Administering Rights in ConsoleOne: Part 1
Articles and Tips: article
Research Engineer
Novell AppNotes
jfischer@novell.com
01 Nov 2002
Previously, we discussed features of the ConsoleOne utility and how to perform basic network administration tasks using the utility. We'll continue the discussion this month by learning about rights and how to grant rights to objects in ConsoleOne.
Rights are the privileges granted to an object on the network. For example, anytime a user accesses a file stored on a server, that user must have the necessary rights to access the file. Rights, then, control access to all resources on the network.
Granting Rights
When you assign rights, you always link them with a specific user, group, or other Novell eDirectory object that is the trustee (possessor) of the rights. You can grant rights to two classifications of objects:
File System Objects. Examples of file system objects are the files and folders that users need access to every day to perform their jobs.
eDirectory Objects. These are objects specific to Novell eDirectory. Examples of these objects are users, groups, and containers.
Each time a user accesses any resource on the network, eDirectory calculates the user's effective rights assignment and verifies that the user has appropriate rights to access the resource. Users are given access only if they have the necessary rights. If they do not have the necessary rights, the user's request for the resource is rejected by eDirectory and the user receives an error message.
This table outlines the file system rights that can be granted to trustees and an explanation for each.
|
Right
|
Description
|
|
Supervisor |
Grants the trustee all rights to the file or folder (directory). |
|
Read |
Grants the trustee the ability to open and read the file or folder contents. This includes the ability to execute program files. |
|
Write |
Grants the trustee the ability to open and write to or modify the file or folder. |
|
Create |
Grants the trustee the ability to create new items and salvage deleted items in the folder. |
|
Inheritable |
Makes the rights to the selected property flow to all objects below. |
|
Erase |
Grants the trustee the ability to delete the file or folder. |
|
Modify |
Grants the trustee the ability to change the name and attributes of the file or folder. |
|
File Scan |
Grants the trustee the ability to see the file or folder, including its path back to the root of the volume. |
|
Access Control |
Grants the trustee the ability to change the trustee assignments and inherited rights filter of the file or folder. |
Assigning Rights Explicitly
The effective rights a trustee has on an object are calculated from several types of rights assignments. First, the user can receive an explicit trustee assignment to a resource, which gives the user additional access to a network resource. Let's look at two ways of how to accomplish this using ConsoleOne. (We'll discuss other methods next month.)
Controlling Access to the NetWare File System by Resource
If you want to use ConsoleOne to grant users access to resources of the NetWare file system, such as files and applications, as well as volume/directory access, perform the following steps:
Right-click the resource (such as a file or folder) to which you wish to control access, then click Properties.
Note: Select a volume or folder to control access to all the resources below it.
Assigning trustee rights
On the Trustees page (Figure 1), edit the list of trustees and their rights assignments as needed. For example, if you want the trustee to be able to see and open any files in a directory, assign the trustee Read and File Scan rights only. The trustee will be able to view and open the files but will not be able to modify files or create new files in the folder.
To add an object as a trustee, click Add Trustee, select the object, then click OK. Under Access Rights, assign the trustee's rights. This would be necessary when you have a user that needs access to a specific folder that did not previously have access to that directory.
To modify a trustee's rights assignment, select the trustee, then under Access Rights, modify the rights assignment as needed. For example, if a user only has the File Scan and Read rights to an object, the user will not be able to modify the file. This may not be very practical.
Depending on the application, assign the Write right to the file so the user can make modifications to the file. And depending how the application modifies its files, you may need to assign Create, Erase, and Modify rights as well.
To remove a user object as a trustee to a resource, select the object, and click Delete Trustee. Then answer Yes to the deletion question.
Note: The deleted trustee will no longer have explicit rights to that file or folder, but they still may have effective rights through inheritance or security equivalence (we'll discuss this in next month's column).
When you are finished, click OK.
Controlling Access to the NetWare File System by Trustee
To use ConsoleOne to grant access to files and applications or volume/directory access through the user (or trustee), perform the following steps:
Right-click on a trustee (the object that possesses, or will possess, the rights to access a network resource, such as a user or group object), then select Properties.
On the Rights to Files and Folders page, click the Show tab and select the NetWare volume containing the file/directory/applications to which you wish to control access (Figure 2). Click OK.
Selecting the volume for access control
Edit the rights assignments as needed. Use the rights description table below to assign the necessary rights.
To add a rights assignment to the trustee on the highlighted volume, click the Add button and double-click the volume/folders until you reach the file or folder to which you wish to control access. Click OK. Then under Rights, assign the trustee's rights. In the example above, we started by giving the user the Read, File Scan, and Write rights, but the user will still not be able to save any new files in the current folder. Assign the Create right to the folder so that the user can add files to the folder.
