NAME

pts_setaccess - Sets privacy and authorization flags for Protection Service entries

SYNOPSIS

pts setaccess -nameorid <user or group name or id>+ [-anonexamine [<can anyone examine this entry? true or false>]] [-anonlist [<can anyone list owned groups or this entry? true or false>]] [-showmembers <who can list this entry's membership: anyone|members|self>] [-adduser <who can add members to this entry: owner|members|anyone>] [-removeuser <who can remove members from this entry: owner|members>] [-disabled [<user is blocked from accessing fileservers? true|false>]] [-afsonly [<user is only permitted to access AFS-3 fileservers? true|false>]] [-authuser [<is entity included in system:authuser? true|false>]] [-cell <cell name>] [-noauth] [-force] [-localauth] [-auth] [-encrypt [<encrypt commands>]] [-config <configuration file>] [-help]

DESCRIPTION

The pts setaccess command sets the privacy and authorization flags associated with each user, machine, network or group Protection Service entry specified by the -nameorid argument.

Flags that don't have the related option specified are left unchanged.

Use the pts_examine(1) command to examine the current privacy flags.

OPTIONS

-nameorid <user or group name or id>+

Specifies the name or AFS UID of each user, the name or AFS GID of each group, or the IP address (complete or wildcard-style) or AFS UID of each machine. It is acceptable to mix users, machines, and groups on the same command line, as well as names (IP addresses for machines) and IDs. Precede the GID of each group with a hyphen to indicate that it is negative.

-anonexamine [<true|false>]

This flag determines who can use the pts_examine(1) command to display information about an entry.

If true or if the flag is used without a value, anyone who can access the cell's Protection Servers can display information about the entry.

If false, the entries can only be displayed by:

-anonlist [<true|false>]

This flag determines who can use the pts_listowned(1) command to list the groups owned by a user or group.

If true or if the flag is used without a value, anyone who can access the cell's Protection Servers can list the groups owned by a user or group.

If false, the groups owned by a user or group can only be listed by:

-showmembers <anyone|members|self>

This option determines who can use the pts_membership(1) command to list the groups to which a user, machine or network belongs, or the users, machines and networks that belong to a group.

If anyone, any user who can access the cell's Protection Servers can list membership information for the user, machine, network or group.

If self, a user can list the groups to which they belong, for a user entry, and a group's owner can list the members of the group, for a group entry.

If members, members of a group can also list its members. This is equivalent to self for user, machine and network entries.

Members of the system:administrators group can always use pts_membership(1) on any entry.

-adduser <owner|members|anyone>

This option determines who can use the pts_adduser(1) command to add users, machines, networks or groups as members of a group. It is only meaningful for group entries.

If anyone, any user who can access the cell's Protection Servers can add members to the group.

If owner, the group's owner can add members to the group.

If members, the group's members and owner are allowed to add new members to the group.

Members of the system:administrators group can always use pts_adduser(1) to add members to any group.

-removeuser <owner|members>

This option determines who can use the pts_removeuser(1) command to remove users, machines, networks, and groups from membership in a group. It is only meaningful for group entries.

If owner, the group's owner and members of the system:administrators group can remove members.

If members, the group's members and owner are allowed to remove members from the group.

-afsonly <true|false>

This option controls whether the user can access AuriStor fileservers. If true, a CPS record for this user may only be fetched by AFS-3 fileservers, effectively denying access to AuriStor fileservers.

-authuser <true|false>

This option controls whether the user is a member of the system:authuser group. If true, the user will be a member of the system:authuser group. If false, the user will not be a member of the system:authuser group. User entries created with the pts_createuser(1) -machine or -network switch are not members of the system:authuser group.

-disabled <true|false>

This option controls whether the user can access any fileservers. If true, fetching a CPS record for this user is not permitted, effectively denying fileserver access.

-auth

Use the calling user's tokens to communicate with the Protection Server. For more details, see pts(1).

-cell <cell name>

Names the cell in which to run the command. For more details, see pts(1).

-config <configuration file>

Sets the location of the configuration file to be used. The default file is /etc/yfs/yfs-client.conf. For more details, see pts(1).

-encrypt [<yes|no>]

Enables or disables encryption for any communication with the Protection Server. For more details, see pts(1).

-force

Enables the command to continue executing as far as possible when errors or other problems occur, rather than halting execution at the first error.

-help

Prints the online help for this command. All other valid options are ignored.

-localauth

Constructs a server ticket using a key from the local /etc/yfs/server/KeyFileExt file. Do not combine this flag with the -cell or -noauth options. For more details, see pts(1).

-noauth

Assigns the unprivileged identity anonymous to the issuer. For more details, see pts(1).

EXAMPLES

The following example changes the privacy flags on the group operators to enable the group's members to add and remove other members.

   % pts setaccess -nameorid operators -adduser members -removeuser members

The following example changes the privacy flags on the user entry admin to enable anyone to list the groups that admin owns and belongs to.

   % pts setaccess -nameorid admin -showmembers anyone
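
The following added example is not part of the original documentation. It is a shell helper that checks option values against the choices listed under OPTIONS and prints a restrictive pts setaccess command for a group entry, or a -disabled true command for a user entry, so the command can be reviewed before it is run. The function names, the entry-name character check and the sample user name are assumptions of the example.

```shell
#!/bin/sh
# Added example: print restrictive `pts setaccess` commands for review.
# Uses only options and values documented under OPTIONS on this page.

# Assumption of this example: entry names are limited to these characters
# so the printed command is safe to paste into a shell.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9:._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Accept only the choices listed for each option ($1=option, $2=value).
valid_value() {
    case "$1:$2" in
        showmembers:anyone|showmembers:members|showmembers:self) return 0 ;;
        adduser:owner|adduser:members|adduser:anyone) return 0 ;;
        removeuser:owner|removeuser:members) return 0 ;;
        *) return 1 ;;
    esac
}

# $1=group $2=-showmembers value $3=-adduser value $4=-removeuser value
lockdown_group_cmd() {
    valid_name "$1" || { echo "rejected entry name: $1" >&2; return 2; }
    valid_value showmembers "$2" || { echo "bad -showmembers: $2" >&2; return 2; }
    valid_value adduser "$3" || { echo "bad -adduser: $3" >&2; return 2; }
    valid_value removeuser "$4" || { echo "bad -removeuser: $4" >&2; return 2; }
    # Flags not named here are left unchanged by pts setaccess.
    printf 'pts setaccess -nameorid %s -anonexamine false -anonlist false' "$1"
    printf ' -showmembers %s -adduser %s -removeuser %s\n' "$2" "$3" "$4"
}

# Block fileserver access for a user entry; per PRIVILEGE REQUIRED the
# issuer must be in system:administrators to set -disabled.
disable_user_cmd() {
    valid_name "$1" || { echo "rejected entry name: $1" >&2; return 2; }
    printf 'pts setaccess -nameorid %s -disabled true\n' "$1"
}

# Constructed sample entries: "operators" is the group from EXAMPLES,
# "jdoe" is a made-up user name.
lockdown_group_cmd operators members owner owner
disable_user_cmd jdoe
```

A value the page does not list for an option, such as anyone for -removeuser, is rejected before any command is printed.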

PRIVILEGE REQUIRED

To set the privacy and authorization flags on any type of entry, the issuer must own the entry or belong to the system:administrators group.

To set the afsonly and disabled flags, the user must belong to the system:administrators group.

SEE ALSO

pts(1), pts_adduser(1), pts_createuser(1), pts_examine(1), pts_listowned(1), pts_membership(1), pts_removeuser(1)

COPYRIGHT

IBM Corporation 2000. http://www.ibm.com/ All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was converted from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.

ACKNOWLEDGEMENTS

"AFS" is a registered mark of International Business Machines Corporation, used under license. (USPTO Registration 1598389)

"OpenAFS" is a registered mark of International Business Machines Corporation. (USPTO Registration 4577045)

The "AuriStor" name, logo 'S' brand mark, and icon are registered marks of AuriStor, Inc. (USPTO Registrations 4849419, 4849421, and 4928460) (EUIPO Registration 015539653).

"Your File System" is a registered mark of AuriStor, Inc. (USPTO Registrations 4801402 and 4849418).

"YFS" and "AuriStor File System" are trademarks of AuriStor, Inc.