MacOS – User management for an AFP share

Tags: afp, macos, sharing

I've been tasked with setting up an AFP share on a server running Mountain Lion. My question is mostly about best practices and to find out if I'm doing this right. My only prior experience has been (very) basic NFS and SMB shares focused mostly on Linux.

So here's the situation.

There will be (to start) approximately 7 or 8 users that will need access to various parts of the share. I basically need two access levels (for now). One that can access everything (an admin), and one that can only access a subset of everything. Pretty standard right?

In the sharing dialog, I can add shared folders and add users to the specific shares. So I've created the shares and I was just going to add all 2 or 3 admin users to all the shares, then the remaining users to the specific shares they need access to. The UI doesn't seem to expose anything of that nature, but can I manage the users independently of the shared folders? Put another way: can I mark a folder as belonging to a particular group and assign users to that group in order to grant them access to that particular share?

Best Answer

My recommendation for best practices would be to use Server.app ($20 on the App Store) to perform file sharing. The benefit of using Server.app is that it supports more advanced file sharing configuration. For example: you can set ACLs (Access Control Lists - a list of permissions) on different folders for the group access that you want in System Preferences -> Sharing. However, by default those ACEs (Access Control Entry - a single permissions entry in an ACL) will not support permissions inheritance. Permissions inheritance keeps file permissions in the share point set correctly (so that the entire group continues to have read/write access). The absence of inheritance becomes problematic when one user of the group has written a file to the share, and another user attempts to modify it - by default, the ACL that specifies read/write at the root of the share will not have inherited permissions to descendant files/folders.

The best way to manage the permissions on a share point is usually to do it by creating groups. That way, you can set the permissions on share points to allow group access to the folder/share. This makes it easy to provide users access to that share in the future, as you'd simply add them into the group. For example: most "normal" users (including the "admin" users) should be part of a group that's allowed access to the general-use shares (or all shares, as you've mentioned). Your "admin" users will be part of a group that has access to the other "restricted" share points. Setting each of those groups up as an entry (ACE) in Server.app -> File Sharing will allow permissions inheritance to occur.

If you really want to use the System Preferences -> File Sharing setup to serve files, I'd recommend using System Preferences -> Users & Groups to create groups to control access. However, be aware that you will likely run into permissions problems somewhere down the road.

Although you can use chmod on the command line to specify ACLs that do support inheritance, it's a little bit cumbersome for some users.
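As an added illustration of the command-line route mentioned in the answer (not part of the original post), this script builds the inheriting ACE string that macOS `chmod +a` expects for a group and applies it to a share point; the group name and path used in the usage line (`projects`, `/Shares/Projects`) are placeholders.

```shell
#!/bin/sh
# Added example: build and apply an inheriting ACE for a share point using the
# macOS chmod +a syntax. Group names and share paths are constructed placeholders.

# Directory permissions that give a group full read/write on a folder.
RW_PERMS="list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity"
# Read-only subset for the "restricted" shares.
RO_PERMS="list,search,readattr,readextattr,readsecurity"
# Inheritance flags: without these the ACE stops at the share root, which is
# the problem the answer describes.
INHERIT="file_inherit,directory_inherit"

# ace_spec GROUP rw|ro -> prints the ACE string chmod +a expects
ace_spec() {
    group=$1
    case $2 in
        rw) perms=$RW_PERMS ;;
        ro) perms=$RO_PERMS ;;
        *)  echo "ace_spec: mode must be rw or ro" >&2; return 1 ;;
    esac
    printf 'group:%s allow %s,%s\n' "$group" "$perms" "$INHERIT"
}

# apply_share_acl DIR GROUP rw|ro -> adds the ACE to DIR (macOS only), then
# lists the result with ls -le so the inherited flags are visible.
# Inheritance only affects items created afterwards; for files already in the
# share, run chmod -R +a with the same spec.
apply_share_acl() {
    dir=$1 group=$2 mode=$3
    [ "$(uname -s)" = Darwin ] || { echo "chmod +a is macOS-specific" >&2; return 1; }
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    spec=$(ace_spec "$group" "$mode") || return 1
    chmod +a "$spec" "$dir"
    ls -led "$dir"
}

# Usage: sh share_acl.sh /Shares/Projects projects rw
if [ "$#" -eq 3 ]; then
    apply_share_acl "$1" "$2" "$3"
fi
```

Run `ls -le` on the share afterwards: each ACE line should end with `file_inherit,directory_inherit`, and new files created by any group member will carry the same entry.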