Apple 10.6 Server User Manual


 
Chapter 4 Enhancing Security 75
You can determine which services other admin group users can modify. To do this,
the administrator making the determination must have full, unmodified access.
The process for setting administration level privileges is found in “Tiered
Administration Permissions” on page 149.
Service Level Security
You use a Service Access Control List (SACL) to enforce who can use a service. It is not
a means of authentication. It is a list of those who have access rights to use a service.
SACLs allow you to add a layer of access control on top of standard and ACL
permissions.
Only users and groups in an SACL can access its corresponding service. For example,
to prevent users from accessing AFP share points on a server, including home folders,
remove the users from the AFP service’s SACL.
Server Admin in Mac OS X Server allows you to configure SACLs. Open Directory
authenticates user accounts and SACLs authorize use of services. If Open Directory
authenticates you, the SACL for login window determines whether you can log in,
the SACL for AFP service determines whether you can connect for Apple file service,
and so on.
Setting SACL Permissions
SACLs allow you to specify which users and groups have access to Mac OS X Server
services, including AFP, FTP, and Windows file services.
To set SACL permissions for a service:
1 Open Server Admin.
2 Select the server from the Servers list.
3 Click Settings.
4 Click Access.
5 To restrict access to all services, select “For all services.” To set access
permissions per service, deselect this option.
6 If you deselected “For all services,” select a service from the Service list.
7 To provide unrestricted access to services, click “Allow all users and groups.”
If you want to restrict access to certain users and groups:
Select “Allow only users and groups below.”
Click the Add (+) button to open the Users & Groups window.
Drag users and groups from the Users & Groups window to the list.
8 Click Save.
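
The following added example (not part of the original manual and not Apple's code) models the decision described under “Service Level Security” and the options set in the steps above: authentication is checked first, then the SACL that governs the service. The data layout, the names `CONFIG`, `GROUPS`, `authorize` and `unrestricted_services`, and the treatment of a service with no entry as unrestricted are assumptions made for illustration.

```python
# Added example: a model of the SACL decision, not Server Admin's storage format.
ALLOW_ALL = "*"  # stands for "Allow all users and groups"

# Constructed sample directory data: group name -> member users.
GROUPS = {"staff": {"alice", "bob"}, "contractors": {"carol"}}

# Constructed sample configuration. "for_all_services" mirrors the checkbox:
# when True, the "all" entry governs every service and per-service entries are ignored.
CONFIG = {
    "for_all_services": False,
    "all": ALLOW_ALL,
    "services": {
        "afp": {"users": {"dave"}, "groups": {"staff"}},
        "ftp": ALLOW_ALL,
        "loginwindow": {"users": {"alice"}, "groups": set()},
    },
}

def effective_sacl(config, service):
    """Return the list that governs `service`."""
    if config["for_all_services"]:
        return config["all"]
    # Assumption: a service with no entry of its own is unrestricted.
    return config["services"].get(service, ALLOW_ALL)

def authorize(user, service, authenticated, config=CONFIG, groups=GROUPS):
    """Authentication comes first; the SACL only authorizes use of the service."""
    if not authenticated:
        return False  # being listed in a SACL never substitutes for authentication
    sacl = effective_sacl(config, service)
    if sacl == ALLOW_ALL:
        return True
    if user in sacl["users"]:
        return True
    # Group entries grant access to every member of the group.
    return any(user in groups.get(g, set()) for g in sacl["groups"])

def unrestricted_services(config=CONFIG):
    """Audit helper: services that any authenticated account can use."""
    if config["for_all_services"]:
        return sorted(config["services"]) if config["all"] == ALLOW_ALL else []
    return sorted(s for s, acl in config["services"].items() if acl == ALLOW_ALL)
```

Running `unrestricted_services()` over a configuration is a quick way to spot services still set to “Allow all users and groups.”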