Novell is now a part of Micro Focus

How to Verify Default Rights in NDS

Novell Cool Solutions: Feature

Digg This - Slashdot This

Posted: 24 Sep 2003

When a new object is created, the Default ACL Assignments for its class are read and applied to the object. Only a handful of classes have these assignments. The only way to determine what the Default ACL Assignments for any class would be is to check it in the schema. Here is how you do it:

  1. At the system console, load DSBROWSE. There currently is not a version of DSBROWSE for DS 6.x or earlier. DSBROWSE is for DS versions 7.x and higher. Depending on your patch levels, you may have to download it from
  2. In DSBROWSE go to Schema Browse -> Schema Root -> Class Definitions.
  3. From here, pick the class you wish to check. We will use User as our example.

    User -> View Attributes -> ID Schema Value -> View Value Details ->

    Press ENTER to decode the attribute data -> Default ACL Assignments. You can then view the details of each assignment.

It is possible that some objects do not have even the default trustee assignments. This can occur if the trustee assignment has been deleted, or if the object was created before a change in the Default ACL Assignments was made. It is possible that over time code changes to the Default ACL Assignments for a class may be made, but this would be very rare. If there are trustees in the trustees list other than the defaults listed, they probably have been added by an application or another user.

If you are having rights-related issues, consider removing them from the object in question until your rights issues are resolved. Then add them back in, verifying that they are not giving or taking away rights to your objects. CAUTION: You need to understand how rights function before making modifications to trustee assignments. For more information, see TID 10012759: "How to Understand Effective Rights of NDS".

Default Rights

Here are some of the default effective rights from NDS 8.6.2. This is not a comprehensive list - merely a guide for some of the more common objects. If you see more than this, either the Default ACL Assignments have changed, or additional rights have been granted to an object either at this level or higher up the tree. To check them:

  1. Login to the server as Admin or Admin equivalent.
  2. Run ConsoleOne or NWADMIN.
  3. For each of the objects listed below, right-click on the object and go to Trustees of this Object.
  4. In the window, there is a list of trustees. To see what the effective rights of a given trustee are on this object, select the trustee in the window and click the "Effective Rights" button.
  5. This will give the information on what the effective rights are for that trustee. Match the Effective Rights in your list with the list below.


  • Admin gets gets all rights to All Attribute Rights and Entry Rights
  • Public gets Browse on Entry Rights and Compare and Read on several specific properties. See TID #10060465 - What are the default rights of [Public]? for a list. Obviously these same rights assignments will flow down to other objects unless blocked.

All Containers

  • Container gets browse on Entry Rights for itself, and what it inherits from Public.

Server Objects

  • Server gets gets all rights to All Attribute Rights and Entry Rights
  • Public gets what it inherited from its previous assignment at ROOT, in addition to Read on the Network Address property.

Volume Objects

  • [Root] gets read on Host Server and Host Resource Name properties, in addition to what it inherits from Public.

User Objects

  • Public gets what it inherited from its previous assignment at ROOT, in addition to read on Message Server.
  • [Root] gets read on Network Address and Group Membership properties, and browse on Entry Rights.
  • User gets read on All Attribute Rights, read and write on Login Script, read and write on Print Job Configuration, in addition to what it inherits from Public.

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© Copyright Micro Focus or one of its affiliates