Understanding Effective Directory Services Rights
Novell Cool Solutions: Feature
Digg This -
Posted: 30 Sep 2003
How Effective Directory Services Rights are Calculated or How Object A gets Rights to Object B:
In order to understand how effective rights are derived from the tree, one must first understand that rights come from many sources--each source being independent and cumulative. Secondly, one must understand the rules of implied rights, inheritance with filters, and especially, security equivalence. This document will explain the appropriate rules in that order, and then put them all together. This document assumes a basic understanding of NDS rights as taught in the CNE 520 intraNetWare 4.11 Administration course.
The examples assume the following tree structure:
[Root] |____O=Acme |____CN=Bob (user) |____CN=John (user) |____CN=Mary (user) |____CN=LaserPrinter (group)
If a property assignment has Supervisor (S) right, then the assignment implies ALL rights; thus Compare (C), Read (R), Write (W), and Add/Delete Self (A) rights are implied. In addition, Read implies Compare, and Write implies Add/Delete Self:
Property [S ] -> Property [Scrwa] (lower case are implied rights) Property [ R ] -> Property [ cR ] Property [ W ] -> Property [ Wa]
Rights given to All Property should be considered default rights for all properties; thus if no rights are given to a selected property, the selected property has the same rights as All Property.
If an object assignment has Supervisor (S) right, then the assignment implies ALL object rights, and ALL property rights--EVERYTHING.
Object S -> object [Sbcdr] and every property [scrwa]
Bob has All-Property [ R ] rights to John Bob has Login Script [ W ] rights to John What are Bob's rights to John's Login Script and Surname properties? Login Script [ Wa] Surname [ cr ] (uses the default All-Property) Now, Bob has object [S ] rights to John added. What are Bob's rights? Login Script [scrWa] Surname [scrwa]
One source of rights are explicit assignments made to an Object. The other sources are explicit assignments made to the Object's security equivalents. Only explicit security equivalents are listed by NetAdmin and NWAdmin. Implicit equivalents are the Object's parents including [Root], and [Public]
.Bob.Acme is explicitly made security equivalent to .John.Acme. John has object Browse [ B ] rights to Acme. [Public] has object Create [ C ] rights to Acme. [Root] has object Delete [ D ] rights to Acme. Acme has object Rename [ R] rights to Acme. Therefore, Bob has [ BCDR] rights to Acme because John [Public] [Root] Acme [ B ] + [ C ] + [ D ] + [ R] = [ BCDR]
Bob is a security equivalent of John. John has explicit rights to Acme. All objects are equivalent to [Public]. [Root] and Acme are parents of Bob. Again, whether an equivalent is explicit or implicit, each equivalent is independent and accumulative.
Equivalence is not Transferred
Security equivalence is not transitive, meaning, just because Bob is equivalent to John, doesn't mean Bob is equivalent to John's equivalents. Bob gets only the rights explicitly assigned to John.
John is a member of the LaserPrinter group (groups are the most common way of assigning equivalents). John gets whatever rights are assigned the LaserPrinter group. Although Bob is equivalent to John, Bob does not get rights assigned to the laserPrinter group.
Object and All Property trustees of a container are inherited, by all of its children. Selected properties are not inherited. An explicit assignment to one of the children will override the inherited one.
Bob is given Supervisor rights to Acme. By inherited rights, Bob has Supervisor rights to John, Bob, LaserPrinter group, and every other object below Acme.
Inherited Rights Filters (IRF)
Inherited rights can be filtered out with an IRF. Unlike the file system, Supervisor right CAN be filtered.
Bob has Supervisor rights to Acme. If you don't want Bob to inherit Supervisor rights to John, you can either put an IRF on John, or explicitly assign Bob's rights to John.
Putting it All Together
Rights can be assigned from object A to object B in eight different ways.
- A is a trustee of B
- One of A's parents is a trustee of B
- A is equivalent to C which is a trustee of B
- [Public] is a trustee of B
- A is a trustee of one of B's parents
- One of A's parents is a trustee of one of B's parents
- A is equivalent to C which is a trustee of one of B's parents
- [Public] is a trustee of one of B's parents
NOTE: IRFs can NOT filter out 1 - 4 because no inheritance exists.
NOTE: IRFs CAN filter out 5 - 8 because rights are inherited from B's parents.
All eight ways could be summed up in this master statement:
A (and its equivalents) have rights to B (or its parents).
Bob is security equivalent to John Bob has All-Property [S ] to John Bob has Login Script [ R ] to John John has Login Script [ W ] to John
What are Bob's Login Script rights to John?
Bob John ------- ------- All-Property [S ] Login Script [ R ] [ W ] ------------- ------- ------- Effective Login Script [ cR ] + [ Wa] = [ cRWa]
Bob would get [S ] from All Property, but this doesn't apply because an explicit Login Script assignment exists.
Same example as above, but take away Bob explicit Login Script [R]. Now what are the rights?
Bob John ------- ------- All-Property [S ] Login Script [ W ] ------------- ------- ------- Effective Login Script [Scrwa] + [ Wa] = [ScRWa]
Bob now gets [S] from All Property, so Bob has [Scrwa]. John has [Wa]. Add the sources together: Bob has [ScrWa].
Bob, John, and Mary are best friends and Acme's network administrators. They have all rights to the tree. Worried that one of them might forget their password, or quit, or die, they explicitly granted each other security equivalence and all rights. John and Mary become even better friends and get married. A fight ensues over a laser printer. John and Mary get a divorce. John and Mary fear retaliation against their objects in the tree, so they remove the security equivalence, and explicitly assign NO rights to each other. Unfortunately they discover that the effective rights remain the same. What happened?
Mary explicitly has no rights to John's object. (So far, so good) Mary is equivalent to all of her parents. Mary has all rights to [Root] (Uh Oh) Therefore, Mary inherited all rights to John from Root. If Mary and John take away their rights to [Root], they can't do their administrator jobs, so they put IRF's of NOTHING on their objects. NO rights will be inherited from above. Unfortunately they discover that the effective rights remain the same. What happened?
Mary is equivalent to Bob. Bob has all rights to John's object. (Uh Oh) Therefore, Mary got all rights to John through Bob. John and Mary still want Bob to have all rights to them, without giving the rights to each other.
John and Mary remove Bob's security equivalents, but keep the explicit rights. Finally, they achieved their goal.
As you can see, rights issues can get complicated. If you understand this document, you can use tools such as NWAdmin or NetAdmin and trace through the process one right at a time. Or, better yet, you can use a utility such as DSRights to cut to the chase. DSRights shows the entire flow of how one object derives rights from the tree to another object.