Chapter 5. Using Groups

Table of Contents

About Groups
Suggestions for Using Groups Effectively
Group Names
Group-creation Quota
Displaying Group Information
To Display Group Membership
Example: Displaying the Members of a Group
Example: Displaying the Groups to Which a User Belongs
To Display the Groups a User or Group Owns
Example: Displaying the Groups a Group Owns
Example: Displaying the Groups a User Owns
To Display A Group Entry
Example: Listing Information about a Group
Example: Listing Group Information about a User
Creating Groups and Adding Members
To Create a Group
Example: Creating a Group
To Add Members to a Group
Example: Adding Members to a Group
Removing Users from a Group and Deleting a Group
To Remove Members from a Group
Example: Removing Group Members
To Delete a Group
Example: Deleting a Group
To Remove Obsolete ACL Entries
Example: Removing an Obsolete ACL Entry
Changing a Group's Owner or Name
To Change a Group's Owner
Example: Changing a Group's Owner to Another User
Example: Changing a Group's Owner to Itself
Example: Changing a Group's Owner to a Group
To Change a Group's Name
Example: Changing a Group's group_name Suffix
Example: Changing a Group's owner_name Prefix
Protecting Group-Related Information
Interpreting the Privacy Flags
To Set a Group's Privacy Flags
Example: Setting a Group's Privacy Flags

This chapter explains how to create groups and discusses different ways to use them.

About Groups

An AFS group is a list of specific users that you can place on access control lists (ACLs). Groups make it much easier to maintain ACLs. Instead of creating an ACL entry for every user individually, you create one entry for a group to which the users belong. Similarly, you can grant a user access to many directories at once by adding the user to a group that appears on the relevant ACLs.

AFS client machines can also belong to a group. Anyone logged into the machine inherits the permissions granted to the group on an ACL, even if they are not authenticated with AFS. In general, groups of machines are useful only to system administrators, for specialized purposes like complying with licensing agreements your cell has with software vendors. Talk with your system administrator before putting a client machine in a group or using a machine group on an ACL.

To learn about AFS file protection and how to add groups to ACLs, see Protecting Your Directories and Files.

Suggestions for Using Groups Effectively

There are three typical ways to use groups, each suited to a particular purpose: private use, shared use, and group use. The following are only suggestions. You are free to use groups in any way you choose.

  • Private use: you create a group and place it on the ACL of directories you own, without necessarily informing the group's members that they belong to it. Members notice only that they can or cannot access the directory in a certain way. You retain sole administrative control over the group, since you are the owner.

    The existence of the group and the identity of its members is not necessarily secret. Other users can see the group's name on an ACL when they use the fs listacl command, and can use the pts membership command to display the groups to which they themselves belong. You can, however, limit who can display the members of the group, as described in Protecting Group-Related Information.

  • Shared use: you inform the group's members that they belong to the group, but you are the group's sole owner and administrator. For example, the manager of a work group can create a group of all the members in the work group, and encourage them to use it on the ACLs of directories that house information they want to share with other members of the group.

    Note

    If you place a group owned by someone else on your ACLs, the group's owner can change the group's membership without informing you. Someone new can gain or lose access in a way you did not intend and without your knowledge.

  • Group use: you create a group and then use the pts chown command to assign ownership to a group--either another group or the group itself (the latter type is a self-owned group). You inform the members of the owning group that they all can administer the owned group. For instructions for the pts chown command, see To Change a Group's Owner.

    The main advantage of designating a group as an owner is that several people share responsibility for administering the group. A single person does not have to perform all administrative tasks, and if the group's original owner leaves the cell, there are still other people who can administer it.

    However, everyone in the owner group can make changes that affect others negatively: adding or removing people from the group inappropriately or changing the group's ownership to themselves exclusively. These problems can be particularly sensitive in a self-owned group. Using an owner group works best if all the members know and trust each other; it is probably wise to keep the number of people in an owner group small.
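The note under shared use points out that a group owned by someone else can change membership without your knowledge. The following shell script, added here as an illustration and not part of the original guide, audits the Normal rights section of fs listacl output and reports every group whose owner_name prefix is neither your own user name nor the cell-wide system: namespace. The fs listacl output it parses is a constructed sample in the format the command prints (assumed, not captured from a real cell); to run it against a real directory you would replace the sample with the output of fs listacl.

```shell
#!/bin/sh
# Constructed sample of "fs listacl" output (not captured from a real cell).
SAMPLE_ACL='Access list for /afs/example.com/usr/terry is
Normal rights:
  system:administrators rlidwka
  terry rlidwka
  terry:project rlidwk
  pat:team rl
Negative rights:
  smith rl'

# foreign_groups USER ACL_TEXT
# Prints, one per line, each group in the "Normal rights" section of
# ACL_TEXT whose owner_name prefix is neither USER nor "system".
# Entries without a colon are individual users and are skipped, as are
# entries in the "Negative rights" section.
foreign_groups() {
    user=$1
    acl=$2
    printf '%s\n' "$acl" | awk -v me="$user" '
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && NF == 2 {
            name = $1
            idx = index(name, ":")
            if (idx == 0) next                 # a user entry, not a group
            owner = substr(name, 1, idx - 1)
            if (owner == "system" || owner == me) next
            print name
        }'
}

# Example run: as user terry, only pat:team is administered by someone else.
foreign_groups terry "$SAMPLE_ACL"
```

Each group the script prints is one whose membership you do not control; for those, either ask the owner to tell you about membership changes or replace the entry with a group you own.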

Group Names

The groups you create must have names with two parts, in the following format:

owner_name:group_name

The owner_name prefix indicates which user or group owns the group (naming rules appear in To Create a Group). The group_name part indicates the group's purpose or its members' common interest. Group names must always be typed in full, so a short group_name is most practical. However, names like terry:1 and terry:2 that do not indicate the group's purpose are less useful than names like terry:project.

You may see groups without an owner_name prefix on some ACLs; only system administrators can create such groups. All of the groups you create must have an owner_name prefix.
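As an added example (not part of the original guide), the shell function below checks a proposed group name against the owner_name:group_name format described above before you pass it to pts creategroup: it requires a colon, a non-empty part on each side of it, and an owner_name prefix equal to the user name you supply. The function name check_group_name and its error messages are this example's own; the naming rules referred to in To Create a Group are not on this page and are not checked here.

```shell
#!/bin/sh
# check_group_name NAME OWNER
# Returns 0 if NAME has the form owner_name:group_name with OWNER as the
# prefix; otherwise prints the reason to stderr and returns 1.
check_group_name() {
    name=$1
    owner=$2
    case $name in
        *:*) ;;
        *)   echo "$name: missing owner_name prefix" >&2; return 1 ;;
    esac
    prefix=${name%%:*}   # text before the first colon
    suffix=${name#*:}    # text after the first colon
    if [ -z "$prefix" ] || [ -z "$suffix" ]; then
        echo "$name: owner_name and group_name must both be non-empty" >&2
        return 1
    fi
    if [ "$prefix" != "$owner" ]; then
        echo "$name: prefix '$prefix' does not match owner '$owner'" >&2
        return 1
    fi
    return 0
}

# Example runs (terry:project passes; the other two are rejected).
check_group_name terry:project terry && echo "terry:project: ok"
check_group_name project terry       || echo "project: rejected"
check_group_name pat:team terry      || echo "pat:team: rejected"
```

Because group names must always be typed in full, a check like this is most useful inside a script that creates several groups at once, where a mistyped prefix would otherwise surface only as an error from pts.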

Group-creation Quota

By default, you can create 20 groups, but your system administrators can change your group-creation quota if appropriate. When you create a group, your group quota decrements by one. When a group that you created is deleted, your quota increments by one, even if you are no longer the owner. You cannot increase your quota by transferring ownership of a group to someone else, because you are always recorded as the creator.

If you exhaust your group-creation quota and need to create more groups, ask your system administrator. For instructions for displaying your group-creation quota, see To Display A Group Entry.