Working with Access Control Lists

For more advanced, more flexible permissions, you can create an access control list (ACL). Windows clients and servers also use ACLs, which can give you compatibility in mixed-platform networks.

An ACL is a list of users and groups that have access to a share point and its permissions and inheritance settings. Each entry in the list is an access control entity (ACE), which consists of a user or group and its associated permissions and inheritance settings.

Here’s a simple ACL with two ACEs you might set for a share point:

User or Group        Permission    Applies To
User: ronmckernan    Read/write    This folder
Group: students      Read          This folder

Look familiar? That’s because this ACL reproduces the standard POSIX permissions for a folder. One user (like the owner) has read/write permissions, and one group has read permissions. “Applies to this Folder” means no inheritance, as with POSIX permissions.

A limitation of POSIX permissions is that you can assign only one group and one user (the owner) access to a shared folder. With an ACL, however, you can continue to add users and groups to the list. In the following, I added a teachers group with read/write privileges and a second user with write-only access:

User or Group          Permission    Applies To
User: ronmckernan      Read/write    This folder
User: Tim Constanten   Write         This folder
Group: teachers        Read/write    This folder
Group: students        Read          This folder
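To make the ACE evaluation described above concrete, here is an added Python model of the two ACLs in the tables. It is not OS X Server's own code: it is simplified to allow-only entries, and the group memberships (GROUPS) and the account pjohnson, alice, bob are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample directory: group name -> member account names.
GROUPS = {
    "teachers": {"pjohnson"},
    "students": {"alice", "bob"},
}

@dataclass(frozen=True)
class ACE:
    """One access control entry: a principal, its permissions, and its scope."""
    principal: str                    # "user:<name>" or "group:<name>"
    permissions: frozenset            # any subset of {"read", "write"}
    applies_to: str = "this_folder"   # or "this_folder_and_children" (inherits)

    def matches(self, user, groups):
        kind, name = self.principal.split(":", 1)
        if kind == "user":
            return name == user
        return user in groups.get(name, set())

def effective_permissions(acl, user, groups, depth=0):
    """Union of the permissions of every ACE naming the user, directly or via a
    group. depth 0 is the share point; deeper items only see inheriting ACEs."""
    granted = set()
    for ace in acl:
        if depth > 0 and ace.applies_to == "this_folder":
            continue          # "This folder" means no inheritance, as with POSIX
        if ace.matches(user, groups):
            granted |= ace.permissions
    return frozenset(granted)

def fits_posix(acl):
    """True if the ACL says no more than POSIX can: one user, one group, no inheritance."""
    users = sum(a.principal.startswith("user:") for a in acl)
    groups = sum(a.principal.startswith("group:") for a in acl)
    return users <= 1 and groups <= 1 and all(a.applies_to == "this_folder" for a in acl)

RW, R, W = frozenset({"read", "write"}), frozenset({"read"}), frozenset({"write"})

# First table: reproduces POSIX owner read/write, group read.
SIMPLE_ACL = [ACE("user:ronmckernan", RW), ACE("group:students", R)]
# Second table: extra user and group entries that POSIX cannot express.
EXTENDED_ACL = [ACE("user:ronmckernan", RW), ACE("user:Tim Constanten", W),
                ACE("group:teachers", RW), ACE("group:students", R)]

if __name__ == "__main__":
    for who in ("ronmckernan", "Tim Constanten", "pjohnson", "alice", "nobody"):
        print(who, sorted(effective_permissions(EXTENDED_ACL, who, GROUPS)))
    print("POSIX-expressible:", fits_posix(SIMPLE_ACL), fits_posix(EXTENDED_ACL))
```

Because matching ACEs are combined, a user named directly with write-only access who also belongs to the teachers group would end up with read/write; keep that in mind when mixing per-user and per-group entries.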

Further deviating from POSIX ...
