pts_setfields - Sets privacy flags or quota for a Protection Database entry

Cautions

       Changing a machine or group's group-creation quota is allowed, but not recommended. The concept is
       meaningless for machines and groups, because it is impossible to authenticate as a group or machine.

       Similarly, some privacy flag settings do not have a sensible interpretation. "OPTIONS" specifies the
       appropriate settings.

Copyright

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.  It was converted from HTML  to  POD
       by  software  written  by  Chas  Williams  and Russ Allbery, based on work by Alf Wachsmann and Elizabeth
       Cassell.

OpenAFS                                            2025-03-21                                   PTS_SETFIELDS(1)

Description

       The ptssetfields command sets the group-creation quota, the privacy flags, or both, associated with each
       user, machine, or group entry specified by the -nameorid argument.

       To examine the current quota and privacy flags, use the ptsexamine command.

Examples

       The following example changes the privacy flags on the group "operators", retaining the default values of
       the  first,  second and third flags, but setting the fourth and fifth flags to enable the group's members
       to add and remove other members.

          % pts setfields -nameorid operators -access S-Mar

       The following example changes the privacy flags and sets group  quota  on  the  user  entry  "admin".  It
       retains the default values of the first, fourth, and fifth flags, but sets the second and third flags, to
       enable  anyone  to  list the groups that "admin" owns and belongs to.  Users authenticated as "admin" can
       create an additional 50 groups.

          % pts setfields -nameorid admin -access SOM-- -groupquota 50

Name

       pts_setfields - Sets privacy flags or quota for a Protection Database entry

Options

-nameorid <userorgroupnameorid>+
Specifies the name or AFS UID of each user, the IP address (complete or wildcard-style) of each
machine, or the name or AFS GID of each machine for which to set privacy flags or group-creation
quota. It is acceptable to mix users, machines, and groups on the same command line, as well as names
(IP addresses for machines) and IDs. Precede the GID of each group with a hyphen to indicate that it
is negative.

-access <privacyflags>
Specifies the privacy flags to apply to each entry. Provide a string of five characters, one for each
of the permissions. If this option is omitted, the current setting remains unchanged.

Set each flag to achieve the desired combination of permissions. If the following list does not
mention a certain setting, it is not acceptable. For further discussion of the privacy flags, see
pts_examine(1).

• The first flag determines who can use the ptsexamine command to display information from a user,
machine or group's Protection Database entry.

• Set it to lowercase "s" to permit the members of the system:administrators group to display a
user, machine, or group entry, the associated user to display a user entry, and the owner or
members of a group to display the group entry.

• Set it to uppercase "S" to permit anyone who can access the cell's database server machines
to display a user, machine, or group entry.

• The second flag determines who can use the ptslistowned command to list the groups that a user
or group owns.

• Set it to the hyphen ("-") to permit the members of the system:administrators group and a
user to list the groups he or she owns, or to permit the members of the system:administrators
group and a group's owner to list the groups that a group owns.

• Set it to uppercase letter "O" to permit anyone who can access the cell's database server
machines to list the groups owned by a machine or group entry.

• The third flag determines who can use the ptsmembership command to list the groups to which a
user or machine belongs, or the users and machines that belong to a group.

• Set it to the hyphen ("-") to permit the members of the system:administrators group and a
user to list the groups he or she belongs to, to permit the members of the
system:administrators group to list the groups a machine belongs to, or to permit the members
of the system:administrators group and a group's owner to list the users and machines that
belong to it.

• Set it to lowercase "m" to permit members of a group to list the other members. (For user and
machine entries, this setting is equivalent to the hyphen.)

• Set it to uppercase "M" to permit anyone who can access the cell's database server machines
to list membership information for a user, machine or group.

• The fourth flag determines who can use the ptsadduser command to add users and machines as
members of a group. This flag has no sensible interpretation for user and machine entries, but
must be set nonetheless, preferably to the hyphen.

• Set it to the hyphen ("-") to permit the members of the system:administrators group and the
owner of the group to add members.

• Set it to lowercase "a" to permit members of a group to add other members.

• Set it to uppercase "A" to permit anyone who can access the cell's database server machines
to add members to a group.

• The fifth flag determines who can use the ptsremoveuser command to remove users and machines
from membership in a group. This flag has no sensible interpretation for user and machine
entries, but must be set nonetheless, preferably to the hyphen.

• Set it to the hyphen ("-") to permit the members of the system:administrators group and the
owner of the group to remove members.

• Set it to lowercase "r" to permit members of a group to remove other members.

-groupquota <groupcreationquota>
Specifies the number of additional groups a user can create (it does not matter how many he or she
has created already). Do not include this argument for a group or machine entry.

-auth
Use the calling user's tokens to communicate with the Protection Server. For more details, see
pts(1).

-cell <cellname>
Names the cell in which to run the command. For more details, see pts(1).

-config <configdirectory>
Use an alternate config directory. For more details, see pts(1).

-encrypt
Encrypts any communication with the Protection Server. For more details, see pts(1).

-force
Enables the command to continue executing as far as possible when errors or other problems occur,
rather than halting execution at the first error.

-help
Prints the online help for this command. All other valid options are ignored.

-localauth
Constructs a server ticket using a key from the local /etc/openafs/server/KeyFile file. Do not
combine this flag with the -cell or -noauth options. For more details, see pts(1).

-noauth
Assigns the unprivileged identity anonymous to the issuer. For more details, see pts(1).

Privilege Required

       To edit group entries or set the privacy flags on any type of entry, the issuer must  own  the  entry  or
       belong  to  the system:administrators group. To set group-creation quota on a user entry, the issuer must
       belong to the system:administrators group.

Synopsis

ptssetfields-nameorid <userorgroupnameorid>+
           [-access <setprivacyflags>]
           [-groupquota <setlimitongroupcreation>]
           [-cell <cellname>] [-noauth] [-localauth]
           [-force] [-help] [-auth] [-encrypt]
           [-config <configdirectory>]

       ptssetf-na <userorgroupnameorid>+
           [-ac <setprivacyflags>]
           [-g <setlimitongroupcreation>] [-c <cellname>]
           [-no] [-l] [-f] [-h] [-au] [-e]
           [-co <configdirectory>]