[LaGow]

I found an interesting tidbit when reviewing the "200 Features" list that Apple published while ramping up Tiger's release:

Access Control Lists (ACL)
Go beyond the limitations of traditional UNIX file permissions and enjoy greater flexibility over assigning access permissions to files, folders and network services.

Can anyone speculate how these might work?

[Millennium]

Originally Posted by LaGow

I found an interesting tidbit when reviewing the "200 Features" list that Apple published while ramping up Tiger's release:

Access Control Lists (ACL)
Go beyond the limitations of traditional UNIX file permissions and enjoy greater flexibility over assigning access permissions to files, folders and network services.

Can anyone speculate how these might work?

Basically, they build upon the standard Unix permissions. You still have the traditional owner, group, and "everyone else" permissions, using the owner and group associated with the file. However, you can also specify additional users and groups and assign permissions to them apart from this.

This article goes into details about FreeBSD's ACL model. OSX's ACLs will probably either be identical or very nearly identical to this model. The article is very CLI-oriented, but there's not much of a way around that since no one has said anything about Tiger's GUI for this sort of thing. However, it should give you a basic idea of what they do.

[LaGow]

Interesting. I assume we can't expect an Apple GUI for this since the feature is listed under the Unix heading of Apple's Tiger feature list. I had thought this feature might contribute to an easier file-security implementation (with the content of another, ahem locked, thread in mind), but it looks like this feature might have been impemented with Windows feature parity in mind.

[Millennium]

Windows feature-parity is part of it, anyway. Windows has had an ACL implementation for a long time, though it doesn't do much good since Microsoft doesn't set it up effectively by default. OSX can do better than that, though it's unlikely they'll actually use ACLs on the system files.

The thing is, ACLs aren't really easier to use for simple setups. When you have a large organization with complex security needs, they are much easier to manage than classic Unix permissions, simply because you don't have to set up a unique group for every unique set of people which might have access to a file. When you have only one or two humans using the machine, however, the utility of these lists becomes very low indeed; they're not harmful, but they're not going to get used for much. It's possible that you'll be able to work with ACLs using the Get Info dialog, though, similar to how you work with permissions nowadays.

[LaGow]

That makes sense. Thank you.

[larkost]

As Millennium indicated, ACL's aren't useful for the majority of users in the majority of cases... it would just cause confusion. However, I think that Apple has put the in for 2 reasons:

There are rare cases where it is easier to do something with an ACL than either messing with groups or playing with sudo (although the later is probably the most flexible of all the systems).

Apple is positioning 10.4 Server as an easier-than-Windows2003 NT replacement, and they had to have ACLs to be credible there. Since it had to be worked into the system anyways, why not let 10.4 client have it as well.

[OmniX]

Can anyone comment on whether there will be a GUI for managing ACL's in Tiger Client? I would assume there's some admin app in Tiger Server, but wonder whether the Finder (or something else) in Tiger Client will have this capability...

[SS3 GokouX]

If there isn't one built-in, I'm sure someone will make a nice donationware app to manage them easily.

[wadesworld]

I'm sure ACL's were important for government purchases.

Wade