Novell is now a part of Micro Focus

eDirectory Rights Assignment Recommendations

Articles and Tips: article

Jeff Fischer
Research Engineer
Novell AppNotes
jficher@novell.com

01 Jan 2003


Last month we discussed eDirectory rights and methods to grant and block rights within the eDirectory tree. This month, we'll talk about some recommendations to properly and more easily manage rights assignments.

Network administrators must be sure that users have the necessary rights to perform their jobs. It is also the responsibility of the network administrator to verify that users do not have excessive rights to the network. Network administrators should be proactive in managing rights to network resources and plan the network for additional network resources that will be added later.

Network rights should be planned so that when each user, printer, server, or other network resource is added to the tree; such additions involve minimal overhead in adjusting the network and existing security policies to provide access to the new resources.

Common Pitfalls of Rights Assignments

Having control of the network is critical to the network's efficiency and ease of administration. A network administrator must be aware of the capabilities of the network software, as well as common pitfalls that can lead to problems.

Common problems on the network occur when users have been granted too many rights. The following list outlines some of the common pitfalls of rights assignments.

All Properties versus Selected Properties.

You should use caution when you assign rights to the All Properties option for eDirectory property rights. If you need to assign more than just Read and Compare rights to eDirectory properties, you should consider using the Selected Properties option and granting the rights you need to specific properties.

Rights granted by the Selected Properties option overwrite any rights granted through the All Properties option. This allows flexibility when planning rights assignments. You can grant Read rights to all properties and get more specific by selecting properties and granting the rights necessary for specific tasks. You'll see a few examples of this in the rest of the article.

Object Trustees or Access Control List (ACL).

The Object Trustees or Access Control List (ACL) property can pose a potential security hole on the network. If the Write right is granted to the ACL property through All Properties or Selected Properties, users essentially have the right to assign themselves as trustees of any object on the network, even grant themselves Supervisor privileges.

Add/Remove Self Property Right.

The Add/ Remove Self property right can also pose a threat if it is not managed correctly. You should not make an assignment through All Properties with the Add/ Remove Self property right. This gives users the right to make themselves a member of a group that potentially has more rights than their user object. More specifically, you should not grant the user the Add/Remove Self right to their Group Membership property.

Security Equivalence Assignments.

Security Equivalence assignments should be temporary assignments only. Security Equivalence is an easy way to temporarily assign an object the rights they need to perform a specific task. But you should never rely on a security equivalence assignment to grant the object permanent rights. For example, if the object to whom the user is equivalent to is deleted from the tree, then the user would lose his or her rights.

The Admin Object.

Do not use the Admin object. For tight security, you should rename the Admin object or grant another user Supervisor rights to [Root] and deactivate the Admin user object.

Supervisor Object Right to a Server Object.

Be careful when you assign the Supervisor object right to a Server object. The Supervisor right is the only right that flows down to the file system, so if this right is granted, the user will also have Supervisor rights to the file system.

Inherited Rights Filters.

Inherited Rights Filters (IRFs) require careful planning in order to implement them properly. For example, suppose that only one user has Supervisor rights to administer a container and other rights are being filtered by an IRF. If the user object is deleted, you may lose the ability to administer that section of the tree.

This scenario could occur if the user who administers a container leaves the company and their User object is deleted. If an IRF is in place so that no one else has rights to that container, then that container will no longer be administrable.

Leveraging eDirectory and Managing Network Rights

As the size of a network grows, the overhead of rights administration becomes increasingly more difficult and requires more planning. No administrator wants to make trustee assignments and administer rights assignments for each network user.

Although certain individual rights assignments are inevitable and necessary as each user has a specific requirements for their job, many rights assignments can be generalized for several users. This is a preferred method of managing rights because it simplifies the overhead involved in managing network rights. Here are some recommendations to help you leverage eDirectory and manage network rights.

Group Objects.

Group objects are one of the most effective ways to manage rights within the eDirectory tree. As an administrator, you can create Group objects in several locations in the tree, and assign properties and rights that may pertain to several users within the network. Then, each user that needs this assignment can be made a member of the group and they will receive the rights you have assigned to the group without having to assign the rights to each User object individually.

Rights granted to a group for a network resource are added to other rights that a user may have received from trustee assignments or other memberships. Once the Group object has been created in the tree, the only task you have to perform is to make users a member of the group.

Follow these steps to add users to a Group object in ConsoleOne.

  1. Right-click on a Container object and select New > Group. Type in a new name for the group, such as "dev_users", and then check Define Additional Properties as shown in Figure 1.

    2. Creating a Group object through the ConsoleOne utility

  2. Click OK .

  3. Click the Members tab.

  4. Click the Add button to add a user as a member of the group.

  5. Select the user you want to add, as shown in Figure 2.

    6. Adding a user to a Group through the Members tab

  6. Click OK .

  7. Click Apply . The user has been made a member of the group and will receive any rights assigned to the group (see Figure 3).

    Making a user a member of a group gives the user any rights assingned to the group

Container Rights

. Use a container to provide basic rights assignments to everyone in the container. Because rights flow down through branches of the tree, you can assign rights to a Container object and its members will inherit all of the rights that you assigned to the container.

For example, if you want the users of a container to have rights to a printer or other resources, you could assign the container as a trustee of the printer with the necessary rights. Another common example would be to assign a container as a trustee of a public folder on a server so that the users of a department can store and share files. To do this through the ConsoleOne utility, follow these steps:

  1. Right-click the Container object and select Properties.

  2. Click the Rights to Files and Folders tab.

  3. Click Add to add an assignment.

  4. Browse to and select a resource, such as the Common folder on a network volume.

  5. Click OK .

  6. Assign the rights you desire each user of the container to have. In Figure 4, I have assigned the container as a trustee with the Read, Write, Create, Erase, and File Scan rights so that the users will be able to see, read, write to, create, and delete files from the Common folder.

Granting all users in a container rights to the Common folder

Planning Rights.

Plan rights assignments from the top level of the tree. Begin by assigning the minimum rights at the highest level in the tree and then adding more rights to network resources as it becomes necessary.

By default, users receive only minimum rights to other objects. This should be sufficient for most occasions. As more resources become available on the network and users' needs for specialized resources increase (such as team folders, specific printers, and other resources), you as the administrator will be required to manage these resources.

Use Inheritance.

You can use inheritance to provide minimum rights to many people in the tree without having to grant trustee assignments to specific users. Inheritance Rights Filters can be applied to block inheritance to certain locations in the tree.

Conclusion

This column has present some general recommendations to help you more easily assign rights to users on the network so that they will have sufficient rights to perform their jobs. Next month we'll discuss more about specific rights assignments to help administer your Directory tree, and we'll talk about role-based administration in more detail.

* Originally published in Novell AppNotes

Disclaimer

The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.

© Copyright Micro Focus or one of its affiliates