Languages

Lion Server: Access control entries (ACEs)

Access control entries (ACEs) in Lion Server

Learn about about access control lists (ACLs).

An ACE is an entry in an ACL that specifies, for a group or a user, access permissions to a file or folder and the rules of inheritance.

What’s stored in an ACE

An ACE contains the following fields:

  • User or Group. An ACE stores a universally unique ID for a group or user, which permits unambiguous resolution of identity.
  • Type. An ACE supports two permission types, Allow and Deny, which determine whether permissions are granted or denied.

    In the Server app, you can only set the Allow permissions type. You can use the ls and chmod command-line tools to set the deny permissions type. For information, see their man pages.

  • Permission. This field stores the settings for the 13 permissions supported by the Apple ACL model.
  • Inherited. This field specifies whether the ACE is inherited from the parent folder.
  • Applies To. This field specifies what the ACE permission is for.

Explicit and inherited ACEs

The Server app supports two types of ACEs:

  • Explicit ACEs, which are those you create in an ACL. See Set folder access permissions.
  • Inherited ACEs, which are ACEs you created for a parent folder that were inherited by a descendant file or folder.
Note: Inherited ACEs cannot be edited unless you make them explicit.

Understanding inheritance

ACL inheritance lets you specify how permissions pass from a folder to its descendants.

The Apple ACL inheritance model

The Apple ACL inheritance model defines four options that you select or deselect in the Server app to control the application of ACEs (in other words, how to propagate permissions through a folder hierarchy):

Inheritance option Description
Apply to this folder Apply (Administration, Read, and Write) permissions to this folder
Apply to child folders Apply permissions to subfolders
Apply to child files Apply permissions to the files in this folder
Apply to all descendants Apply permissions to all descendants
Note: If you want an ACE to apply to all descendants without exception, you must select the “Apply to child folders” and “Apply to child files” options in addition to this option.

Mac OS X Lion propagates ACL permissions at two well-defined times:

  • At file or folder creation time—when you create a file or folder, the kernel determines what permissions the file or folder inherits from its parent folder.
  • When initiated by administrator tools—for example, when using the Propagate Permissions option in the Server app.

The following figure shows how the Server app propagates two ACEs (managers and design_team) after ACE creation. Bold text represents an explicit ACE and regular text represents an inherited ACE.


Diagram shows Jupiter folder has explicit “managers” ACL entry, which is inherited by all its descendant folders and files. Jupiter’s gread-grandchild folder also has “lander team” ACL entry, which its child inherits. Another child folder of Jupiter has “design team” ACL entry, which its child inherits.

ACL inheritance combination

When you set inheritance options for an ACE in the Server app, you can choose from 12 unique inheritance combinations for propagating ACL permissions.

