eDirectory Rights Assignment Recommendations
Articles and Tips: article
01 Jan 2003
Last month we discussed eDirectory rights and methods to grant and block rights within the eDirectory tree. This month, we'll talk about some recommendations to properly and more easily manage rights assignments.
Network administrators must be sure that users have the necessary rights to perform their jobs. It is also the responsibility of the network administrator to verify that users do not have excessive rights to the network. Network administrators should be proactive in managing rights to network resources and plan ahead for the network resources that will be added later.
Network rights should be planned so that when each user, printer, server, or other network resource is added to the tree, the addition involves minimal overhead in adjusting the network and existing security policies to provide access to the new resource.
Common Pitfalls of Rights Assignments
Having control of the network is critical to the network's efficiency and ease of administration. A network administrator must be aware of the capabilities of the network software, as well as common pitfalls that can lead to problems.
Common problems on the network occur when users have been granted too many rights. The following list outlines some of the common pitfalls of rights assignments.
All Properties versus Selected Properties.
You should use caution when you assign rights to the All Properties option for eDirectory property rights. If you need to assign more than just Read and Compare rights to eDirectory properties, you should consider using the Selected Properties option and granting the rights you need to specific properties.
Rights granted by the Selected Properties option overwrite any rights granted through the All Properties option. This allows flexibility when planning rights assignments. You can grant Read rights to all properties and get more specific by selecting properties and granting the rights necessary for specific tasks. You'll see a few examples of this in the rest of the article.
Object Trustees or Access Control List (ACL).
The Object Trustees or Access Control List (ACL) property can pose a potential security hole on the network. If the Write right is granted to the ACL property through All Properties or Selected Properties, users essentially have the right to assign themselves as trustees of any object on the network, and even to grant themselves Supervisor privileges.
Add/Remove Self Property Right.
The Add/Remove Self property right can also pose a threat if it is not managed correctly. You should not make an assignment through All Properties with the Add/Remove Self property right. This gives users the right to make themselves a member of a group that potentially has more rights than their user object. More specifically, you should not grant the user the Add/Remove Self right to their Group Membership property.
Security Equivalence Assignments.
Security Equivalence assignments should be temporary assignments only. Security Equivalence is an easy way to temporarily assign an object the rights it needs to perform a specific task. But you should never rely on a security equivalence assignment to grant the object permanent rights. For example, if the object to which the user is equivalent is deleted from the tree, the user loses his or her rights.
The Admin Object.
Do not use the Admin object. For tight security, you should rename the Admin object or grant another user Supervisor rights to [Root] and deactivate the Admin user object.
Supervisor Object Right to a Server Object.
Be careful when you assign the Supervisor object right to a Server object. The Supervisor right is the only right that flows down to the file system, so if this right is granted, the user will also have Supervisor rights to the file system.
Inherited Rights Filters.
Inherited Rights Filters (IRFs) require careful planning in order to implement them properly. For example, suppose that only one user has Supervisor rights to administer a container and other rights are being filtered by an IRF. If the user object is deleted, you may lose the ability to administer that section of the tree.
This scenario could occur if the user who administers a container leaves the company and their User object is deleted. If an IRF is in place so that no one else has rights to that container, then that container will no longer be administrable.
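An added example (not from the original article) that checks eDirectory ACL values for the pitfalls described above: Write to the ACL property, Add/Remove Self through All Properties or on Group Membership, and Supervisor on a Server object. It assumes eDirectory's LDAP representation of the ACL attribute ("privileges#scope#trusteeDN#protectedAttribute"), the privilege bit values noted in the comments, and the LDAP names groupMembership and ncpServer; verify these against your eDirectory documentation. The sample ACL values are constructed.

```python
# Audit eDirectory ACL values for the rights-assignment pitfalls discussed in the article.
# Assumption: values follow eDirectory's LDAP ACL syntax "privileges#scope#trusteeDN#protectedAttr".
# Assumed attribute-right bits: Compare=1, Read=2, Write=4, Add/Remove Self=8, Supervisor=32.
# Assumed entry-right bits: Browse=1, Add=2, Delete=4, Rename=8, Supervisor=16.
from typing import List, Tuple

ATTR_WRITE, ATTR_SELF, ATTR_SUPER = 4, 8, 32
ENTRY_SUPER = 16


def parse_acl(value: str) -> Tuple[int, str, str, str]:
    """Split one ACL value into (privileges, scope, trustee DN, protected attribute name)."""
    privs, scope, trustee, attr = value.split("#", 3)
    return int(privs), scope, trustee, attr


def audit_acl(object_dn: str, acl_values: List[str], object_class: str = "") -> List[str]:
    """Return one finding per ACL value that matches a pitfall from the article."""
    findings = []
    for value in acl_values:
        privs, scope, trustee, attr = parse_acl(value)
        if attr == "[Entry Rights]":
            # Supervisor object right on a Server object flows down into the file system.
            if privs & ENTRY_SUPER and object_class.lower() == "ncpserver":
                findings.append(f"{trustee}: Supervisor on server {object_dn} (flows to file system)")
            continue
        # Write (or Supervisor, which implies Write) to the ACL property, directly or via All Properties.
        if attr in ("ACL", "[All Attributes Rights]") and privs & (ATTR_WRITE | ATTR_SUPER):
            findings.append(f"{trustee}: Write to ACL on {object_dn} via {attr} (can self-assign trustee rights)")
        # Add/Remove Self through All Properties or on Group Membership lets the user join any group.
        if attr in ("groupMembership", "[All Attributes Rights]") and privs & ATTR_SELF:
            findings.append(f"{trustee}: Add/Remove Self on {attr} of {object_dn} (can join groups)")
    return findings


# Constructed sample: the ACL attribute of ou=dev,o=acme as an LDAP search might return it.
SAMPLE_DN = "ou=dev,o=acme"
SAMPLE_ACL = [
    "2#subtree#cn=dev_users,ou=dev,o=acme#[All Attributes Rights]",  # Read to all properties: fine
    "4#subtree#cn=jsmith,ou=dev,o=acme#ACL",                          # Write to ACL: pitfall
    "8#entry#cn=jsmith,ou=dev,o=acme#[All Attributes Rights]",        # Add/Remove Self via All Properties: pitfall
    "1#subtree#[Public]#[Entry Rights]",                              # Browse entry right: fine
]

if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_DN, SAMPLE_ACL, "organizationalUnit"):
        print(finding)
```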
Leveraging eDirectory and Managing Network Rights
As the size of a network grows, the overhead of rights administration becomes increasingly difficult and requires more planning. No administrator wants to make trustee assignments and administer rights assignments for each network user.
Although certain individual rights assignments are inevitable and necessary, as each user has specific requirements for their job, many rights assignments can be generalized for several users. This is a preferred method of managing rights because it simplifies the overhead involved in managing network rights. Here are some recommendations to help you leverage eDirectory and manage network rights.
Group objects are one of the most effective ways to manage rights within the eDirectory tree. As an administrator, you can create Group objects in several locations in the tree, and assign properties and rights that may pertain to several users within the network. Then, each user that needs this assignment can be made a member of the group and they will receive the rights you have assigned to the group without having to assign the rights to each User object individually.
Rights granted to a group for a network resource are added to other rights that a user may have received from trustee assignments or other memberships. Once the Group object has been created in the tree, the only task you have to perform is to make users a member of the group.
Follow these steps to add users to a Group object in ConsoleOne.
Right-click on a Container object and select New > Group. Type in a new name for the group, such as "dev_users", and then check Define Additional Properties as shown in Figure 1.
Click OK.
Click the Members tab.
Click the Add button to add a user as a member of the group.
Select the user you want to add, as shown in Figure 2.
Click OK.
Click Apply. The user has been made a member of the group and will receive any rights assigned to the group (see Figure 3).
Figure 1: Creating a Group object through the ConsoleOne utility
Figure 2: Adding a user to a Group through the Members tab
Figure 3: Making a user a member of a group gives the user any rights assigned to the group
Use a container to provide basic rights assignments to everyone in the container. Because rights flow down through branches of the tree, you can assign rights to a Container object and its members will inherit all of the rights that you assigned to the container.
For example, if you want the users of a container to have rights to a printer or other resources, you could assign the container as a trustee of the printer with the necessary rights. Another common example would be to assign a container as a trustee of a public folder on a server so that the users of a department can store and share files. To do this through the ConsoleOne utility, follow these steps:
Right-click the Container object and select Properties.
Click the Rights to Files and Folders tab.
Click Add to add an assignment.
Browse to and select a resource, such as the Common folder on a network volume.
Click OK.
Assign the rights you desire each user of the container to have. In Figure 4, I have assigned the container as a trustee with the Read, Write, Create, Erase, and File Scan rights so that the users will be able to see, read, write to, create, and delete files from the Common folder.
Figure 4: Granting all users in a container rights to the Common folder
Plan rights assignments from the top level of the tree. Begin by assigning the minimum rights at the highest level in the tree and then adding more rights to network resources as it becomes necessary.
By default, users receive only minimum rights to other objects. This should be sufficient for most occasions. As more resources become available on the network and users' needs for specialized resources increase (such as team folders, specific printers, and other resources), you as the administrator will be required to manage these resources.
You can use inheritance to provide minimum rights to many people in the tree without having to grant trustee assignments to specific users. Inherited Rights Filters can be applied to block inheritance at certain locations in the tree.
This column has presented some general recommendations to help you more easily assign rights to users on the network so that they will have sufficient rights to perform their jobs. Next month we'll discuss more about specific rights assignments to help administer your Directory tree, and we'll talk about role-based administration in more detail.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.