Table of Contents
This chapter explains how to create groups and discusses different ways to use them.
An AFS group is a list of specific users that you can place on access control lists (ACLs). Groups make it much easier to maintain ACLs. Instead of creating an ACL entry for every user individually, you create one entry for a group to which the users belong. Similarly, you can grant a user access to many directories at once by adding the user to a group that appears on the relevant ACLs.
AFS client machines can also belong to a group. Anyone logged into the machine inherits the permissions granted to the group on an ACL, even if they are not authenticated with AFS. In general, groups of machines are useful only to system administrators, for specialized purposes like complying with licensing agreements your cell has with software vendors. Talk with your system administrator before putting a client machine in a group or using a machine group on an ACL.
To learn about AFS file protection and how to add groups to ACLs, see Protecting Your Directories and Files.
There are three typical ways to use groups, each suited to a particular purpose: private use, shared use, and group use. The following are only suggestions. You are free to use groups in any way you choose.
Private use: you create a group and place it on the ACL of directories you own, without necessarily informing the group's members that they belong to it. Members notice only that they can or cannot access the directory in a certain way. You retain sole administrative control over the group, since you are the owner.
The existence of the group and the identity of its members is not necessarily secret. Other users can see the group's name on an ACL when they use the fs listacl command, and can use the pts membership command to display + the groups to which they themselves belong. You can, however, limit who can display the members of the group, as described in Protecting Group-Related Information.
Shared use: you inform the group's members that they belong to the group, but you are the group's sole owner and administrator. For example, the manager of a work group can create a group of all the members in the work group, and encourage them to use it on the ACLs of directories that house information they want to share with other members of the group.
If you place a group owned by someone else on your ACLs, the group's owner can change the group's membership without informing you. Someone new can gain or lose access in a way you did not intend and without your knowledge.
Group use: you create a group and then use the pts chown command to assign ownership to a group--either another group or the group itself (the latter type is a self-owned group). You inform the members of the owning group that they all can administer the owned group. For instructions for the pts chown command, see To Change a Group's Owner.
The main advantage of designating a group as an owner is that several people share responsibility for administering the group. A single person does not have to perform all administrative tasks, and if the group's original owner leaves the cell, there are still other people who can administer it.
However, everyone in the owner group can make changes that affect others negatively: adding or removing people from the group inappropriately or changing the group's ownership to themselves exclusively. These problems can be particularly sensitive in a self-owned group. Using an owner group works best if all the members know and trust each other; it is probably wise to keep the number of people in an owner group small.
The groups you create must have names with two parts, in the following format:
owner_name prefix indicates which user or group owns the group (naming rules appear in
To Create a Group). The
group_name part indicates the group's
purpose or its members' common interest. Group names must always be typed in full, so a short
group_name is most practical. However, names like terry:1 and
terry:2 that do not indicate the group's purpose are less useful than names like terry:project.
Groups that do not have the
owner_name prefix possibly appear on some ACLs; they are created
by system administrators only. All of the groups you create must have an
By default, you can create 20 groups, but your system administrators can change your group-creation quota if appropriate. When you create a group, your group quota decrements by one. When a group that you created is deleted, your quota increments by one, even if you are no longer the owner. You cannot increase your quota by transferring ownership of a group to someone else, because you are always recorded as the creator.
If you exhaust your group-creation quota and need to create more groups, ask your system administrator. For instructions for displaying your group-creation quota, see To Display A Group Entry.