Specifications
24 Chapter 1 Overview of File Services
ACL Permission Propagation
Workgroup Manager provides a command that lets you force the propagation of ACLs.
Although Workgroup Manager normally propagates ACLs automatically, there are cases
when this command comes in handy:
• You can use this command to handle exceptions. For example, you might want ACLs
to apply to all descendants except for a subtree of your folder hierarchy. In this case,
you define ACEs for the root folder and set them to propagate to all descendants.
Then, you select the root folder of the subtree and use the command to remove the
ACLs from all descendants of that subtree. In the example below, the items in white
had their ACLs removed by the propagation command.
• You can use this command to reapply inheritance in cases where you removed a
folder’s ACLs and decided to reapply them.
• You can use this command to clear all ACLs at once instead of having to go through
a folder hierarchy and manually remove ACEs.
For more information on how to use this command, see “Propagating Permissions” on
page 46.
Rules of Precedence
When you add ACEs to an ACL, order is important. Mac OS X Server uses the following
rules to control access to files and folders:
• If a file or folder has no ACEs defined for it, Mac OS X Server applies the standard
POSIX permissions.
• If a file or folder has one or more ACEs defined for it, Mac OS X Server starts with the
first ACE in the ACL and works its way down the list until the requested permission is
satisfied or denied. After evaluating the ACEs, Mac OS X Server evaluates the
standard POSIX permissions defined on the file or folder. Then, based on the
evaluation of ACL and standard POSIX permissions, Mac OS X Server determines
what type of access a user has to a shared file or folder.
Deny Permissions Override Other Permissions
When you add ACEs, Workgroup Manager places Deny permissions above Allow
permissions because Deny permissions take precedence over Allow permissions. When
evaluating permissions, whenever Mac OS X Server finds a Deny permission, it ignores all
other permissions the user has in the same ACL and applies the Deny permission.
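The following Python model, added here as an illustration and not part of Apple's documentation or code, walks an ACL top-down exactly as the two sections above describe: the first ACE that addresses the requested right decides, POSIX bits are consulted only when no ACE does, and moving a Deny entry above an Allow entry (as Workgroup Manager does) changes the outcome. User, group and folder names are constructed.

```python
from dataclasses import dataclass, field
# Added model of the evaluation order described above, not Apple's code; names are constructed.
@dataclass(frozen=True)
class ACE:
    principal: str      # user or group the entry applies to
    kind: str           # "allow" or "deny"
    rights: frozenset   # e.g. frozenset({"read", "write"})

@dataclass
class Node:
    owner: str
    group: str
    mode: int           # POSIX mode bits, e.g. 0o750
    acl: list = field(default_factory=list)

def posix_rights(node, user, groups):
    """Rights the standard POSIX bits grant this user (owner, group or other)."""
    if user == node.owner:
        bits = (node.mode >> 6) & 7
    elif node.group in groups:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return {name for name, bit in (("read", 4), ("write", 2), ("execute", 1)) if bits & bit}

def wgm_order(acl):
    """Workgroup Manager's ordering: Deny entries placed above Allow entries."""
    return sorted(acl, key=lambda ace: 0 if ace.kind == "deny" else 1)

def is_allowed(node, user, groups, right):
    """Walk the ACL top-down; the first ACE naming this user (or one of the
    user's groups) and this right decides. Only if none does are POSIX bits used."""
    principals = {user, *groups}
    for ace in node.acl:
        if ace.principal in principals and right in ace.rights:
            return ace.kind == "allow"
    return right in posix_rights(node, user, groups)

def demo():
    shared = Node(owner="alice", group="staff", mode=0o750)
    # Order matters: a staff-wide Allow listed before bob's Deny lets bob write.
    shared.acl = [ACE("staff", "allow", frozenset({"read", "write"})),
                  ACE("bob", "deny", frozenset({"write"}))]
    unordered = is_allowed(shared, "bob", {"staff"}, "write")
    shared.acl = wgm_order(shared.acl)   # Deny moved to the top, as Workgroup Manager does
    ordered = is_allowed(shared, "bob", {"staff"}, "write")
    # No ACE mentions "execute", so the POSIX group bits (5 = r-x) decide.
    fallback = is_allowed(shared, "bob", {"staff"}, "execute")
    return unordered, ordered, fallback   # (True, False, True)
```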