Skip to content Skip to site navigation

Setting Permissions with Macintosh

To increase security and reduce risk, Stanford is sunsetting its AFS service for web hosting and file storage. While you can still access AFS using your valid Stanford SUNetID, there are more secure web hosting platforms and document management solutions to which you should transition.

To reduce the use of AFS, UIT has taken these actions:

  • UIT no longer automatically provisions new faculty and staff members with AFS user volumes. New faculty or staff who need a personal user volume must submit a Help request.
    • This change does not impact existing AFS directories or the process for adding permissions for new individuals to those existing directories. Your existing space and everything in it remains intact.
    • This change does not impact auto-provisioning of new AFS user volumes for students and postdocs.

    See New Process for Provisioning AFS User Volumes for more information.

  • All user, dept, and group AFS volumes must be renewed annually or they will be locked, archived, and permanently deleted as detailed in the AFS Volume Expiration Policy.


Permissions determine who's allowed to see, change, or move your AFS files. The permissions you set don't work on the files themselves: they work on the folders that hold the files. On this page we show you how to add, remove, and edit permissions using Macintosh OS X computers.

The following example shows how to set permissions on a folder located inside your personal WWW folder.

Note: You can also set folder permissions from the UNIX command line. First, make sure you are logged into Kerberos. Then, log into one of the shared UNIX workstations. See Setting Permissions with UNIX for more information.

Get to your destination

To get your AFS home folder, log into WebAFS.   Inside your home folder are your WWW files and folders. Click the WWW folder to open it.

Check the box to the left  the folder for which you want to set permissions and then under Actions click Set Permissions for Folder.

The Permissions Manager window will appear. In the "Normal Rights for folder name" section of this window you can see which permissions are currently controlling your folder.

Permissions Manager window

Are you allowed to set permissions?

If you do not have the administrative privileges required to set permissions in this folder, the Set Permissions for Folder action is unavailable.  The Are you allowed to set permissions page suggests ways to get administrative privileges. When you're in your own home folder you almost always have administrative  privileges, but when you're not in your own home folder this issue is crucial.

How to set permissions

Note: The "Commonly used permissions" section, below, gives you more information about what these permissions are and what they do.

To add permissions

  1. In the Permissions Manager window, enter the SUNet ID of the person you want to add.
  2. Check the boxes for the permissions you want to grant to this person. For example, to grant "Write" permission, check the boxes for lookup, read, write, insert, delete, and lock.

    give someone write permission to selected folder
  3. Click Save Permissions.

To remove permissions

  1. Locate the SUNet ID of the person you want to remove in the Permissions Manager window.
  2. Uncheck all the boxes associated with that SUNet ID.
  3. Click Save Permissions.

To edit permissions

  1. Locate the SUNet ID of the person whose permissions you want to change in the Permissions Manager window.
  2. Check or uncheck the permissions you want to grant this person.
  3. Click Save Permissions.

Commonly used permissions

This section tells you which permissions to assign based on what you want to do. These are the most commonly used permissions. You can set even pickier permissions if you need to.

Look but don't touch (known as "Read" permissions) — Check the following boxes:

lookup and read
This lets people list your files, and open your files so they can read them, but prevents them from changing anything.

Almost total power (known as "Write" permissions) — Check the following boxes:

lookup, read, write, insert, delete, and lock 
This lets someone work in your folder, change files, delete them, add new files, etc., but prevents them from letting other people into your folder(s).

Total power (known as "All" permissions) — Check the following boxes:

lookup, read, write, insert, delete, lock, and administer
Be stingy when granting these administrative permissions! The wrong person can wreak havoc in your folders.

To lock someone out of a directory (this permission is called "None")

Use the instructions (above) for removing permissions. This works even if the SUNet ID you remove had admin permissions. Note, however, that if this person is a member of a group permission they might still be able to influence your folder.

If you're an instructor and are having many students submit tests, papers, homework, etc. into a single directory, you'll want to prevent the files they submit from being altered once they're added to the directory, and also prevent students from accidentally reading or deleting other students' work.

Use the instructions above to:
  1. Add or edit an entity called: system:anyuser (It's not a SUNet ID, but works nevertheless.)
  2. Check the following boxes: lookup, insert, and lock.
If you have to add "system:anyuser", don't forget to add that colon between the words "system" and "anyuser".
Last modified December 9, 2015