"Custom" Permissions

Similar Messages

• Regarding creating SharePoint custom permissions not permission level

  Hi All,
  i want to create or manage custom permissions under permission level.
  like
  for list items Manage Lists and add items etc.
  Thanks in advance.
  Kindly suggest me some suggestion
  Varsha Patil

  Use SPSecurityTrimmedControl control to for specific users or group. But still SPSecurityTrimmedControl will not work for full control so you also need to customize permission for full controls users.
  First go to permission level page and modify the permission for full control. uncheck the permission for whom you don't want to show this control (refer below link to know about base permission)
  http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions.aspx
  Then do the same for custom permission level. and now assign this custom permission to group. Later use  SPSecurityTrimmedControl in above menu and then hide/show control for users.
  http://social.technet.microsoft.com/Forums/en-US/9496525a-3f8f-47e3-a3c0-73d9a1670b0d/how-to-make-the-site-actions-menu-invisible-to-certain-users?forum=sharepointgenerallegacy
  http://social.msdn.microsoft.com/Forums/en-US/0dba2a60-204d-44d9-968f-84cd41f52e2d/how-to-hide-site-actions-menu-for-user-group?forum=sharepointcustomizationlegacy
  Hemendra:Yesterday is just a memory,Tomorrow we may never see
  Please remember to mark the replies as answers if they help and unmark them if they provide no help

• Custom Permissions Repair.?

  To V.K. or anyone else that can help me.,
  I have experienced three external firewire drives in a locked, 'custom permissions' state. I can not access, unlock or run a repair permissions on those drives. I was very hopeful in that by following the terminal commands detailed in another thread, I successfully unlocked one of the three drives, my 1TB Movies drive.
  But using the same procedures for the next two drives has not worked, my Time Machine Drive (single 750GB) and my Media Drive (750GB in a Dual Drive, mirrored array) storing all of my music and pictures.
  Trying the suggested Terminal commands, in order, out of order, even after entering the user password requested, always returns:
  No such file or directory
  Please advise.
  I am hopeful but still very concerned, since everything I have ever done creatively, is at stake.
  Thank you in advance
  Message was edited by: Damien-007

  V.K.,
  The problem is that, in a few cases, the upgrade to Leopard fails to properly run the scripts that also "upgrade" the existing accounts, and more importantly, convert the (old) Netinfo database to the Directory Services paradigm. Most users who upgrade do not experience this little glitch, but the OP evidently did.
  On the face of it, a user in this situation could either ignore the discrepancy (after all, a "Tigerish" GID would match the user's files, causing no immediate problems), or the user could change their GID rather easily in the "Accounts" GUI, then chown all their files.
  But there would still be the issue that the old Netinfo database wasn't properly converted. What other problems might exist? Would a new user, created after the failed upgrade, be created with the proper properties? Is the Directory Services flat-file structure in place as it should be, or is something broken? If the "account upgrade" scripts failed during the installation, what else might have failed? Are we absolutely certain that the resultant installation is flawless?
  The fact is, that we just don't know what might be wrong. With the appropriate knowledge, and some time spent at the affected machine, we could undoubtedly answer these questions, but it would be a tedious, time-consuming process. The point is moot anyway, because we are not sitting at that computer, and this is not something that lends itself well to a tutorial via these forums.
  In the end, the OP would be better served (IMO, ) by the recommendation to format and reinstall "from scratch." Beyond the need to subsequently reinstall any third-party applications, this need not be a big "headache," and I would also supply the necessary instructions for restoring the user data to the new installation. Because the restoration methods I regularly recommend involve "chowning" the restored data anyway, any discrepancies in this regard are accounted for.
  Everyone knows that file ownership is important. Less well-known is the fact that group ownership and membership can sometimes be just as important. Discrepancies in this regard can cause what appear to the casual user as permissions problems, when in fact they are problems of ownership. I don't know the OP's history as well as you evidently do, but I wouldn't be surprised if this is what compelled him/her to start changing permissions (and using the "Apply to all" function) in the first place.
  I'm not "format happy," and I see no reason to erase and reinstall unless there is some compelling reason. On the other hand, I think it is a waste of time to "fix this," "adjust that," "troubleshoot these," when a couple hours spent formatting and reinstalling can, in effect, "wave a magic wand" and make all the problems go away.
  Scott

