Rules of Precedence in Lion Server File Permission Structures - dummies

Rules of Precedence in Lion Server File Permission Structures

By John Rizzo

If a user complains that she can’t access a certain share or save a file, look at your Lion Server permission structure and the inheritance. You may have one type of inheritance unexpectedly taking precedence over another.

For example, check which groups the user belongs to and whether any Deny permissions are set. The issue is that when multiple sets of permissions and inheritance rules exist, only one outcome can apply to any given shared folder for a given user or group, and some permissions take precedence over others.

Here are some rules that define which permissions take precedence:

  • Standard POSIX permissions apply automatically if no ACL exists for a certain file or folder. If you don’t specify any permissions for a newly created share point (and none are inherited), the default POSIX permissions and inheritance rules are applied.

  • Deny permissions take precedence. When the server sees a Deny permission, it applies it regardless of other rules or precedence. This can unintentionally block access for a user.

  • ACL entries are first-come, first-served. The order in which users and groups are listed in the ACL matters. If a user belongs to multiple groups in the list, the group listed higher takes precedence over one listed lower. So if the first entry doesn’t give a user the right to delete a file even though another permission farther down in the list does, the user can’t delete a file in the folder.

  • Mac OS X Server adds all the Allow permissions. Mac OS X counts all the permissions that allow the user to do things and gives them to the user. If a user has one set of permissions and belongs to a group that has different permissions, she gets the Allow permissions of both.

    After looking at all the ACL permissions that might apply to a user for a given folder, the server looks at the POSIX permissions for any Allow permissions that might apply. Mac OS X Server then adds them to create the access to the file for the particular user or group.
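To make these rules concrete, here is a small Python model of them. It is added to this article and is not Apple's code or the server's actual implementation: it walks a constructed ACL from top to bottom, lets the first entry that mentions a right decide that right, accumulates the Allow rights from every matching entry, and fills in whatever the ACL did not decide from the POSIX mode bits. The entries, group memberships, the three right names, the mapping of the POSIX w bit to both write and delete, and the assumption that the server lists Deny entries ahead of Allow entries (which is what makes Deny win in this model) are all choices made for the example.

```python
"""Model of the Lion Server precedence rules described above.
Added example, not Apple's implementation. ACL entries carry a principal
("user:NAME" or "group:NAME"), a kind ("allow" or "deny") and the set of
rights the entry speaks about; an empty ACL means "no ACL, POSIX only"."""

from dataclasses import dataclass, field

RIGHTS = ("read", "write", "delete")   # assumed right names for the example


@dataclass
class AclEntry:
    principal: str         # "user:NAME" or "group:NAME"
    kind: str              # "allow" or "deny"
    rights: frozenset      # subset of RIGHTS this entry mentions


@dataclass
class Folder:
    owner: str
    group: str
    posix_mode: int                          # e.g. 0o750
    acl: list = field(default_factory=list)  # ordered entries; empty = no ACL


def posix_rights(folder, user, groups):
    """Rights the POSIX mode bits grant this user.
    Assumed mapping (not from the article): r -> read, w -> write and delete."""
    if user == folder.owner:
        bits = (folder.posix_mode >> 6) & 0o7
    elif folder.group in groups:
        bits = (folder.posix_mode >> 3) & 0o7
    else:
        bits = folder.posix_mode & 0o7
    rights = set()
    if bits & 0o4:
        rights.add("read")
    if bits & 0o2:
        rights.update({"write", "delete"})
    return rights


def entry_matches(entry, user, groups):
    """True if the entry names this user or one of the user's groups."""
    kind, _, name = entry.principal.partition(":")
    return (kind == "user" and name == user) or (kind == "group" and name in groups)


def effective_rights(folder, user, groups):
    """Return (granted_rights, decisions).

    Rule 1: no ACL at all -> plain POSIX rights.
    Rule 3: walk the ACL top to bottom; for each right, the FIRST matching
            entry that mentions it decides, and later entries cannot override.
    Rule 2: Deny wins because Deny entries are listed ahead of Allow entries
            (assumed canonical order), so a matching deny is always met first.
    Rule 4: allows from several matching entries accumulate, and rights no
            ACL entry decided are filled in from the POSIX Allow bits.
    decisions maps right -> ("allow" | "deny", index of the deciding entry).
    """
    if not folder.acl:
        return posix_rights(folder, user, groups), {}
    decisions = {}
    for idx, entry in enumerate(folder.acl):
        if not entry_matches(entry, user, groups):
            continue
        for right in entry.rights:
            decisions.setdefault(right, (entry.kind, idx))  # first entry wins
    granted = {r for r, (kind, _) in decisions.items() if kind == "allow"}
    granted |= posix_rights(folder, user, groups) - set(decisions)
    return granted, decisions


def can(folder, user, groups, right):
    """Convenience check for a single right."""
    return right in effective_rights(folder, user, groups)[0]


# Constructed sample share points (not real server data). PROJECTS has a
# Deny entry listed first, the way the server orders it; DROPBOX has no ACL.
PROJECTS = Folder(
    owner="admin", group="staff", posix_mode=0o700,
    acl=[
        AclEntry("group:contractors", "deny", frozenset({"delete"})),
        AclEntry("group:staff", "allow", frozenset({"read"})),
        AclEntry("group:editors", "allow", frozenset({"write", "delete"})),
    ],
)
DROPBOX = Folder(owner="admin", group="staff", posix_mode=0o750)


if __name__ == "__main__":
    # alice is in contractors, so the Deny on entry 0 blocks delete even
    # though the editors entry farther down would allow it.
    for user, groups in [("alice", ["staff", "editors", "contractors"]),
                         ("carol", ["staff", "editors"])]:
        granted, why = effective_rights(PROJECTS, user, groups)
        print(user, sorted(granted), why)
```

Reading the `decisions` dictionary is the useful part when troubleshooting: it tells you which entry decided each right, which is exactly what you need when a user in several groups is blocked by a Deny higher in the list than the Allow you expected to apply.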