Lion Server Access Control List Permissions - dummies

By John Rizzo

Access Control Lists (ACLs) in Lion Server provide finer shades of what read and write mean than POSIX does. For example, you can set write permissions to enable a group to edit files but not to create new folders. You can also enable users to edit a file but not to delete it.

Apple’s implementation of ACLs defines thirteen permissions. Here’s how to view and set them in the Server app:

  1. Click the name of your server in the left column under Hardware.

  2. Click the Storage tab and browse for and select a shared folder.

  3. Click the gear icon and select Edit Permissions from the pop-up menu.

  4. Click the Add (+) button and start typing the name of an existing user or group.

    The Server app finishes the name.

  5. Click the triangle to the left of the user or group name.

    You see the 13 permissions grouped by type, as well as 4 types of inheritance.

The 13 permissions are as follows:

  • Administration:

    • Change Permissions: Users can change standard POSIX permissions even if they aren’t owners.

    • Change Owner: Users can change the file’s or folder’s ownership to themselves or to someone else.

  • Read:

    • Read Attributes: Users can view the file’s or folder’s attributes, including filename, date created, and size.

    • Read Extended Attributes: Users can view the file’s or folder’s attributes, or metadata, added by third-party developers.

    • List Folder Contents (Read Data): Users can view the folder’s contents and open files.

    • Traverse Folder (Execute File): Users can open subfolders and run programs in the folder.

    • Read Permissions: Users can view the standard POSIX permissions of the file or folder with the Mac Finder’s Get Info window (select the file or folder and choose Finder→Get Info) or with Terminal commands.

  • Write:

    • Write Attributes: Users can change the file’s or folder’s standard attributes.

    • Write Extended Attributes: Users can change the file’s or folder’s other attributes.

    • Create Files (Write Data): Users can create and edit files.

    • Create Folder (Append Data): Users can create subfolders.

    • Delete: Users can delete files or folders.

    • Delete Subfolders and Files: Users can delete subfolders and files within the selected folder. You set these permissions on folders only. Files inherit permissions from the folder they’re in.

You can use ACLs only on storage devices formatted in the HFS+ file system. If you want to use ACLs on a particular storage device that’s formatted differently, you have to first reformat that drive in HFS+.

To take advantage of ACL permissions in Lion Server, you must use the Server app. You can’t set or manage ACL permissions with Server Admin. This is the opposite of how previous versions of Mac OS X Server handled ACLs.

With this staggering array of permissions, you can easily lose track of who gets access to what and how. The best practice is to base your permission structure on group permissions. Don’t set individual user permissions unless you need an exception, either with more permissive or more restrictive access.

A good plan is to assign permissions to groups only once. Then, if you need to change an individual’s access, just add that user to, or remove that user from, the appropriate groups.
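As an added example (not from the book), here is a small Python audit script that reads the ACL listing `ls -le` prints in Terminal on Mac OS X, translates the chmod(1) ACL keywords back into the thirteen names the Server app shows, and reports the two things worth reviewing under the group-only rule above: per-user entries (the exceptions) and entries that grant either Administration permission. The keyword-to-name mapping follows the Mac OS X chmod(1) ACL syntax, and the sample listing is constructed, not captured from a real server.

```python
import re
from collections import namedtuple
# chmod(1) ACL keywords on Mac OS X, keyed to the names the Server app shows. Four of the
# thirteen rights have a folder keyword and a file keyword; both map to one Server app name.
SERVER_APP_NAMES = {
    "writesecurity": "Change Permissions", "chown": "Change Owner", "readattr": "Read Attributes",
    "readextattr": "Read Extended Attributes", "list": "List Folder Contents",
    "read": "List Folder Contents", "search": "Traverse Folder", "execute": "Traverse Folder",
    "readsecurity": "Read Permissions", "writeattr": "Write Attributes",
    "writeextattr": "Write Extended Attributes", "add_file": "Create Files",
    "write": "Create Files", "add_subdirectory": "Create Folder", "append": "Create Folder",
    "delete": "Delete", "delete_child": "Delete Subfolders and Files",
}
INHERIT_FLAGS = {"file_inherit", "directory_inherit", "limit_inherit", "only_inherit"}
ADMIN_RIGHTS = {"chown", "writesecurity"}  # the two Administration permissions
# One ACE line of `ls -le`: index, user|group:name, optional "inherited", allow|deny, rights.
ACE_RE = re.compile(r"^\s*(\d+):\s+(user|group):(\S+)\s+(inherited\s+)?(allow|deny)\s+(\S+)\s*$")
ACE = namedtuple("ACE", "index kind name inherited effect rights")

# Constructed sample output for one shared folder (not captured from a real server).
SAMPLE_LS_LE = """\
drwxrwxr-x+  5 admin  staff  170 Jan 10 12:00 Projects
 0: group:editors allow list,search,add_file,add_subdirectory,delete_child,readattr,file_inherit,directory_inherit
 1: group:editors deny delete
 2: user:bob allow list,search,chown,writesecurity
 3: group:admin inherited allow list,search,add_file,delete,delete_child
"""
def parse_ls_le(text):
    """Return the ACEs in `ls -le` output; the mode/owner lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            idx, kind, name, inh, effect, rights = m.groups()
            aces.append(ACE(int(idx), kind, name, inh is not None, effect,
                            frozenset(rights.split(",")) - INHERIT_FLAGS))
    return aces
def server_app_names(rights):
    """Translate chmod keywords into the Server app's permission names (sorted, deduplicated)."""
    return sorted({SERVER_APP_NAMES[r] for r in rights if r in SERVER_APP_NAMES})
def audit(aces):
    """Flag per-user ACEs (exceptions to the group-only rule) and allow ACEs granting Administration rights."""
    findings = []
    for ace in aces:
        if ace.kind == "user":
            findings.append(f"ACE {ace.index}: per-user entry for {ace.name} ({ace.effect})")
        admin = ace.rights & ADMIN_RIGHTS
        if ace.effect == "allow" and admin:
            findings.append(f"ACE {ace.index}: {ace.kind}:{ace.name} is allowed "
                            + ", ".join(server_app_names(admin)))
    return findings
```

Run it against real output with `ls -led /path/to/shared/folder` piped into `parse_ls_le`; the inheritance flags are stripped from each entry so that only the thirteen rights are compared.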