• Mailbox contributor and custom permissions

  Hi,
  We upgraded to Exchange 2013 last month and have recently encountered an issue setting permission on calendars.
  In 2010 our guidance counselors gave contributor permissions to students. Students could see there free and busy time and could add an item. They could not edit, delete or see any details and this worked great.
  Since upgrading to 2013 whenever any tries to grant contributor permissions in outlook it immediately changes to custom? The user who has been granted rights can't add any items to that calendar. Changing that users rights to any other predefined right such
  as say owner or editor works fine and shows as that appropriate right. Trying to change it back to contributor thought and it immediately shows as a custom right in outlook.
  I have tried setting rights via power shell and in power shell it will report as contributor but shows as custom in outlook. I have also tried just setting the individual rights and not the predefined ones via both outlook and power shell and it makes on
  difference.
  Has anyone else run across this?
  We are running Exchange 2013 CU6 and our clients are Outlook 2013 as well.
  Thanks!

  Hi,
  I uploaded a video of the behavior I was talking about so you can see how the contributor permission changes to custom automatically. 
  It appears that anytime a right is custom the "Write" section CreateItem, EditItem, etc does not work. The "Read" section of custom rights appears to function as normal you can change from free/busy to full details and that works fine. 
  Thank for any help!
  http://youtu.be/SQEi6ZYZD68

• Volumes show Locked Icon and no access priviledges to "custom" permissions

  Help!
  Since I upgraded and then migrated to Leopard I have been having issues with ownerships and priviledges.
  Constantly was getting cannot move or trash or change due to lack of priviledges but two days ago 4 of my 8 drives have a locked icon on the volume icon and when I try to access them I get a "you do not have access priviledges to this "FOLDER"" message when I try to open the drive?? There is a lot of reuired info and data on these drives and I need to access them!
  When I go to GET INFO and look at the permissions they are all "CUSTOM" and when I try to modify or add myself to the list my name comes up but does not add to the list.
  I also see 2 (TWO) "system" and one "everyone" on the list??
  Some drives only have one "system" but all show custom as priviledges??
  PLEASE HELP!

  run the following commands in terminal
  sudo chflags nouchg /Volumes/"drive-name"
  sudo chmod 775 /Volumes/"drive-name"
  put the name of the external instead of "drive-name" in the above. keep the quotes. you'll have to enter your admin password (which you won't see). that's normal. repeat for every affected drive.

• How can i change custom permissions on a drive?

  I have screwed up my permissions on 2 of my external drives,  VERY important info on both.
  The disk icons have a small lock in the corner and I cannot read or write to them. 
  Get info brings up a permissions window that says "Custom"  where the read write should be. 
  It will not let me change these.  Please help!

  Open Terminal in the Utilities folder. At the prompt enter:
  sudo chown root:admin
  Put a space after "admin" then drag the Desktop icon of one of the external drives into the Terminal window. Press RETURN. You will be prompted for your admin password. It is not echoed to the screen. Press RETURN again. Enter the following command in the Terminal window:
  killall Finder
  Press RETURN.
  If this works OK then repeat for the other drive. If it does not work then download BatChmod and use it to fix the permissions on the external drives.

• How can I change 'Custom' permissions for TM backup disc?

