1.9 eDirectory Rights

When you create a tree, the default rights assignments give your network generalized access and security. Some of the default assignments are as follows:

  • User Admin has the Supervisor right to the top of the tree, giving Admin complete control over the entire directory. Admin also has the Supervisor right to the Server object, giving complete control over any volumes on that server.

  • [Public] has the Browse right to the top of the tree, giving all users the right to view any objects in the tree.

  • Objects created through an upgrade process, printing upgrade, or Windows user migration receive trustee assignments appropriate for most situations.

1.9.1 Trustee Assignments and Targets

The assignment of rights involves a trustee and a target object. The trustee represents the user or set of users that are receiving the authority. The target represents those network resources the users have authority over.

  • If you make an Alias a trustee, the rights apply only to the object the alias represents. The Alias object can be an explicit target, however.

  • A file or directory in the file system can also be a target, although file system rights are stored in the file system itself, not in eDirectory.

NOTE:The [Public] trustee is not an object. It is a specialized trustee that represents any network user, logged in or not, for rights assignment purposes.

[This] is a special type of trustee, that is defined to be an authenticated object, when its name matches the entry being accessed. This helps the administrator to easily specify rights such as, every user manages his own telephone number, with a single ACL at the top of the tree with [This] as a trustee.

1.9.2 eDirectory Rights Concepts

The following concepts can help you better understand eDirectory rights.

Object (Entry) Rights

When you make a trustee assignment, you can grant object rights and property rights. Object rights apply to manipulation of the entire object, while property rights apply only to certain object properties. An object right is described as an entry right because it provides an entry into the eDirectory database.

A description of each object right follows:

  • Supervisor includes all rights to the object and all of its properties.

  • Browse lets the trustee see the object in the tree. It does not include the right to see an object’s properties.

  • Create applies only when the target object is a container. It allows the trustee to create new objects below the container and also includes the Browse right.

  • Delete lets the trustee delete the target from the directory.

  • Rename lets the trustee change the name of the target.

Property Rights

When you make a trustee assignment, you can grant object rights and property rights. Object rights apply to manipulation of the entire object, while property rights apply only to certain object properties.

iManager gives you two options for managing property rights:

  • You can manage all properties at once when the [All Attributes Rights] item is selected.

  • You can manage one or more individual properties when the specific property is selected.

IMPORTANT:If you grant a trustee Read access to the [All Attributes Rights] property of a user, the trustee is granted Read access to the Password Management attribute for that user. The trustee can then read the user's passwords.

For more information about creating and managing password policies, see Creating Password Policies in the NetIQ Password Management Administration Guide.

A description of each property right follows:

  • Supervisor gives the trustee complete power over the property.

  • Compare lets the trustee compare the value of a property to a given value. This right allows searching and returns only a true or false result. It does not allow the trustee to actually see the value of the property.

  • Read lets the trustee see the values of a property. It includes the Compare right.

  • Write lets the trustee create, change, and delete the values of a property.

  • Add Self lets the trustee add or remove itself as a property value. It only applies to properties with object names as values, such as membership lists or Access Control Lists (ACLs).

Effective Rights

Users can receive rights in a number of ways, such as explicit trustee assignments, inheritance, and security equivalence. Rights can also be limited by Inherited Rights Filters and changed or revoked by lower trustee assignments. The net result of all these actions—the rights a user can employ—are called effective rights.

A user’s effective rights to an object are calculated each time the user attempts an action.

How Effective Rights Are Calculated

Each time a user attempts to access a network resource, eDirectory calculates the user’s effective rights to the target resource using the following process:

  1. eDirectory lists the trustees whose rights are to be considered in the calculation. These include

    • The user who is attempting to access the target resource.

    • The objects that the user is security equivalent to.

  2. For each trustee in the list, eDirectory determines its effective rights as follows:

    1. eDirectory starts with the inheritable rights that the trustee has at the top of the tree.

      eDirectory checks the Object Trustees (ACL) property of the Tree object for entries that list the trustee. If any are found and they are inheritable, eDirectory uses the rights specified in those entries as the initial set of effective rights for the trustee.

    2. eDirectory moves down a level in the branch of the tree that contains the target resource.

    3. eDirectory removes any rights that are filtered at this level.

      eDirectory checks the ACL at this level for Inherited Rights Filters (IRFs) that match with the right types (object, all properties, or a specific property) of the trustee’s effective rights. If any are found, eDirectory removes from the trustee’s effective rights any rights that are blocked by those IRFs.

      For example, if the trustee’s effective rights so far include an assignment of Write All Properties, but an IRF at this level blocks Write All Properties, the system removes Write All Properties from the trustee’s effective rights.

    4. eDirectory adds any inheritable rights that are assigned at this level, overriding as needed.

      eDirectory checks the ACL at this level for entries that list the trustee. If any are found, and they are inheritable, eDirectory copies the rights from those entries to the trustee’s effective rights, overriding as needed.

