Service Level Security, Setting Sacl Permissions | Apple 10.6

You can determine which services other admin group users can modify. To do this, the administrator making the determination must have full, unmodified access.

The process for setting administration level privileges is found in “Tiered Administration Permissions” on page 149.

Service Level Security

You use a Service Access Control List (SACL) to enforce who can use a service. It is not a means of authentication. It is a list of those who have access rights to use a service.

SACLs allow you to add a layer of access control on top of standard and ACL permissions.

Only users and groups in an SACL can access its corresponding service. For example, to prevent users from accessing AFP share points on a server, including home folders, remove the users from the AFP service’s SACL.

Server Admin in Mac OS X Server allows you to configure SACLs. Open Directory authenticates user accounts and SACLs authorize use of services. If Open Directory authenticates you, the SACL for login window determines whether you can log in, the SACL for AFP service determines whether you can connect for Apple file service, and so on.

Setting SACL Permissions

SACLs allow you to specify which users and groups have access to Mac OS X Server services, including AFP, FTP, and Windows file services.

To set SACL permissions for a service:

1Open Server Admin.

2Select the server from the Servers list.

3Click Settings.

4Click Access.

5To restrict access to all services or deselect this option to set access permissions per service, select “For all services.”

6If you deselected “For all services,” select a service from the Service list.

7To provide unrestricted access to services, click “Allow all users and groups.” If you want to restrict access to certain users and groups:

ÂÂ Select “Allow only users and groups below.”

ÂÂ Click the Add (+) button to open the Users & Groups window.

ÂÂ Drag users and groups from the Users & Groups window to the list.

8Click Save.

Chapter 4    Enhancing Security

75

Image 75

Apple 10.6 manual Service Level Security, Setting Sacl Permissions, To set Sacl permissions for a service

