Managing Access to AFS Group Directories for Websites

Environment

AFS Group Websites (static website)

Issue

How to grant and remove access to the files used for publishing a group website at the University of Michigan.

Resolution

How Access to Your Web Pages Is Controlled

If you have used group space in AFS to publish a website, you have an AFS directory where your website's pages are stored. Access to that space is controlled using:

  • Permission groups (also called PTS groups)
  • Permissions (also called ACLs)

Generally, two PTS groups are created for you when your group space is set up. The names of these groups are derived from the name of your group's directory in AFS.

If the URL for your group's website is, for example, http://websites.umich.edu/~GROUPNAME, then the name of your group directory space in AFS is GROUPNAME, and the names of the PTS groups used to provide access to change your web page files are:

  • The administrators group: GROUPNAME This is the PTS group for people with full access to make changes
  • The members group: GROUPNAME:members This is the PTS group for people with read access only

Image showing that the PTS group (groupname) has full access to make changes and the groupname:members only have read-only access

These groups are given different permissions to access and make changes to your web pages.

  • To give people full access to your web pages so that they can make changes, add them to the administrators PTS group for your AFS group directory. Remember to remove people from that group when they no longer need access.

Permissions diagram: Add people to the administrators pts group to give them full access to change web pages in group directory.

Make Sure You Have Permission to Change the PTS Group and Login

Only people who are members of the "administrators" group can make changes to the group's membership. To find out if you are a member of the group, you will need to log in to the ITS Login Service and type a command to list the members.

Log in to the Login Service

  1. Use secure software to connect to the Login Service (login.itd.umich.edu)
    1. Windows: Use PuTTY
    2. At the login prompt, enter your uniqname and press the Enter or Return key
    3. macOS:  macOS comes with SSH software that can be run in the Terminal app. Open the Applications folder, then the Utilities folder to find it. Open Terminal and enter this command, replacing “your-uniqname” with your U-M uniqname: ssh your-uniqname@login.itd.umich.edu
  2. At the password prompt, enter your UMICH (Level-1) password and press Enter or Return

Controlling Permissions and Access

Where to Control Permissions and Access

  • The directory where you will control permissions for your group:  For websites, the directory that you need to control the permissions on for https://websites.umich.edu/~GROUPNAME is ~GROUPNAME
  • The PTS group that controls access:  For websites, the PTS group that controls access to ~GROUPNAME is GROUPNAME
  • Note: The group umweb:servers must have read permission to the directories ~GROUPNAME/Public/html and ~GROUPNAME/Private/html 
    • Do not remove these permissions, or it may take your website offline 

Commands for Simple Permissions and Access Scenarios

  • To see who can modify a website: pts membership GROUPNAME
  • To give the user with uniqname UNIQNAME access to modify a website: pts adduser UNIQNAME GROUPNAME
  • To remove the access of a user so they cannot modify a website: pts removeuser UNIQNAME GROUPNAME

Fix Permissions Problems 

  • The make-webspace script can be used to fix many permissions problems
  • ~umweb/bin/make-webspace

Additional Information

Learn more about ACLs and control permissions in more complex scenarios

See Using Access Control Lists (ACLs) With AFS Directories and Folders for information about how to control permissions and for more complex scenarios.  One notable scenario is that other groups may have been created to give and manage access.  To see if this is the case (and determine what the names of these groups are) run fs listacl ~GROUPNAME

Need additional information or assistance? Contact the ITS Service Center.

Details

Article ID: 7243
Created
Fri 2/18/22 11:58 AM
Modified
Thu 6/16/22 10:26 AM