Note: For more information about the information contained in this article, contact us for a professional consultation.
Prior to OS X Lion, Server Admin was used to manage permissions in OS X Server environments. Gone are the permissions settings in Server Admin and anything else dealing with managing file shares. These have been moved into the swanky new Server application. At first glance it may seem that Apple doesn’t want you managing permissions granularly as each share that is created in Server only allows you to configure permissions for the root of the share, and then has limited access to ACL options. But after looking around a little bit, you will find that Apple hasn’t abandoned GUI permission controls just yet.
From the Server app, click on the name of the server in the sidebar under the HARDWARE section. Then click on the Storage tab and browse to a location on the file system in need of different permissions. Click on the cogwheel icon and then click on Edit Permissions… to bring up the new permissions screen. Here, you can add users and groups into ACEs, enter the name for users and groups and granularly assign the settings to be applied.
But as this is all a bit new, a few things are missing. There’s no list of users and groups, so you need to type the short name of items you’re adding. If they don’t exist then they will be grey but will create anyway. Use the id command to verify that objects don’t exist. There’s no Effective Permissions Inspector, so troubleshooting permission problems might require a bit more legwork than before. Also, there’s no deny options any more. While I typically found deny ACEs to just be a big pain, they were useful at times. POSIX permissions are still the last 3 items in the list and you can double-click on any object to change the short name for a user or group (you are again typing the new name rather than dragging an object into the field).
Overall, my suspicion is that this is going to cause users to create more shares and just manage permissions at the share level, propagating permissions whenever there’s a problem. While doing so is not a bad idea for smaller environments, it doesn’t scale well. There are a few options for different applications and tools to get easier management of permissions. One such is batchmod, a long term favorite that can be used to propagate, clear ACLs, unlock files and clear extended attributes. And of course, there are still the good ‘ole standbys of chmod, chown and xattr that can be used to granularly manage permissions.
Adjusting to the new changes in Lion Server can be a considerable change for many administrators. If you need assistance, please contact your 318 Professional Services Manager or firstname.lastname@example.org if you are not yet a customer.