As some of you may have heard, the Lab has created a software suite that makes it easier for you to deal with Unix groups. A direct benefit to you is that as an owner of, say, a course or research project group, you'll be able to add users to the group (and so give them access to the files owned by that group) through convenient command line, X windows, and web interfaces that require no more effort to use than sending a request to support. A direct benefit to support is "no more group membership change requests." Basically, we're cutting out the middle man.
The plan is to start using this new facility immediately, with mail to support as a backup while we work out any operational problems and familiarize ourselves with the new procedures. The near-term goal, though, is to have all group membership management handled by the people who are responsible for the groups.
Detailed documentation on the use and operation of this software is available on the web at http://www.cs.washington.edu/lab/GrpAdmin, so this note presents only an overview of the functionality and outlines the impact the software will have on day-to-day operations.
In the past, Unix group creation, membership changes, etc. have been accomplished by sending mail to support@cs. While this approach has worked, it has also been the cause of occasional delays and frustrations. GrpAdmin (as the new software is collectively known) attempts to eliminate this problem by allowing users to "own" groups and thereby manage the membership and ownership of those groups without third-party intervention.
Authoritative group information is now kept in an SQL database. This allows simultaneous access and transactional semantics for all operations. Authentication and authorization for database operations are done via Kerberos or CSENetID credentials.
Each Unix group has one or more owners. Group owners are allowed to unilaterally change the membership and ownership of owned groups.
Each Unix group has a set of members. A group member is allowed to remove their personal membership in that group or to determine whether a particular group is associated with them at login.
A set of administrative users is considered to have ownership of all groups.
A group can be a primary group. A primary group directly defines the ownership and membership of a set of secondary groups. That is, adding a new owner to a primary group automatically adds the same owner to all secondary groups. Similarly, adding a member to a primary group automatically adds membership in all secondary groups. Adding owners or members to a secondary group affects only that group.
A group can have an expiration date. After the expiration date, the group, its owners and members are automatically deleted. If the expired group is a primary group, all secondary groups are expired as well.
Only administrative users can create a new group.
Absent an expiration date, only administrative users can delete a group.
Several interfaces (command line, X-Windows and Web) allow users to conveniently manage ownership of and membership in groups. See: http://www.cs.washington.edu/lab/GrpAdmin
An additional program allows users to exercise group membership access rights in "real time". Traditional Unix /etc/group files are still produced and distributed subject to the usual propagation delay. However, those files serve merely as a cache -- the database contains authoritative group information and is interrogated when necessary.
GrpAdmin is available on Lab-managed Linux machines.
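The ownership, propagation and expiration rules listed above, modelled as an added example (this is not GrpAdmin's own code). The class and method names are hypothetical, an in-memory dictionary stands in for the SQL database, and removal is assumed to affect only the named group.

```python
# Added illustration of the GrpAdmin rules; class and method names are
# hypothetical, and an in-memory dict stands in for the real SQL database.

class GroupDB:
    def __init__(self, admins):
        self.admins = set(admins)   # administrative users own every group
        self.groups = {}            # name -> owners, members, primary, expires

    def create(self, actor, name, primary=None, expires=None):
        # expires is a datetime.date or None (no expiration).
        if actor not in self.admins:
            raise PermissionError("only administrative users can create groups")
        self.groups[name] = {"owners": set(), "members": set(),
                             "primary": primary, "expires": expires}

    def is_owner(self, actor, name):
        return actor in self.admins or actor in self.groups[name]["owners"]

    def _with_secondaries(self, name):
        # A primary group's changes also apply to each of its secondary groups.
        return [name] + [g for g, r in self.groups.items() if r["primary"] == name]

    def add(self, actor, name, user, role="members"):
        if role not in ("owners", "members"):
            raise ValueError(role)
        if not self.is_owner(actor, name):
            raise PermissionError(f"{actor} does not own {name}")
        for g in self._with_secondaries(name):
            self.groups[g][role].add(user)

    def remove_member(self, actor, name, user):
        # Owners may remove anyone; a member may remove only themselves.
        # Assumption: removal touches only the named group (the page only
        # describes propagation for additions).
        if not (self.is_owner(actor, name) or actor == user):
            raise PermissionError(f"{actor} may not remove {user} from {name}")
        self.groups[name]["members"].discard(user)

    def expire(self, today):
        # Delete groups past their expiration date; an expired primary group
        # takes its secondary groups with it. Returns the deleted names.
        doomed = set()
        for g, r in self.groups.items():
            if r["expires"] and r["expires"] < today:
                doomed.update(self._with_secondaries(g))
        for g in doomed:
            del self.groups[g]
        return sorted(doomed)
```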
It means that you, as a group owner and/or group member, will be much more responsible for group management. After a transition period, support@cs will accept only requests for group creation, group deletion and "adoption" of ownerless groups. Group membership will be managed entirely by the group owners.
Examples:
The intent of GrpAdmin is increased responsiveness and flexibility by empowering the people most affected by group membership and management to control their own affairs. Like any change, this one requires some effort by users to become accustomed to the new tools and procedures. Rest assured that over time, this will be a win-win situation for all concerned.
Comments regarding the usability and functionality of GrpAdmin are welcome. However, for practical reasons, the software should be considered "feature frozen" until January 2, 2001.
Computer Science & Engineering, University of Washington, Box 352350, Seattle, WA 98195-2350, (206) 543-1695