
Administration privileges – Apple Mac OS X Server (Administrator’s Guide) User Manual

Users and Groups

Directory and File Owner Access

When a directory or file is created, the file system stores the UID of the user who created it.
When a user with that UID accesses the directory or file, he or she has read and write
privileges to it by default. In addition, any process started by the creator has read and write
privileges to any files associated with the creator’s UID.

If you change a user’s UID, the user may no longer be able to modify or even access files and
directories he or she created. Likewise, if the user logs in as a user whose UID is different
from the UID he or she used to create the files and directories, the user will no longer have
owner access privileges for them.

Directory and File Access by Other Users

The UID, in conjunction with a group ID, is also used to control access by users who are
members of particular groups.

Every user belongs to a primary group. The primary group ID for a user is stored in the
user’s account. When a user accesses a directory or file and the user is not the owner, the
file system checks the file’s group privileges.

• If the user’s primary group ID matches the ID of the group associated with the file, the
  user inherits group access privileges.

• If the user’s primary group ID does not match the file’s group ID, Mac OS X searches for
  the group account that does have access privileges. The group account contains a list of
  the short names of users who are members of the group. The file system maps each short
  name in the group account to a UID, and if the user’s UID matches a UID of a group
  member, the user is granted group access privileges for the directory or file.
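
The owner and group checks described above, modeled as an added example (not code from this manual or from Mac OS X). The account names, UIDs and GIDs are constructed, and the final fall-through to "other" privileges is standard POSIX behavior that this page does not spell out.

```python
# Added model of the access-class decision; all accounts are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class User:
    short_name: str
    uid: int
    primary_gid: int


@dataclass
class Group:
    gid: int
    members: list = field(default_factory=list)  # short names, not UIDs


@dataclass
class FileEntry:
    owner_uid: int  # UID stored when the file was created
    gid: int        # group associated with the file


def access_class(user, entry, users, groups):
    """Return which privilege set applies: 'owner', 'group' or 'other'."""
    if user.uid == entry.owner_uid:
        return "owner"
    if user.primary_gid == entry.gid:
        return "group"
    group = groups.get(entry.gid)
    if group is not None:
        # Map each member short name to a UID, then compare UIDs.
        member_uids = {users[n].uid for n in group.members if n in users}
        if user.uid in member_uids:
            return "group"
    return "other"


USERS = {
    "anna": User("anna", 1025, 20),
    "ben": User("ben", 1026, 20),
    "cara": User("cara", 1027, 30),
}
GROUPS = {20: Group(20), 30: Group(30), 100: Group(100, ["cara", "gone"])}
REPORT = FileEntry(owner_uid=1025, gid=100)  # created by anna

if __name__ == "__main__":
    for name, account in USERS.items():
        print(name, access_class(account, REPORT, USERS, GROUPS))
```

Because ownership is keyed on the stored UID alone, an account whose UID is changed drops out of the owner class, and any account later given the old UID lands in it.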

Administration Privileges

A user’s administrator privileges are stored in the user’s account. Administrator privileges
determine the extent to which the user can view information about or change the settings of
a particular Mac OS X Server or a particular directory domain residing on Mac OS X Server.

Server Administration

Server administration privileges control the powers a user has when logged in to a particular
Mac OS X Server. For example:

• A user who is a server administrator can use Server Status and can make changes to a
  server’s search policy using Directory Access.

• A server administrator can see all the AFP directories on the server, not just share points.

When you assign server administration privileges to a user, the user is added to the group
named “admin” in the local directory domain of the server. Many Mac OS X applications—
such as Server Status, Directory Access, and System Preferences—use the admin group to
determine whether a particular user can perform certain activities with the application.
