Permissions in practice

OS X combines traditional POSIX permissions with access control lists (ACLs). This combination provides great flexibility and fine granularity in controlling access to files and folders. However, if you’re not careful in how you assign privileges, it can become hard to keep track of who has access to what.

With 17 permissions, you can choose from a staggering 98,304 combinations. Add to that a sophisticated folder hierarchy, many users and groups, and many exceptions, and you have a recipe for considerable confusion.

The following are useful tips and advice to help you get the most out of access control in OS X.

Keep it simple

You can complicate file access management unnecessarily if you’re not careful. Keep it simple. If standard POSIX permissions do the job, use those; if you must use ACLs, avoid customizing permissions beyond what you actually need.

Use simple folder hierarchies if possible. A little strategic planning can help you create effective and manageable shared hierarchies.

Manage permissions at the group level

Assign permissions to groups first, and assign permissions to individual users only when there’s an exception.

For example, you can assign all teachers in a school district Read and Write permissions to a specific share point, but deny Anne Johnson, a temporary teacher, permission to read a specific folder in the share point’s folder hierarchy.

Using groups is the most efficient way of assigning permissions. After creating groups and assigning them permissions, you can add or remove users without reassigning permissions.

Gradually add permissions

Assign only the necessary permissions and then add permissions only when needed. As long as you use only Allow permissions, OS X combines them, so each permission you add widens access without overriding what is already granted.

For example, you can assign the Students group partial reading permissions on an entire share point. Then, where needed in the folder hierarchy, you can give the group more read and write permissions.

Use the Deny permission only when necessary

When OS X encounters a Deny permission, it stops evaluating other permissions the user might have for a file or folder and applies the Deny permission. Therefore, use Deny permissions only when absolutely necessary. Keep a record of these Deny permissions so that you can delete them when they are no longer needed.

Always propagate permissions

Inheritance is a powerful feature, so take advantage of it. By propagating permissions down a folder hierarchy, you save yourself the time and effort required to manually assign permissions to descendants.
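The four rules above (assign to groups, add Allow permissions gradually, let Deny stop evaluation, propagate down the hierarchy) can be seen working together in this simplified model. It is an added example written in Python, not Apple's code or a description of the kernel's actual algorithm; the group membership, user names, and share point hierarchy are constructed to follow the teachers example in the text.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ACE:
    principal: str          # user or group name
    allow: bool             # True = Allow entry, False = Deny entry
    rights: frozenset       # e.g. frozenset({"read", "write"})
    inherit: bool = True    # propagate to descendant folders and files

@dataclass
class Folder:
    name: str
    acl: list = field(default_factory=list)      # explicit ACEs, in order
    children: dict = field(default_factory=dict)

MEMBERSHIP = {"teachers": {"anne.johnson", "bob.lee"}}  # constructed groups

def principals_for(user):
    """The user plus every group the user belongs to."""
    return {user} | {g for g, members in MEMBERSHIP.items() if user in members}

def effective_acl(root, path):
    """Explicit ACEs on the target come first, then ACEs inherited from
    ancestors, nearest ancestor first (the order OS X lists them)."""
    node, inherited = root, []
    for part in path:
        inherited = [a for a in node.acl if a.inherit] + inherited
        node = node.children[part]
    return list(node.acl) + inherited

def check(root, path, user, wanted):
    """Allow entries combine; the first Deny that touches a wanted right
    stops evaluation and refuses the whole request, as the text describes."""
    me, granted = principals_for(user), set()
    for ace in effective_acl(root, path):
        if ace.principal not in me or not (ace.rights & wanted):
            continue
        if not ace.allow:
            return False
        granted |= ace.rights
    return wanted <= granted

# Constructed share point: the Teachers group gets Read and Write on the whole
# hierarchy by inheritance; Anne Johnson is denied reading the Grades folder.
RW = frozenset({"read", "write"})
share = Folder("Teachers Share", acl=[ACE("teachers", True, RW)])
grades = Folder("Grades", acl=[ACE("anne.johnson", False, frozenset({"read"}))])
share.children["Grades"] = grades
grades.children["2014"] = Folder("2014")  # no explicit ACEs: inherits everything
```

Because the Deny entry is itself inheritable, it follows Anne into every subfolder of Grades while leaving her Write access and every other teacher's access untouched.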