Make Mac Work:

Helping Manage The Macintosh Enterprise

CreativeTechs

Control Individual Service Access

The sales team needs VPN for travel. The finance department needs Windows File Sharing. Freelancers need to deliver work via FTP, but they shouldn’t ever be able to log in from the console. Your server needs to offer a variety of services, but you don’t want to offer every service to every user with an account. Using the access panel built into the Server Admin application, you can set fine-grained controls over which users and groups can utilize which services.

While these restrictions can be determined on a user-by-user basis, this approach can quickly become hard to manage. The more scalable option is to utilize groups, either from existing directory services or created specifically for this purpose on the local machine.

With your access model planned, open Server Admin as an administrative user and highlight your server name in the left column. Then choose the Access button from the strip along the top right, and you’ll see a list of the services available to regulate.

Server Admin: Service Access Control Lists

Simply uncheck “Use same access for all services”, then choose a service on the left and add users and groups to the list on the right with the plus button. When you’ve configured the services to your satisfaction, hit “Save” to enforce your policy.

The procedure is deceptively straightforward. Login Window can easily be configured to lock all users out of the machine, for instance, so it’s best to have a strategy for each service individually.
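One way to sanity-check a planned access model before hitting “Save”, as an added example that is not part of the original article. The group names, users, the plan itself, and the rule that at least one member of an `admins` group must keep Login Window access are all constructed assumptions; it models each service as an "allow only these users and groups" list.

```python
# Constructed sample data: group names, users and the plan are illustrative only.
GROUPS = {
    "sales": {"amy", "raj"},
    "finance": {"lee"},
    "freelancers": {"kim", "zed"},
    "admins": {"root_admin"},
}

# Planned allow list per service; entries may be group names or individual users.
PLAN = {
    "VPN": ["sales"],
    "Windows File Sharing": ["finance"],
    "FTP": ["freelancers", "amy"],
    "Login Window": ["finance"],  # deliberate mistake: no admin can log in
}

def resolve(entries, groups):
    """Expand a mixed list of group and user names into a set of users."""
    users = set()
    for name in entries:
        users |= groups.get(name, {name})  # unknown names are treated as users
    return users

def audit(plan, groups, admins_group="admins", console="Login Window",
          console_denied=("freelancers",)):
    """Return (effective users per service, list of findings)."""
    effective = {svc: resolve(entries, groups) for svc, entries in plan.items()}
    findings = []
    for svc, users in effective.items():
        if not users:
            findings.append(f"{svc}: allow list resolves to no users")
        direct = [e for e in plan[svc] if e not in groups]
        if direct:
            findings.append(f"{svc}: per-user entries {sorted(direct)} (prefer a group)")
    console_users = effective.get(console, set())
    if console in plan and not (console_users & groups.get(admins_group, set())):
        findings.append(f"{console}: no member of '{admins_group}' can log in")
    for g in console_denied:
        leaked = console_users & groups.get(g, set())
        if leaked:
            findings.append(f"{console}: {g} members {sorted(leaked)} can log in")
    return effective, findings

if __name__ == "__main__":
    for line in audit(PLAN, GROUPS)[1]:
        print("WARN", line)
```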

There’s also one service Server Admin doesn’t control access to at all. Just like individual client machines, the ability to remotely control your server is regulated in the System Preferences under the Sharing pane. Select “Apple Remote Desktop” from the list presented, then click “Access Privileges…” for the full complement of options.

With this approach, you can get some granular control over which services are available to which individuals, improving your security while diminishing your workload.