Contents

Mac OS X Server 019-1410/2009-08-15 Contents Enhancing Security Administration Tools Installation and Deployment Initial Server Setup Ongoing System Management Monitoring Your System Index Push Notification Server Contents What’s in This Guide About This Guide To see the most recent server help topics Using Onscreen Help Getting Started Document Road Map Preface About This Guide Getting Additional Information Getting Documentation Updates Standards System Requirements for Installing Mac OS X Server ÂÂ iCal Server What’s New in Mac OS X Server Understanding Server Configuration Methods What’s New in Server Admin Snmp NFS Radius Supported Standards System Overview and Supported Standards System Overview and Supported Standards Mac OS X Server’s Unix Heritage Determining Your Server Needs Planning Server Usage Setting Up a Planning Team Determining Whether to Upgrade or Migrate Determining Services to Host on Each Server Identifying Servers to Set Up Planning Server Usage Defining a Migration Strategy Migrating from WindowsDefining an Integration Strategy Defining Physical Infrastructure Requirements Defining Server Setup Infrastructure Requirements Setting up basic server infrastructure Minimizing the Need to Relocate Servers After Setup Defining Backup and Restore PoliciesMaking Sure Required Server Hardware Is Available Understanding Backup and Restore Policies Understanding Backup Types Understanding Restores Understanding Backup Scheduling Defining a Backup Verification Mechanism Other Backup Policy Considerations Understanding Time Machine as a Server Backup Tool Command-Line Backup and Restoration Tools ÂÂ Wiki ÂÂ Xgrid ÂÂ Remote Access Settings ÂÂ Software Update Opening and Authenticating in Server Admin Server Admin M N Server Admin Interface Customizing the Server Admin Environment Server Assistant is used for Server Assistant Workgroup Manager Server Preferences Workgroup Manager Interface Customizing the Workgroup Manager Environment Server Monitor For additional information, see Server Monitor Help ICal Service Utility Interface ICal Service Utility Media Streaming Management System Image Management Command-Line Tools RAID AdminServer Status Widget Podcast Capture, Composer, and Producer Xgrid Admin Apple Remote Desktop About Physical Security Enhancing Security About Network Security Firewalls and Packet FiltersNetwork DMZ MAC Filtering VLANs Payload Encryption Transport Encryption About File Security File and Folder PermissionsAbout File Encryption Secure Delete About Authentication and Authorization ÂÂ Secure Shell SSH You have several options for authenticating users Single Sign-On Public and Private Keys About Certificates, SSL, and Public Key Infrastructure About Certificate Authorities CAs Certificates About Identities About Self-Signed CertificatesAbout Intermediate Trust Certificate Manager in Server Admin To configure clients to trust a certificateFrom the command line Enhancing Security Readying Certificates To request a signed certificate Creating a Self-Signed CertificateRequesting a Certificate from a Certificate Authority To create a self-signed certificate To create a CA Creating a Certificate Authority Enhancing Security To import an existing OpenSSL style certificate Using a CA to Create a Certificate for Someone ElseImporting a Certificate Identity To create a certificate for someone else Editing a Certificate Managing Certificates To delete a certificate Distributing a CA Public Certificate to ClientsDeleting a Certificate To distribute your certificate to your clients To renew an expiring certificate Using CertificatesRenewing an Expiring Certificate Replacing an Existing Certificate Generating a Key Pair for SSH Key-Based SSH LoginTo do this, run the following commands in Terminal SSH and SSH Keys Key-Based SSH with Scripting Sample Setting Administration Level Privileges Administration Level Security Service Level Security Setting Sacl PermissionsTo set Sacl permissions for a service Security Best Practices Password Guidelines Creating Complex Passwords Installation Overview Confirm you meet the requirements Gather your information Prepare the target disk Set up the environment Start up the computer from an installation disk Start the installer Gathering the Information You Need Set Up Services SSH During Installation Setting Up Network ServicesAbout the Server Install Disc Connecting to the Directory During Installation Preparing an Administrator Computer Mac OS X Server Install DiscAdministration Tools CD About Starting Up for Installation To install Mac OS X Server v10.6 administration toolsBefore Starting Up Starting Up from the Install DVD To start up the computer with the installation discStarting Up from an Alternate Partition Prepare the disks and partitions on the target computer Create a restorable image of the Install DVD Restore the image to the alternate partition To create an image of the Install DVD To restore the image to a free volume To access the computer with Server Assistant Remotely Accessing the Install DVD To access the computer with VNC To access the computer using Screen SharingTo access the computer with SSH Identify the target server Identifying Remote Servers When Installing Mac OS X Server Starting Up from a NetBoot Environment To create a NetInstall image from the Install DVD Preparing Disks for Installing Mac OS X Server Create a NetInstall image from the Install DVD Start up the computer from the NetBoot server ÂÂ Mac OS Extended Journaled, Case-Sensitive aka Hfsx Choosing a File System About Hard Disk Partitioning Partitioning a Disk To partition a disk using Disk Utility About Creating a RAID Set So the command is You cannot create a RAID set from the startup disk To create a RAID set using Disk Utility Diskutil createRAID mirror setName format device device For example Installing Server Software Interactively To install server software locally Installing Locally from the Installation Disc To install on a remote server by using Server Assistant Installing Remotely with Server Assistant Installing Remotely with Screen Sharing and VNC To change a remote computer’s startup disk Changing a Remote Computer’s Startup Disk To use installer