Lion Server: Access control lists (ACLs)

This article has been archived and is no longer updated by Apple.
Access control lists (ACLs) in Lion Server

Learn about access control lists (ACLs).

When standard POSIX permissions aren’t enough, use access control lists (ACLs). An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user and how these permissions are propagated throughout a folder hierarchy.

ACLs in Mac OS X Lion let you set file and folder access permissions for multiple users and groups in addition to standard POSIX permissions. This makes it easy to set up collaborative environments with smooth file sharing and uninterrupted workflows, without compromising security.

ACLs provide an extended set of permissions for a file or folder, giving you finer granularity when assigning privileges than standard permissions provide. For example, rather than giving a user full write permission, you can restrict that user to creating only folders, not files.

Only the Mac OS Extended volume format provides local file system support for ACLs. In addition, only SMB and AFP protocols provide network file system support for ACLs in Windows and Apple networks, respectively.

Apple’s ACL model supports 13 permissions for controlling access to files and folders, as described in the following table.

| Permission name | Type | Description |
|---|---|---|
| Change Permissions | Administration | User can change standard permissions. |
| Take Ownership | Administration | User can change the file’s or folder’s ownership to himself or herself. |
| Read Attributes | Read | User can view the file’s or folder’s attributes (for example, name, date, and size). |
| Read Extended Attributes | Read | User can view the file’s or folder’s attributes added by third-party developers. |
| List Folder Contents (Read Data) | Read | User can list folder contents and read files. |
| Traverse Folder (Execute File) | Read | User can open subfolders and run a program. |
| Read Permissions | Read | User can view the file’s or folder’s standard permissions using the Get Info window or Terminal commands. |
| Write Attributes | Write | User can change the file’s or folder’s standard attributes. |
| Write Extended Attributes | Write | User can change the file’s or folder’s other attributes. |
| Create Files (Write Data) | Write | User can create files and change files. |
| Create Folder (Append Data) | Write | User can create subfolders and add data to files. |
| Delete | Write | User can delete the file or folder. |
| Delete Subfolders and Files | Write | User can delete subfolders and files. |

In addition to these permissions, the Apple ACL model defines four types of inheritance that specify how these permissions are propagated:

  • Apply to this folder: Apply (Administration, Read, and Write) permissions to this folder.
  • Apply to child folders: Apply permissions to subfolders.
  • Apply to child files: Apply permissions to the files in this folder.
  • Apply to all descendants: Apply permissions to descendants. To learn how this option works with the previous two, see Access control entries (ACEs).

The ACL use model

The ACL use model focuses on access control at the folder level, with most ACLs applied to files as the result of inheritance.

Folder-level control determines which users have access to the contents of a folder. Inheritance determines how a defined set of permissions and rules pass from the container to the objects in it.

Without this model, administration of access control would quickly become a nightmare, because you would need to create and manage ACLs on thousands or millions of files.

Controlling access to files through inheritance also frees applications from maintaining extended attributes or explicit ACEs when saving a file, because the system applies inherited ACEs to files. For information about explicit ACEs, see Access control entries (ACEs).

ACLs and standard permissions

You can set ACL permissions for files and folders in addition to standard permissions. For more information about how Mac OS X Lion uses ACL and standard permissions to determine what users can and cannot do to a file or folder, see Access control entries (ACEs).

ACL management

In Mac OS X Lion, you create and manage ACLs in the Server app. The Get Info window in the Finder displays the logged-in user’s effective permissions. For information about setting up and managing ACLs, see Set folder access permissions and Control access to a shared folder.

In addition to using the Server app to set and view ACL permissions, you can also use the ls and chmod command-line tools. For information, see their man pages.
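The following is an added example, not Apple’s code, that models the inheritance behaviour described above: a single inheritable ACE set on a share-point folder is propagated through a constructed folder tree according to the four inheritance options, and the same ACE is rendered as the chmod +a entry an administrator would type. Two things are assumptions rather than statements from this article: the mapping of the four options onto chmod’s file_inherit, directory_inherit, limit_inherit and only_inherit flags, and the simplification that an ACE with “Apply to all descendants” unchecked reaches only the folder’s immediate children.

```python
# Constructed example, not Apple's code: propagate one inheritable ACE through a
# folder tree under the four Apple inheritance options and render the matching
# chmod(1) +a entry.  Flag mapping and depth rule are assumptions (see lead-in).
from dataclasses import dataclass

@dataclass(frozen=True)
class ACE:
    principal: str               # user or group name
    allow: bool                  # True = allow entry, False = deny entry
    perms: tuple                 # chmod(1) permission names, e.g. ("read", "write")
    this_folder: bool = True     # "Apply to this folder"
    child_folders: bool = True   # "Apply to child folders"
    child_files: bool = True     # "Apply to child files"
    all_descendants: bool = True # "Apply to all descendants"

def to_chmod(ace, path):
    """Render the ACE as the chmod +a command an administrator would type."""
    flags = list(ace.perms)
    flags += ["file_inherit"] if ace.child_files else []
    flags += ["directory_inherit"] if ace.child_folders else []
    flags += ["limit_inherit"] if not ace.all_descendants else []
    flags += ["only_inherit"] if not ace.this_folder else []
    verb = "allow" if ace.allow else "deny"
    return f'chmod +a "{ace.principal} {verb} {",".join(flags)}" {path}'

def propagate(ace, root, tree):
    """Map each item the ACE reaches to 'explicit' or 'inherited'.
    tree maps absolute paths to 'dir' or 'file'."""
    reached = {}
    for path, kind in tree.items():
        if path != root and not path.startswith(root + "/"):
            continue                          # outside the hierarchy
        depth = path[len(root):].count("/")   # 0 = the folder itself
        if depth == 0:
            if ace.this_folder:
                reached[path] = "explicit"
        elif depth == 1 or ace.all_descendants:
            if ace.child_folders if kind == "dir" else ace.child_files:
                reached[path] = "inherited"
    return reached

# Constructed share point used to exercise the model
TREE = {
    "/Shared": "dir",
    "/Shared/README.txt": "file",
    "/Shared/Projects": "dir",
    "/Shared/Projects/plan.doc": "file",
    "/Shared/Projects/Archive": "dir",
    "/Shared/Projects/Archive/old.doc": "file",
}
```

Because only the root entry is explicit and everything below it is inherited, changing the single ACE on the folder changes the effective permissions of every item it reaches, which is the administrative saving the use model describes.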

You define ACLs for share points, files, and folders using the Server app.

Last Modified: Sep 3, 2015