Controlling Access to Lion Server Services with SACLs - dummies

Controlling Access to Lion Server Services with SACLs

By John Rizzo

A method of controlling file access in Lion Server is service access control lists (SACLs). SACLs control access to the available services, such as AFP and SMB file sharing, as well as other services such as e-mail and Address Book Server. If you set an SACL permission for a protocol, all the folders shared with that protocol get that permission.

SACLs are another layer of permissions on top of POSIX permissions and ACLs. With SACLs, you can prevent certain users and groups from having access to share points that use one or more of the protocols. Removing a user or group from a protocol’s SACL prevents him from accessing share points with that protocol, including home folders.

You set SACLs using Server Admin. You can select individual services to add users and groups to or apply access to all services. You can also set administrators for individual services, or for all services.

To configure SACLs, do the following:

  1. In Server Admin, select your server listed in the left column.

  2. Click Access in the toolbar and then click the Services tab.

    The Server Admin Administrators window appears.


  3. Select one of the two radio buttons on the left to restrict services:

    • For All Services limits access to all services listed.

    • For Selected Services Below limits access for individual services.

  4. Select one of the two radio buttons on the right to choose a level of restriction for users and groups:

    • Allow All Users and Groups allows access to the service(s) by all.

    • To restrict access, click Allow Only Users and Groups Below. Then click the Add (+) button to bring up the Users & Groups palette, and drag users and groups to the list.

  5. Click Save.

By clicking the Administrators tab, you can also turn users and groups of users into administrators for a particular service. Drag a user and group over to the Allow to Administer or Monitor list.

The use of SACLs is optional. The default setting of each protocol’s SACL is to list all users as having access to all available services. If you don’t want to bother with it, just pretend it doesn’t exist.