to install server software 105 Installing Multiple Servers Most Efficient Methods of InstallationMore Interactive Methods of Installation Upgrading a Computer from Mac OS X to Mac OS X Server How to Keep Current Postponing Server Setup Following Installation To postpone setting up Mac OS X ServerInformation You Need Connecting to the Network During Initial Server Setup Configuring Servers with Multiple Ethernet PortsAbout Settings Established During Initial Server Setup ÂÂ Create Users and Groups Specifying Initial Open Directory Usage Not Changing Directory Usage When Upgrading ÂÂ Configure ManuallyÂÂ Import Users and Groups Binding a Server to Multiple Directory Servers Setting Up a Server as a Standalone Server To interactively connect to an additional directory server Setting up Servers Interactively Select the target servers from the configuration list To set up servers interactively Using Automatic Server Setup Creating and Saving Setup Data To create a setup data file How a Server Searches for Saved Setup Data Files Using Encryption with Setup Data Files Setting Up Servers Automatically Using Data Saved in a File To set the server serial number To use setup data from a file remotelyCreate the saved setup folder on the remote server Restart the remote server Handling Setup Errors From the command-line Setting Up ServicesAdding Services to the Server View To change services to administer To set up a user account Setting Up Open DirectorySetting Up User Management Setting Up All Other Services Setting Up an Administrator Computer Computers You Can Use to Administer a Server Insert the Mac OS X Server Admin Tools CD Using a Non-Mac OS X Computer for Administration Working with Pre-v10.6 Computers from v10.6 Servers Using the Administration Tools Ports Open By Default Ports Used for Administration Adding and Removing Servers in Server Admin Server Admin Basics Grouping Servers Using Smart Groups Grouping Servers ManuallyTo create a server group To create a server smart group Working with Settings for a Specific Server Toolbar button Shows 132 ÂÂ Directory Service ÂÂ Firewall ÂÂ Mobile Access ÂÂ NetBootUnderstanding Mac OS X Server Names Dhcp Directory Service and Kerberos Mobile Access Proxy Services NetBootFirewall Web ÂÂ MySQL Certificates for Web and Wiki Services MySQLWiki 138 Mailing List Certificates for Mail ServicesÂÂ Certificates for collaboration services Imap and POP Address Book Service ICal ServiceIChat Service Certificates for Collaboration Services To change the DNS name of the Podcast Producer computer To change the IP address of the Podcast Producer computer Xgrid Software Update ServerPrint Push Notification To change the DNS name Changing the Server’s DNS Name After SetupChanging the IP Address of a Server Changing the Server’s Computer Name and the Local Hostname Administering Services From the command lineTo change computer name and local hostname To export service settings Adding and Removing Services in Server AdminImporting and Exporting Service Settings To add or remove a service in Server Admin To configure service access SACLs Controlling Access to Services Managing Sharing Using SSL for Remote Server Administration Tiered Administration Permissions Defining Administrative Permissions Workgroup Manager BasicsTo assign permissions Administering Accounts Opening and Authenticating in Workgroup ManagerWorking with Users and Groups 152 Defining Managed Preferences To display the inspector Working with Directory Data General Service Configuration AssistantsCritical Configuration and Data Files Assistants are available for the following services Mail-POP/IMAP Server Dovecot Firewall ServiceMail Service IChat Server NAT Service MySQL Service Tomcat App Server OpenDirectory ServiceNotifications QuickTime Streaming Server Wiki and Blog Server Improving Service AvailabilityWeb Service Eliminating Single Points of Failure Using Xserve for High Availability Following is the Energy Saver panel of System Preferences Setting Up Your Server for Automatic RestartUsing Backup Power Using UPS with Xserve Automatic restart options are To enable automatic restartEnsuring Proper Operational Conditions Providing Open Directory Replication Link Aggregation Link Aggregation Scenarios About the Link Aggregation Control Protocol Lacp Computer to Switch To create a link aggregate Setting Up Link Aggregation in Mac OS X Server To monitor the status of a link aggregate Monitoring Link Aggregation Status Load Balancing Viewing Running Daemons Using launchd for Daemon ControlÂÂ mDNSresponder local network service discovery process Daemon Overview 170 Planning Monitoring Response Planning a Monitoring Policy Using with Server Status Widget Using Server MonitorTo configure the Server Status widget Using RAID Admin for Server Monitoring Using Console for Server MonitoringUsing Disk Monitoring Tools Using Network Monitoring Tools To see a status overview for one server Using Server Status Notification in Server AdminMonitoring Server Status Overviews Using Server Admin To set a notification Following shows a sample Overview pane for a single server Using Remote Kernel Core Dumps 177 Setting up a core dump server Setting Up a Core Dump Server Setting Up a Core Dump Client Setting up a core dump clientRestart the computer for the settings to take effect About Simple Network Management Protocol Snmp Configuring Common Core Dump Options Configuring snmpd To enable SnmpEnabling Snmp reporting To enable and configure Snmp Customize data Restart snmpd to take changes About Notification and Event Monitoring Daemons Additional Information about SnmpTools to Use with Snmp There are two main notification daemons syslogd and emond Syslog Logging To start debugging at startup Directory Service Debug LoggingSyslog Configuration File Open Directory Logging To run slapd in debugging mode To enable client-side loggingAdditional Monitoring Aids AFP Logging About Push Notification Server Push Notification Server Starting and Stopping Push Notification To enable Push Notification Changing a Service’s Push Notification Server Click Save, then restart the serviceTo change the existing push notification server Index 192 193 194 195 196 197