Services for Macintosh


File Permissions

Access to network files and directories is controlled with permissions. With the Windows 2000 security system, you specify which users can use which directories and files and how they can be used. The Macintosh-style permissions differ in that they can be set for volumes and folders only, not files.

The set of permissions available for Windows 2000 users differs from the set of permissions available for the Macintosh. Services for Macintosh automatically translates permissions so that permissions are enforced for both Windows 2000 and Macintosh users.

The Windows 2000 Server Administrator account always has full permissions on Services for Macintosh volumes.

Types of Permissions

Windows 2000 users and administrators use Windows 2000 permissions. Macintosh users set Macintosh-style permissions on the folders they create.

In Windows 2000, new files and new subdirectories inherit permissions from the directory in which they are created.

Macintosh files inherit the permissions set on folders. Any Windows 2000 permissions specified for a file are recognized by File Server for Macintosh, even though the Macintosh user does not see any indication in the Finder that these permissions exist.

Macintosh operating systems prior to OS 8.5 use the following four types of permissions for a folder:

See Files   Allows a user to see what files are in the folder and read those files.

See Folders   Allows a user to see what folders are contained in the folder.

Make Changes   Allows a user to modify the contents of files in the folder, rename files, move files, create new files, and delete existing files.

Cannot Move, Rename, Or Delete   Prohibits these actions on a folder.

The Macintosh OS 8.5 supports the following Windows 2000 access privileges:

Read-Only   Allows a user to see an item, but not delete, change, or replace it.

Write-Only   Allows a user to add items.

Read and Write   Allows a user to add, delete, and save changes to items.

None   Prevents access to, or adding, items.

A Macintosh user cannot give these permissions to multiple users and groups. Instead, permissions are assigned to three categories of users:

Owner   The user who created the folder.

User/Group   Similar to the Windows 2000 Server group associated with the folder. Every folder on a server can have one group associated with it at any one time. The group can be a special group, such as users or administrators, or it can be any other group on the server.

Everyone   All other users of the server, including user accounts with guest access.

The Macintosh security scheme is based on the idea that every folder on a server falls into one of three types: private information (accessible only by the owner of the folder); group information (accessible by a single workgroup); and public information (accessible by everyone).

For example, consider a folder containing information that all members of a certain group should see, but that only one person can change. The person allowed to change the information should be the Owner of the folder and should have See Files, See Folders, and Make Changes permissions. The workgroup that uses the folder should be the group associated with the folder and should have only See Files and See Folders permissions. Because no one else has a need to see the folder's contents, the Everyone category should not be selected.

Although a folder's owner is often a member of the group associated with the folder, this is not required.

With both Macintosh-style and Windows 2000 Server–style permissions, users' access to folders can be defined differently for each directory and subdirectory within a directory tree. For example, you could give a user See Files, See Folders, and Make Changes permissions for one folder, only the See Files permission for a subfolder of that folder, and no permissions at all for another subfolder.

Handling File-Level Permissions

With Windows 2000 Server, Windows 2000 users can assign permissions separately for each file within a directory. The Macintosh, however, does not support file-level permissions. When a file has file-level permissions, those permissions apply to Macintosh users only if the permissions are more restrictive than those assigned for the directory that contains the file.

For example, if a Macintosh user has See Files, See Folders, and Make Changes permissions for a directory (which appears as a folder), the user can read and make changes to files in the directory. However, if the user has only Read permission for a particular file in a directory, the user can only read the file, not make changes to it.

Translating Permissions

Services for Macintosh translates permissions so that those set by a Windows 2000 user are translated into the equivalent Macintosh permissions, and vice versa. When a Windows 2000 user sets permissions for a directory or a Macintosh user sets permissions for a folder, permissions are translated as shown in Table 13.4.

Table 13.4 Translations of Directory and File Permissions

Windows 2000 Permissions    Macintosh Permissions
Read                        See Files, See Folders (or both)
Write, Delete               Make Changes
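To make the Table 13.4 translation and the file-level rule above (a file's own permissions bind a Macintosh user only when they are more restrictive than the folder's) concrete, here is an added Python model; it is not Microsoft's code, and it assumes Make Changes requires both Write and Delete, which the table's single "Write, Delete" row leaves open.

```python
from typing import FrozenSet, Optional

# Windows 2000 permissions named in Table 13.4 and the Macintosh privileges they map to.
WIN_READ, WIN_WRITE, WIN_DELETE = "Read", "Write", "Delete"
MAC_SEE_FILES, MAC_SEE_FOLDERS, MAC_MAKE_CHANGES = "See Files", "See Folders", "Make Changes"


def win_to_mac(win: FrozenSet[str]) -> FrozenSet[str]:
    """Windows 2000 -> Macintosh, following Table 13.4.

    Assumption (the table lists "Write, Delete" as one row): Make Changes is
    granted only when BOTH Write and Delete are present, since Make Changes
    covers creating, renaming, moving and deleting files.
    """
    mac = set()
    if WIN_READ in win:
        mac |= {MAC_SEE_FILES, MAC_SEE_FOLDERS}
    if WIN_WRITE in win and WIN_DELETE in win:
        mac.add(MAC_MAKE_CHANGES)
    return frozenset(mac)


def mac_to_win(mac: FrozenSet[str]) -> FrozenSet[str]:
    """Macintosh -> Windows 2000: See Files and/or See Folders -> Read; Make Changes -> Write, Delete."""
    win = set()
    if mac & {MAC_SEE_FILES, MAC_SEE_FOLDERS}:
        win.add(WIN_READ)
    if MAC_MAKE_CHANGES in mac:
        win |= {WIN_WRITE, WIN_DELETE}
    return frozenset(win)


def effective_mac_file_access(folder_win: FrozenSet[str],
                              file_win: Optional[FrozenSet[str]] = None) -> FrozenSet[str]:
    """Privileges a Macintosh user actually gets on a file.

    The Finder shows only the folder's privileges, but a Windows 2000 file-level
    permission set still binds when it is MORE restrictive than the folder's.
    Modelled as set intersection: a file ACL can remove privileges, never add any.
    """
    folder_mac = win_to_mac(folder_win)
    if file_win is None:          # no file-level permissions: folder rules alone apply
        return folder_mac
    return folder_mac & win_to_mac(file_win)


if __name__ == "__main__":
    # Constructed case from the text: full folder access, but a Read-only file.
    folder = frozenset({WIN_READ, WIN_WRITE, WIN_DELETE})
    print(sorted(effective_mac_file_access(folder, frozenset({WIN_READ}))))
```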

The following guidelines apply:

Setting Permissions from a Macintosh or a Windows 2000 Computer

A folder's owner can set permissions for the folder. Both the folder's owner and the server administrator can also use Windows 2000 to set permissions for folders on the server. The folder's owner can set permissions for the folder (directory) from Windows 2000 because the owner of every folder (directory) has the P (Change Permission) permission on that folder.

Volume Passwords

Services for Macintosh provides an extra level of security through Macintosh-accessible volume passwords. A volume password is a password you can assign to a Macintosh-accessible volume when configuring it. Any Macintosh user who wants to use the volume must type the volume password in addition to the user logon password. Windows 2000 users do not have to know the volume password to gain access to the directory that corresponds to the Macintosh-accessible volume.

Volume passwords are case-sensitive. When you create a new Macintosh-accessible volume, the default is to have no volume password. Volume passwords are optional.

Because of a constraint with the Macintosh System 6 and Macintosh System 7 Finder, you cannot automatically mount a volume with a volume password at startup or by double-clicking an alias. You also cannot automatically mount a volume if the user originally connected to the volume using Microsoft UAM.

© 1985-2000 Microsoft Corporation. All rights reserved.