  I have recently had some big problems with permissions on the main disk of my G5 iMac. After fixing permissions, Time Machine then reported that my backup disk (an external 300Gb FireWire disk) was read-only and so backups couldn't take place, and the icon for the disk has a padlock shown on it. Looking at the Get Info for the disk and unlocking 'Sharing and Permissions', I see a line saying 'You have custom access', and that all permissions shown are set to 'Custom'. I don't know what this means - and worse, I can't change the permissions to any of the normal settings (Read & Write, Read Only, Write only (drop box)), and I can't check 'Ignore ownership of this problem'.
  I am thus unable to do any backup. The system worked fine for at least a year before this. Has anyone any idea what 'custom' means and what I should do. I haven't found anything that seems relevant by searching this forum.

  Time Machine uses special "deny everybody everything" permissions. You should not change them.
  FIrst, do a +Repair Disk+ (not permissions) on the TM volume via DIsk Utility (in your Applications/Utilities folder).
  If that doesn't correct it,
  If you only have a partial backup, or don't need the ones you've done, the simplest thing to do is just erase the disk/partition.
  If you don't want to erase it, here's a workaround:
  First, you need to find the name of the hidden file that's causing the problem Click here to download the +Time Machine Buddy+ widget.
  It shows the messages from your logs for one TM backup run at a time, in a small window. If it shows a message like this: "You do not have appropriate access privileges to save file “.<nnnnnnn>” in folder <Name>"* skip to *Open the Terminal App* below.
  If not, Click here to download the +Tinker Tool+ app. It allows you to change the Finder to show hidden files (among many other things). Select the first option under Finder, then click +Relaunch Finder+ at the bottom. Reverse this when done.
  In a Finder window, select your Time Machine drive/partition. The very first file shown should have a name consisting of a period (dot) followed by 12 numbers and/or letters. (This is your Mac's Ethernet address). Copy or make a note of it.
  Open the Terminal app (in your Applications/Utilities folder).
  In Terminal, the prompt looks like this: user-xxxxxx:~ <your name>$
  (where <your name> is your short user name). It's followed by a non-blinking block cursor (unless it's been changed via Terminal > Preferences).
  At the prompt, type the following exactly as shown, substituting the name of your TM drive exactly, including any spaces, between the quotes; and the string of numbers & letters from the message where the series of x's are (keep the dot):
  <pre> sudo chmod 644 /volumes/"TM drive name"/.xxxxxxxxxxxx</pre>
  example: sudo chmod 644 /volumes/"TM Backups"/.0a1b2c3d4e5f
  Press Return. You'll get some warnings and a request for your Administrator's password. Type it in (it won't be displayed) and press Return again.
  Then try a +Back Up Now+ from the TM icon in your Menubar, or by control-clicking (right-clicking) the TM icon in your dock.

• Everyone Deny Custom permissions being randomly applied

  What are the correct User Home folder permissions within Server Manager?
  As I understand it you need _guest group Read Only in the ACL, with username Read Write, Staff Read Only, Everyone No Access.
  Is that correct? And if so, why does the Everyone Deny Custom ACL permission keep getting randomly applied to the subfolders within the Home folders (but not the Home Folders themselves, or the Users folder). It seems to result in users not being able to access their own desktops or anythign within the Home Folder once logged in (but lets them log in).
  It was all working fine yesterday, and nothing has been changed since then, yet all of a sudden this extra Deny permission is propagated everywhere.
  Any thoughts?

  It turns out that Everyone Deny is a standard permission set that is added by OS X once the user logs on. Thinking about it, it makes sense - deny everyone with the exception of the user.
  Answered my own question, lol. Well done me.

• I have 2 sets of permissions, how do I delete one?

  I have five Macs, one G4 and 4 - G5's. G5s are running Snow Leopard 10.6.8.
  Five graphic designers, who back up their work on a Mac XServer 10.6.6
  Permissions on the designer's Macs are set to read/write for everyone.
  Designer A backs up his job to the XServer, then Designer B needs to edit it, so she attempts to pull it off the XServer.
  Permission denied for only some of the files, not all.
  I guess I need some guidance on the proper way to administer the ACL on the Xserve.
  I have set up an ACL group on the server. The strange thing is, there are 2 sets of permissions showing, one seems normal, but the other is labeled "Custom".
  Is there any way I can log in as something other than the Administrator, and "wipe out" the custom permissions?
  I usually do not mess around in the Terminal.
  Thank you for any insights...

