Specifications

Chapter 2 Setting Up File Service Permissions 27
After evaluating ACEs, Mac OS X Server evaluates the standard POSIX permissions
defined for the file or folder. Then, based on the evaluation of ACL and standard POSIX
permissions, Mac OS X Server determines the type of access a user has to a shared
file or folder.
Tips and Advice
Mac OS X Server combines traditional POSIX permissions with ACLs. This combination
provides great exibility and a ne level of granularity in controlling access to les and
folders. However, if you’re not careful in how you assign privileges, it’ll be very hard for
you to keep track of how permissions are assigned.
With 17 permissions, you can choose from a staggering 98,304 combinations. Add to
that a sophisticated folder hierarchy, many users and groups, and many exceptions,
and you have a recipe for considerable confusion.
This section oers useful tips and advice to help you get the most out of access control
in Mac OS X Server and avoid the pitfalls.
Manage Permissions at the Group Level
Assign permissions to groups rst, and assign permissions to individual users only
when there is an exception.
For example, you can assign all teachers in a school district Read and Write permissions
to a specic share point, but deny Anne Johnson, a temporary teacher, permission to
read a specic folder in the share points folder hierarchy.
Using groups is the most ecient way of assigning permissions. After creating groups
and assigning them permissions, you can add and remove users from groups without
reassigning permissions.
Gradually Add Permissions
Assign only necessary permissions and then add permissions only when needed.
As long as you’re using Allow permissions, Mac OS X Server combines the permissions.
For example, you can assign the Students group partial reading permissions on an
entire share point. Then, where needed in the folder hierarchy, you can give the group
more reading and writing permissions.
Use the Deny Rule Only When Necessary
When Mac OS X Server encounters a Deny permission, it stops evaluating other
permissions the user might have for a file or folder and applies the Deny permission.
Therefore, use Deny permissions only when absolutely necessary. Keep a record of
these Deny permissions so you can delete them when they are not needed.
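The following added example (not from the original guide) is a simplified model of the evaluation order this section describes, using the teachers and Anne Johnson scenario. The names `ACE`, `evaluate`, `deny_entries`, the sample users, the permission names, and the placement of the Deny entry ahead of the Allow entry are assumptions made for illustration.

```python
# Simplified model of the evaluation order described in this section:
# a matching Deny stops evaluation, Allow entries combine, and standard
# POSIX permissions are consulted after the ACEs.
# All names and sample data below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    principal: str      # user or group the entry applies to
    kind: str           # "allow" or "deny"
    perms: frozenset    # permissions the entry covers


def evaluate(aces, user, groups, wanted, posix_perms):
    """Return (decision, reason) for `user` requesting the set `wanted`."""
    wanted = set(wanted)
    granted = set()
    for i, ace in enumerate(aces):
        if ace.principal != user and ace.principal not in groups:
            continue                    # entry does not apply to this user
        hit = ace.perms & wanted
        if ace.kind == "deny" and hit:
            # A Deny ends evaluation; later Allow entries are never reached.
            return False, f"ACE {i}: deny for {ace.principal}"
        if ace.kind == "allow":
            granted |= hit              # Allow entries combine
            if granted >= wanted:
                return True, f"ACE {i}: allow satisfied"
    # ACEs did not settle the request: fall back to POSIX permissions.
    return wanted <= (granted | set(posix_perms)), "POSIX fallback"


def deny_entries(aces):
    """List the Deny ACEs, the record this section advises keeping."""
    return [a for a in aces if a.kind == "deny"]


# Constructed ACL for one folder inside the share point: the group gets
# Read and Write, and one user is the exception.
FOLDER_ACL = [
    ACE("anne", "deny", frozenset({"read"})),
    ACE("teachers", "allow", frozenset({"read", "write"})),
]

if __name__ == "__main__":
    for who in ("anne", "bob"):
        print(who, evaluate(FOLDER_ACL, who, {"teachers"}, {"read"}, set()))
    print("deny record:", deny_entries(FOLDER_ACL))
```

Anne remains a member of the group, so removing the single Deny entry restores her access without reassigning any group permissions.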