TITLE
    Mac OS X Server: Macintosh Manager, Access To Applications Not Allowed
Article ID:
Created:
Modified: 		24990
9/7/99
9/13/99
TOPIC

    Using Macintosh Manager software, user access can be configured to allow access to certain application programs while denying access to all other application programs. However, I have found that users are sometimes able to open application programs that are not in the user's Workgroup approved items. Not all applications behave this way; some applications deny access, stating that the user does not have enough access privileges. Can you explain?

DISCUSSION

    There are several settings that can cause this. First, the Administrator has the option to allow applications to be opened by other applications (sub-launched), on a per application basis. This option is accessed by choosing Application Preferences from the Configuration menu. For the sake of tighter security, the default setting is to not allow applications to be sub-launched.

    If an Administrator sets the option to allow sub-launching of an application, then that application can be opened from the Restricted Finder. Macintosh Manager does not see this situation as a security risk and allows it to happen.

    To work around this, simply disable the "Allow this Application to be opened by other Applications" option for all applications that you do not want users to be able to access. The application will show up in Application Preferences once it has been added to any workgroup.

    To enable helper applications for something such as a web browser without granting access to the helper application itself, enable the "Applications can open other applications, such as helper applications" option in the Security tab of the Computers tab. This setting does not apply to the shell application (Finder or Panels) so it will not override the approved application settings for the workgroup. Finder and Restricted Finder are environments where the Finder is shell application and the Panels environment has Panels as its shell application.

    A user will also be able to launch non-approved items in the following situations:

    • The application or an alias to the application is in the Apple menu and the workgroup has access to other items in the Apple menu. This is set in the Apple Menu section of the Privileges tab of the Workgroups tab.
    • The application or an alias to the application is in the Control Panels folder and the workgroup has access to Control Panels. This setting is also in the Apple Menu section mentioned above.
    • The application or an alias to the application is in the Startup or Shutdown Items folder and the workgroup can open items in this folder. This setting is in the Options tab of the Workgroups tab. Note: The checkbox is labeled Startup Items but pertains to both folders.
    • The workgroup is set for "members can open any items on local volumes." If this is set any member of the workgroup can launch any application on a local volume. This setting is in the Items tab of the Workgroups tab. Local volumes do not include AppleShare, CD-ROM, or removable media (such as floppy or Zip) volumes.
    • The workgroup has an approved document created by a non-approved application. This can be done by dragging a document into the approved items list. Approving a document will automatically approve the creator application. Removing the document from the approved items list will also remove approval for the application, if the application and other documents are not approved.

Document Information
Product Area: Mac OS System Software
Category: Mac OS X Server
Sub Category: Macintosh Manager

Copyright © 2000 Apple Computer, Inc. All rights reserved.