
Creating Administrator Access Groups

In order to use Directory Services authorization to determine access privileges, you need to create groups and assign them privileges. There are two ways of doing this:

Method 1

You can create groups and assign them privileges through the mcx_setting attribute on any of the following records:  any computer record, any computer group record, or the guest computer record.

To create an administrator access group:

  1. Create groups as usual.

    If you are using Mac OS X Server, you use Workgroup Manager to make them.

  2. After you have created groups, you edit either the computer record of the computer to be administered, its computer group record, or the guest computer record.
  3. Use a text editor or the Apple Developer tool named Property List Editor to build the mcx_setting attribute XML. The XML contains some administrator privilege key designations (ard_admin, ard_reports, etc.), and the groups that you want to possess those privileges. The following privilege keys have these corresponding Remote Desktop management privileges:
    Management Privilege         ard_admin  ard_reports  ard_manage  ard_interact
    Generate reports             X          X            X           -
    Open and quit applications   X          -            X           -
    Change settings              X          -            X           -
    Copy items                   X          -            X           -
    Delete and replace items     X          -            X           -
    Send messages                X          -            X           X
    Restart and shut down        X          -            X           -
    Control                      X          -            -           X
    Observe                      X          -            -           X
    Show being observed          X          -            -           X

    In the XML, you name a privilege key and make the value the name of the group or groups you want to possess the privilege.

    Use the sample XML below to make your management/key designation XML.

  4. When you have created the snippet of XML, enter the whole snippet into a computer record or computer group record.

    If you are using Workgroup Manager, you enable the preference to "Show All Records Tab and Inspector" and use the Inspector to copy the entire snippet of XML to the value which corresponds to the "MCXSettings" attribute name.

The following is the sample XML format you need to use to assign management privileges via MCX keys. It assigns the above "ard_interact" privileges to the groups named "some_group" and "staff." It also assigns the "ard_manage" privileges to the group named "staff," the "ard_admin" privileges to the group "my_admin_group," and leaves no group with the "ard_reports" privilege set. Here's the XML:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>mcx_application_data</key>
  <dict>
    <key>com.apple.remotedesktop</key>
    <dict>
      <key>Forced</key>
      <array>
        <dict>
          <key>mcx_preference_settings</key>
          <dict>
            <key>ard_interact</key>
            <array>
              <string>some_group</string>
              <string>staff</string>
            </array>
            <key>ard_manage</key>
            <array>
              <string>staff</string>
            </array>
            <key>ard_admin</key>
            <array>
              <string>my_admin_group</string>
            </array>
            <key>ard_reports</key>
            <array>
            </array>
          </dict>
        </dict>
      </array>
    </dict>
  </dict>
</dict>
</plist>

This example attribute defines four privileges, although any of them may be left out.
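
The following Python script is an added example, not part of the original guide. It parses an mcx_setting value like the sample above and resolves which Remote Desktop privileges each group ends up with, using the privilege table from step 3. The names audit, COMMON and VIEW and the warning texts are assumptions of this example.

```python
import plistlib

# Privilege table from the page: key -> Remote Desktop management privileges.
COMMON = ["Open and quit applications", "Change settings", "Copy items",
          "Delete and replace items", "Restart and shut down"]
VIEW = ["Control", "Observe", "Show being observed"]
PRIVILEGES = {
    "ard_admin": ["Generate reports", "Send messages"] + COMMON + VIEW,
    "ard_reports": ["Generate reports"],
    "ard_manage": ["Generate reports", "Send messages"] + COMMON,
    "ard_interact": ["Send messages"] + VIEW,
}

# The page's sample attribute value, condensed (whitespace is not significant).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>mcx_application_data</key><dict>
<key>com.apple.remotedesktop</key><dict><key>Forced</key><array><dict>
<key>mcx_preference_settings</key><dict>
<key>ard_interact</key><array><string>some_group</string><string>staff</string></array>
<key>ard_manage</key><array><string>staff</string></array>
<key>ard_admin</key><array><string>my_admin_group</string></array>
<key>ard_reports</key><array></array>
</dict></dict></array></dict></dict></dict></plist>"""


def audit(xml_bytes):
    """Return ({group: set of privileges}, [warnings]) for one attribute value."""
    root = plistlib.loads(xml_bytes, fmt=plistlib.FMT_XML)
    forced = root["mcx_application_data"]["com.apple.remotedesktop"]["Forced"]
    grants, warnings = {}, []
    for entry in forced:
        for key, groups in entry.get("mcx_preference_settings", {}).items():
            # Assumption: tolerate a single <string> where an <array> is expected.
            groups = [groups] if isinstance(groups, str) else groups
            if key not in PRIVILEGES:
                warnings.append(f"unknown privilege key: {key}")
                continue
            if not groups:
                warnings.append(f"{key}: no group assigned")
            for group in groups:
                grants.setdefault(group, set()).update(PRIVILEGES[key])
    return grants, warnings


if __name__ == "__main__":
    grants, warnings = audit(SAMPLE)
    for group in sorted(grants):
        print(group, "->", ", ".join(sorted(grants[group])))
    print("warnings:", warnings)
```

On the sample, "staff" holds both ard_manage and ard_interact, which together cover every privilege listed for ard_admin in the table.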

For more information on using Workgroup Manager, and Open Directory, see their documentation at:

www.apple.com/server/documentation

Method 2

You can create groups with special names that correspond to the privilege keys above:  ard_admin, ard_reports, ard_manage, and ard_interact. The corresponding privileges are automatically assigned to these specially named groups. If you have already created these groups for use with Apple Remote Desktop 2, they will continue to work as expected with Apple Remote Desktop 3.