
STANFORD UNIVERSITY

INFORMATION TECHNOLOGY SERVICES

Setting permissions: Macintosh

Overview

Access Control Lists -- known as ACLs (pronounced "ackles") -- determine who's allowed to see, change, or move your AFS files. The permissions you set with ACLs don't work on the files themselves: they work on the folders that hold the files. On this page we show you how to add, remove, and edit permissions using Macintosh OS 10.x computers.

A program called Stanford OpenAFS makes all this possible. It puts AFS onto your desktop. If you don't have Stanford OpenAFS, you can download it for free.

The following example shows how to set ACLs on a folder located inside your personal WWW folder.


Get to your destination

To get your AFS home folder onto your desktop, click and hold the Stanford Desktop Tools icon to display a popup menu. Then, click Mount AFS Volume. (Alternatively, from your Applications folder click Stanford, click AFS, and double-click AFS Controller.) When the Mount AFS Volume window opens, under "Mount volume belonging to," click My Home and then click Mount. If you need help doing this, see Using Stanford OpenAFS for Macintosh. A window will open on your desktop. Inside this window are your WWW files and folders: you are now in AFS. Double-click the WWW folder to open it.

Hold down the CONTROL key and click-hold on the folder for which you want to set permissions. A contextual menu for that folder will pop up. Slide your cursor down to AFS on the menu, then move the cursor to the right to open the "Access Control List..." submenu.

An Access Control List window will appear. In the "Normal Permissions" section of this window you can see which permissions are currently controlling your folder.

Are you allowed to set permissions?

Check the "Normal Permissions" window. Make sure you have the administrative permissions required to set ACLs in this folder. If your own SUNet ID does not appear in the folder with "rlidwka" permissions -- it's that "a" at the end that's important -- then you'll have to find a way to get administrative permissions before you can set ACLs. The "Are you allowed to set permissions" page suggests ways to get administrative permissions. When you're in your own home folder you almost always have "rlidwka" permissions, but when you're not in your own home folder this issue is crucial.

How to set ACLs

We'll pretend you're adding, removing or changing ACLs for someone whose SUNet ID is "gsmith", and that you're going to give this person "Write" privileges.

To add someone to the Access Control list

  1. Click the Add... button. A nameless dialog box will appear.
  2. In the Name: field type the SUNet ID of the person you want to add. In our example, you'd type:
    gsmith
  3. Click on the Read (r), Lookup (l), Insert (i), Delete (d), Write (w), and Lock (k) buttons.
  4. Click the Save button.
  5. The Access Control List window will refresh itself: check to see that the ACL you set has indeed been added.

To remove someone from the Access Control List

  1. Click on and highlight the SUNet ID of the person you want to remove in the Normal Permissions window.
  2. Click the Delete button.
  3. A Delete Permission box will appear, asking if you're sure about this. Click the Delete button.
  4. The Access Control List window will refresh to indicate the ACL you deleted is gone.

To edit permissions in the Access Control List
In our example there is no "gsmith" ACL in the Access Control List window. In real life, however, you may want to update or edit ACLs from one kind of permission to another. The next section, Commonly used ACLs, tells you which ACLs give which permissions.

  1. Click on and highlight the SUNet ID you want to edit in the Access Control List window.
  2. Click the Edit... button. A nameless dialog box will appear.
  3. Click or unclick the "Permissions" buttons you want individually, as in the "Adding" section above, or use the drop-down menu to choose common, pre-selected suites of ACLs. The next section, Commonly used ACLs, gives you more information about what these common selections are and what they do.
  4. Click the Save button.
  5. The Access Control List window will refresh itself: check to see that the ACL you edited has been set to your liking.

When you're done making these changes click on the red "X" button in the upper left of the Access Control List window.


Commonly used ACLs

This page tells you which ACLs to assign based on what you want to do. These are the most commonly used ACLs. You can set even pickier ACLs if you need to.

We'll presume that you're inside the folder or directory you want to set ACLs in and know that you possess the administrative privileges to do so.

Look but don't touch (known as "Read" permissions) - Click the following buttons:

Read (r) and Lookup (l)

This lets people list your files, and open your files so they can read them, but prevents them from changing anything. Double check your work in the Access Control List window: you should see "<sunetid> rl".

Almost total power (known as "Write" permissions) - Click the following buttons:

Read (r), Lookup (l), Insert (i), Delete (d), Write (w), and Lock (k)

This is the most popular ACL. It lets someone work in your folder, change files, delete them, add new files, etcetera, but prevents them from letting other people into your folder(s). Double check your work in the Access Control List window: you should see "<sunetid> rlidwk".

Total power (known as "All" permissions) - Click the following buttons:

Read (r), Lookup (l), Insert (i), Delete (d), Write (w), Lock (k) and Administer (a)

Be stingy when granting these administrative permissions! The wrong person can wreak havoc in your folders. Double check your work in the Access Control List window: you should see "<sunetid> rlidwka".

To kick someone out of a directory (this permission is called "None")

Use the instructions (above) for removing someone from the Access Control List. This works even if the SUNet ID you remove had admin perms (rlidwka). Double check your work in the Access Control List window: the SUNet ID of the person whose permissions you removed should be absent. Note, however, that if this person is a member of a group ACL they might still be able to influence your folder.

If you're an instructor and are having many students submit tests, papers, homework, etc. into a single directory, you'll want to prevent the files they submit from being altered once they're added to the directory, and also prevent students from accidentally reading or deleting other students' work.

Use the instructions above to:
  1. Add or edit an entity called: system:anyuser (It's not a SUNet ID, but works nevertheless.)
  2. Click the following buttons: Lookup (l), Insert (i), and Lock (k)

If you have to add "system:anyuser", don't forget to add that colon between the words "system" and "anyuser". Double check your work in the Access Control List window: you should see "system:anyuser lik".
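
A way to double check a whole folder at once, as an added example that is not part of the original page or of Stanford OpenAFS: the Python sketch below reads an ACL copied as text and names the suite each entry matches, flagging anyone besides the owner who holds the "a" permission. It assumes the listing has the form printed by the OpenAFS "fs listacl" command; the SUNet IDs "jdoe" and "tchen", the folder name, and the "Submit-only" label are made up for the example.

```python
# Added example: audit an AFS ACL listing against the permission suites
# named on this page. All sample data below is constructed.
ORDER = "rlidwka"
SUITES = {          # rights string -> name used on this page
    "rl": "Read",
    "rlidwk": "Write",
    "rlidwka": "All",
    "lik": "Submit-only",   # label invented here for the instructor setup
}

def parse_acl(text):
    """Return {name: rights} from the 'Normal rights' part of a listing."""
    entries, in_normal = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("rights:"):
            in_normal = stripped.startswith("Normal")
            continue
        parts = stripped.split()
        if in_normal and len(parts) == 2:
            name, rights = parts
            # Put the letters in canonical order so "lrk" equals "rlk".
            entries[name] = "".join(c for c in ORDER if c in rights)
    return entries

def audit(entries, owner):
    """Return one (name, rights, suite, warning) tuple per ACL entry."""
    report = []
    for name, rights in sorted(entries.items()):
        suite = SUITES.get(rights, "custom")
        warning = ""
        if "a" in rights and name != owner:
            warning = "can let other people into this folder"
        elif name == "system:anyuser" and set(rights) & set("rdw"):
            warning = "every user holds r, d or w here"
        report.append((name, rights, suite, warning))
    return report

SAMPLE = """\
Access list for WWW/homework is
Normal rights:
  jdoe rlidwka
  gsmith rlidwk
  tchen rlidwka
  system:anyuser lik
"""

if __name__ == "__main__":
    for row in audit(parse_acl(SAMPLE), owner="jdoe"):
        print("%-16s %-8s %-12s %s" % row)
```

Group entries such as system:administrators will also be flagged for holding "a"; treat those as a prompt to check who is in the group.
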
Last modified Tuesday, 22-Apr-2008 04:30:18 PM