  As Templeton Peck says, the proper way is to use the repartitioning facility, but this will result in loss of data.
  However, SubRosaSoft do make a utility, Volume Works ($10), that will do this resizing on the fly. A complete back up would be prudent in either case.

• Permissions are not shown correctly in Get Info on Snow Leopard client, using Tiger server w/ ACL's

  Invoking "Get Info" on a file or folder which is on a shared volume hosted by a G5 running Server 10.4 fails to show meaningful permissions when done from a 10.6 iMac.  It says only that the user has "custom permissions", which is true since there are ACL's in operation.  However, the Owner and Group POSIX settings are not shown, only the Everyone setting shows, making it impossible to determine which user created the file (in order to resolve issues when permissions prevent intended action).  The same file or folder will show Owner and Group on 10.5 systems, as well as at the 10.4 Server itself, so we do have a workaround.  I have noticed, though, that I have run into permissions restrictions where I should not, such as creating a folder on a shared volume using a 10.6 system, and then not being able to save into that folder from the same system/user.
  Is there something about the implementation of ACL's in Tiger that confounds Snow Leopard's Finder?

  Hi,
  I did two things to get it working, and haven't taken the time to sort out which did it.  But it is working so it's good enough for me.
  First I followed TeenTitan's suggestion, and also checked "Allow printing from the internet".  I'm behind a firewall so not too concerned I'll get someone's odd photo on the printer.
  Second I went back to server admin, selected the queue under queues in the Print service, then selected IPP and deselected LPR.  Bonjour went grey but stayed checked.
  After this I see the printer with "@ server name" appended, and it added the printer drivers like it should.
  So all working well.

• PC Permissions issues with 10.5 server

  We are having some permission problems for our PC users.
  Here is what typically happens. User is working within a job folder. Within this job folder are a couple of other folders to organize the job parts. The user will modify some of the files and then move them to a new folder. Once they have been moved the user can no longer see these files. Opening this folder it appears as if it empty. Going to the server and opening the folder you can see the files. The folder appears to have custom permissions for some reason. Getting info on the job folder and reapplying the permissions fixes it.
  More background
  In Server Admin all the users for this share have read & write permissions and they are all listed under the ACL section of Permissions. Along with the associated groups just in case. Under POSIX the group is set to read & write as well. Guest access has been turned off.
  The PCs connect to the server using the direct ip address like this:
  \\192.168.x.x\share name
  They then enter their username and password.
  So far Mac users are not having a problem and it is only for PC users.
  Maybe I need to look under protocal options and smb to set something there.
  Any suggestions would be helpful
  Thanks
  Steve

  Hi itoster
  I think you are on to something. I did fix my issue and it is in a similar way.
  Every time you create a new user they automatically become part of the workgroup group. When I set up the shares I only gave permissions to the group I created and deny the workgroup (this is under ACL part of permissions). Well once I gave workgroup access to the shares everything is working fine. I'm not sure yet how this effects the permissions for the shares since everyone is part of workgroup and workgroup has access to all shares. Whew!!
  I hope this helps and if other people can confirm this is how it works for them it would be helpful.
  Steve

• Cannot change permissions to external hard drives

  My usb partitions are all set to "custom" permissions and they cannot be changed no matter what I have tried. I tried creating new Administrator accounts but I cannot assign any new accounts or settings to the partitions. They merely appear on the desktop with a lock icon on them.
  What caused this issue is I wanted to remove the annoying "unknown user" under permissions for an external partition. It would not allow me to do that so I tried to apply disk permissions to "all enclosed items". This did not help either so I tried repairing disk permissions and it appeared to start to fix a trillion disk permission errors that would take 2 hours estimated to do so. It suggested canceling and reinstalling the OS after backing up your files.
  So I took that suggestion, cancelled the repairing process, but was not able to back up my files because of this change to the partitions that all now appear with a lock.
  I have a feeling it will require some Terminal commands to reapply new permissions to the partitions, which I would need help doing.
  Thanks for any assistance.

