Authentication services are able to confirm a user’s identity and validate that identity for other services. eDirectory uses that identity to control access to eDirectory information and uses access control lists to limit a user's rights to create, read, or modify a piece of eDirectory information.
A user that has not been authenticated has some access to the network because eDirectory confers public status on unauthenticated users. By default, these users have access to the information required to obtain a licensed connection to the server. However, the network administrator can grant additional rights to the user [Public], whose rights are given to all unauthenticated users.
The access control list (ACL) is the key component in controlling access to eDirectory information. The ACL determines which operations an entry can perform on another object and its attributes. In the eDirectory schema, the ACL attribute is a multivalued attribute type assigned as an optional attribute to the object class Top. Since all object classes inherit the characteristics of Top, all objects may have an ACL attribute.
The ACL attribute is an attribute on the object that is being accessed. Each assignment in the ACL attribute lists which entry has been granted rights to the object, what type of rights the entry has been granted, and what rights are being granted. When an entry has been granted rights to another object, the entry is called a trustee of that object.
This section describes the following characteristics of ACLs:
Each ACL contains a list of trustees for which access has been defined. Each entry in an ACL has the following fields:
The following figure shows how an access control list operates. In the figure, an ACL entry has been defined for a printer object. Attributes defined for the printer include the class, the ACL, the serial number, and the owner.
Figure 3-8 An Access Control List Operation
The ACL contains the names of the protected attribute, the trustee, and the privileges. Hector appears as the trustee two times in the list: once each for [Entry Rights] and Serial Number. At the object level ([Entry Rights]), Hector is assigned the Rename, Add, Browse, and Delete privileges. He is also assigned Compare and Read on the serial number attribute. These are his privileges regarding this particular printer as an eDirectory object. This access is to the eDirectory Information Base, not the printer or its queues. The printer and queue access are controlled by the printer’s access control mechanisms, not the ACLs of eDirectory.
Object rights give a trustee rights to the eDirectory object as a whole, not just to its attributes. When dealing with security, it is important to remember that there are two distinct parts of every object: the object itself, and its properties. The syntax used to denote rights to an object is [Entry Rights]. The rights a user (or any other object) might have to another object include Browse, Create, Delete, Inheritance Control, Rename, and Supervisor. These rights are described below.
In NetWare 5.x, Inheritance Control rights allow the user to control whether [Entry Rights] granted in an ACL are inherited. If inherited, the user can exercise the rights granted in the ACL on subordinate objects. NetWare 5.x allows you to either allow inheritance or block inheritance. (NetWare 5.x utilities and their documentation call this right Inheritable.)
Attribute rights allow access to the data associated with an object. (NetWare utilities and their documentation call attributes, properties, and attribute rights, property rights.)
A user (or other object) can be given rights to access specific pieces of data about an object, or rights to access all information of that object. For example, if User A needs to be able to see the name, addresses, and phone numbers of User B, you can grant User A rights to each of those attributes of User B. You can also grant User A rights to all of the attributes of an object. The syntax used to denote rights to all attributes of an object is [All Attributes Rights]. If rights are given to a specific attribute, the syntax used is merely the name of that attribute. Both [All Attributes Rights] and rights to specific attributes use the same rights in a bit mask.
These attribute rights are described below:
In NetWare 5.x, Inheritance Control rights control whether the user inherits the other rights granted to a specific attribute or to [All Attributes Rights]. The bit can be set to allow or to block inheritance on both [All Attributes Rights] and specific attributes.
In NetWare 5.x, this right enables the creation of managers who have rights to manage specific attributes, such as phone numbers, addresses, and passwords, without granting Supervisor rights to the objects. If the right is granted at the container level, the right can be inheritable to an entire branch of the eDirectory tree.
An important aspect of the privilege set is the relationship between the Read and Compare privileges. Compare is considered a subset of the Read privilege. If a subject has the Read privilege, it also has the Compare privilege, whether or not Compare has been explicitly assigned to the subject. However, having the Compare privilege alone does not grant the subject the Read privilege.
The administrator can create access control lists (ACL) values to assign rights or privileges to an object or attributes. The object receiving the rights assignment is called a trustee. The assignments are known as trustee assignments, or more informally as ACLs. eDirectory uses these trustee assignments in conjunction with Section 3.3, Inheritance and Section 3.3.2, Inheritance Masks to compute the effective rights a given trustee has on a given object. The given object is the object whose ACL attribute contains the trustee assignment.
The trustee assignments are created as values of the multivalued ACL attribute attached to an eDirectory object. Trustee assignments are optional.
In NetWare® 4.x, trustee assignments made to objects flow down the eDirectory tree. For example if object X is given rights to a container object A that contains object B then X gets the same rights on object B that it has on object A. However, Object B could have an inheritance mask to filter some privileges. If so X will have only the rights to access B that pass through the filter.
NetWare 5.x adds new functionality. Trustee assignments to objects can flow down the eDirectory tree just as they did in NetWare 4.x and they can be blocked with inheritance masks. However, inheritance can also be disabled with the Inheritance Control right.
In NetWare 4.x, trustee assignments made for attributes do not flow down the tree unless the assignment is for all attributes. Assignments made to specific attributes do not apply to subordinate objects or attributes of those subordinate objects.
NetWare 5.x adds new functionality. The creator of the ACL determines whether the inheritance of rights to all attributes or to specific attributes is enabled or blocked. Because NetWare 5.x allows the inheritance of rights to specific attributes, network administrators can set up managers of specific eDirectory attributes, such as phone numbers, passwords, addresses, without granting Supervisor rights to the objects.
Since a trustee can have privileges to both an object and its attributes, the combination of these privileges may determine the operations available to the subject. Some operations on attributes require that privileges be assigned at both the object and the attribute levels.
Also, some operations (such as search, list, or move) can involve more than one object. It may be useful to take a closer look at the privileges involved in specific operations. The following table summarizes the privileges required at both the object and attribute level to perform a particular operation.
Table 3-1 Required Access Privileges
It should be noted that the Supervisor privilege on an object or attribute gives the subject all privileges allowing any of the functions to be performed. However, if the Supervisor privilege is inherited, it can be restricted by an inheritance mask.
ACL values can be used to allow objects to change the ACL itself. Objects given certain privileges to the ACL can access it and change the rights within it. The privileges assigned in the ACL can be not only for the ACL but for the object of the ACL and all other attributes of that object.
Be careful in granting the Write, Self, and Supervisor privileges. Supervisor gives all privileges, Write allows an object to change the ACL values, and Self allows an object to add and delete itself to the value.
The Self privilege can be granted to ease the burden of managing certain attributes of objects. Giving objects the ability to add themselves to certain lists (attributes) of objects eliminates the need for a manager to add and delete those objects. An example would be a distribution list. If you made a multivalued attribute called Party Group and gave [Root] the Self privilege to that attribute, objects wishing to join your Party Group could add themselves to the group. No one could delete others from the group, but they could add or delete their own object as desired.You would want to maintain all privileges to the Party Group attribute yourself so you could read, add and delete any object at any time. This would allow you to choose to let the individuals manage their membership in the group, or manage it yourself.