
When Owner, Group, and Everyone Aren’t Enough: Access Control Lists

In Mac OS X Server 10.4, Apple introduced access control lists (ACLs) to make assigning permissions to share points and the items that they contain both easier and more flexible. ACLs allow you to assign more than one user and more than one group permission to access a share point, folder, or file (a capability built into Windows and Novell servers for years). You can also assign more granular permissions to each user or group that is listed in an ACL for a particular item.

Unlike traditional Mac OS permissions (sometimes referred to as POSIX permissions), ACLs cannot be configured from the Mac OS X Finder. They must be specified either in Workgroup Manager’s Sharing pane or by using the ls and chmod Unix commands. Each user or group’s entry in an access control list is called an access control entry (ACE). To add, modify, or remove an entry, select the item in Workgroup Manager as you would select a share point or a folder you want to make into a share point. Click the Access button and then drag the account names for the users or groups to which you want to assign permissions into the Access Control list box. By default, each added user or group receives Read permission to the item, and you can assign specific permissions by selecting the appropriate user or group in the list box and clicking the Edit button (which has a pencil icon).

Access control entries can be used to set 17 varying levels of permission to a share point or folder. You can also choose how those permissions are applied to the files and folders within an item by choosing from four inheritance options that can be combined to result in 12 different application scenarios. Note that inheritance can be complicated by permissions that the item may be inheriting from a higher-level item in the Mac OS X file structure, and users can be members of multiple groups (in which case varying levels of permission are generally cumulative). Apple’s Mac OS X Server File Services Administration Guide contains detailed information on both the individual ACL permissions and inheritance options, as well as how they interact with each other.
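When reviewing who can actually do what on a share point, the ACEs printed by `ls -le` can be parsed and combined across a user's group memberships. The following is an added example, not part of the original article: the sample listing and the names `intern`, `design` and `staff` are constructed, and it assumes entries are checked in index order with the first entry that names a permission deciding it.

```python
import re
from typing import NamedTuple

# The four inheritance flags that `ls -le` prints alongside permissions.
INHERIT_FLAGS = {"file_inherit", "directory_inherit", "limit_inherit", "only_inherit"}
ACE_RE = re.compile(r"^\s*(\d+): (user|group):(\S+) (inherited )?(allow|deny) (\S+)\s*$")

class Ace(NamedTuple):
    index: int
    principal: str        # "user:alice" or "group:staff"
    inherited: bool       # True when the entry comes from a parent folder
    allow: bool           # False for a deny entry
    perms: frozenset
    flags: frozenset      # inheritance flags set on this entry

def parse_ls_le(text):
    """Return the ACEs found in `ls -le` output for one item, in index order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # the mode/owner line, or anything else that is not an ACE
        words = frozenset(m.group(6).split(","))
        aces.append(Ace(int(m.group(1)), f"{m.group(2)}:{m.group(3)}",
                        bool(m.group(4)), m.group(5) == "allow",
                        words - INHERIT_FLAGS, words & INHERIT_FLAGS))
    return sorted(aces, key=lambda a: a.index)

def effective(aces, principals):
    """Permissions granted to a user plus the groups they belong to.
    Assumption: the first matching entry that names a permission decides it."""
    decided = {}
    for ace in aces:
        if ace.principal in principals:
            for perm in ace.perms:
                decided.setdefault(perm, ace.allow)
    return {perm for perm, allowed in decided.items() if allowed}

# Constructed sample output, not taken from a real server.
SAMPLE = """\
drwxrwxr-x+ 5 admin  staff  170 Jan  1 12:00 Projects
 0: user:intern deny delete,delete_child
 1: group:design allow list,search,add_file,delete_child,file_inherit,directory_inherit
 2: group:staff inherited allow list,search,readattr
"""

if __name__ == "__main__":
    acl = parse_ls_le(SAMPLE)
    print(sorted(effective(acl, {"user:intern", "group:design", "group:staff"})))
```

Membership in both `design` and `staff` accumulates the rights of both entries, while the earlier deny entry for `intern` removes `delete_child` for that one account.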
