How to Set SACL Permissions in Lion Server
Using service access control lists (SACLs) in Lion Server, you can prevent specific users from accessing AFP and SMB and/or protocol services. Removing a user or group from an SACL listing for SMB, for instance, prevents that user or group from accessing all share points shared with SMB. You can also prevent users from accessing other services, including iCal and Profile Manager. SACLs are permissions to use a service.
For file sharing, SACLs are a way to control behavior. For example, if you want your Mac users to always use AFP to connect to the file server, you can ban them from the SMB service.
To configure SACLs, do the following:
In Server Admin, select your server listed in the left column.
Click Access in the toolbar, and then click the Services tab.
Select one of the two radio buttons on the left to restrict services:
For All Services limits access to all services listed.
For Selected Services Below limits access for individual services.
Select one of the two radio buttons on the right to choose a level of restriction for users and groups:
Allow All Users and Groups allows access to the service(s) by all.
To restrict access, click Allow Only Users and Groups Below. Select one or more services. Then click the Add (+) button to bring up the Users & Groups palette and drag users and groups to the list.
To restrict access to services for administrators, click the Administrators tab. Here, you can also turn users and groups of users into administrators for a particular service. Drag a user and group over to the Allow to Administer or Monitor list.