Mac OS X users manage their authorization rights

Even if you don’t want to enforce strict usage policies, you will still create accounts on Mac OS X for your users. The choices you make regarding user account types are fundamental decisions that have far-reaching implications for the rest of your system deployment because a user’s capability to do things on Mac OS X is directly related to the account type.

In fact, the most basic form of usage management is the “standard” user account type. Users with standard accounts, unlike those with administrator accounts, cannot make substantial changes to the system without administrator authorization. You can exert even more control over your users by using network-based accounts or client management techniques.

Home Folder Management

To log in and use the Mac OS X interface, a user must have a read/write home folder. The system must have a location to store user items while the user is logged in to the computer. Therefore, all users, even guest users, must have a home folder where they can store their personal items. Just as the choices you make regarding user account types have far-reaching implications, so do your choices for home folder management. In many fullsystem deployments, the contents of the users’ home folders are the only items that vary from system to system and the only items that the users are allowed to modify. Because of the inherent variability in the users’ home folders, a specific management strategy is needed. Mac OS X v10.5 supports home folders stored on the local system drive, on an external storage device, on a mounted network volume, and on a local system and network hybrid known as a synchronized mobile home folder. All these home folder storage options, except for storage on the local system drive, require you to use network-based user accounts and client management techniques.

File System Permissions

Mac OS X uses file system permissions as the primary mechanism for controlling access to files and folders. The default permissions already provide a very secure storage environment. However, you can further restrict user access by adjusting file system permissions to better suit your needs. It’s not uncommon to configure custom permissions as part of a system deployment.

Authorization Management

Mac OS X uses a combination of technologies to manage authorization rights. These systems allow a user to bypass certain file system permissions to perform certain administrative tasks. These technologies include the /etc/authorization database, the /etc/sudoers file, and application of the suid and guid permission settings. Again, the Mac OS X default settings provide a very secure environment, but you can tweak these settings for your system deployment if your needs require.

Client Management

When administrators need to restrict a user’s ability to access features on a computer, their typical approach is client system management. Mac OS X includes a sophisticated set of Managed Client for Mac OS X (MCX) settings. An administrator can centrally manage a wide range of preferences and configurations using MCX settings. Further, MCX settings can be accessed locally or hosted from a shared network directory service.

Mac OS X can access MCX settings hosted on a Mac OS X server running directory services or any properly configured third-party Lightweight Directory Access Protocol (LDAP) service, including Microsoft’s Active Directory (AD). A major benefit of managing MCX settings from a network directory service is that you can easily change configuration settings after your initial deployment. Planning and implementing this type of client management system is the best way to enforce usage policies and maintain a consistent configuration across your deployed systems.