The most fundamental level of security lies within the operating system itself. Any interaction with the system requires some form of authentication.
The first level is user authentication. Mac OS X implements role-based user accounts. Three account types are available on Mac OS X client machines (machines not a part of a Windows domain or Mac OS X Server infrastructure), whose options can be configured in the Accounts area in the System Preferences application.
Limited The most restricted type of account, limited users might only be able to see certain parts of the file system, and only run applications approved by an administrative user. As of Mac OS X v10.4, system administrators can also restrict network access to lists of approved websites and email addresses.
Standard Most users on a machine will fall into this category. Standard users are allowed to run any applications that are installed in directories they have access to, but can only write to their home directories and directories that have been set up for them by a system administrator. Standard users are also restricted from making any configuration changes that affect anything beyond their user account (such as network settings).
Administrator This account type allows the user to make systemwide changes to the machine, change permissions of files and directories they do not directly own, and manage accounts. Every Mac OS X computer must have at least one administrative account.
Being a UNIX-like operating system, Mac OS X naturally inherits a UNIX-style file system permission system. Every file and folder on the machine has three levels of access with three possible settings each. Persons familiar with UNIX, Linux, and BSD systems will feel right at home with this environment. Refer to Table 1 for details on Mac OS X permissions. Fortunately for those not familiar with the
chown GNU commands, the MAC Finder provides an interface for managing permissions in the Get Info window. In the info window for any file or folder on the computer, there is an Ownership & Permissions area listing all possible permissions variables for the given object. The three levels of access for each file and folder are Owner, Group, and Everyone (or Other). The owner is usually the user who created the object on the system. Groups are logical collections of users on a machine. On Mac OS X Client machines, groups cannot be created or modified; however, two key groups are automatically created and maintained to assist with machine administration:
All administrator level users automatically belong to the Admin group.
All other users belong to the Staff group.