Skip to main content

Are You Allowed to Set Permissions?

To increase security and reduce risk, Stanford is sunsetting its WebAFS service that is used to upload and download files to AFS.

To optimize AFS and make sure it is serving its intended functions, UIT has also taken these actions:

  • UIT no longer automatically provisions new faculty and staff members with AFS user volumes. New faculty or staff who need a personal user volume must submit a Help request.
    • This change does not impact existing AFS directories or the process for adding permissions for new individuals to those existing directories. Your existing space and everything in it remains intact.
    • This change does not impact the auto-provisioning of new AFS user volumes for students and postdocs.

​Class volumes do not expire and are kept indefinitely. This is an official academic policy, and any change to this policy must be considered by the Faculty Senate.

Overview

Before you start worrying about how to give permissions, you should know if you have the administrative ability to do so. If you don't, we give you tips for gaining admin power.

Are you allowed to set permissions?

In the example below, your SUNet ID is "jdoe" and you want to set ACLs in a directory called "rocketscience" in the "dept" section of Stanford's AFS space. It would therefore be located at the end of the following directory path in AFS: /afs/ir/dept/rocketscience/. You'll use the "cd" command to get there. If this sounds like gobbledygook, take a look at the Navigating AFS page or just follow along using the directory in which you really want to set permissions instead of our hypothetical "rocketscience" directory..

1) Log into Stanford Unix.

2) Go to the directory where you'd like to set permissions.

a) In this example, you'd type:
cd /afs/ir/dept/rocketscience/
b.) You can always tell if you're in the right directory because the command prompt will be augmented with your present location. In other words, a command prompt that used to look something like this:
cardinal4:>
shows your location in AFS like this:
cardinal4: /afs/ir/dept/rocketscience/>

3.) Check the ACLs in that directory.

At the command prompt, while in this directory, type:

fs la
For the purposes of our example, you'll probably see something like this in response:
Access list for . is
Normal rights:
     rocketscience-admins rlidwka
     system:dept-admin rlidwka
     system:backup rl
     system:administrators rlidwka
     system:anyuser rl
     jdoe rlidwka

Look for your Sunet ID in the ACL list. If it's there, with "rlidwka" listed afterward, as shown in the example, ("jdoe rlidwka" at the bottom of the list) then you're ready to set ACLs. Go to the Commonly used ACLs section of the How to set permissions with ACLs page .

4.) Tips for getting admin power

  • If your SUNet ID is not displayed in the ACL list, or if your SUNet ID is displayed with only "rlidwk" afterward (you need the "a" at the end: it's what gives you "administrative" power), then you can't set ACLs. But all is not lost.

    Your SUNet ID may not be showing up because it's actually located in your department's admin group. In our example, the entry called "rocketscience-admin" in the ACL list is tyical of groups created by or composed of people with administrative control over a directory. To find out if you're a member of this "pts" group, type "pts mem <groupname>" at the command prompt (as in pts mem rocketscience-admin). The system will display the SUNet IDs of everyone in that group. Since the group has "rlidwka" privileges, if your SUNet ID is among those displayed it means that you too possess administrative privileges.


  • If your SUNet ID is not displayed in the ACL list, and you have only "rlidwk" privileges (or less), and you're not a member of a pts group that has "rlidwka" privileges, you may still have hope. You need to find someone who has administrative permissions and ask about obtaining them for yourself in that directory. You can probably find that someone by scanning the ACL list on your screen.

    • If there is another SUNet ID in the ACL list that has "rlidwka" privileges it may belong to a colleague or someone you know. If you can't identify the person by their SUNet ID, either 1) type the word "whois" and their SUNet ID at the command line (as in "whois jdoe") or 2) go to the Stanfordwho page on the web, use the "for Stanford community members only" link, and scroll down to the "Or find the person by SUNet ID" field.

    • Use the same "pts mem <groupname> technique you did before. After issuing the "pts mem" command on your rocketscience-admins group, scan the results to see if there's anyone you know, or use a "whois" look up as described above to find out which SUNet IDs belong to which people. Note that this only works for admin groups peculiar to your department. Other groups in the ACL list -- system:dept-admin, system:backup, system:administrators, etc. -- won't be able to help you.

    • Still no luck? Use the "cd ../" command to move up one directory. You might find people with control over your sub-directory in the ACL list of the directory right above the one you're in.
Last modified