Overview
Access Control Lists -- known as ACLs (pronounced "ackles") -- determine who's allowed to see, change, or move your AFS files. The permissions you set with ACLs don't work on the files themselves: they work on the folders that hold the files. On this page we show you how to add, remove, and edit permissions using a Windows XP or Vista computer.
Stanford OpenAFS makes this all possible. It puts AFS onto your desktop. If you don't have the program, you can obtain it from the Stanford OpenAFS site.
The following example shows how to set ACLs on a folder located inside your personal WWW folder.
- Get to your destination
- Are you allowed to set permissions?
- How to set ACLs
- Commonly used ACLs
- Setting pickier ACLs
- Setting group ACLs
- Tips and tricks
- What each "ACL" stands for
Get to your destination
Start Stanford OpenAFS and put your AFS Home Folder onto your desktop. If you need help doing this, see Using Stanford OpenAFS for Windows. Your home folder will open on your desktop. Inside this window are your WWW files and folders: you are now in AFS. Double-click the WWW folder to get inside it.
Right-click the folder for which you want to set permissions. A contextual menu for that folder will pop up.
Slide your cursor down to AFS on the menu. Move the cursor to the right to open the submenu.
Click Access Control Lists.
Note: Your menu screens may look slightly different depending on your operating system and desktop settings. The important instruction is to click AFS then Access Control Lists.
A Set AFS ACL window will appear. This window shows what permissions are currently controlling your folder.
Are you allowed to set permissions?
Check the "Normal" list window. Make sure you have the administrative permissions required to set ACLs in this folder. If your own SUNet ID does not appear in the folder with "rlidwka" permissions—it's that "a" at the end that's important—then you'll have to find a way to get administrative permissions before you can set ACLs. The Are you allowed to set permissions page suggests ways to get administrative permissions. When you're in your own home folder you almost always have "rlidwka" permissions, but when you're not in your home folder this issue is crucial.
How to set ACLs
We'll pretend you're adding, removing or changing ACLs for someone whose SUNet ID is "gsmith" and that you're going to give this person "write" privileges.
To add someone to the Access Control list
- Click the Add... button. An Add ACL Entry window will appear.
- In the Name: field type the SUNet ID of the person you want to add. In our example, you'd type: gsmith
- Click on the r - Read, l - Lookup, i - Insert, d - Delete, w - Write, and k - Lock buttons.
- Click the OK button.
- Check the Set AFS ACL window to make sure your addition was recorded.
- Click OK.
To remove someone from the Access Control List
- Click on and highlight the SUNet ID of the person you want to remove in the Set AFS ACL window.
- Click the Remove button.
- Check the Set AFS ACL window to make sure your removal was recorded.
- Click OK.
To edit permissions in the Access Control List
In our example there is no "gsmith" ACL in the Set AFS ACL window. In real life, however, you may want to update or edit ACLs from one kind of permission to another. The next section, Commonly used ACLs, tells you which ACLs give which permissions.
- Click on and highlight the SUNet ID you want to edit in the Set AFS ACL window.
- Click or unclick the "Permissions" buttons you want.
When you're done making changes in the Set AFS ACL window, click OK.
Commonly used ACLs
This page tells you which ACLs to assign based on what you want to do. These are the most commonly used ACLs. You can set even pickier ACLs if you need to.
We'll presume that you're inside the folder or directory you want to set ACLs in, know that you possess the administrative privileges to do so and, for the sake of example, want to give ACLs to someone with the SUNet ID of "gsmith".
- Look but don't touch - Click the following buttons:
  - r - Read and l - Lookup
  - This lets people list your files, and open your files so they can read them, but prevents them from changing anything. Double check your work in the Set AFS ACL window: you should see "<sunetid> rl".
- Almost total power - Click the following buttons:
  - r - Read, l - Lookup, i - Insert, d - Delete, w - Write, and k - Lock
  - This is the most popular ACL. It's called "Write" permission for short. It lets someone work in your folder, change files, delete them, add new files, etc. Double check your work in the Set AFS ACL window: you should see "<sunetid> rlidwk".
- Total power (administrative perms) - Click the following buttons:
  - r - Read, l - Lookup, i - Insert, d - Delete, w - Write, k - Lock and a - Administer
  - Be stingy when granting administrative permissions ... the wrong person can wreak havoc in your and other folders. Double check your work in the Set AFS ACL window: you should see "<sunetid> rlidwka".
- To kick someone out of a directory
  - Use the instructions (above) for removing someone from the Access Control List. This works even if the SUNet ID you remove had admin perms (rlidwka). Double check your work in the Set AFS ACL window: the SUNet ID of the person whose permissions you removed should be absent. Note, however, that if this person is a member of a group ACL they may still be able to influence your folder.
- If you're an instructor and are having many students submit tests, papers, homework, etc. into a single directory, you'll want to prevent the files they submit from being altered once they're added to the directory, and also prevent students from accidentally reading or deleting other students' work.
  - Use the instructions above to:
    - Add or edit an entity called: system:anyuser (It's not a SUNet ID, but works nevertheless.)
    - Click on the following buttons: l - List, i - Insert, and k - Lock
  - If you're adding it, don't forget the colon in the word "system:anyuser". Double check your work in the Set AFS ACL window: you should see "system:anyuser lik".
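The "double check your work" step above can also be done on the text that the OpenAFS command-line tool `fs listacl` prints for a folder. The following Python script is an added example, not part of the original page or of Stanford OpenAFS: it parses that output, names each entry using the combinations listed in this section, and flags entries that hold administer rights or groups that can alter files. The command line is not covered on this page; the sample output, the SUNet IDs "jdoe" and "tlee", and the function names are constructed for illustration.

```python
# Named combinations from the "Commonly used ACLs" section of this page.
PRESETS = {
    frozenset("rl"): "look but don't touch",
    frozenset("rlidwk"): "write (almost total power)",
    frozenset("rlidwka"): "administer (total power)",
    frozenset("lik"): "drop box (insert only)",
}

# Constructed sample in the layout printed by `fs listacl <folder>`.
SAMPLE = """Access list for . is
Normal rights:
  jdoe rlidwka
  gsmith rlidwk
  tlee rlidwka
  system:anyuser lik
"""

def parse_listacl(text):
    """Return {'normal': {name: rights}, 'negative': {name: rights}}."""
    acl = {"normal": {}, "negative": {}}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.lower().startswith("normal rights"):
            section = "normal"
        elif s.lower().startswith("negative rights"):
            section = "negative"
        elif section and len(s.split()) == 2:
            name, rights = s.split()
            acl[section][name] = rights
    return acl

def review(acl, owner):
    """List (name, rights, label, flags) for every entry in the Normal list."""
    findings = []
    for name, rights in acl["normal"].items():
        label = PRESETS.get(frozenset(rights), "custom")
        flags = []
        if "a" in rights and name != owner:
            flags.append("can change ACLs")        # the "a" at the end
        if ":" in name and set(rights) & set("wd"):
            flags.append("group can alter or delete files")
        findings.append((name, rights, label, flags))
    return findings

if __name__ == "__main__":
    for entry in review(parse_listacl(SAMPLE), owner="jdoe"):
        print(entry)
```

On a machine with OpenAFS installed, the same functions can be given the captured output of `fs listacl` for the folder you just edited.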