
How the GID is assigned to user accounts

Note: these rules will actually be effective from 16/5/2017.
See the SSB entry at https://cern.service-now.com/service-portal/view-outage.do?n=OTG0037377.

By default, newly created accounts are not members of any Computing Group and have no gidNumber attribute.
When an account becomes a member of any Computing Group, it will be assigned a gidNumber by the Account Management service, according to the rules described on this page.

The Default Computing Group (def-cg)

Before checking the full rules list, please note that there is a special Computing Group, def-cg (Default Computing Group, gidNumber = 2766), that:

  • Is given a lower priority than other groups when an account is a member of multiple groups.
  • Is used as a fallback group in some special cases.

Subscription to the def-cg group is open to all CERN users, without administrator approval.

GID assignment

The Account Management service periodically analyzes the membership of Computing Groups, and assigns gidNumber values to accounts.

Group memberships can be nested, i.e. if an account is a member of a group that is in turn a member of a Computing Group, the account will be assigned the gidNumber of the Computing Group even if it is not a direct member of that Computing Group.

The criteria used to assign a gidNumber are the following:

  • If an account is a member of a single Computing Group, the account will get the gidNumber of that group.
    Example: if an account is a member of zh (CMS, gidNumber = 1399), the account will get the gidNumber of zh (1399).
  • If an account is a member of a regular Computing Group and of the Default Computing Group, it will get the gidNumber of the regular Computing Group.
    Example: if an account is a member of zh (1399) and def-cg (2766), the account will get the gidNumber of zh (1399).
  • If an account is a member of more than one regular Computing Group, it will retain its current gidNumber. The account owner can change the gidNumber of the account through the CERN Resources Portal.
    Example: an account is a member of zh (1399), and has the gidNumber of zh (1399). The account is added to zp (ATLAS, 1307). The account's gidNumber does not change.
  • If an account is a member of a regular Computing Group and gets removed from the group, the account will get the gidNumber of def-cg even if it's not a member of def-cg.
    This fallback mechanism prevents an account from losing access to all Linux resources just because it was removed from a group before being added to another.
    Example: an account is a member of zh (1399), and has the gidNumber of zh (1399). The account is removed from zh (1399). The account's gidNumber is changed to that of def-cg (2766).
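
The rules above, including nested membership, written out as a small Python function that can be used to check what gidNumber an account should end up with. This is an added example, not the Account Management service's code. Assumptions: the function names, the member_of mapping, and treating an existing gidNumber with no remaining Computing Group as the "removed from a group" case.

```python
# Added illustration of the rules on this page; not CERN's implementation.
DEF_CG = "def-cg"
# Group names and gidNumbers quoted on this page.
COMPUTING_GROUPS = {"zh": 1399, "zp": 1307, DEF_CG: 2766}


def effective_computing_groups(direct_groups, member_of):
    """Resolve nested membership: follow group -> parent-group edges and
    return every Computing Group reachable from the account's direct groups.
    member_of maps a group name to the groups it belongs to (assumed shape)."""
    seen, stack = set(), list(direct_groups)
    while stack:
        group = stack.pop()
        if group in seen:  # guards against membership cycles
            continue
        seen.add(group)
        stack.extend(member_of.get(group, ()))
    return {g for g in seen if g in COMPUTING_GROUPS}


def assign_gid(direct_groups, current_gid=None, member_of=None):
    """Return the gidNumber the rules give the account, or None."""
    groups = effective_computing_groups(direct_groups, member_of or {})
    regular = sorted(groups - {DEF_CG})
    if len(regular) == 1:
        # A single regular group wins, with or without def-cg membership.
        return COMPUTING_GROUPS[regular[0]]
    if len(regular) > 1:
        # Several regular groups: the current value is kept; only the
        # account owner changes it. The page does not say what happens if
        # there is no current value, so it is returned unchanged here too.
        return current_gid
    if DEF_CG in groups:
        return COMPUTING_GROUPS[DEF_CG]
    # No Computing Group left. Assumption: an existing gidNumber means the
    # account was removed from its group, so the def-cg fallback applies;
    # an account that never had a gidNumber stays without one.
    return COMPUTING_GROUPS[DEF_CG] if current_gid is not None else None
```

Comparing the result with the gidNumber actually stored on an account is a quick way to spot accounts that silently fell back to def-cg (2766) after a group removal.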

Created: 7/26/2017
Last reviewed: 7/26/2017