
Setting Permissions with Windows

To increase security and reduce risk, Stanford is sunsetting its AFS service for web hosting and file storage. While you can still access AFS using your valid Stanford SUNetID, there are more secure web hosting platforms and document management solutions to which you should transition.

To reduce the use of AFS, UIT has taken these actions:

  • UIT no longer automatically provisions new faculty and staff members with AFS user volumes. New faculty or staff who need a personal user volume must submit a Help request.
    • This change does not impact existing AFS directories or the process for adding permissions for new individuals to those existing directories. Your existing space and everything in it remains intact.
    • This change does not impact auto-provisioning of new AFS user volumes for students and postdocs.

    See New Process for Provisioning AFS User Volumes for more information.

  • All user, dept, and group AFS volumes must be renewed annually or they will be locked, archived, and permanently deleted as detailed in the AFS Volume Expiration Policy.

Overview

Access Control Lists -- known as ACLs (pronounced "ackles") -- determine who's allowed to see, change, or move your AFS files. The permissions you set with ACLs don't work on the files themselves: they work on the folders that hold the files. On this page we show you how to add, remove, and edit permissions using a Windows XP or Vista computer.

Stanford OpenAFS makes this all possible. It puts AFS onto your desktop. If you don't have the program, you can obtain it from the Stanford OpenAFS site.

The following example shows how to set ACLs on a folder located inside your personal WWW folder.


Get to your destination

Start Stanford OpenAFS and put your AFS Home Folder onto your desktop. If you need help doing this, see Using Stanford OpenAFS for Windows. Your home folder will open on your desktop. Inside this window are your WWW files and folders: you are now in AFS. Double-click the WWW folder to get inside it.

Right-click the folder for which you want to set permissions. A contextual menu for that folder will pop up.

Slide your cursor down to AFS on the menu. Move the cursor to the right to open the submenu.

Click Access Control Lists.

Note: Your menu screens may look slightly different depending on your operating system and desktop settings. The important instruction is to click AFS then Access Control Lists.

Contextual menu for folder

A Set AFS ACL window will appear. This window shows what permissions are currently controlling your folder.

Set AFS ACL dialog box

Are you allowed to set permissions?

Check the "Normal" list window. Make sure you have the administrative permissions required to set ACLs in this folder. If your own SUNet ID does not appear in the list with "rlidwka" permissions—it's that "a" at the end that's important—then you'll have to find a way to get administrative permissions before you can set ACLs. The Are you allowed to set permissions page suggests ways to get administrative permissions. When you're in your own home folder you almost always have "rlidwka" permissions, but when you're not in your home folder this issue is crucial.

How to set ACLs

We'll pretend you're adding, removing or changing ACLs for someone whose SUNet ID is "gsmith" and that you're going to give this person "write" privileges.

To add someone to the Access Control list

  1. Click the Add... button. An Add ACL Entry window will appear.

      Add ACL entry dialog box

  2. In the Name: field type the SUNet ID of the person you want to add. In our example, you'd type:
    gsmith
  3. Click on the r - Read, l - Lookup, i - Insert, d - Delete, w - Write, and k - Lock buttons.
  4. Click the OK button.
  5. Check the Set AFS ACL window to make sure your addition was recorded.
  6. Click OK.

To remove someone from the Access Control List

  1. Click on and highlight the SUNet ID of the person you want to remove in the Set AFS ACL window.
  2. Click the Remove button.
  3. Check the Set AFS ACL window to make sure your removal was recorded.
  4. Click OK.

To edit permissions in the Access Control List

In our example there is no "gsmith" ACL in the Set AFS ACL window. In real life, however, you may want to update or edit ACLs from one kind of permission to another. The next section, Commonly used ACLs, tells you which ACLs give which permissions.

  1. Click on and highlight the SUNet ID you want to edit in the Set AFS ACL window.
  2. Click or unclick the "Permissions" buttons you want.

When you're done making changes in the Set AFS ACL window, click OK.


Commonly used ACLs

This page tells you which ACLs to assign based on what you want to do. These are the most commonly used ACLs. You can set even pickier ACLs if you need to.

We'll presume that you're inside the folder or directory you want to set ACLs in, know that you possess the administrative privileges to do so and, for the sake of example, want to give ACLs to someone with the SUNet ID of "gsmith".

Look but don't touch - Click the following buttons:

r - Read and l - Lookup

This lets people list your files, and open your files so they can read them, but prevents them from changing anything. Double check your work in the Set AFS ACL window: you should see "<sunetid> rl".

Almost total power - Click the following buttons:

r - Read, l - Lookup, i - Insert, d - Delete, w - Write, and k - Lock

This is the most popular ACL. It's called "Write" permission for short. It lets someone work in your folder, change files, delete them, add new files, etc. Double check your work in the Set AFS ACL window: you should see "<sunetid> rlidwk".

Total power (administrative perms) - Click the following buttons:

r - Read, l - Lookup, i - Insert, d - Delete, w - Write, k - Lock and a - Administer

Be stingy when granting administrative permissions ... the wrong person can wreak havoc in your and other folders. Double check your work in the Set AFS ACL window: you should see "<sunetid> rlidwka".

To kick someone out of a directory

Use the instructions (above) for removing someone from the Access Control List. This works even if the SUNet ID you remove had admin perms (rlidwka). Double check your work in the Set AFS ACL window: the SUNet ID of the person whose permissions you removed should be absent. Note, however, that if this person is a member of a group that has its own ACL entry, they may still be able to influence your folder.

If you're an instructor and are having many students submit tests, papers, homework, etc. into a single directory, you'll want to prevent the files they submit from being altered once they're added to the directory, and also prevent students from accidentally reading or deleting other students' work.

Use the instructions above to:
  1. Add or edit an entity called: system:anyuser (It's not a SUNet ID, but works nevertheless.)
  2. Click on the following buttons: l - Lookup, i - Insert, and k - Lock


If you're adding it, don't forget the colon in the word "system:anyuser". Double check your work in the Set AFS ACL window: you should see "system:anyuser lik".
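
To review a folder's ACL against the guidance above (the named permission sets, being stingy with "a", group entries that outlive a removed SUNet ID, and the "lik" drop box), the following added example, which is not part of the original page or of Stanford OpenAFS, parses an ACL listing and flags entries worth a second look. It assumes the text layout printed by the OpenAFS command-line tool fs listacl; the sample listing, the owner "jdoe" and the group "jdoe:ta-staff" are constructed for illustration.

```python
# Added example: audit an AFS ACL listing against the guidance on this page.
ORDER = "rlidwka"  # read, lookup, insert, delete, write, lock, administer
NAMED = {"rl": "look but don't touch", "rlidwk": "write",
         "rlidwka": "administer", "lik": "drop box"}

# Constructed sample in the layout printed by OpenAFS `fs listacl`;
# the path, jdoe and jdoe:ta-staff are made up for illustration.
SAMPLE = """\
Access list for /afs/example/users/j/jdoe/WWW/project is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  jdoe rlidwka
  gsmith rlidwka
  jdoe:ta-staff rlidwk
"""

def classify(rights):
    """Map a rights string (any letter order) to the page's short name."""
    canon = "".join(sorted(set(rights), key=ORDER.index))
    return NAMED.get(canon, "custom")

def parse_listacl(text):
    """Return {'normal': {name: rights}, 'negative': {name: rights}}."""
    acl, section = {"normal": {}, "negative": {}}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.lower().startswith(("normal rights", "negative rights")):
            section = line.split()[0].lower()
        elif section and line:
            name, _, rights = line.rpartition(" ")
            if not name or set(rights) - set(ORDER):
                raise ValueError(f"unrecognised ACL line: {line!r}")
            acl[section][name] = rights
    return acl

def audit(acl, owner):
    """Return (name, issue) pairs worth a second look."""
    findings = []
    for name, rights in acl["normal"].items():
        eff = set(rights) - set(acl["negative"].get(name, ""))
        if "a" in eff and name not in (owner, "system:administrators"):
            findings.append((name, "admin"))           # can rewrite this ACL
        if name == "system:anyuser" and eff & set("dwa"):
            findings.append((name, "world-writable"))  # anyone can alter files
        if ":" in name and not name.startswith("system:"):
            findings.append((name, "group"))           # members keep access
    return findings

if __name__ == "__main__":
    for name, issue in audit(parse_listacl(SAMPLE), owner="jdoe"):
        print(f"{name}: {issue}")
```

A "group" finding is not an error by itself; it marks the entries to check when you remove an individual and need that person to lose access.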
Last modified December 9, 2015