Computing Groups and Unix Groups management
What are Computing Groups and Unix Groups?
Computing Groups and Unix Groups are groups with an additional attribute that represents their Unix Group ID,
or GID, to make them usable in Unix environments.
In the LDAP directory service (Active Directory) in use at CERN, this attribute is called gidNumber.
Once an account becomes a member of one of these groups, directly or indirectly, the Account Management service
will assign to the account the same gidNumber as the group, which makes the account usable in a Unix
environment.
If an account is a member of more than one group, or in other particular cases, special rules apply (see
How The GID Is Assigned To User Accounts).
Important: please note that, currently, no Computing Group is assigned to new
accounts by default.
In the future, once the subscription policies for Unix services have been reviewed, new accounts will be added to a
default Computing Group (called "def-cg"). For the time being, to get a gidNumber, an account must be added
to a computing group, either by the account owner (if the group policy allows it) or by the group administrators.
Computing Groups and Unix services subscription
Currently, adding an account to a Computing Group allows the account to use most Unix-based services (e.g.
LxPlus) and automatically triggers the creation of an AFS home folder.
This policy will change in the future, so that users will be able to opt in and out of individual Unix services,
and Computing Group administrators will be able to define a set of services that should be available by default
(i.e. without users needing to subscribe manually) for their own users.
Computing E-Groups and AFS
The membership in a Computing E-Group is reflected on AFS in the following way:
- Members of Computing E-Group 'xx' are members of AFS group 'cern:xx'
- Admins of Computing E-Group 'xx' (i.e. members of E-Group 'xx-admins') are members of AFS group 'xx'