Abstract-- Sharing data among collaborators in widely distributed systems remains a challenge due to limitations with existing methods for defining groups across administrative domain boundaries with various file systems. Groups in traditional systems are bound to particular domains or file systems using centralized storage locations either beyond ordinary users' ability to manage, inaccessible outside a closed system, or both. We present a method for users to independently create and manage groups on any networked workstation using global user identities and to control access to shared data and storage resources based on group membership, regardless of domain boundaries or underlying file systems. Decentralized groups are decoupled from shared user databases and centralized authentication servers through the use of a virtual user namespace. We describe how owners of shared resources can define security policies through the use of caching, and demonstrate how each caching policy r...