Multi user Environment - wollardj/Mandrill GitHub Wiki

I’ve had many discussions within the past year with multiple Mac admins about how user-level permissions could be applied on a per-file basis. Of course ACLs and POSIX-style user/group permissions always came up, but given that most Munki repos consist of hundreds if not thousands of files, it’s not reasonable to expect admins to grant or deny rights to a user or group on a per-file basis. Instead, I’ve opted for regular expression pattern matching. If you’re thinking “I don’t know regex, but I’ve heard it’s hard”, it’s not as hard as you might think!

Most of the time, we approach the problem of granting permissions in terms of patterns anyway. For example: I want to give John full access to all the scienceLab* manifests, and read-only access to everything else. That would be a pattern, would it not? In Mandrill, the rule patterns would look like this:
[Screenshot: Rule Pattern]

The checkboxes above make that particular regex pattern read-only for the end user. To save screen real estate, a label is only shown when the user hovers their mouse over the checkbox.

manifests/scienceLab matches all files whose full path starts with /Users/Shared/munki_repo/manifests/scienceLab. If we wanted this rule to mean only the scienceLab manifest itself, you’d just put a $ after scienceLab, which you can read as ‘and nothing else after scienceLab’. Since the readonly checkbox is unchecked, John has full access to files matching this rule.

(catalogs|pkgsinfo|manifests) matches pretty much everything in the munki repo, and is read as “catalogs or pkgsinfo or manifests”. Since the readonly checkbox is selected, files matching this rule are immutable for John. In addition, John can neither create nor delete files matching this rule.
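To make the two rules above concrete, here is a small rule evaluator written for this page; it is an added example, not Mandrill’s own code. It assumes patterns are matched at the start of the repo-relative path (so a trailing $ is what pins a rule to one file), that the repo root is the /Users/Shared/munki_repo path used above, and that when several rules match the same file the most permissive one wins, which is what gives John full access to scienceLab manifests and read-only access to everything else.

```python
import posixpath
import re
from typing import List, NamedTuple, Optional

# Assumed repo root, taken from the example path on this page.
REPO_ROOT = "/Users/Shared/munki_repo"


class Rule(NamedTuple):
    pattern: str    # regex, matched at the start of the repo-relative path
    readonly: bool  # state of the "readonly" checkbox


# John's rules as described on the page.
JOHN = [
    Rule(r"manifests/scienceLab", readonly=False),
    Rule(r"(catalogs|pkgsinfo|manifests)", readonly=True),
]

# Same rules, but the first one pinned to the single scienceLab manifest.
JOHN_EXACT = [
    Rule(r"manifests/scienceLab$", readonly=False),
    Rule(r"(catalogs|pkgsinfo|manifests)", readonly=True),
]


def repo_relative(path: str) -> Optional[str]:
    """Normalise an absolute path and strip the repo root.

    Returns None for anything that resolves outside the repo (including
    paths that climb out with '..'), so no rule can match it.
    """
    norm = posixpath.normpath(path)
    prefix = REPO_ROOT.rstrip("/") + "/"
    if not norm.startswith(prefix):
        return None
    return norm[len(prefix):]


def access_for(rules: List[Rule], path: str) -> str:
    """Return 'full', 'readonly' or 'none' for one file under the repo."""
    rel = repo_relative(path)
    if rel is None:
        return "none"
    level = "none"
    for rule in rules:
        if re.match(rule.pattern, rel):  # anchored at the path's start
            if not rule.readonly:
                return "full"  # assumption: most permissive match wins
            level = "readonly"
    return level
```

A file that matches no rule at all (for example anything under pkgs/) gets no access, which is the safe default for an allow-list.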

Original Article: Joe's Blog