  you should never use "apply to enclosed items" on a system drive or on system created folders. that includes the Applications folder, your home directory, your desktop folder etc. Use it only on folders you create yourself. to unlock the external drives you need to run the following terminal commands (copy and paste please)
  sudo chflags nouchg /Volumes/"drive name"
  sudo chmod 775 /Volumes/"drive name"
  Put the name of the affected drive in the above. KEEP the quotes. You'll be prompted to enter your admin password (which you won't see). that's normal.

• Permissions issues with iTunes12.1.2 and OSX10.10.3

  I've been unable to open iTunes from the Dock or Application folder for a month or so. The fix given by many here to run from the pkg contnets folder works, but I have to use it every time I want to re-open iTunes. When I look at the permissions in the Get Info window, I see Everyone twice, once with "custom"permissions and once with "read only". System has "Read and Write" permissions and then there's something called wheel that has "Read Only". Is there something that I can change in these permissions that will fix the problem.
  Thanks

  Better yet, try reinstalling iTunes using one of the following:
  Apr. 2015 Niel post: Re-install iTunes application - https://discussions.apple.com/message/28055467#28055467 - delete the old application first, with instructions on how to do that. 
  April 2015 LincDavis post with a bit more detail on the method Niel outlines - https://discussions.apple.com/message/28101611#28101611
  A similar technique by Ben.d using Terminal to delete the application - https://discussions.apple.com/message/28036630#28036630  Normally you don't have to delete an old application but this time it seems to be necessary for some.

• Setting MS Access Permissions

  I have a MS Access 2013 web app hosted on the Microsoft Office Sharepoint 2013 site.  I want the team members to be able to add/modify/delete only within the web forms.  How do I set permissions so that other team members cannot delete or update
  the actual application and the application data outside of the web form?  What permissions should I use?  I tried to create a new group with custom permissions, for example group "XYZ".  When I tried to add permissions to group "XYZ",
  I was not given a choice of using the custom permissions that I set up.
  Thank you in advance.

  Hi,
  According to your post, my understanding is that you wanted to set Microsoft Access Permissions.
  If you already created an app and now you've decided you want your app to have unique permissions from the site where you created it, see Set
  permissions for an Access app on Office.com.
  More information:
  Set permissions on an Access Web App
  Set permissions for an Access App - SharePoint 2013
  Best Regards,
  Linda Li
  Linda Li
  TechNet Community Support

