University of Washington Computer Science & Engineering
User-Managed Unix Groups

Introduction

As some of you may have heard, the Lab has created a software suite that makes it easier for you to deal with Unix groups. A direct benefit to you is that as an owner of, say, a course or research project group, you'll be able to add users to the group (and so give them access to the files owned by that group) through convenient command line, X windows, and web interfaces that require no more effort to use than sending a request to support. A direct benefit to support is "no more group membership change requests."  Basically, we're cutting out the middle man.

The plan is to start using this new facility immediately, with mail to support as a backup while we work out any operational problems and familiarize ourselves with the new procedures. The near-term goal, though, is to have all group membership management handled by the people who are responsible for the groups.

Detailed documentation on the use and operation of this software is available on the web: http://www.cs.washington.edu/lab/GrpAdmin

This note therefore presents only an overview of the functionality and outlines the impact the software will have on day-to-day operations.

Overview

In the past, Unix group creation, membership changes, etc. have been accomplished by sending mail to support@cs. While this approach has worked, it has also been the cause of occasional delays and frustrations. GrpAdmin (as the new software is collectively known) attempts to eliminate this problem by allowing users to "own" groups and thereby manage the membership and ownership of those groups without third-party intervention.

Basic Structure

Authoritative group information is now kept in an SQL database. This allows simultaneous access and transactional semantics for all operations. Authentication and authorization for database operations are done via Kerberos or CSENetID credentials.

Each Unix group has one or more owners. Group owners are allowed to unilaterally change the membership and ownership of owned groups.

Each Unix group has a set of members. A group member is allowed to remove their personal membership in that group or to determine whether a particular group is associated with them at login.

A set of administrative users is considered to have ownership of all groups.

A group can be a primary group. A primary group directly defines the ownership and membership of a set of secondary groups. That is, adding a new owner to a primary group automatically adds the same owner to all secondary groups. Similarly, adding a member to a primary group automatically adds membership in all secondary groups. Adding owners or members to a secondary group affects only that group.

A group can have an expiration date. After the expiration date, the group, its owners and its members are automatically deleted. If the expired group is a primary group, all of its secondary groups are expired as well.

Only administrative users can create a new group.

Absent an expiration date, only administrative users can delete a group.
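
The rules above, modeled as a small authorization check. This is an added example, not GrpAdmin's own code: the class, method and user names are hypothetical, the sample data is constructed, and it assumes that removing a member from a primary group affects only that group, since the rules above describe propagation only for additions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set

ADMINS = {"root_admin"}  # constructed: administrative users own every group

@dataclass
class Group:
    owners: Set[str] = field(default_factory=set)
    members: Set[str] = field(default_factory=set)
    primary: Optional[str] = None   # name of the primary group, if secondary
    expires: Optional[date] = None  # None means no expiration date

class Registry:
    def __init__(self):
        self.groups: Dict[str, Group] = {}

    def is_owner(self, user, name):
        return user in ADMINS or user in self.groups[name].owners

    def create(self, actor, name, owner, primary=None, expires=None):
        if actor not in ADMINS:
            raise PermissionError("only administrative users create groups")
        self.groups[name] = Group({owner}, set(), primary, expires)

    def _targets(self, name):
        # An addition to a primary group also applies to its secondary groups.
        return [g for n, g in self.groups.items() if n == name or g.primary == name]

    def add(self, actor, name, user, as_owner=False):
        if not self.is_owner(actor, name):
            raise PermissionError(f"{actor} does not own {name}")
        for g in self._targets(name):
            (g.owners if as_owner else g.members).add(user)

    def remove_member(self, actor, name, user):
        # Owners may remove anyone; a member may remove only themselves.
        if not (self.is_owner(actor, name) or actor == user):
            raise PermissionError(f"{actor} may not remove {user} from {name}")
        self.groups[name].members.discard(user)

    def expire(self, today):
        # An expired primary group takes its secondary groups with it.
        dead = {n for n, g in self.groups.items() if g.expires and g.expires < today}
        for n in list(self.groups):
            if n in dead or self.groups[n].primary in dead:
                del self.groups[n]
```

Every mutating call takes the acting user explicitly, so the ownership check cannot be skipped by a caller that forgets to pass an identity.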

New Tools

Several interfaces (command line, X-Windows and Web) allow users to conveniently manage ownership of and membership in groups. See: http://www.cs.washington.edu/lab/GrpAdmin

An additional program allows users to exercise group membership access rights in "real time". Traditional Unix /etc/group files are still produced and distributed subject to the usual propagation delay. However, those files serve merely as a cache -- the database contains authoritative group information and is interrogated when necessary.

Availability

GrpAdmin is available on Lab-managed Linux machines.

What Does All This Really Mean?

It means that you, as a group owner and/or group member, will be much more responsible for group management. After a transition period, support@cs will accept only requests for group creation, group deletion and "adoption" of ownerless groups. Group membership will be managed entirely by the group owners.

Examples:

  1. If you request creation of a new group, you will be made the owner of that group. Subsequently, you will be responsible for adding and removing additional group owners and members.
  2. If you are a class instructor, you will be made an owner of any groups associated with that class. You will be responsible for adding and removing additional members and owners of the group(s). [Helpful hint: the first and perhaps only thing you need to do is make your TA a group owner.]
  3. For non-course groups, a demand-driven policy will be followed to assign initial owners when no specific request for ownership has been received. If you make repeated requests to support for membership changes in a group, you will be made the group owner. After that, further mail to support for membership changes in that group, by anyone, will be forwarded to you.
  4. If you wish to be the owner of an existing ownerless group, your wish will (modulo security and administrative criteria) be granted. You and any other group owners then will be responsible for adding and removing additional members and owners of the group.
  5. If you wish to join a group as a member, you must make the request to the group owner. The tools make it easy to determine group owners.

Conclusion

The intent of GrpAdmin is increased responsiveness and flexibility by empowering the people most affected by group membership and management to control their own affairs. Like any change, this one requires some effort by users to become accustomed to the new tools and procedures. Rest assured that over time, this will be a win-win situation for all concerned.

Comments regarding the usability and functionality of GrpAdmin are welcome. However, for practical reasons, the software should be considered "feature frozen" until January 2, 2001.

