the name or AFS GID of each group for which to set the privacy flags.

    -access

    Specifies the set of privacy flags to associate with each entry. Provide a value for each of the five flags, observing the following constraints:

    • Provide a value for all five flags, even though the fourth and fifth flags are not meaningful for user and machine entries.

    • For self-owned groups, the hyphen is equivalent to a lowercase letter, because all the members of a self-owned group own it.

    • Set the first flag to lowercase s or uppercase S only. For user and machine entries, the Protection Server interprets the lowercase s as equivalent to the hyphen.

    • Set the second flag to the hyphen (-) or uppercase O only. For groups, the Protection Server interprets the hyphen as equivalent to lowercase o (that is, members of a group can always list the groups that it owns).

    • Set the third flag to the hyphen (-), lowercase m, or uppercase M. For user and machine entries, the lowercase m does not have a meaningful interpretation, because they have no members.

    • Set the fourth flag to the hyphen (-), lowercase a, or uppercase A. Although this flag does not have a meaningful interpretation for user and machine entries (because they have no members), it must be set, preferably to the hyphen.

    • Set the fifth flag to the hyphen (-) or lowercase r only. Although this flag does not have a meaningful interpretation for user and machine entries (because they have no members), it must be set, preferably to the hyphen.
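As an added example (not part of the OpenAFS documentation), the following Python checker applies the per-position constraints listed above to an -access string and works out, for each pts command, which class of callers the flag admits, including the hyphen/lowercase equivalences the text describes. The function names, the entry_type labels and the self_owned switch are assumptions of this example.

```python
# Positions of the five privacy flags and the pts command each one guards.
FLAG_COMMANDS = ("examine", "listowned", "membership", "adduser", "removeuser")
# Characters that pts setfields -access accepts at each position.
ALLOWED = ("sS", "-O", "-mM", "-aA", "-r")


def access_error(flags):
    """Return a message saying why FLAGS is not a valid -access value,
    or None if it satisfies the per-position constraints."""
    if len(flags) != 5:
        return "exactly five flags are required, got %r" % flags
    for pos, (ch, allowed) in enumerate(zip(flags, ALLOWED), start=1):
        if ch not in allowed:
            return "flag %d must be one of %r, got %r" % (pos, allowed, ch)
    return None


def who_can(flags, entry_type, self_owned=False):
    """Map each pts command to the widest class of callers the flag admits.

    Classes nest: 'anyone' includes 'members', which includes 'owner'.
    'owner' (the hyphen) means the entry owner plus system:administrators
    and, for a user entry, the user itself.  entry_type and self_owned are
    labels assumed by this example.
    """
    err = access_error(flags)
    if err:
        raise ValueError(err)
    if entry_type not in ("user", "machine", "group"):
        raise ValueError("entry_type must be user, machine or group")
    result = {}
    for cmd, ch in zip(FLAG_COMMANDS, flags):
        cls = "anyone" if ch.isupper() else "owner" if ch == "-" else "members"
        if entry_type == "group":
            # Members of a group can always list the groups it owns.
            if cmd == "listowned" and cls == "owner":
                cls = "members"
            # Every member of a self-owned group is also its owner.
            if self_owned and cls == "owner":
                cls = "members"
        elif cls == "members":
            # Users and machines have no members, so lowercase acts like the hyphen.
            cls = "owner"
        result[cmd] = cls
    return result


if __name__ == "__main__":
    # Constructed inputs: the worked example and the two defaults from the text.
    for flags, kind in (("SOmar", "group"), ("S----", "user"), ("S-M--", "group")):
        print(flags, kind, who_can(flags, kind))
```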