• Permissions

  Here is a summary of the permissions system the way I understand it. I hope it helps save anyone out there some of the time and trouble I've had to endure to understand Permissions.
  I) POSIX:
  Get info
  The 'Get Info' window is a user-friendly way to view and manage permissions on files and directories. But it is a little confusing to understand.
  You can tell if you've really messed around too much with the permissions of a file or directory if the Get Info window lists your Sharing and Permissions as 'custom'. You shouldn't have any 'custom' permissions settings if you are new to managing permissions.
  For all beginners, there should only be three listings in the 'Get Info' window. The reason this confuses people is because everyone wants to see themselves as the owners of their computer's files and directories, and nobody wants to see 'everyone' with access to important files and folders.
  First listed is the file's (or directory's, if you selected a directory) owner. There is only one owner for each file or directory, but the owner can be changed in terminal with chown (provided you have the needed privileges).
  Next listed is the primary group to which the owner of the file or directory belongs. A user can only belong to one primary group, but the primary group of a user can be changed with usermod in terminal.
  Next listed is all other users. This is the account that mostly ruins people as everyone wants 'everyone' to have no access to their computer. The main problem is that the need for 'everyone' to have permissions on some important files is not correctly understood by most people.
  Using File Hierarchies to Manage Permissions
  It is easier to accept the need for 'everyone' to have access to important directories once you realize that the file and directory permissions are also managed via the file and directory hierarchies. So, regardless of who has permissions on a file or directory, if it is copied or moved to a directory to which 'everyone' has no access, and you are the only one with permissions, then the moved or copied file cannot be accessed by anyone until you move it back out of your directory. The role of file hierarchies in managing permissions is a very important part of the system, but most people are not aware of how it works.
  It is similarly easier to understand the need for 'everyone' to have access to important directories with two different examples. Say, for example, you add a new user to your system. The system will automatically copy directories into that user's home folder for that user to use. But if the directories are not accessible by 'everyone', then that user will not have access to any of the copied resources.
  For another example of the need for 'everyone' to have access to important directories, consider what happens when you attempt to assign 'no access' to 'everyone' on your System folder. Now, you yourself cannot access the folder and you have to reboot your system with disks. You cannot simply add yourself as the owner of the System file, because the system needs to access that file at start-up. The System is one important user on your system which you cannot do without! So the System must be the owner of the System directory. The System automatically belongs to a group called 'wheel' which allows for the connection of other 'Systems' to your 'System' through a common group. Is the 'System' did not belong to any group, you could never share resources, files, directories, or executables (like a printer, for example) with other 'System' users. So your computer automatically includes a 'wheel' group and a 'System' (YOUR 'System') that belongs to that group. Now then, you are not your system. Your system is your system. In order to use your system, you have to have a user account. Also, you have to have access to your System folder. Since the System folder necessarily belongs to your system, and the system is necessarily installed as a member of the 'wheel' group (otherwise you would not be able to network), then there is only one more permission through which you can gain access to your system, and that is the 'everyone' group. This is because there are only three reserved places on the permissions bits. There is one place for the file (or directory) owner, one place for the primary group of that owner, and one place for 'everyone' else.
  The three-entry 'limits' to the permissions system (owner, group, everyone) make much more sense when you realize that the directory and file heirarchy permissions are meant to be used as the other half of the permissions assignments. Where the most important owner ('System') of a directory (system) must be the most accessible (to 'everyone'), all other groups and users can impose more restrictions on files and folders (directories) that they create, as well as those which they have imported into their own files and folders, using the file hierarchies to manage permissions.
  Terminal ls -l command
  When in terminal, you use the ls command to see a list of the files in the current directory. However, when you at the -l option to the ls command, you also get to see the file and directory permissions for each file or directory in the current directory.
  The permissions for a file start with a -, and the permissions for a directory start with a 'd'. That is followed by 9 dashes or letters. The letters are for 'read' 'write' and 'execute' (rwx). The first three are for the file or directory owner. The second three are applied to the file or directory owner's primary group. The second three are applied to everyone. However, if a file which 'everyone' can read is in a folder to which 'everyone' has no access, then there will be no access to that particular file, even though the permissions for 'everyone' assign access. That's because the permissions assignments to a file or folder are only half of the permissions management. The other half is the arrangement of the files and folders, through the hierarchical assignment of permissions restrictions. That is the fact about permissions systems that confuses everyone.
