Workgroup Manager is a web application that gives Stanford community members a place to define groups of community members for use in various online applications, including web authentication. A workgroup is a list of members in a group, identified by their SUNet IDs, and given a name that uniquely identifies it. A workgroup may also contain subgroups — other workgroups identified by their name. In the example workgroups above, the first part stem of a workgroup's name, before the colon, is the workgroup's owner; the second part id is the specific name of the group.
The combination of the two parts stem:id creates a unique name that can be used to refer to the workgroup. You can set the traditional POSIX permission structure by identifying an owner and group for the share point.
Then use the appropriate pop-up menus to assign whether the owner and members of the assigned group have no access, write-only in which they can copy things to a drop-box style share point but not see anything in it , read-only or read and write.
You can also assign a permission to the "Everyone" group, which includes anyone who can access the server, including guest users if you allow guest access. You can also assign access via an ACL for the item. Select and drag users and groups into the "Access Control List" box.
You can then use the various pop-up menus next to each user or group to configure their access to the share point. For more granular control, you can select a user or group in the list and click the "Edit" button which looks like a pencil. You can also use the "Gear" menu to remove any ACLs inherited by the folder or share point and to make inherited permissions explicit -- meaning they won't be changed if the original ACL they were inherited from is changed.
Or you can propagate changes you make to other folders and can display the Effective Permissions Inspector. The Effective Permissions Inspector is a way to see which permissions any given user has. It takes into account group memberships and explicitly assigned permissions. The "Protocols" tab allows you to define the protocols that clients will be able use to access the share point. You can select each protocol using the pop-up menu on this tab and set various options, as well as determine whether the share point will be shared with each protocol.
For both AFP and SMB which is displayed in the menu as "Windows File Settings" , you can choose to share the item over the selected protocol, set custom names for the share point other than its folder name, and determine how permissions for newly created items should be set.
You can also choose to allow guest access, although this practice is strongly discouraged because of its inherent insecurity and lack of logging capability. For the SMB protocol, you can also choose to use strict and opportunistic locking. These options control how the server will react when multiple clients attempt to access the same files, or segments of files, simultaneously.
More information on strict and opportunistic locking and their use in Mac OS X Server can be found in this Apple tech note. NFS access to a share point is generally discouraged because it relies on client IP addresses rather than user accounts to assign permissions. If you must use NFS, be sure to use the "Map root" and "Map user to nobody" options as well as the option to force all clients to have read-only access.
Additional information on NFS options is available from Apple. The final tab that is available for a share point is the "Network Mount" tab. This tab allows you to create a mount record for the share point in Open Directory.
Mount records allow share points to be automatically mounted at start-up before users log in; such share points are sometimes referred to as auto-mounts. They are most frequently used for setting up network home folders, where access to a share point must be established before log-in, but can also be used for shared applications and shared library folders.
Shared application and library folders allow you to include centrally stored files in a computer's search path. If you create a shared library folder, for example, computers bound to Open Directory will access it along with the Library folder on their hard drives as well as the Library folder in the user's home folder. This provides a method for making system resources such as fonts or application support files available without having to install them on every computer.
However, it can cause system delays on workstations connected by moderate to slow network links. It can also add noticeable load to the server.
To have a mount record, the server must be an Open Directory master or replica, or be bound to Open Directory. To configure a mount record, select the "Open Directory" domain -- where you wish to configure the mount record -- from the "Where" pop-up menu.
If needed, click the padlock button to authenticate using an account that has administrative rights to the domain. Select the protocol that will be used to mount the share point -- AFP preferred or SMB secondarily -- and identify what it will be used for. To work with user, group or computer list accounts in Workgroup Manager, connect to your Open Directory master.
If you are working with a server that is not part of a directory services infrastructure, connect to the server on which you wish to manage local accounts. Then click the "Accounts" button.
Again, you will see two panes see Figure 4. The left-hand pane displays existing accounts as well as a search filter box. It also contains tabs for selecting whether user, group or computer list accounts are displayed. You can also choose to display the Inspector, which is covered later in this article. The right-hand pane displays the various options for a selected account. To edit an existing user, simply select the user in the accounts list; you can use the columns to sort users, and you can use the search filter box to search for specific users.
To create a new account, click the "New User" button in the tool bar. The following graphic illustrates information messages in the message area. A pop-up message displays when Windchill Workgroup Manager is minimized, or when an action is initiated from the CAD application. The following graphic displays an example of the pop-up message containing information that notifies a user of actions that have succeeded.
0コメント