To modify a rights assignment, select the file or folder to which you wish to control access, and under the Rights tab, modify the trustee's rights as needed.
To remove a rights assignment to the selected trustee, select the file or folder to which you wish to control access and click on the Delete button. Then answer Yes.
Note: The trustee will no longer have explicit rights to the file or folder but they might still have effective rights through inheritance or security equivalence.
Repeat Steps 2 and 3 as needed to edit the trustee's rights assignments on other NetWare volumes. When you are finished with this trustee, click OK.
Controlling Access to Novell eDirectory by Resource
The concepts for administering eDirectory resources and file system resources are basically the same. However the rights a trustee can possess are different to reflect an eDirectory object instead of a file system object. The following table lists the eDirectory rights trustees can possess.
|
Right
|
Description
|
|
Supervisor |
Grants all access privileges. |
|
Browse |
Enables an object trustee to see the object in the eDirectory tree. |
|
Create |
Enables an object trustee to create objects below this object in the eDirectory tree. |
|
Delete |
Enables an object trustee to delete the object from the tree. |
|
Rename |
Enables an object trustee to change the name of the object. |
|
Inheritable |
Enables an object trustee to inherit the assigned object rights to other objects within the eDirectory container. (We'll discuss Inheritance in further detail next month). |
If you want to use ConsoleOne to grant access to an eDirectory resource, such as a container or a user group object, perform the following steps:
Right-click the eDirectory resource (object) to which you want to control access and click the Trustees of This Object (Figure 3). Edit the list of trustees and their rights assignments as needed.
Assigning trustees to an eDirectory object
Note: Choose a container to control access to all the objects below it.
By assigning a trustee the Browse right, the trustee will be able to see the object while browsing the tree. By removing the Browse right, the object will not be visible in the eDirectory tree to non-trustees. We'll discuss how to do this in next month's article.
To modify a trustee's rights assignment, select the trustee and click the Assigned Rights tab, then modify the rights assignment as needed. Once you are finished, click OK.
To add an object as a trustee to the selected eDirectory resource, click the Add Trustee button. Then select the object, click OK and assign the trustee's rights as needed. For example, if you assign the Rename right to a trustee, the trustee will have the right to rename the object in the tree. Once you are finished, click OK.
Note: When creating or modifying a rights assignment (in the Rights Assigned To dialog box), you can grant or deny access to the object as a whole, to all the properties of the object, and to individual properties.
To remove an object as a trustee, select the object and click the Delete Trustee button, then select Yes.
Note: The deleted trustee will no longer have explicit rights to the object or its properties, but the trustee might still have effective rights through another security method such as inheritance or security equivalence.
When you are finished, click OK.
Controlling Access to Novell eDirectory by Trustee
To use ConsoleOne to grant access to an eDirectory resource, such as a container or a user group through the user (or trustee), perform the following steps:
Right-click the trustee (the object that possesses, or will possess, the rights to access a network resource, such as a user or group object) and select the Rights to Other Objects tab.
Selecting the object and context for a trustee search on the selected object
In the search dialog box (Figure 4), specify the part of the eDirectory tree to be searched for eDirectory objects to which the trustee may currently already have rights assignments. Click OK in the search dialog box.
The Search dialog box with its findings
A dialog box appears showing the progress of the search (Figure 5). When the search is done, the Rights to Other Objects page appears with the results of the search (Figure 6). Then you can edit the trustee's eDirectory rights assignments as needed.
The Rights to Other Objects page appears with the results of the search
To add a rights assignment, click the Add Object tab and select the object to which you wish to control access. Click OK and assign the trustee's rights as needed. Then click OK.
To modify a rights assignment, select the object to which you wish to control access and click the Assigned Rights tab. Modify the trustee's rights assignment as needed and click OK. For example, assign the Delete right to the trustee and the trustee will be able to delete the object from the tree.
When creating or modifying a rights assignment (in the Rights Assigned To dialog box), you can grant or deny access to the object as a whole, to all the properties of the object, and to individual properties. Click Help in the dialog box for details.
To remove a rights assignment, select the object to which you wish control access and click the Delete Object button, then click Yes.
Note: The trustee will no longer have explicit rights to the object or its properties, but the trustee may still have effective rights through another security method, such as inheritance or security equivalence.
Once you are finished with the assigned task, click OK.
Conclusion
In this column, we talked about eDirectory and file system rights. You also learned how to administer these rights using ConsoleOne.
In next month's column, we will continue our discussion of rights by talking about Inheritance, Inheritance Rights Filters, Security Equivalence, and Effective Rights.
* Originally published in Novell AppNotes
Disclaimer
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.