  Terminal chmod command
  In terminal, you can change the permissions 'mode' assigned to a particular file or folder (or even an entire hierarchical structure) using the chmod command. There is a numbering system to correspond to the 10-letter (drwxrwxrwx) system. You can learn more about that online or by typing 'man chmod' into the terminal.
  Terminal chgrp command
  In terminal, if the owner of a file or directory belongs to more than one group, you can change the group that has permissions to the file or directory to one of the owners' non-primary groups. You can learn more about that by typing 'man chgrp' into the terminal.
  Terminal, editing  the /launchd-user.conf file
            You can set the 'umask' by editing the configuration file for the user. Editing configuration files is an important part of the system and a valuable skill to learn. Once you learn how to edit the user configuration file, you can easily change the default permissions mode that is assigned by that user to his or her new files and folders by changing the 'umask' variable. The umask variable uses a 4 digit number for permissions, just like the chmod command.
  Who are Users?
  There are several very important users on your system. Your computer itself is a user on your computer, called 'System'. There is a user called 'root' that gives you control over the 'System' (and consequently can destroy your entire system). 'Root' user is also a default member of the 'admin' group. When your system is first installed, it prompts you to add yourself as the first human 'user' and makes you the first human member of the 'admin' group, as well as a member of the 'staff' group. Your primary membership is to the 'staff' group, but you can also function as a member of the 'admin' group by entering your password when prompted or when required in a command. You can add any other users from that point and grant them admin privileges, or not, or membership in some other group with other privileges to access certain directories or files.
  What are the Groups?
  Groups like 'wheel' and 'daemon' are used to connect your system to network users without granting system privileges. Your computer 'System' is a user that belongs to the 'wheel' group. 'Root' user also belongs by default to the 'wheel' group and 'admin' group' and 'staff' group (so that if you, the hardware owner, log in as 'root' user, you can access everything on the hardware). The 'wheel' group is like an empty socket waiting for you to allow other network resources to connect with your system by adding them to the 'wheel' group. A user could be a member of the 'wheel' group without having privileges or permissions to anything on your system. Maybe such a user would only be given permissions to access a printer or a single folder on your system.
  'Everyone' is the group that most people want to eliminate. However, 'everyone' is necessary for the most important system resources, which can subsequently be assigned restricted access (when they are moved or copied to other, more restricted, files and directories) using the hierarchical assignment principle. 'Everyone' is the most misunderstood group identity.
  Apart from such default required groups, you can create any group you like, and many applications will add a group to your system for use with that application and its resources. You can see what groups are on your system (and what users belong to them) by reading the etc/group file.
  If a user is not assigned to any group, the computer assigns them to the default group called 'staff'.
  What is the best way to set up file and directory permissions?
  There is a utility called 'disk utility' which you can use to 'fix' your permissions if you messed around with them too much without knowing what you were doing (learning, obviously!). If you still have access to your system, and it is acting funky, and you have been messing around with permissions, 'disk utility' is likely to solve all of your trouble. If the permissions are too badly ruined (for example, if you assign 'everyone' 'no access' to your system folder, etc), and you have no way to login to the root user (root user can be both enabled and logged in through any terminal window using 'dsrootenable', if you have both an administrator password and a root user password) then you may have to reboot from disk or perform a new installation, since you likely have removed yourself from your own computer.
  Apart from the 'disk utility' defaults for important directories, there is no best way to set up permissions. When you combine the permissions mode of a file or directory with the hierarchical permission structure, there are many ways that intellectual property can be both protected and shared, according to the project and purposes.
  There are many possible arrangements for permissions, and each proposed scheme requires a bit of study to understand how security, privacy, collaboration, and sharing will be affected.
  II) ACL:
  Microsoft WindowsOS manages permissions differently (They use ACL's instead of POSIX). There, you assign each file or directory different permissions for each user or group. In Apple OS it is called 'ACLs' when you create custom permissions by removing or adding permissions for users or groups that are in conflict with the standard three-values permission system. Altering the permissions to create these 'custom' settings shows up with the 'ls -l' command as a '+' appended to the permissions bits (drwxrwx---+). The reason for the '+' (or the exceptions added to the standard security permissions) can be listed using the ls command with the -le switch.

  Mac OS X ACLs are based on a FreeBSD ACL implementation that extends the standard Unix/POSIX file system DAC security model.  The ACLs used in Windows' security model work differently, because the Windows' security model is based on security tokens that interact...well, to be honest, I've always felt that the Windows security model reminds me of the OS X preference domain model more than anything else.
  Otherwise, not bad at all.