Managing Access to AFS Group Directories for Web Sites

Overview

This document explains how to grant and remove individuals' access to the files used for publishing a group website at the University of Michigan.

How Access to Your Web Pages Is Controlled

If you have used group space in AFS to publish a website, you have an AFS directory where your website's pages are stored. Access to that space is controlled using:

  • Permission groups (also called pts groups)
  • Permissions (also called ACLs)

Generally, two pts groups are created for you when your group space is set up. The names of these groups are derived from the name of your group's directory in AFS.

If the URL for your group's website is, for example, http://www.umich.edu/~groupname, then the name of your group directory space in AFS is groupname, and the names of the pts groups used to provide access to change your web page files are:

  • groupname (the pts group for people with full access to make changes)
  • groupname:members (the pts group for people with read access only)

These groups are given different permissions to access and make changes to your webpages.

Permissions diagram: The administrators pts group is given full access to the AFS group directory and can make changes. The members pts group is given read access only.

To give people full access to your webpages so that they can make changes, add them to the administrators pts group for your AFS group directory. Remember to remove people from that group when they no longer need access.

Permissions diagram: Add people to the administrators pts group to give them full access to change web pages in group directory.

First, Make Sure You Have Permission to Change the pts Group

Only people who are members of the "administrators" group can make changes to the group's membership. To find out if you are a member of the group, you will need to log in to the ITS Login Service and type a Unix command to list the members.

Log in to the Login Service

  1. Use secure software to connect to the Login Service (login.itd.umich.edu).

    • Windows: Use SSH Secure Shell software. For more information, see Using SSH Secure Shell to Connect to Host Computers [Windows].

    • Mac OS X: Mac OS X comes with SSH software called Terminal. Open the Applications folder, then the Utilities folder to find it. Open Terminal and enter this command: ssh login.itd.umich.edu
      Tip: If you have installed the Blue Disc's U-M SSH Connections shortcut, you will be immediately connected to the Login Service and prompted for your password.

  2. At the login prompt, enter your uniqname and press the Enter or Return key.

  3. At the password prompt, enter your UMICH password and press Enter or Return.

List the Members of Your Administrators pts Group

  1. At the Login Service's % prompt, type this command:

    pts membership groupname

    where you have substituted the name of your pts group for groupname. For example, if you wanted to see the members of a pts group called "testgroup," you would type pts membership testgroup.

  2. Press the Enter or Return key.

  3. The uniqnames of the members of your administrators pts group will be listed.

    • If your uniqname is in the list, you have permission to make changes and give people access to your group AFS space.

    • If your uniqname is not in the list, you will not be able to make changes. Contact one of the group members and ask that he or she add you to the pts group. Instructions for adding people are provided below.

Exit the Login Service

  1. At the % prompt, type exit.

  2. Quit or exit your SSH program.

Giving Other People Full Access

Give other people access to change files in your webspace by adding them to your administrators pts group.

  1. Log in to the Login Service.

  2. At the % prompt, type this command:

    pts adduser uniqname groupname

    where you have substituted the uniqname of the person you want to add for uniqname and have substituted your own group name for groupname. For example, if you wanted to add a person whose uniqname was bjensen to the testgroup pts group, you would type:
    pts adduser bjensen testgroup

  3. Press Enter or Return. You will be returned to the % prompt. You will not see confirmation that the person was added. You can check by listing the members of the group if you wish.

  4. Repeat Step 1 for each person you wish to add to the pts group.

  5. Exit the Login Service.

Removing Access

Rescind individuals' access by removing them from your "administrators" pts group.

  1. Log in to the Login Service.

  2. At the % prompt, type this command:

    pts removeuser uniqname groupname

    where you have substituted the uniqname of the person you want to remove for uniqname and have substituted your own group name for groupname. For example, if you wanted to remove a person whose uniqname was bjensen from the testgroup pts group, you would type:
    pts removeuser bjensen testgroup

  3. Press Enter or Return. You will be returned to the % prompt. You will not see confirmation that the person was removed. You can check by listing the members of the group if you wish.

  4. Repeat Step 1 for each person you wish to remove from the pts group.

  5. Exit the Login Service.
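
The following membership review is an added example, not part of the original ITS document. It reads the output of the pts membership command shown above, compares it with a list of people who should still have access, and prints the pts removeuser and pts adduser commands needed to reconcile the two. The approved-list file, the function names, and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare a pts group's members with an approved list and
# print the pts commands that would reconcile them. It changes nothing itself.

# parse_members: read `pts membership` output on stdin and print one name per
# line, dropping the "Members of ... are:" header and the indentation.
parse_members() {
    sed -e '/^Members of /d' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' -e '/^$/d' | sort -u
}

# review_group GROUP APPROVED_FILE  (membership output arrives on stdin)
# APPROVED_FILE is a hypothetical file with one approved uniqname per line.
review_group() {
    group=$1
    current=$(parse_members)
    wanted=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$2" | sort -u)
    # Members who are no longer approved: access to rescind.
    printf '%s\n' "$current" | while IFS= read -r u; do
        [ -n "$u" ] || continue
        printf '%s\n' "$wanted" | grep -qxF -- "$u" ||
            echo "pts removeuser $u $group"
    done
    # Approved people who are not yet members.
    printf '%s\n' "$wanted" | while IFS= read -r u; do
        [ -n "$u" ] || continue
        printf '%s\n' "$current" | grep -qxF -- "$u" ||
            echo "pts adduser $u $group"
    done
}

# demo: constructed sample data, not output captured from a real cell.
demo() {
    list=$(mktemp)
    printf 'bjensen\nasmith\nnewhire\n' > "$list"
    printf 'Members of testgroup (id: -1234) are:\n  bjensen\n  asmith\n  oldstaff\n' |
        review_group testgroup "$list"
    rm -f "$list"
}

demo
```

On the Login Service, the same check would be run as pts membership groupname | review_group groupname approved.txt, with the printed commands reviewed before any of them is typed.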

Limiting Permissions for Certain People

You may wish to grant certain individuals more limited access to your web pages. For example, you might want to give people access to make changes to the web pages but not give them permission to make changes to the membership of your pts group. You can do this for people as individuals, or you can create a pts group and then apply permissions to it.

Note for Unix users: If you are comfortable using Unix commands, you can use ACLs instead of MFile to set permissions. See Using Access Control Lists (ACLs) With AFS Directories and Folders for details about setting ACLs.

For Individuals

  1. Log in to MFile.
    (See Using Your AFS Home Directory Over the Web with MFile for instructions for using MFile.)

  2. Navigate to your group directory and check the checkbox next to your group directory name. Then click Set Permissions for Folder.
    Tip: If you do not know the location of your group directory in AFS, contact the ITS consultants (764-HELP or [email protected]) for help.

    Screen shot of checking the checkbox and clicking Set Permissions.

  3. In the Permissions Manager, type the uniqname of the person you want to give access to in the text box, check the appropriate checkboxes to select the permissions you want, then click Save Permissions.
    Tip: Definitions of the permissions (lookup, read, and so on) are in the Setting Folder Permissions section of ITS's MFile documentation.

    Screen shot of Permissions Manager.

  4. Repeat steps 2-3 for each uniqname whose permissions you are updating.

  5. Log out of MFile by clicking the logout button when you are finished.

For a Group

First, create a pts group and add people to it:

  1. Log in to the Login Service.

  2. At the % prompt, type this command:

    pts creategroup parentgroupname:newgroup -o parentgroupname

    where you have substituted the name of your group directory for parentgroupname and a name for your new group for newgroup. For example, if your group directory name was testgroup, you would type pts creategroup testgroup:limited -o testgroup, and the name of your new group would then be testgroup:limited.

  3. The Login Service will confirm creation of the group by listing its ID number.

  4. Add people to the group (see instructions for adding people above). Remember to add yourself! You will not be included as a member automatically.

  5. Exit the Login Service.

    Note: If you need help, you can ask the AFS Support Team to create the pts group for you. Email them at [email protected].

Then, assign permissions to the pts group using MFile:

  1. Log in to MFile.
    (See Using Your AFS Home Directory Over the Web with MFile for instructions for using MFile.)

  2. Navigate to your group directory and check the checkbox next to your group directory name. Then click Set Permissions for Folder.
    Tip: If you do not know the location of your group directory in AFS, contact the ITS consultants (764-HELP or [email protected]) for help.

    Screen shot of checking the checkbox and clicking Set Permissions.

  3. In the Permissions Manager, type the name of your pts group in the text box, check the appropriate checkboxes to select the permissions you want, then click Save Permissions.
    Tip: Definitions of the permissions (lookup, read, and so on) are in the Setting Folder Permissions section of ITS's MFile documentation.

    Screen shot of Permissions Manager.

  4. Log out of MFile by clicking the logout button when you are finished.

Updating Your Web Pages

You can use MFile to download the files for your web pages to your computer. You can then make changes to those files and upload the revised copies. See Using Your AFS Home Directory Over the Web with MFile for instructions on using MFile.

If you do not know the location of your group directory in AFS, contact the ITS consultants (764-HELP or [email protected]) for help.

Last Updated: Thursday, March 20, 2014 - 00:00