Chapter . Types of Accounts

Tiger offers three normal types of accounts: administrator accounts, standard accounts, and managed accounts. (A special fourth type of account, called root, is not accessible from the Accounts preference pane.)

You can see the types of accounts set up on your Macintosh by viewing the Accounts pane in System Preferences, as shown in Figure 1. (To open System Preferences, choose it from the Apple menu or click its icon in the Dock.)

Figure 1. A quick look at the left side of the Accounts pane in System Preferences reveals which accounts are set up on the Macintosh. You can see the user name for each account and which type of account it is: admin, standard, or managed.

Before you start creating new accounts, you need to understand these different account types, what rights each one has, and how you would use each type. Table 1 summarizes the powers and limitations of these accounts, Table 2 helps you quickly match different types of users to the different types of accounts, and the rest of this section explains the account types in more detail.

Table 1. Overview of What Account Owners Can Do

Account Type

Account Owner Can

Account Owner Cannot

Root

  • Do anything.

  • Be sure his actions won’t be serious mistakes.

Administrator

  • Create and delete other accounts.

  • Install any software.

  • Change permissions on files and folders.

  • Access secure system preferences.

  • Add fonts for all users.

  • Access mounted volumes on remote Macs where he has an account.

  • Create folders in locations other than his home folder.

  • Run certain utilities.

  • Access, change, or delete any file.

  • Run the sudo command in Terminal.

  • Be sure that his actions won’t be serious mistakes.

Standard

  • Access files in her home folder or its sub-folders.

  • Access other users’ public folders.

  • Access folders on shared volumes.

  • Change settings in non-secure system preferences.

  • Install software for personal use.

  • Install software for all users.

  • Access all files and folders.

  • Change settings in secure System Preferences panes.

Managed

  • Do everything that standard accounts can do, except for limits applied by the administrator, called parental controls.

  • Access only a simplified Finder, if the administrator chooses this in the Parental Controls pane.

  • Make changes to certain settings, according to the parental controls applied.

  • Access applications that the administrator has not allowed.

  • Access unapproved Web sites, exchange email or chat with unapproved people.

Note

Technically speaking, managed accounts are merely a variant of standard accounts, but I follow the example of the Accounts preference pane which uses both terms in its interface.

Note

Panther distinguished between managed accounts and simplified accounts. In Tiger, both of these types of accounts are called managed accounts. The difference between the two was that simplified accounts could only access a Simple Finder (see later in Simplified Account for more on the Simple Finder), whereas a managed account was one for which there were some limitations set.

Table 2. How to Match Account Types to User Types

Account Type: Works Well For

Root: A super-user who needs access to every file and every program and service on the Mac.

Administrator: The person who manages the Macintosh by installing software, creating user accounts, and solving problems when things go wrong.

Standard: Everyday users who need to access files in a home folder, run software, create documents, and share files with other users on the Mac.

Managed: Users whose access should be restricted, either to prevent harm to the system or to limit what they can do with the computer. For instance, a managed user might have a special, limited Dock or be unable to receive email from unapproved correspondents.

Administrator Account

An administrator is, in the Unix world, a person who manages a computer or a group of computers. Administrators have accounts that give them the power to make system-wide changes, create, manage, and delete user accounts, and change settings that normal users can’t access. In Tiger, administrators have all these rights and more.

After you first install Mac OS X, or when you first turn on a new Mac, the Mac OS X Setup Assistant greets you and walks you through the setup process. You may not realize it, but when this assistant asks for a user name and password to create your first account, it sets up an account for you with administrator status.

This makes sense, because if you are the only user on your Mac you must be its administrator; if not, you won’t be able to access all its settings, install software, or perform other administrative tasks required to maintain your Mac.

In addition to accessing her own files (which is true of all account types), an administrator can do the following:

  • Create, manage, and delete user accounts.

  • Change permissions for files and folders.

  • Access secure parts of System Preferences, and make changes that affect global system operations.

  • Install all software using the Apple Installer or third-party installers. (Some programs don’t require authentication for installation and others can be installed by simply copying them to any folder.)

  • Add fonts to the /Library/Fonts folder, to provide system-wide access. (A standard user can add fonts to his ~/Library/Fonts folder, so he can use these fonts, but other users can’t use them, unless they install them in their own ~/Library/Fonts folders.)

  • Create new folders in locations on the startup volume other than inside her home folder.

  • Access mounted remote volumes on a Mac where she has an administrator account. Non-administrators can access only their home folders and other users’ Public folders, but users with administrator accounts on the Mac they connect to can also access any mounted volumes: internal or external hard disks, mounted network volumes, and even an iDisk mounted on another Mac.

  • Access certain system-level utilities, such as NetInfo Manager and Directory Access. (See the sidebar on the next page for details.)

  • Access, change, or delete any files on the Mac. If you want to access, change, or delete files in the System or Library folders you are prompted to authenticate, and you can enter your administrator password to carry out the task. This approach has pros and cons. It’s great to be able to access restricted files and folders without dropping into Terminal and using the command line, but since the first account on any Mac is an administrator account, this gives many people the power to make potentially damaging mistakes.

Standard Account

As I just discussed, administrators have virtually unlimited power in working with a Mac. In contrast, standard users have far less power. However, a standard user can:

  • Access any files in his home folder or its sub-folders, creating new files and deleting others, and creating new folders at any location within his home folder.

  • Access the Mac’s Shared folder, as well as the Public folders of any other users on the same Mac, and copy files from these folders to his own home folder. He can also copy files to the Drop Box folders inside other users’ Public folders.

  • Copy files to and from, as well as create folders on, shared volumes where permissions have been ignored. (See Share Files via a Shared Volume for more on ignoring permissions on a volume.)

  • Change settings in non-secure panes in System Preferences such as Appearance, Desktop & Screen Saver, Dock, Dashboard & Exposé, Sound, and .Mac. He cannot, however, change preferences that affect the overall system, such as those in Network, Sharing, or Startup Disk.

Note

It may not always seem that way, but there is a logic to Apple’s use of preference panes that present some protected functions that are accessible only to administrators and some unprotected functions that can be changed by any user. Take the Print & Fax preference pane: standard users can change the default printer and paper size, set up printers, and turn on faxing, but they cannot change any settings on the Sharing tab, since these settings affect the entire computer. The Security pane is another example; standard users can adjust FileVault settings, but they cannot make changes in the bottom part of the Security pane that affect all accounts on the computer. Rather than split such related functions among several preference panes, Apple grouped them and limited access to aspects that impact the computer as a whole.

Managed Account

When you set limits to a standard user’s account, the account becomes a managed account, as shown in Figure 2. Limits may be minor, such as not allowing the user to burn CDs or DVDs, or more wide-ranging, such as limiting the user’s access to certain programs.

Figure 2. The Parental Controls pane, showing the different applications for which you can set limitations.

You set limits (which Tiger calls parental controls) in the Parental Controls pane of the Accounts system preferences. A big change in Tiger, as far as user accounts are concerned, is the new capability to limit certain aspects of using Mail, iChat, Safari, and Dictionary (Figure 2).

Simplified Account

Even though Tiger no longer uses the term “simplified account,” I think it's useful to keep this name for an account that is set to use only Simple Finder. An account with this type of parental control has a different interface and very different rights from other managed accounts.

With Simple Finder running, as shown in Figure 3, the user sees only a minimal Dock and can access only applications in the My Applications folder in the Dock. (When you set up the account, you can choose which applications she can use.) This is the best way to set up a user account for a young child.

Figure 3. The Simple Finder is truly simple. The Dock contains three folders: My Applications, My Documents, and Shared. My Applications, whose window is shown above, contains aliases to the applications the user is allowed to access. My Documents, the middle folder you see in the Dock, lets the user store personal documents, and Shared, the rightmost folder in the Dock (the /Users/Shared folder), lets the user share documents with other users.

If an administrator needs to access files or perform other operations when a user is running Simple Finder, he can choose Finder > Run Full Finder and then authenticate. This switches the interface to the normal Finder, with the exception of the Dock, which remains as shown in Figure 3. This allows the administrator to copy files, for example, from a shared volume to the user’s Documents folder. Choosing Finder > Return to Simple Finder switches back to the minimal Finder access.

Root Account

The root account is a special superuser account available on all Unix-based systems. The root user has the ultimate power to access and change any files, or to perform any operations on the system without authenticating. The root account is authorized to do anything.

You do not access or configure the root account in the Accounts preference pane; the root user account exists automatically on Mac OS X. See Activate the Root Account to learn more about using the root account.
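
To check from Terminal which of the account types described above each local account falls under, the following added example (not from the book) classifies accounts from directory-service output. It assumes the two dscl commands named in the comments and that human accounts start at UID 501; the sample data is constructed. Managed accounts are reported as standard, since they are a variant of standard accounts.

```sh
#!/bin/sh
# Added example: classify local accounts as root / admin / standard.
# On a Mac the two inputs would come from (assumed commands):
#   dscl . -list /Users UniqueID
#   dscl . -read /Groups/admin GroupMembership
# Constructed sample output is embedded so the script runs anywhere.

SAMPLE_USERS='root        0
daemon      1
nobody      -2
kirk        501
alice       502
timmy       503'

SAMPLE_ADMIN='GroupMembership: root kirk'

# classify_accounts USERS ADMIN_LINE [MIN_UID]
# Prints "name type" for root and for every human account (UID >= MIN_UID).
# System accounts such as daemon and nobody are skipped.
classify_accounts() {
    users=$1
    admins=" ${2#GroupMembership:} "   # pad with spaces for whole-name match
    min_uid=${3:-501}
    printf '%s\n' "$users" | while read -r name uid; do
        [ -n "$name" ] || continue
        if [ "$uid" -eq 0 ]; then
            echo "$name root"
        elif [ "$uid" -ge "$min_uid" ]; then
            case "$admins" in
                *" $name "*) echo "$name admin" ;;
                *)           echo "$name standard" ;;
            esac
        fi
    done
}

# count_admins USERS ADMIN_LINE
# Prints the number of human accounts that hold administrator rights.
count_admins() {
    classify_accounts "$1" "$2" | awk '$2 == "admin" { n++ } END { print n + 0 }'
}

classify_accounts "$SAMPLE_USERS" "$SAMPLE_ADMIN"
```

Because the first account created by the Setup Assistant is an administrator, a result showing more admin accounts than people who actually manage the Mac is the case worth reviewing.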
