Only that the output of system:authuser would be confusingly long, and what would system:anyuser generate anyway? We also have scripts for 'show me everyone who has access to this entity', which gets complicated with nested groups, and I couldn't figure out what to display for 'everyone'. It would be valid to ignore named users in the ACL and just say 'everyone' in that case.

Tangentially related, we use a wrapper to list AFS groups, which looks up a few bits of useful information about each member besides their AFS username. This is very user-friendly, but means lots of LDAP lookups and would take forever on the full output of system:authuser.

I didn't know about pts delete automatically removing from groups - that does remove my only real use case for relying on the output of pts membership in decommissioning.

Richard

On 2022-07-15, 09:04, "Jeffrey E Altman" <jalt...@auristor.com> wrote:

On 7/13/2022 6:07 PM, Richard Brittain (richard.britt...@dartmouth.edu) wrote:
> I hope that doesn't lead people to expect 'pts membership system:authuser' to show all users.
>
> Richard

I'm curious. Why would it be wrong for users to expect 'pts membership system:authuser' and 'pts membership system:anyuser' to list their membership assuming the caller had the necessary access rights?

My primary objection to the existing behavior is that these groups are special and end users / administrators must understand that they are special. If an authorized user can obtain the membership list from 'pts membership system:authuser@foreign' why shouldn't the same be true for 'system:authuser'?

If the concern is the cost of generating the result set, it's no more expensive than executing 'pts listentries'.

In a private response to my original message someone wrote that their cell uses the output of 'pts membership' to generate the list of entities that have access to a file object given the assigned ACL. This is a perfectly reasonable action to expect to work. However, the generated list will be incomplete when 'pts membership system:anyuser' and 'pts membership system:authuser' succeed while at the same time generating empty output.

Jeffrey Altman
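
The "who has access to this entity" report discussed in this thread, as an added example that is not from either poster or from OpenAFS: it expands nested groups with cycle protection and reports system:anyuser and system:authuser as explicit markers instead of relying on an empty membership list. The group data, function names, and ACL layout are constructed assumptions; a real script would fill MEMBERS from the cell's protection database and would also need to handle negative ACL entries.

```python
# Constructed sample data standing in for group memberships a site wrapper
# would collect from the protection database. This is not real pts output.
MEMBERS = {
    "staff": ["alice", "bob", "ops"],
    "ops": ["carol", "staff"],          # nested group, cycles back to staff
    "project:web": ["dave", "ops"],
}

# Groups whose membership is implicit and must never be treated as "empty".
SPECIAL = {"system:anyuser", "system:authuser"}


def expand(entry, members, seen=None):
    """Return (named_users, special_groups) reachable from one ACL entry."""
    seen = set() if seen is None else seen
    if entry in SPECIAL:
        return set(), {entry}           # report the marker, do not expand it
    if entry in seen:
        return set(), set()             # already visited: breaks group cycles
    seen.add(entry)
    if entry not in members:
        return {entry}, set()           # not a known group, so a plain user
    users, special = set(), set()
    for member in members[entry]:
        u, s = expand(member, members, seen)
        users |= u
        special |= s
    return users, special


def who_has_access(acl, members=MEMBERS):
    """acl maps entry name -> rights string; positive entries only (assumption)."""
    users, special = set(), set()
    for entry in acl:
        u, s = expand(entry, members)
        users |= u
        special |= s
    # A non-empty "special" list means the named users are not the full answer.
    return {"special": sorted(special), "users": sorted(users)}


if __name__ == "__main__":
    sample_acl = {"project:web": "rl", "system:authuser": "l", "erin": "rlidwka"}
    print(who_has_access(sample_acl))
```
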