Many of the functions in file system security are similar in function to NDS security.
Articles and Tips: qna
01 Feb 1999
Q.
Dear Ab-end: I'm just getting into managing NetWare 5 on my network. I understand that NDS security is separate from file system security. However, many of the functions in file system security are similar in function to NDS security. Can you give me some insight into what those differences are and how they can be better managed by a system administrator?
—Insecure on Security
A.
Dear Insecure: Because NDS security and file system security are separate, file system administration of NDS objects can be handled by one network administrator or divided among various network administrators. This enables the option of "container" network administration.
For example, one administrator can be responsible for managing the resources of the network and creating workgroups. A different administrator controls the file system. NetWare 5 and NDS allow this type of administrative separation.
Let's look at the similarities and differences between NDS security and file system security. Then we'll answer your question by showing you how to control access to NDS Objects.
First, both NDS security and file system security have the following concepts in common:
Trustees
Rights
Inheritance
Inheritance Rights Filter (IRF)
Effective rights
As in file system security, a user must be made a trustee of an object and then granted rights in order to access the object or its properties.
The differences between the two security systems are:
NDS security has two distinct sets of rights: object and property.
In all but one case, rights do not flow from NDS into the file system.
In NDS security, both the Supervisor object right and the Supervisor property right can be blocked by an IRF.
So how do you control access to NDS objects? Keep in mind that only those users who regularly manage NDS objects need additional NDS security. But if you need to assign additional NDS rights to users, here are some guidelines to follow:
Start with the default assignments. Defaults are in place to give users access to the resources they need without giving them access to resources they don't need.
Avoid assigning rights through the All Properties option. This protects private information about users and other resources on the network. Although assigning property rights through the All Properties option may seem easier, this option grants many property rights that users do not need.
Use Selected Properties to assign property rights. This allows you to assign more specific rights and helps you avoid security problems.
Use caution when assigning the Write property right to the Object Trustees (ACL) property of any object. Write access to the ACL property can create a breach in NDS security because any user with the Write property right can make anyone a supervisor of that object.
Use caution when granting the Supervisor object right to a server object. This should only be done after careful consideration because this right gives the object Supervisor file system rights to all volumes linked to that server.
Remember that granting the Supervisor object right implies granting the Supervisor right to all properties. For some container administrators, you might want to grant all object rights except the Supervisor right, and then grant property rights through the Selected Properties option.
Use caution when filtering Supervisor rights with an IRF. If the network administrator, who holds Supervisor rights to the container administrator's user object, deletes that user object, that branch of the NDS tree can no longer be managed.
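As an added illustration (not from the column or from Novell), here is a simplified Python model of NDS object rights that shows the behaviour behind these cautions: an explicit trustee assignment replaces inherited rights, inherited rights flow down through the IRF, the IRF can strip Supervisor, and an audit flags Write on the ACL property, Supervisor on a server object, and a branch left with no effective Supervisor. The tree, object names and trustee names are constructed, and the model is not Novell's implementation.

```python
from dataclasses import dataclass, field
OBJECT_RIGHTS = frozenset("SBCDR")  # Supervisor, Browse, Create, Delete, Rename

@dataclass
class NdsObject:
    """One NDS object in a simplified model (not Novell's implementation)."""
    name: str
    parent: "NdsObject | None" = None
    kind: str = "container"                        # "container", "user" or "server"
    trustees: dict = field(default_factory=dict)   # trustee -> explicit object rights
    acl_write: set = field(default_factory=set)    # trustees with Write on the ACL property
    irf: frozenset = OBJECT_RIGHTS                 # rights allowed to flow down from the parent

def effective_object_rights(obj, trustee):
    """An explicit assignment at obj replaces inherited rights; otherwise the parent's
    effective rights flow down through obj's IRF, which in NDS may also strip Supervisor."""
    if trustee in obj.trustees:
        return frozenset(obj.trustees[trustee])
    if obj.parent is None:
        return frozenset()
    return effective_object_rights(obj.parent, trustee) & obj.irf

def audit(tree, trustees):
    """Flag the three cautions from the column: Write on the ACL property,
    Supervisor on a server object, and a branch that nobody can manage."""
    findings = []
    for obj in tree:
        for t in obj.acl_write:
            findings.append(f"{t} has Write on ACL of {obj.name}: can grant Supervisor")
        if obj.kind == "server":
            for t in trustees:
                if "S" in effective_object_rights(obj, t):
                    findings.append(f"{t} is Supervisor of server {obj.name}: file system Supervisor on its volumes")
        if not any("S" in effective_object_rights(obj, t) for t in trustees):
            findings.append(f"{obj.name} has no effective Supervisor: branch cannot be managed")
    return findings

def build_sample(container_admin_deleted=False):
    """Constructed tree: Admin is Supervisor at O=Acme; OU=Sales filters Supervisor
    with its IRF and gives SalesAdmin an explicit Supervisor assignment."""
    org = NdsObject("O=Acme", trustees={"Admin": set("SBCDR")})
    sales = NdsObject("OU=Sales.O=Acme", parent=org, irf=frozenset("BCDR"))
    trustees = {"Admin"}
    if not container_admin_deleted:  # True models the deleted container administrator
        sales.trustees["SalesAdmin"] = set("S")
        trustees.add("SalesAdmin")
    server = NdsObject("CN=FS1.OU=Sales.O=Acme", parent=sales, kind="server")
    user = NdsObject("CN=jdoe.OU=Sales.O=Acme", parent=sales, kind="user", acl_write={"jdoe"})
    return [org, sales, server, user], trustees
```

Running `audit(*build_sample(container_admin_deleted=True))` shows the IRF caution: once the only explicit Supervisor below the filter is gone, no trustee has effective Supervisor over the Sales branch.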
* Originally published in Novell AppNotes
Disclaimer
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.