Administration privileges – Apple Mac OS X Server (version 10.2.3 or later) User Manual
Page 121

Users and Groups
Directory and File Access by Other Users
The UID, in conjunction with a group ID, is also used to control access by users who are
members of particular groups.
Every user belongs to a primary group. The primary group ID for a user is stored in his user
account. When a user accesses a directory or file and the user is not the owner, the file
system checks the file’s group privileges.
• If the user’s primary group ID matches the ID of the group associated with the file, the
user inherits group access privileges.
• If the user’s primary group ID does not match the file’s group ID, Mac OS X searches for
the group account that does have access privileges. The group account contains a list of
the short names of users who are members of the group. The file system maps each short
name in the group account to a UID, and if the user’s UID matches a UID of a group
member, the user is granted group access privileges for the directory or file.
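The following Python sketch is an added example, not part of the Apple manual. It models the group check described above and shows a consequence of matching by UID: an account that shares a UID with a listed group member receives that member's group access. All account names, UIDs, and group IDs are constructed, and the function names are hypothetical.

```python
# Added example: model of the group-access check described in this section.
# All account data below is constructed sample data, not from the manual.
from dataclasses import dataclass, field

@dataclass
class User:
    short_name: str
    uid: int
    primary_gid: int

@dataclass
class Group:
    name: str
    gid: int
    members: list = field(default_factory=list)  # short names, as in the group account

def group_access(user, owner_uid, file_gid, users, groups):
    """Return "owner", "primary", "member:<short name>", or None."""
    if user.uid == owner_uid:
        return "owner"                      # group check only applies to non-owners
    if user.primary_gid == file_gid:
        return "primary"                    # first bullet: primary group ID matches
    group = next((g for g in groups if g.gid == file_gid), None)
    if group is None:
        return None
    uid_of = {u.short_name: u.uid for u in users}
    for short_name in group.members:        # second bullet: map short names to UIDs
        member_uid = uid_of.get(short_name) # a stale short name maps to no UID
        if member_uid is not None and member_uid == user.uid:
            return f"member:{short_name}"
    return None

def uid_collisions(users):
    """Map each UID used by more than one account to its sorted short names."""
    by_uid = {}
    for u in users:
        by_uid.setdefault(u.uid, []).append(u.short_name)
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}

USERS = [
    User("anne", 1025, 20),
    User("bob", 1026, 20),
    User("temp", 1025, 20),   # constructed: reuses anne's UID
    User("carl", 1027, 20),
]
GROUPS = [
    Group("staff", 20),
    Group("grades", 1100, ["anne", "former_teacher"]),  # second name has no account
]
```

Here `temp` is not listed in the `grades` group, yet `group_access` reports `member:anne` for it, which is why an account audit should include `uid_collisions` alongside the group member lists.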
Administration Privileges
A user’s administrator privileges are stored in the user’s account. Administrator privileges
determine the extent to which the user can view information about or change the settings of
a particular Mac OS X Server or a particular directory domain residing on Mac OS X Server.
Server Administration
Server administration privileges control the powers a user has when logged in to a particular
Mac OS X Server. For example:
• A server administrator can use Server Status and can make changes to a server’s search
policy using Directory Access.
• A server administrator can see all the AFP directories on the server, not just share points.
When you assign server administration privileges to a user, the user is added to the group
named “admin” in the local directory domain of the server. Many Mac OS X applications—
such as Server Status, Directory Access, and System Preferences—use the admin group to
determine whether a particular user can perform certain activities with the application.
Local Mac OS X Computer Administration
Any user who belongs to the group “admin” in the local directory domain of any Mac OS X
computer has administrator rights on that computer.
Directory Domain Administration
When you want certain users to be able to use Workgroup Manager to manage only certain
user, group, and computer accounts residing in Apple’s directory domains, you can make
them directory domain administrators. For example, you may want to make a network
administrator the server administrator for all your classroom servers, but give individual
teachers the privileges to manage student accounts in particular directory domains.