Apple 10.6 manual Service Level Security, Setting Sacl Permissions

You can determine which services other admin group users can modify. To do this, the administrator making the determination must have full, unmodified access.

The process for setting administration level privileges is found in “Tiered Administration Permissions” on page 149.

Service Level Security

You use a Service Access Control List (SACL) to enforce who can use a service. It is not a means of authentication. It is a list of those who have access rights to use a service.

SACLs allow you to add a layer of access control on top of standard and ACL permissions.

Only users and groups in an SACL can access its corresponding service. For example, to prevent users from accessing AFP share points on a server, including home folders, remove the users from the AFP service’s SACL.

Server Admin in Mac OS X Server allows you to configure SACLs. Open Directory authenticates user accounts and SACLs authorize use of services. If Open Directory authenticates you, the SACL for login window determines whether you can log in, the SACL for AFP service determines whether you can connect for Apple file service, and so on.

Setting SACL Permissions

SACLs allow you to specify which users and groups have access to Mac OS X Server services, including AFP, FTP, and Windows file services.

To set SACL permissions for a service:

1Open Server Admin.

2Select the server from the Servers list.

3Click Settings.

4Click Access.

5To restrict access to all services or deselect this option to set access permissions per service, select “For all services.”

6If you deselected “For all services,” select a service from the Service list.

7To provide unrestricted access to services, click “Allow all users and groups.” If you want to restrict access to certain users and groups:

ÂÂ Select “Allow only users and groups below.”

ÂÂ Click the Add (+) button to open the Users & Groups window.

ÂÂ Drag users and groups from the Users & Groups window to the list.

8Click Save.