How NAL Assigns File Rights
01 Jan 2002
With NAL 2.5 and NAL 3.0 (shipped with the releases from ZENworks 1.0 to ZENworks 2), an application object can be assigned file rights. This is implemented in an NWADMN32 snap-in and is configurable on the "File Rights" tab on an Application object.
These file rights are actually assigned directly to the NDS entities (users, user groups, containers, workstations, workstation groups) that are associated with the application object. The file rights of these NDS entities will be changed when one of the following three events occurs:
When file rights are granted to or removed from an Application object. All entities listed in the Association tab will be granted/revoked the file rights trustee assignment that was specified at the moment the administrator clicks the "OK" button.
When a new entity is associated with an application object that already has file assignments in the "File Rights" tab. The new entity will be granted the file rights when the administrator clicks "OK" to save the changes to either the NDS entity or the application object.
When the application object is deleted. All file rights listed in the "File Rights" tab will be revoked from the NDS entities that were associated to the Application Object.
Once file rights have been granted to the user (or other NDS entity), the files/directories can be accessed through any means. These include the following access methods:
Launching a DOS prompt and mapping a drive to the file system location.
Launching any variant of Windows Explorer (Network Neighborhood, My Computer, Windows Explorer, EXPLORER.EXE, and so on) and browsing either to the server and its volume or to an existing drive mapping to the file system location.
Any other file system utility that can handle either drive letters or file system providers.
Administrators should take great care not to grant users file system rights to applications or data beyond the minimum rights required to run and properly use the application.
Special care should be taken when giving the Erase, Access Control, or Supervisor rights, since users can then delete files/directories (Access Control will allow adept users to grant themselves additional rights, including the Erase right).
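The following audit sketch is an added example, not Novell code and not part of the original tip. It models the behaviour described above: every entity associated with an application object receives each "File Rights" entry as a direct trustee assignment, and assignments containing Erase, Access Control, or Supervisor are reported. The dictionary layout and all object, server, and path names are constructed assumptions (this is not an NWADMN32 or NDS export format); the rights letters are the standard NetWare ones (S, R, W, C, E, M, F, A).

```python
# Added example: a model of the behaviour described above, not Novell code.
# The dictionary layout and all object names are constructed for illustration.

RISKY = {"S": "Supervisor", "A": "Access Control", "E": "Erase"}

APPS = [  # constructed sample data
    {"name": ".WordProc.Apps.ACME",
     "file_rights": [("SRV1/SYS:APPS/WORDPROC", "RF"),
                     ("SRV1/DATA:TEMPLATES", "RWCEMF")],
     "associations": [".Staff.ACME", ".jsmith.Staff.ACME"]},
    {"name": ".Ledger.Apps.ACME",
     "file_rights": [("SRV1/DATA:LEDGER", "RWCFA")],
     "associations": [".Finance.ACME"]},
    {"name": ".Viewer.Apps.ACME",
     "file_rights": [("SRV1/SYS:APPS/VIEWER", "RF")],
     "associations": [".Staff.ACME"]},
]


def expand_trustees(apps):
    """List every (app, entity, path, rights) trustee assignment.

    Each associated entity receives each "File Rights" entry directly.
    """
    rows = []
    for app in apps:
        for entity in app["associations"]:
            for path, rights in app["file_rights"]:
                rows.append((app["name"], entity, path, set(rights.upper())))
    return rows


def flag_risky(rows):
    """Keep only assignments that include Erase, Access Control or Supervisor."""
    findings = []
    for app, entity, path, rights in rows:
        hits = sorted(RISKY[r] for r in rights if r in RISKY)
        if hits:
            findings.append((app, entity, path, hits))
    return findings


if __name__ == "__main__":
    for app, entity, path, hits in flag_risky(expand_trustees(APPS)):
        print(f"{entity}: {', '.join(hits)} on {path} (via {app})")
```

Each finding names the application object that caused the assignment, so the administrator can correct the "File Rights" tab on that object rather than editing the trustee assignment on the entity.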
Novell Client Engineering has investigated the possibility of assigning file rights to Application objects in such a way that they are only granted at the time of the application launch from the NAL NDS object. They have also investigated methods so that these file rights are only valid for the NAL application's session ID.
After significant research and consideration, it has been determined that the introduction of these features in the current Novell Clients will not only be time-intensive, but due to our dependence on non-Novell architectures and methods, will also most likely introduce significant file access instability into the Novell Clients. Novell Client Engineering will consider this functionality for the next generation of the client if they can provide this without sacrificing stability.
* Originally published in Novell AppNotes