When standard POSIX permissions aren’t enough, use access control lists (ACLs). An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user and how these permissions are propagated throughout a folder hierarchy.
ACLs in OS X let you set file and folder access permissions for multiple users and groups in addition to standard POSIX permissions. This makes it easy to set up collaborative environments with smooth file sharing and uninterrupted workflows, without compromising security.
ACLs provide an extended set of permissions for a file or folder, to give you more granularity when assigning privileges than standard permissions would provide. For example, rather than giving a user full write permissions, you can restrict him or her to create only folders and not files.
Only the Mac OS Extended volume format provides local file system support for ACLs. In addition, only SMB and AFP protocols provide network file system support for ACLs in Windows and Apple networks, respectively.
Apple’s ACL model supports 13 permissions for controlling access to files and folders, as described in the following table.
Permission name | Type | Description |
|---|---|---|
Change Permissions | Administration | User can change standard permissions. |
Take Ownership | Administration | User can change the file’s or folder’s ownership to himself or herself. |
Read Attributes | Read | User can view the file’s or folder’s attributes (for example, name, date, and size). |
Read Extended Attributes | Read | User can view the file’s or folder’s attributes added by third-party developers. |
List Folder Contents (Read Data) | Read | User can list folder contents and read files. |
Traverse Folder (Execute File) | Read | User can open subfolders and run a program. |
Read Permissions | Read | User can view the file’s or folder’s standard permissions using the Get Info or Terminal commands. |
Write Attributes | Write | User can change the file’s or folder’s standard attributes. |
Write Extended Attributes | Write | User can change the file’s or folder’s other attributes. |
Create Files (Write Data) | Write | User can create files and change files. |
Create Folder (Append Data) | Write | User can create subfolders and add data to files. |
Delete | Write | User can delete files or folders. |
Delete Subfolders and Files | Write | User can delete subfolders and files. |
In addition to these permissions, the Apple ACL model defines four types of inheritance that specify how these permissions are propagated:
Apply to this folder: Apply Administration, Read, and Write permissions to this folder.
Apply to child folders: Apply permissions to subfolders.
Apply to child files: Apply permissions to the files in this folder.
Apply to all descendants: Apply permissions to descendants.
The ACL use model
The ACL use model focuses on access control at the folder level, with most ACLs applied to files as the result of inheritance.
Folder-level control determines which users have access to the contents of a folder. Inheritance determines how a defined set of permissions and rules pass from the container to the objects in it.
Without this model, administration of access control would quickly become unmanageable, because you would need to create and manage ACLs on thousands or millions of files.
Controlling access to files through inheritance also frees apps from maintaining extended attributes or explicit ACEs when saving a file, because the operating system applies inherited ACEs to files.
You can set ACL permissions for files and folders in addition to standard permissions. For more information about how OS X uses ACL and standard permissions to determine what users can and cannot do to a file or folder, see Access control entries (ACEs).
ACL management
You create and manage ACLs for share points, files, and folders in the Storage tab of the Server app. For information about setting up and managing ACLs, see Set folder access permissions.
If you use the File Sharing service pane, you are setting POSIX permissions. The Get Info window in the Finder displays the logged-in user’s effective permissions, but you can’t change ACLs there.
In addition to using the Server app to set and view ACL permissions, you can also use the ls and chmod command-line tools. For information, see their man pages.