Apple Remote Desktop - Creating Administrator Access Groups

Creating Administrator Access Groups

In order to use Directory Services authorization to determine access privileges, you
need to create groups and assign them privileges. There are two ways of doing this:

Method #1
You can create groups and assign them privileges through the mcx_setting attribute
on any of the following records: any computer record, any computer group record, or
the guest computer record.

To create an administrator access group:

1. Create groups as usual.

   If you are using Mac OS X Server, you use Workgroup Manager to make them.

2. After you have created groups, you edit either the computer record of the computer to
   be administered, its computer group record, or the guest computer record.

3. Use a text editor or the Apple Developer tool named Property List Editor to build the
   mcx_setting attribute XML. The XML contains some administrator privilege key
   designations (ard_admin, ard_reports, etc.), and the groups that you want to possess
   those privileges. The following privilege keys have these corresponding Remote
   Desktop management privileges:

Chapter 5

Understanding and Controlling Access Privileges

Management Privilege          ard_admin   ard_reports   ard_manage   ard_interact
Generate reports              X           X             X
Open and quit applications    X                         X
Change settings               X                         X
Copy items                    X                         X
Delete and replace items      X                         X
Send messages                 X                         X            X
Restart and shut down         X                         X
Control                       X                                      X
Observe                       X                                      X
Show being observed           X                                      X

   In the XML, you name a privilege key and make the value the name of the group or
   groups you want to possess the privilege.

   Use the sample XML below to make your management/key designation XML.

4. When you have created the snippet of XML, enter the whole snippet into a computer
   record or computer group record.

   If you are using Workgroup Manager, you enable the preference to “Show All Records
   Tab and Inspector” and use the Inspector to copy the entire snippet of XML into the
   value which corresponds to the “MCXSettings” attribute name.

For more information on using Workgroup Manager and Open Directory, see their
documentation at:
www.apple.com/server/documentation

The following is the sample XML format you need to use to assign management
privileges via MCX keys. It assigns the above “ard_interact” privileges to the groups
named “some_group” and “staff.” It also assigns the “ard_manage” privileges to the
group named “staff,” the “ard_admin” privileges to the group “my_admin_group,” and
leaves no group with the “ard_reports” privilege set. Here’s the XML:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>mcx_application_data</key>
    <dict>
        <key>com.apple.remotedesktop</key>
        <dict>
            <key>Forced</key>
            <array>
                <dict>
                    <key>mcx_preference_settings</key>
                    <dict>
                        <key>ard_interact</key>
                        <array>
                            <string>some_group</string>
                            <string>staff</string>
                        </array>
                        <key>ard_manage</key>
                        <array>
                            <string>staff</string>
                        </array>
                        <key>ard_admin</key>
                        <array>
                            <string>my_admin_group</string>
                        </array>
                        <key>ard_reports</key>
                        <array>
                        </array>
                    </dict>
                </dict>
            </array>
        </dict>
    </dict>
</dict>
</plist>

This example attribute defines four privileges, although any of them may be left out.
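Before pasting an mcx_setting value into a computer record, it helps to check which groups it actually names for each privilege key. The following Python sketch is an added example, not part of Apple's guide: the function name audit_mcx_setting is hypothetical, and the sample is the XML above with one constructed, deliberately misspelled key (ard_admn) and a constructed group (helpdesk) to show how a typo is reported.

```python
import plistlib

# Privilege keys named on this page; any other key is reported as a likely typo.
KNOWN_KEYS = {"ard_admin", "ard_reports", "ard_manage", "ard_interact"}

# Constructed sample: the page's XML plus one misspelled key ("ard_admn").
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>mcx_application_data</key><dict>
<key>com.apple.remotedesktop</key><dict><key>Forced</key><array><dict>
<key>mcx_preference_settings</key><dict>
  <key>ard_interact</key><array><string>some_group</string><string>staff</string></array>
  <key>ard_manage</key><array><string>staff</string></array>
  <key>ard_admin</key><array><string>my_admin_group</string></array>
  <key>ard_reports</key><array></array>
  <key>ard_admn</key><array><string>helpdesk</string></array>
</dict></dict></array></dict></dict></dict></plist>"""


def audit_mcx_setting(xml_bytes):
    """Return (grants, findings): group -> sorted privilege keys, plus review notes."""
    root = plistlib.loads(xml_bytes)
    try:
        forced = root["mcx_application_data"]["com.apple.remotedesktop"]["Forced"]
    except (KeyError, TypeError):
        raise ValueError("not an Apple Remote Desktop mcx_setting value")
    grants, findings = {}, []
    for entry in forced:
        for key, groups in entry.get("mcx_preference_settings", {}).items():
            if key not in KNOWN_KEYS:
                findings.append(f"unknown privilege key: {key}")
                continue
            if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
                findings.append(f"{key}: value must be an array of group names")
                continue
            if not groups:
                findings.append(f"{key}: no group assigned")
            for group in groups:
                grants.setdefault(group, set()).add(key)
    return {g: sorted(keys) for g, keys in grants.items()}, findings


if __name__ == "__main__":
    grants, findings = audit_mcx_setting(SAMPLE)
    for group, keys in sorted(grants.items()):
        print(f"{group}: {', '.join(keys)}")
    for note in findings:
        print(f"REVIEW: {note}")
```

Reviewing the per-group output against the privilege table makes it easy to spot a group that was given ard_admin by mistake, or a key that was misspelled.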

Method #2
You can create groups with special names that correspond to the privilege keys
above: ard_admin, ard_reports, ard_manage, and ard_interact. The corresponding
privileges are automatically assigned to these specially named groups. If you have
already created these groups for use with Apple Remote Desktop 2, they will continue
to work as expected with Apple Remote Desktop 3.