Inheritance checkbox Inheritance

Apply to this folder checkbox Apply to this folder

Apply to this child folder checkbox Apply to child folders

Apply to this child files checkbox Apply to child files

Apply to all descendants checkbox Apply to all descendants

L0005_table1a.png

Inheritance checkbox Inheritance

Apply to this folder checkbox Apply to this folder

Apply to this child folder checkbox Apply to child folders

Apply to this child files checkbox Apply to child files

Apply to all descendants checkbox Apply to all descendants

L0005_table1b.png

Inheritance checkbox Inheritance

Apply to this folder checkbox Apply to this folder

Apply to this child folder checkbox Apply to child folders

Apply to this child files checkbox Apply to child files

Apply to all descendants checkbox Apply to all descendants

L0005_table2a.png

Inheritance checkbox Inheritance

Apply to this folder checkbox Apply to this folder

Apply to this child folder checkbox Apply to child folders

Apply to this child files checkbox Apply to child files

Apply to all descendants checkbox Apply to all descendants

L0005_table2b.png

Inheritance checkbox Inheritance

Apply to this folder checkbox Apply to this folder

Apply to this child folder checkbox Apply to child folders

Apply to this child files checkbox Apply to child files

Apply to all descendants checkbox Apply to all descendants

L0005_table3a.png

Inheritance checkbox Inheritance

Apply to this folder checkbox Apply to this folder

Apply to this child folder checkbox Apply to child folders

Apply to this child files checkbox Apply to child files

Apply to all descendants checkbox Apply to all descendants

L0005_table3b.png

Inheritance checkbox Inheritance

Apply to this folder checkbox Apply to this folder

Apply to this child folder checkbox Apply to child folders

Apply to this child files checkbox Apply to child files

Apply to all descendants checkbox Apply to all descendants

L0005_table4a.png

Inheritance checkbox Inheritance

Apply to this folder checkbox Apply to this folder

Apply to this child folder checkbox Apply to child folders

Apply to this child files checkbox Apply to child files

Apply to all descendants checkbox Apply to all descendants

L0005_table4b.png

Inheritance checkbox Inheritance

Apply to this folder checkbox Apply to this folder

Apply to this child folder checkbox Apply to child folders

Apply to this child files checkbox Apply to child files

Apply to all descendants checkbox Apply to all descendants

L0005_table5a.png

Inheritance checkbox Inheritance

Apply to this folder checkbox Apply to this folder

Apply to this child folder checkbox Apply to child folders

Apply to this child files checkbox Apply to child files

Apply to all descendants checkbox Apply to all descendants

L0005_table5b.png

Inheritance checkbox Inheritance

Apply to this folder checkbox Apply to this folder

Apply to this child folder checkbox Apply to child folders

Apply to this child files checkbox Apply to child files

Apply to all descendants checkbox Apply to all descendants

L0005_table6a.png

Inheritance checkbox Inheritance

Apply to this folder checkbox Apply to this folder

Apply to this child folder checkbox Apply to child folders

Apply to this child files checkbox Apply to child files

Apply to all descendants checkbox Apply to all descendants

L0005_table6b.png

ACL permission propagation

The Server app lets you force the propagation of ACLs. Although this is done automatically by the Server app, there are cases when you might want to manually propagate permissions:

  • You can propagate permissions to handle exceptions. For example, you might want ACLs to apply to all descendants except for a subtree of your folder hierarchy. In this case, you define ACEs for the root folder and set them to propagate to descendants. Then, you select the root folder of the subtree and propagate permissions to remove the ACLs from descendants of that subtree.

    In the following example, the items in white had their ACLs removed by manually propagating ACLs.


    Diagram shows a folder with several levels of descendants. One great-grandchild folder and its child file had their ACLs removed by propagation.
  • You can propagate permissions in order to reapply inheritance in cases where you removed a folder’s ACLs and decided to reapply them.
  • You can propagate permissions to clear all ACLs at once instead of going through a folder hierarchy and manually removing ACEs.
  • When you propagate permissions, the permissions of bundles and root-owned files and folders aren’t changed.

For more information about how to manually propagate permissions, see Propagate access permissions.

Rules of precedence

Mac OS X Lion uses the following rules to control access to files and folders:

  • Without ACEs, POSIX permissions apply. If a file or folder has no ACEs defined for it, Mac OS X Lion applies standard POSIX permissions.
  • With ACEs, order is important. If a file or folder has ACEs defined for it, Mac OS X Lion starts with the first ACE in the ACL and works its way down the list until the requested permission is satisfied or denied.
  • You can change the ACE order from the command line using the chmod command.
  • Allow permissions are cumulative. When evaluating Allow permissions for a user in an ACL, Mac OS X Lion defines the user’s permissions as the union of all permissions assigned to the user, including standard POSIX permissions.

After evaluating ACEs, Mac OS X Lion evaluates the standard POSIX permissions defined for the file or folder. Then, based on the evaluation of ACL and standard POSIX permissions, Mac OS X Lion determines the type of access a user has to a shared file or folder.

Last Modified: Jun 27, 2012
Helpful?
Yes
No
  • Last Modified: Jun 27, 2012
  • Article: PH8009
  • Views:

    5789
  • Rating:
    • 100.0

    (1 Responses)

Additional Product Support Information