Rules of Precedence in Lion Server File Permission Structures

If a user complains that she can’t access a certain share or save a file, look at your Lion Server permission structure and the inheritance. You may have one type of inheritance unexpectedly taking precedence over another.

For example, check the groups that the user belongs to and whether any Deny permissions are set. The issue is that if you have multiple sets of permissions and inheritance, only one can apply for any given shared folder and user or group. Some permissions take precedence over others.

Here are some rules that define which permissions take precedence:

  • Standard POSIX permissions apply automatically if no ACL exists for a certain file or folder. If you don’t specify any permissions for a newly created share point (and none are inherited), the default POSIX permissions and inheritance rules are applied.

  • Deny permissions take precedence. When the server sees a Deny permission, it applies it regardless of other rules or precedence. This can unintentionally block access for a user.

  • ACL entries are first-come, first-served. The order in which users and groups are listed in the ACL matters. If a user belongs to multiple groups in the list, the group listed higher takes precedence over one listed lower. So if the first entry doesn’t give a user the right to delete a file even though another permission farther down in the list does, the user can’t delete a file in the folder.

  • Mac OS X Server adds all the Allow permissions. Mac OS X counts all the permissions that allow the user to do things and gives them to the user. If a user has one set of permissions and belongs to a group that has different permissions, she gets the Allow permissions of both.

    After looking at all the ACL permissions that might apply to a user for a given folder, the server looks at the POSIX permissions for any Allow permissions that might apply. Mac OS X Server then adds them to create the access to the file for the particular user or group.
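
The rules above, modeled as a short Python function for troubleshooting "why can't she delete that file" questions. This is an added example, not code from Apple or from the original article: the names `ACE`, `check_access` and the sample user and groups are constructed, and the way the rules combine here (ordered entries, a matching Deny stops evaluation, Allows accumulate, POSIX permissions are added last) is a simplified assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ACE:
    principal: str        # user or group name (constructed for this example)
    kind: str             # "allow" or "deny"
    rights: frozenset     # e.g. {"read", "write", "delete"}

def check_access(user, groups, requested, acl, posix_rights):
    """Return (granted, reason) for the requested rights on one folder.

    acl is the ordered list of ACEs on the folder; posix_rights is the set
    of rights the POSIX mode bits already give this user.
    """
    principals = {user} | set(groups)
    remaining = set(requested)
    for index, ace in enumerate(acl):
        if ace.principal not in principals:
            continue
        hit = remaining & ace.rights
        if ace.kind == "deny" and hit:
            # A matching Deny ends evaluation; later Allows are never reached.
            return False, f"denied by entry {index} ({ace.principal})"
        if ace.kind == "allow":
            remaining -= hit  # Allows from user and group entries add up
        if not remaining:
            return True, f"allowed by ACL at entry {index}"
    # No ACL, or the ACL left some rights undecided: add POSIX Allows last.
    remaining -= set(posix_rights)
    if remaining:
        return False, "not granted: " + ", ".join(sorted(remaining))
    return True, "allowed with POSIX permissions"

# Constructed sample ACL; alice belongs to both groups.
SAMPLE_ACL = [
    ACE("interns", "deny", frozenset({"delete"})),
    ACE("alice", "allow", frozenset({"read"})),
    ACE("designers", "allow", frozenset({"write", "delete"})),
]

if __name__ == "__main__":
    groups = ["interns", "designers"]
    for want in ({"read", "write"}, {"delete"}, {"read", "execute"}):
        print(sorted(want), check_access("alice", groups, want, SAMPLE_ACL, {"execute"}))
```

With the sample ACL, the Deny entry for `interns` blocks alice from deleting even though `designers` allows it further down, which is the situation to look for when a user in several groups is unexpectedly locked out.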
