• AFS acls are per directory, not per file.
  • fs(5) setacl is what you set these with.
  • The following are permissions that you can set*
a (administer): change the entries on the ACL
d (delete): remove files and subdirectories from the directory or move them to other directories
i (insert): add files or subdirectories to the directory by copying, moving or creating
k (lock): set read locks or write locks on the files in the directory
l (lookup): list the files and subdirectories in the directory, stat the directory itself, and issue the fs listacl command to examine the directory's ACL
r (read): read the contents of files in the directory; issue the ls -l command to stat the elements in the directory
w (write): modify the contents of files in the directory, and issue the UNIX chmod command to change their mode bits
A, B, C, D, E, F, G, H Have no default meaning to the AFS server processes, but are made available for applications to use in controlling access to the directory's contents in additional ways. The letters must be uppercase.
all Equals all seven permissions (rlidwka).
none No permissions. Removes the user/group from the ACL, but does not guarantee they have no permissions if they belong to groups that remain on the ACL.
read Equals the r (read) and l (lookup) permissions.
write Equals all permissions except a (administer), that is, rlidwk.

As you can see, AFS permissions are quite flexible.