AFS authenticates users through the Kerberos network security system. Once a user has been validated to Kerberos with an AFS password, that user is given a "ticket" or "token", which permits access to all services specified by the ACL (Access Control List) for that user in any given AFS directory.
If a user gets a Permission Denied message when trying to access a file, it could be because that user's token has expired. To re-authenticate to Kerberos without logging out, use the command:
kinit && aklog
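To confirm that an expired token is the cause before re-authenticating, the following added example (not part of the original page) reads the output of the `tokens` command and runs `kinit && aklog` only when no valid token exists for the cell. It assumes the OpenAFS `tokens` output format; the sample outputs are constructed, and the function names `token_state` and `ensure_token` are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes the OpenAFS `tokens` command, whose token lines look like:
#   User's (AFS ID 1234) tokens for afs@<cell> [Expires Mar  5 12:00]
#   User's (AFS ID 1234) tokens for afs@<cell> [>> Expired <<]
CELL="cad.njit.edu"   # cell name used as the example on this page

# token_state CELL: read `tokens` output on stdin, print valid | expired | missing.
token_state() {
    awk -v cell="$1" '
        # Fixed-string match; the trailing space stops "cell" matching a longer name.
        index($0, "tokens for afs@" cell " ") {
            if (index($0, "[>> Expired <<]")) expired = 1
            else if (index($0, "[Expires "))  valid = 1
        }
        END {
            if (valid)        print "valid"
            else if (expired) print "expired"
            else              print "missing"
        }'
}

# ensure_token: run the page's re-authentication command only when it is needed.
ensure_token() {
    state=$(tokens 2>/dev/null | token_state "$CELL")
    if [ "$state" = "valid" ]; then
        echo "Token for $CELL is valid; check the directory ACL next."
    else
        echo "Token for $CELL is $state; re-authenticating."
        kinit && aklog
    fi
}

# Constructed samples of `tokens` output (not captured from a real cell).
SAMPLE_VALID="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@cad.njit.edu [Expires Mar  5 12:00]
   --End of list--"
SAMPLE_EXPIRED="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@cad.njit.edu [>> Expired <<]
   --End of list--"
SAMPLE_NONE="Tokens held by the Cache Manager:

   --End of list--"

# Demonstration on the constructed samples: prints valid, expired, missing.
for sample in "$SAMPLE_VALID" "$SAMPLE_EXPIRED" "$SAMPLE_NONE"; do
    printf '%s\n' "$sample" | token_state "$CELL"
done
```

On an AFS client, source the file and call `ensure_token` after a Permission Denied error.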
Users
There are several built-in AFS users, including system:anyuser and system:authuser.
system:authuser -- anyone who is logged in to an AFS cell (e.g., cad.njit.edu) and has a token for that cell.
system:anyuser -- anyone who is logged in to an AFS cell, regardless of whether this user has a token or not.
system:administrators -- staff who administer the AFS system.
A user has all four AFS permissions (lida) in the login directory. The user always has the administer (a) right on that directory and on any directory owned by that user; the user cannot remove this right.