Basics of NDS Rights and File System Rights
(Last modified: 13Feb2003)
This document (10059007) is provided subject to the disclaimer at the end of this document.
goal
Basics of NDS Rights and File System Rights
fact
Novell NetWare 4.11
NetWare 5.x
Novell Directory Services
fix
Types of Rights
NDS rights
These rights specify who can access the information stored in the NDS database. To find out what an object's NDS rights are, right-click it in NWAdmin, select "Trustees of this object," highlight the trustee, and click "Effective rights."
Object rights: These are granted to an object so that it can access another object; they flow down the tree. NDS objects can receive the following object rights:
Supervisor: grants full privileges to the object and has complete access to all the object's properties.
Browse: Allows an object to see another object in the tree.
Create: Grants the right to create an object below this object in the tree.
Delete: Grants the right to erase (delete) an object from the tree.
Rename: Allows an object to rename another object.
Property rights: Property (or attribute) rights affect how another object can access information about an object. Access can be granted to certain properties (attributes) or to all properties of a particular object. NDS allows the following property rights to be granted to an object:
Supervisor: grants all other rights at the property level of an object.
Compare: Allows an object to test whether a property holds a given value; the answer is only true or false, never the value itself. Compare is a subset of the Read right: if you have the Read right, you automatically have the Compare right at the property level.
Read: Allows an object to read the value of a property. The Compare right is implied in the Read right.
Write: Allows an object to modify, add, change, or delete a property value.
Add or delete Self: Allows objects to add or remove themselves as a value of a property. This right is included in the Write right. This right is used only for properties where your user can be listed as a value, such as group memberships or mailing lists.
File System Rights: These rights specify who can access files stored on the server. To view these rights, right click the file, directory or volume, select "Details" (or "Details of [root] directory" if it is the volume object), then "trustees of the root directory" or "trustees of this directory."
Supervisor: Grants all rights to the directory, its files, and subdirectories. The Supervisor file right can't be blocked with an IRF (Inherited Rights Filter). Users with this right can grant other users rights to the directory, its files, and subdirectories. Users who have this right can also grant other users any rights to the file and can change the file's IRF.
Read: Grants the right to open files in the directory and read the contents or run the program.
Write: Grants the right to open and write to an existing file.
Create: Grants the right to create a file and to salvage a file after it has been deleted.
Erase: Grants the right to erase (delete) the file.
Modify: Grants the right to change the attributes and name of the file, but does not grant the right to change its contents.
File Scan: Grants the right to see the file with the DIR or NDIR directory command, including the directory structure from that file to the root directory.
Access Control property: Contains the Access Control List (ACL), or the list of objects that have rights to this object. If an object has the Write or Supervisor right to this property, the object can give itself any right to the other object. This list includes the following information about the objects that have rights to this object:
* Which object has rights
* When the object was created
* What rights the object has
A. Inherited Rights Filters are also stored in the ACL.
B. File system trustee assignments (which DS objects are trustees of a directory or file, and with what rights) are stored in the DETs (Directory Entry Tables) of each volume.
C. The DETs contain server-specific object ID information, so you cannot copy one volume's DET to another volume. Client utilities such as NWAdmin, Filer and NCOPY do not copy the DET trustee information when a subdirectory is moved to another volume; the DET is static in terms of trustee assignments for a given directory.
Note: If an SMS-compliant backup product backs up the file system, the trustee assignments can be restored to a different volume's DET.
D. Any time you must reinstall DS or restore Directory Services, the DETs become invalid. To recover, restore from an SMS-compliant tape backup. Tape backups store each trustee's fully distinguished name; on restore, the server resolves that name and populates the DET with the correct new object ID.
Listed below are some common tasks and the rights required to perform them:
Task                                   Required rights
Read from a closed file                Read
See a file name                        File Scan
Search a directory                     File Scan
Write to a closed file                 Write, Create, Erase
Create and write to a file             Create
Copy files into a directory            Create
Remove an empty directory              Erase
Delete a file                          Erase
Change directory or file attributes    Modify
Rename a file                          Modify
Change the Inherited Rights Mask       Access Control
Change trustee assignments             Access Control
Modify a directory's disk space        Access Control
Install a server into the tree         Supervisor object right to the topmost container in the partition where the server will reside
Trustees
A trustee assignment is a direct, explicit assignment of rights to a particular object. An object that's been granted rights to manage another object is said to be a trustee of that object. To view trustee assignments, right click on the object and select "Trustees of this object." To view trustee assignments for a file or directory, right click it and select "Details," then "Trustees of this file."
Implicit Inheritance (Inherited Rights):
· Rights flow downward from parent to child.
· Only rights assigned through the Object and All Properties options are inherited.
· Rights assigned through the Selected Properties option are not inherited.
Explicit rights do not flow down through the tree; they affect only the object or container on which they are assigned.
Note: Rights granted through the Selected Properties option override rights granted through the All Properties option for that property.
Effective Rights: The rights a user can actually exercise in a given directory, subdirectory, file, or object. A user's trustee assignments determine effective rights: if trustee rights have been assigned at that level, they become the effective rights; if none have been assigned there, the rights inherited from above (as filtered by the IRF) and those the user holds through groups, containers and security equivalences determine the effective rights.
Public
[Public] is a special trustee in NDS. It refers to all objects in the tree, as well as any workstation that is attached, but not yet authenticated. For this reason, granting additional rights to [public] should be avoided. The Browse right given to [Public] allows unauthenticated users to browse the tree to find their user object.
Inherited Rights Filter (IRF)
By setting an IRF, any right that is unchecked in the filter is blocked: that right no longer flows down from higher levels in the tree. The rights a trustee holds at a lower level can be changed in two ways:
· Assign a new trustee assignment at the lower level
· Implement an IRF
Note the difference between the two databases:
· In the file system, the Supervisor right cannot be blocked by an IRF
· In the Directory Services database, the Supervisor right can be blocked by an IRF
Rights can be obtained by the following:
· Explicit Rights assignments
· Groups & Organizations
· Security Equivalences
· Containers where the user exists
· Public Trustees
· [root]
· Inherited rights from those listed above
Default Rights
[Root]
· Admin has all rights
· Public has browse right
Any Container
· Container has browse right for itself
Server Object
· The server object has all rights to itself except Create
· Public has browse right
Volume Objects
· [Root] has browse right
Troubleshooting common rights issues:
· Admin not having enough rights - os2nt or aclutil
· Users having all rights
Check the following:
· Is the user security equivalent to ADMIN?
· Is the user a trustee, or a member of a group that is a trustee, of the Server object with the Supervisor object right or the Write property right?
· Is the user a trustee, or a member of a group that is a trustee, of an Organization or Organizational Unit above the Server object with the Supervisor object right or the Write property right to that object?
· Is the user a trustee, or a member of a group that is a trustee, of [Root] with Supervisor rights that flow down to the Server object?
· Is the user below an Organization or Organizational Unit that is a trustee with Supervisor rights to an Organization or Organizational Unit above the Server object?
· Is the user below an Organization or Organizational Unit that is a trustee with Supervisor rights to [Root]?
· Is [Root] a trustee with Supervisor rights to an Organization or Organizational Unit above the Server object?
· Has [Public] been added as a trustee of the Organization, the Organizational Unit, the Server object, or the Volume objects?
Common cause of such issues:
Someone has unknowingly given users rights to the file system through the NDS tree. This happens when either the Supervisor object right or the Write property right to the Server object has been granted to the user: a trustee holding either of those rights on a Server object receives the Supervisor right to the file system of every volume on that server.
A user can get these rights one of two ways:
· A specific rights assignment to the server object.
· A specific rights assignment or association to an object in the tree and these rights flow down to the server object.
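The inheritance, IRF and effective-rights rules above (from "Trustees" through "Rights can be obtained by the following") and the troubleshooting checklist are tedious to work through by hand when containers, groups and [Public] are all in play. The Python model below is an added example written for this document; it is not Novell code and is not part of the original TID. It encodes the rules as the TID states them: rights flow down from parent to child, an explicit trustee assignment at a level replaces what that trustee inherited, an IRF filters only inherited rights, Supervisor cannot be filtered in the file system but can be in NDS, and a user's effective rights are the union of what it holds itself, through every container above it up to [Root], through its groups, and through [Public]. The tree (o=novell, ou=eng, ou=sales, users admin, woodruf, jones and smith, groups devs and ops, server fs1, volume SYS:) is constructed sample data. Rights are abbreviated S B C D R for object rights, pS pC pR pW pA for all-properties rights, and S R W C E M F A for file system rights. The file_system_controllers function is the check from "Common cause of issues": it reports every user who ends up with the Supervisor object right or the Write property right on the Server object. Selected-property rights and security equivalence to objects other than groups are left out of the model.

```python
"""Model of how NetWare 4.x/5.x computes effective rights (NDS and file
system). Added example for this TID, not Novell code; the tree, users,
groups, server and volume below are constructed sample data."""
NDS_RIGHTS = {"S", "B", "C", "D", "R", "pS", "pC", "pR", "pW", "pA"}  # object + all-property
FS_RIGHTS = {"S", "R", "W", "C", "E", "M", "F", "A"}
# Implied rights: S = everything (None), pS = all property rights, pW includes pA, pR includes pC.
IMPLIES = {"S": None, "pS": {"pS", "pC", "pR", "pW", "pA"}, "pW": {"pW", "pA"}, "pR": {"pR", "pC"}}

class Tree:
    """nodes[name] = (parent, explicit trustee rights, irf). irf is the set of
    rights the filter passes (None = unset). The file system never blocks S."""
    def __init__(self, all_rights, supervisor_blockable):
        self.all_rights = set(all_rights)
        self.supervisor_blockable = supervisor_blockable
        self.nodes = {}

    def add(self, name, parent=None, trustees=None, irf=None):
        self.nodes[name] = (parent, dict(trustees or {}), irf)

    def path(self, name):  # names from the root down to name
        chain = []
        while name is not None:
            chain.append(name)
            name = self.nodes[name][0]
        return chain[::-1]

    def expand(self, rights):  # add the rights implied by those held
        out = set(rights)
        for r in rights:
            implied = IMPLIES.get(r, set())
            out |= self.all_rights if implied is None else implied
        return out & self.all_rights

    def rights_of_identity(self, ident, target):
        """Walk root -> target: inherited rights pass through each IRF, and an
        explicit assignment at a level replaces what that trustee inherited."""
        current = set()
        for name in self.path(target):
            _parent, trustees, irf = self.nodes[name]
            if irf is not None:
                current &= irf if self.supervisor_blockable else irf | {"S"}
            if ident in trustees:
                current = set(trustees[ident])
        return current

def identities_of(nds, user, groups=()):
    """Security equivalences: the user itself, every container above it up to
    [Root], its groups, and [Public]."""
    return set(nds.path(user)) | set(groups) | {"[Public]"}

def effective_rights(tree, identities, target):
    """Union of what each identity holds at target, plus implied rights."""
    raw = set()
    for ident in identities:
        raw |= tree.rights_of_identity(ident, target)
    return tree.expand(raw)

def file_system_controllers(nds, server, users):
    """Troubleshooting check: Supervisor object right or Write all-properties
    right on a Server object gives control of every volume on that server."""
    hits = {}
    for user, groups in users.items():
        eff = effective_rights(nds, identities_of(nds, user, groups), server)
        if eff & {"S", "pW"}:
            hits[user] = sorted(eff & {"S", "pW"})
    return hits

# Constructed NDS tree. Making ou=eng a trustee of o=novell with Supervisor is
# the mistake the TID describes: every user in ou=eng inherits it.
NDS = Tree(NDS_RIGHTS, supervisor_blockable=True)
NDS.add("[Root]", trustees={"cn=admin.o=novell": {"S"}, "[Public]": {"B"}})
NDS.add("o=novell", "[Root]", trustees={"ou=eng.o=novell": {"S"}})
NDS.add("ou=eng.o=novell", "o=novell")
NDS.add("ou=sales.o=novell", "o=novell", irf={"B", "C", "D", "R"})  # IRF blocks S
NDS.add("cn=admin.o=novell", "o=novell")
NDS.add("cn=woodruf.ou=eng.o=novell", "ou=eng.o=novell")
NDS.add("cn=jones.ou=sales.o=novell", "ou=sales.o=novell")
NDS.add("cn=smith.ou=sales.o=novell", "ou=sales.o=novell")
SERVER = "cn=fs1.ou=eng.o=novell"
NDS.add(SERVER, "ou=eng.o=novell", trustees={"cn=ops.ou=eng.o=novell": {"pW"}, "[Public]": {"B"}})
USERS = {"cn=admin.o=novell": [], "cn=woodruf.ou=eng.o=novell": ["cn=devs.ou=eng.o=novell"],
         "cn=jones.ou=sales.o=novell": [], "cn=smith.ou=sales.o=novell": ["cn=ops.ou=eng.o=novell"]}

# Constructed SYS: volume. irf=set() means every box cleared; S still passes.
SYS = Tree(FS_RIGHTS, supervisor_blockable=False)
SYS.add("SYS:", trustees={"cn=devs.ou=eng.o=novell": {"R", "W", "F"},
                          "cn=jones.ou=sales.o=novell": {"S"}})
SYS.add("SYS:APPS", "SYS:", irf={"R", "F"})  # strips the inherited W
SYS.add("SYS:APPS\\DATA", "SYS:APPS",
        trustees={"cn=woodruf.ou=eng.o=novell": {"R", "W", "C", "E", "M", "F"}})
SYS.add("SYS:APPS\\PRIVATE", "SYS:APPS", irf=set())

def fs_rights(user, directory):  # what RIGHTS /NAME=user reports in this model
    return effective_rights(SYS, identities_of(NDS, user, USERS[user]), directory)

if __name__ == "__main__":
    for d in ("SYS:APPS", "SYS:APPS\\DATA", "SYS:APPS\\PRIVATE"):
        print(d, sorted(fs_rights("cn=woodruf.ou=eng.o=novell", d)), sorted(fs_rights("cn=jones.ou=sales.o=novell", d)))
    print(file_system_controllers(NDS, SERVER, USERS))
```

With this sample data, woodruf is reported as controlling fs1 even though nothing was ever assigned to woodruf or to the server directly: ou=eng was made a trustee of o=novell with Supervisor, and that right flows down to the Server object and to every user in the container. That is exactly the indirect grant the checklist asks you to hunt for. On the volume side, jones keeps full rights to SYS:APPS\PRIVATE although its IRF clears every box, because the file system never filters Supervisor, while the devs group's Write right is stripped at SYS:APPS by the filter there. The model also shows the opposite NDS behaviour: the IRF on ou=sales removes admin's inherited Supervisor, leaving only the Browse right that [Public] carries down from [Root]. The real product additionally refuses to filter Supervisor in NDS unless another trustee holds it explicitly at that level; the model does not enforce that.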
Basic Commands for the RIGHTS.EXE DOS utility
Open a DOS prompt on your workstation and change to the drive mapped to the server, in the directory whose rights you want to see. Enter "RIGHTS" to display the rights you have to that directory.
"RIGHTS /I" shows the following information:
Inherited rights filter
Inherited from above
Equivalent to
Effective Rights
To see what other options are available, enter:
RIGHTS /?
The following shows what rights a different user has to the current directory:
RIGHTS . /name=.cn=woodruf.o=novell /i
document
Document Title: | Basics of NDS Rights and File System Rights |
Document ID: | 10059007 |
Solution ID: | NOVL34770 |
Creation Date: | 06Dec2000 |
Modified Date: | 13Feb2003 |
Novell Product Class: | NetWare Novell eDirectory |
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.