Access Control List Basics

Mosaic is using a distributed file system called AFS. This file system is a little different from most systems using NFS or some other distributed file system. The most important difference to the user is in the directory/file protection mechanism.


Access Control Lists

Access control lists (ACLs) are a method of specifying who has permissions to access files and directories. AFS uses ACLs to control access more precisely.

  • AFS uses seven access rights.
  • AFS defines three standard groups, and allows users to create additional groups.

All accounts on the Mosaic system have default ACL permissions. These permissions allow only the owner of a directory to access the files in that directory.

There are seven access rights in the AFS directories. The rights apply to the directory and all files in the directory, including sub-directories. The seven rights may be divided into "Directory" rights and "File" rights.

Directory rights are:

    (l) Lookup     - the right to "see" files & sub-directories
    (i) Insert     - the right to add new files & sub-directories
    (d) Delete     - the right to remove files & sub-directories
    (a) Administer - the right to change ACLs for the directory

File rights are:

    (r) Read       - the right to read data in files
    (w) Write      - the right to modify data in files
    (k) Lock       - the right to issue file locking commands

Access rights are specified in a string of letters. For example, the rights to read and lookup are specified as "rl". All rights would look like "rlidwka". There are also special words that combine specific rights:

    all   - all seven rights (rlidwka)
    none  - no rights
    read  - the right to read and lookup (rl)
    write - all rights except administer (rlidwk)

There are several consequences to defining access at the directory level. These are:

  • Files inherit the access rights associated with their parent directory.
  • Sub-directories inherit the access rights of their parent directory when created.

AFS allows you to deny access by setting "negative" rights. Negative rights are a way of explicitly denying a user or group permission to perform the specified actions. Normal rights grant a user or group permission to perform the specified actions.

AFS Groups

AFS defines three special groups for access control lists. You do not have control over the membership of these groups. Keep this in mind when you grant access to one of these groups.

The system defined groups are:

    system:anyuser        - everyone who can gain access to Mosaic, including through the Internet
    system:authuser       - everyone who is "authenticated" on Mosaic
    system:administrators - a few Mosaic administrators.

The term "authenticated on Mosaic" means anyone with a valid Mosaic account. The group system:anyuser should be considered to be the public at large. The group system:authuser should be considered to be the student, faculty, and staff of UNC Charlotte.
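
The following Python code is an added example, not part of the original Mosaic documentation. It expands the rights strings and shorthand words described above, removes negative rights from the combined normal rights of a user and their groups, and lists grants made to system:anyuser and system:authuser so they can be reviewed. The function names, the users alice and bob, and the sample ACL are constructed for illustration.

```python
# Added example: evaluates AFS-style ACL entries as described on this page.
# Function names and the sample ACL are constructed for illustration.
ALL_RIGHTS = "rlidwka"
SHORTHAND = {"all": "rlidwka", "none": "", "read": "rl", "write": "rlidwk"}
# Groups whose membership a directory owner does not control (from the page).
BROAD_GROUPS = ("system:anyuser", "system:authuser")


def parse_rights(spec):
    """Expand a shorthand word, or validate a string of right letters."""
    letters = SHORTHAND.get(spec, spec)
    unknown = set(letters) - set(ALL_RIGHTS)
    if unknown:
        raise ValueError(f"unknown access right(s) in {spec!r}: {sorted(unknown)}")
    return set(letters)


def effective_rights(acl, user, groups):
    """Return the rights a user ends up with on a directory.

    acl is a list of (principal, rights_spec, is_negative) tuples. Rights
    granted to the user or any of their groups are combined, then every
    right named in a matching negative entry is removed.
    """
    principals = {user, *groups}
    granted, denied = set(), set()
    for principal, spec, is_negative in acl:
        if principal in principals:
            (denied if is_negative else granted).update(parse_rights(spec))
    remaining = granted - denied
    return "".join(r for r in ALL_RIGHTS if r in remaining)


def broad_grants(acl):
    """List normal (non-negative) grants to system:anyuser / system:authuser."""
    return [(p, "".join(r for r in ALL_RIGHTS if r in parse_rights(s)))
            for p, s, neg in acl if p in BROAD_GROUPS and not neg and parse_rights(s)]


# Constructed sample ACL for one directory.
SAMPLE_ACL = [
    ("alice", "all", False),
    ("system:authuser", "read", False),
    ("system:anyuser", "l", False),
    ("bob", "r", True),  # negative entry: explicitly deny read to bob
]

if __name__ == "__main__":
    authed = ["system:authuser", "system:anyuser"]
    print("alice:", effective_rights(SAMPLE_ACL, "alice", authed))
    print("bob:", effective_rights(SAMPLE_ACL, "bob", authed))
    print("review:", broad_grants(SAMPLE_ACL))
```

In the sample, bob would receive "rl" through system:authuser, but the negative entry removes "r" and leaves only lookup.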