ACL Permission Propagation
Server Admin provides a feature that lets you force the propagation of ACLs. Although
this is done automatically by Server Admin, there are cases when you might want to
manually propagate permissions:
• You can propagate permissions to handle exceptions. For example, you might want
ACLs to apply to all descendants except for a subtree of your folder hierarchy. In this
case, you define ACEs for the root folder and set them to propagate to descendants.
Then, you select the root folder of the subtree and propagate permissions to
remove the ACLs from descendants of that subtree.
In the following example, the items in white had their ACLs removed by manually
propagating ACLs.
• You can propagate permissions to reapply inheritance in cases where you removed
a folder’s ACLs and decided to reapply them.
• You can propagate permissions to clear all ACLs at once instead of going through
a folder hierarchy and manually removing ACEs.
When you propagate permissions, the permissions of bundles and root-owned files
and folders are not changed.
For more information about how to manually propagate permissions, see “Propagating
Permissions” on page 55.
Rules of Precedence
Mac OS X Server uses the following rules to control access to files and folders:
• Without ACEs, POSIX permissions apply. If a file or folder has no ACEs defined for it,
Mac OS X Server applies standard POSIX permissions.
• With ACEs, order is important. If a file or folder has ACEs defined for it, Mac OS X
Server starts with the first ACE in the ACL and works its way down the list until the
requested permission is satisfied or denied.
You can change the ACE order from the command line using the chmod command.
• Allow permissions are cumulative. When evaluating Allow permissions for
a user in an ACL, Mac OS X Server defines the user's permissions as the union of
all permissions assigned to the user, including standard POSIX permissions.
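
The three rules above, worked through as a small Python model. This is an added example, not code from Mac OS X Server: the names ACE and check_access, the permission names, and the sample ACLs are assumptions constructed for illustration, and the model covers only the rules listed here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ACE:
    principal: str      # user or group the entry applies to
    kind: str           # "allow" or "deny"
    perms: frozenset    # permissions named by this entry

def check_access(user, groups, requested, acl, posix_perms):
    """Return True if every permission in `requested` is granted.

    acl         -- ordered list of ACE; index 0 is evaluated first
    posix_perms -- what the POSIX mode bits already give this user
    """
    needed = set(requested)
    if not acl:
        # Rule 1: no ACEs defined, so POSIX permissions decide alone.
        return needed <= set(posix_perms)
    principals = {user, *groups}
    for ace in acl:
        # Rule 2: walk the list top-down; stop once satisfied or denied.
        if ace.principal not in principals:
            continue
        if ace.kind == "deny" and needed & ace.perms:
            return False
        if ace.kind == "allow":
            # Rule 3: Allow entries accumulate across matching ACEs.
            needed -= ace.perms
        if not needed:
            return True
    # Rule 3 (continued): POSIX permissions join the union of allows.
    return needed <= set(posix_perms)

# Constructed sample: alice is a member of staff.
RW = frozenset({"read", "write"})
W = frozenset({"write"})
DENY_FIRST = [ACE("alice", "deny", W), ACE("staff", "allow", RW)]
ALLOW_FIRST = [ACE("staff", "allow", RW), ACE("alice", "deny", W)]

if __name__ == "__main__":
    for name, acl in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        ok = check_access("alice", {"staff"}, {"write"}, acl, set())
        print(f"{name}: alice write -> {'allowed' if ok else 'denied'}")
```

The same two entries give opposite answers for alice's write request depending on their order, which is why a Deny entry meant as an exception must be checked for its position in the list after any reordering.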