About the Protection Database

The Protection Database stores information about AFS users, client machines, and groups; the File Server process uses this information to determine whether clients are authorized to access AFS data.

To obtain authenticated access to an AFS cell, a user must have an entry in the cell's Protection Database. The first time that a user requests access to the data stored on a file server machine, the File Server on that machine contacts the Protection Server to request the user's current protection subgroup (CPS), which lists all the groups to which the user belongs. The File Server scans the access control list (ACL) of the directory that houses the data, looking for groups on the CPS. It grants access in accordance with the permissions that the ACL extends to those groups or to the user individually. (The File Server stores the CPS and uses it as long as the user has the same tokens. When a user's group membership changes, he or she must reauthenticate for the File Server to recognize the change.)

Only administrators who belong to the cell's system:administrators group can create user entries (the group is itself defined in the Protection Database, as discussed in The System Groups). Members of the system:administrators group can also create machine entries, which can then be used to control access based on the machine from which the access request originates. After creating a machine entry, add it to a Protection Database group and place the group on ACLs (a machine cannot appear on ACLs directly). A machine entry can represent a single machine or multiple machines with consecutive IP addresses as specified by a wildcard notation. Because all replicas of a volume share the same ACL (the one on the volume's root directory mount point), machine entries enable you to replicate the volume that houses a program's binary file while still complying with a machine-based license agreement as required by the program's manufacturer. For instructions, see Creating User and Machine Entries.

A group entry is a list of user entries, machine entries, or both (groups cannot belong to other groups). Putting a group on an ACL is a convenient way to extend or deny access to a set of users without listing them on the ACL individually. Similarly, adding users to a group automatically grants them access to all files and directories for which the associated ACL lists that group. Both administrators and regular users can create groups.

The System Groups

In addition to the groups that users and administrators can create, AFS defines the following three system groups. The Protection Server creates them automatically when it builds the first version of a cell's Protection Database, and always assigns them the same AFS GIDs.

system:anyuser

Represents all users able to access the cell's filespace from the local and foreign cells, authenticated or not. Its AFS GID is -101. The group has no stable membership listed in the Protection Database. Accordingly, the pts examine command displays 0 in its membership field, and the pts membership command does not list any members for it.

Placing this group on an ACL is a convenient way to extend access to all users. The File Server automatically places this group on the CPS of any user who requests access to data stored on a file server machine. (Every unauthenticated user is assigned the identity anonymous and this group is the only entry on the CPS for anonymous.)

system:authuser

Represents all users who are able to access the cell's filespace from the local and foreign cells and who have successfully obtained an AFS token in the local cell (are authenticated). Its AFS GID is -102. Like the system:anyuser group, it has no stable membership listed in the Protection Database. Accordingly, the pts examine command displays 0 in its membership field, and the pts membership command does not list any members for it.

Placing this group on an ACL is therefore a convenient way to extend access to all authenticated users. The File Server automatically places this group on the CPS of any authenticated user who requests access to data stored on a file server machine.

system:administrators

Represents the small number of cell administrators authorized to issue privileged pts commands and the fs commands that set quota. The ACL on the root directory of every newly created volume grants all permissions to the group. Even if you remove that entry, the group implicitly retains the a (administer), and by default also the l (lookup), permission on every ACL. Its AFS GID is -204. For instructions on administering this group, see Administering the system:administrators Group.
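The following is an added example, not code from the AFS distribution, that models the CPS-based check described above (the File Server combining a user's current protection subgroup with a directory ACL) together with the behaviour of the three system groups. The Protection Database contents, user names and ACL are constructed sample data, and the model covers user and group entries only (no machine entries); the `build_cps` and `effective_rights` names are this example's own.

```python
# Constructed model of CPS-based ACL evaluation in AFS. The groups, users
# and ACL below are sample data for illustration, not output of pts or fs.

ANYUSER = "system:anyuser"              # AFS GID -101, on every CPS
AUTHUSER = "system:authuser"            # AFS GID -102, on every token holder's CPS
ADMINS = "system:administrators"        # AFS GID -204, implicit 'a' (and 'l') rights
ANONYMOUS = "anonymous"                 # identity of every unauthenticated user

# Constructed Protection Database: group entry -> set of user entries.
# The system groups have no stable membership except system:administrators.
PRDB_GROUPS = {
    "pat:friends": {"pat", "terry"},
    ADMINS: {"admin"},
}


def build_cps(user, authenticated):
    """Return the current protection subgroup (CPS) the Protection Server
    would hand to the File Server for this request."""
    if not authenticated:
        user = ANONYMOUS                # no token: identity becomes anonymous
    cps = {user, ANYUSER}               # system:anyuser is always present
    if user != ANONYMOUS:
        cps.add(AUTHUSER)               # only users holding a local-cell token
        cps.update(g for g, members in PRDB_GROUPS.items() if user in members)
    return cps


def effective_rights(acl, cps):
    """Union of the permissions the ACL extends to any entry on the CPS,
    returned as a sorted string of AFS permission letters.
    system:administrators keeps 'a' and, by default, 'l' even when the
    ACL carries no entry for it."""
    rights = set()
    for entry, perms in acl.items():
        if entry in cps:
            rights.update(perms)
    if ADMINS in cps:
        rights.update("al")
    return "".join(sorted(rights))


if __name__ == "__main__":
    # Constructed ACL for one directory: owner has all rights, friends can
    # read, everyone (including anonymous) can look up names.
    acl = {"pat": "rlidwka", "pat:friends": "rl", ANYUSER: "l"}
    for user, authed in [("pat", True), ("terry", True), ("admin", True), ("admin", False)]:
        print(user, authed, effective_rights(acl, build_cps(user, authed)))
```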