University of Notre Dame > OIT

Office of Information Technologies


AFS Access Rights

Security Considerations
Modifying AFS Access Rights Using WebFile
Groups

Security Considerations

When modifying the access rights of your AFS storage, it is important to recognize that you could unintentionally expose your information to the entire Internet. Such exposure could be a violation of the ND Information Security Policy.

All AFS accounts are created with the following directories and default settings (as shown in WebFile):

| Folder Name | User/Group | Access Rights | Summary |
|---|---|---|---|
| Private | owner (your NetID) | All | With this setting, you have full access to the contents of this folder, but others cannot see any of the files |
| Public | owner (your NetID) | All | With these settings, you have full access to the contents of this folder, and anyone on the Internet can also see (read) them |
| | system:anyuser | Read | |
| www | owner (your NetID) | All | With this setting, you have full access to the contents of this folder, and anyone on the Internet can see (read) them, most commonly when using a web browser |
| | system:anyuser | Read | |

When you create new folders, they inherit the access rights of the parent folder unless you specifically modify those settings.

Modifying AFS Access Rights Using WebFile

AFS uses Unix-like access rights for determining a user’s permissions to a particular file or folder. While these can be manipulated through a command prompt, most users will probably find WebFile’s graphical interface to be easier to navigate to assign the desired permissions to the folders.

To view or change your current AFS access rights (also called ACLs, for Access Control Lists) in WebFile:

  1. Navigate to the folder you want to check the ACLs on.
  2. Click on the Access Rights button.
  3. You will get a window like this one:
    [Screenshot: aclpage1.jpg]
  4. Scroll down to the “Change Existing ACLs at netid/FolderName/” section.
  5. The columns in this section mean the following:
    • The “User/Group” column will list the NetIDs of users or the names of groups (more on that later) who have rights to that space.
      • The group “system:anyuser” grants the listed access rights to anyone, including anyone on the Internet. Typically, this should be just “List Only” or “None”.
    • The “Access Rights” column will list the various options for access rights that user/group has.
      • List Only: This means they can see the folder contents but cannot open the folders or files within it. This setting is usually one put in place by the system itself.
      • Read: This setting means that user/group can see the files/folders in this folder and open the file/folder for viewing. They cannot change the file at all.
      • Write: This allows a user/group to edit or delete existing files or create new ones. It also allows all rights that Read gives.
      • All: This gives a user/group all the rights of Write and Read, and in addition this user can alter the access rights to these folders. Typically, this level of access should only be given to the owner of the file space.
      • None: This revokes all access to the folder.
    • The “Change To” drop down will list the available access rights for each user.
  6. To change access rights, simply select the rights you want to give to that particular user/group in the “Change To” column and scroll down and click the “Change ACL” button.
  7. To remove a user’s or group’s access, set their “Change To” column to “None” and click the “Change ACL” button.
  8. To give someone rights to this folder, scroll to the “Add New Access Rights” section, enter their NetID in the User/Group column and select the level of access rights you want to grant them. (See the “Access Rights” descriptions in step 5 for these access levels.)
    If you want these users to have access to all the folders within this one, check the box labeled “Change access rights for all sub directories within”. (For example, if netid/MySharedFolder contains a folder “NeatStuff” and you want them to have the same rights in “NeatStuff” that you’re giving them in “MySharedFolder”, check the box.)
    When you have things set correctly, click the “Change ACLs” button.
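
Because new folders inherit the parent's access rights and “system:anyuser” should normally be limited to “List Only” or “None”, it is worth auditing existing folders from the command prompt as well. The following is an added example, not part of the original page or of OIT's tooling: it parses the output of the OpenAFS `fs listacl` command and flags folders where system:anyuser holds more than list access. It assumes WebFile's “List Only” corresponds to the AFS right `l`; the cell name, NetID and folder names in the sample are constructed.

```python
import re

# Constructed sample of `fs listacl` output; cell name, NetID and folders are made up.
SAMPLE = """\
Access list for /afs/example.edu/user/j/jdoe/Private is
Normal rights:
  jdoe rlidwka
Access list for /afs/example.edu/user/j/jdoe/Public/drafts is
Normal rights:
  system:anyuser rl
  jdoe rlidwka
Access list for /afs/example.edu/user/j/jdoe/MySharedFolder is
Normal rights:
  system:anyuser rlidwk
  jdoe:team rl
  jdoe rlidwka
"""

# AFS rights letters: l = list, r = read, i/d/w/k = change content, a = change the ACL.
MODIFY = set("idwka")

def parse_listacl(text):
    """Return {directory: {user_or_group: rights}} for the 'Normal rights' entries."""
    acls, current, normal = {}, None, False
    for line in text.splitlines():
        m = re.match(r"Access list for (.+) is$", line)
        if m:
            current, normal = acls.setdefault(m.group(1), {}), False
        elif line.strip().endswith("rights:"):
            # Entries under "Negative rights:" deny access, so they are skipped.
            normal = line.strip() == "Normal rights:"
        elif current is not None and normal and len(line.split()) == 2:
            who, rights = line.split()
            current[who] = rights
    return acls

def audit_anyuser(acls):
    """Flag folders where system:anyuser has more than list-only access."""
    findings = []
    for path, entries in sorted(acls.items()):
        rights = set(entries.get("system:anyuser", ""))
        if rights & MODIFY:
            findings.append((path, "WORLD-WRITABLE"))
        elif "r" in rights:
            findings.append((path, "WORLD-READABLE"))
    return findings

if __name__ == "__main__":
    for path, finding in audit_anyuser(parse_listacl(SAMPLE)):
        print(f"{finding:15} {path}")
```

A folder such as Public/drafts is flagged even though nobody edited its ACL, because it inherited Read for system:anyuser from its parent when it was created.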

Groups

You can create groups to simplify granting and revoking access across a number of different folders. To use a group you created, enter “netid:groupname” in place of a NetID in the access rights section above. You then only need to add or remove members of the group, rather than add or remove individual NetIDs from ACLs.

To manage your groups, click the “Group Management” button.
You should get this window:
[Screenshot: groupmanagement.jpg]

To create a group, enter the name in the “New Group Name” box and click “Create It”.

To manage an existing group, choose it in the “Groups you own” drop down and click “Select It”.

After creating a new group or managing an existing group, the following will show up beneath the initial options on the page:
[Screenshot: groupedit.jpg]

To remove current group members, simply select them in the “Member List”, make sure the button is set to “remove selected member(s)”, and click “Change Group”.

To add new group members, enter their NetIDs into the “Member list to add” box and click “Change Group”.

To delete a group, select the “delete the group” option and click “Change Group”.

 

For information about setting access rights in AFS, please refer to the WebFile documentation.

If you have additional questions or problems, please contact the OIT Help Desk at 574-631-8111.

 
 