      For example, if the trustee’s effective rights so far include the Create and Delete object rights but no property rights, and if the ACL at this level contains both an assignment of zero object rights and an assignment of Write all properties for this trustee, then the system replaces the trustee’s existing object rights (Create and Delete) with zero rights and adds the new all property rights.

    5. eDirectory repeats the filtering and adding steps (Step 2.c and Step 2.d above) at each level of the tree, including at the target resource.

    6. eDirectory adds any noninheritable rights assigned at the target resource, overriding as needed.

      eDirectory uses the same process as in Step 2.d above. The resulting set of rights constitutes the effective rights for this trustee.

  3. eDirectory combines the effective rights of all the trustees in the list as follows:

    1. eDirectory includes every right held by any trustee in the list and excludes only those rights that are missing from every trustee in the list. eDirectory does not mix right types. For example, it does not add rights for a specific property to rights for all properties or vice versa.

    2. eDirectory adds rights that are implied by any of the current effective rights.

      The resulting set of rights constitutes the user’s effective rights to the target resource.

Example

User DJones is attempting to access volume Acctg_Vol. See Figure 1-20.

Figure 1-20 Sample Trustee Rights

The following process shows how eDirectory calculates DJones’ effective rights to Acctg_Vol:

  1. The trustees whose rights are to be considered in the calculation are DJones, Marketing, Tree, and [Public].

    This assumes that DJones doesn’t belong to any groups or roles and has not been explicitly assigned any security equivalences.

  2. The effective rights for each trustee are as follows:

    • DJones: Zero object, zero all properties

      The assignment of zero all property rights at Acctg_Vol overrides the assignment of Write all properties at Accounting.

    • Marketing: Zero all properties

      The assignment of Write all properties at the top of the tree is filtered out by the IRF at Accounting.

    • Tree: No rights

      No rights are assigned for Tree anywhere in the pertinent branch of the tree.

    • [Public]: Browse object, Read all properties

      These rights are assigned at the root and aren’t filtered or overridden anywhere in the pertinent branch of the tree.

  3. Combining the rights from all these trustees results in the following:

    DJones: Browse object, Read all properties

  4. Adding the Compare all properties right that is implied by the Read all properties right, DJones has the following final effective rights to Acctg_Vol:

    DJones: Browse object, Read and Compare all properties

Blocking Effective Rights

Because of the way that effective rights are calculated, it is not always obvious how to block particular rights from being effective for specific users without resorting to an IRF (an IRF blocks rights for all users).

To block particular rights from being effective for a user without using an IRF, do either of the following:

  • Ensure that neither the user nor any of the objects that the user is security equivalent to ever gets assigned those rights, either at the target resource or at any level above the target resource in the tree.

  • If the user or any object that the user is security equivalent to does get assigned those rights, ensure that that object also has an assignment lower in the tree that omits those rights. Do this for every trustee (associated with the user) that has the unwanted rights.

Security Equivalence

Security equivalence means having the same rights as another object. When you make one object security equivalent to another object, the rights of the second object are added to the rights of the first object when the system calculates the first object's effective rights.

For example, suppose you make User object Joe security equivalent to the Admin object. After you create the security equivalence, Joe has the same rights to the tree and file system as Admin.

There are three types of security equivalence:

  • Explicit: By assignment

  • Automatic: By membership in a group or role

  • Implied: Equivalent to all parent containers and the [Public] trustee

Security equivalence is effective only for one step. For example, if you make a third user security equivalent to Joe in the example above, that user does not receive Admin rights.

Security equivalence is recorded in eDirectory as values in the User object’s Security Equal To property.

When you add a User object as an occupant to an Organizational Role object, that User automatically becomes security equivalent to the Organizational Role object. The same is true when a User becomes a member of a Group role object.

Access Control List (ACL)

The Access Control List (ACL) is also called the Object Trustees property. Whenever you make a trustee assignment, the trustee is added as a value to the Object Trustees (ACL) property of the target.

This property has strong implications for network security for the following reasons:

  • Anyone who has the Supervisor or Write right to the Object Trustees (ACL) property of an object can determine who is a trustee of that object.

  • Any users with the Add Self right to the Object Trustees (ACL) property of an object can change their own rights to that object. For example, they can grant themselves the Supervisor right.

For these reasons, be careful giving Add Self rights to all properties of a container object. That assignment makes it possible for the trustee to become Supervisor of that container, all objects in it, and all objects in containers beneath it.

Inherited Rights Filter (IRF)

The Inherited Rights Filter allows you to block rights from flowing down the eDirectory Tree. For more information on configuring this filter, see Blocking Inherited Rights to an eDirectory Object or Property.

1.9.3 Default Rights for a New Server

When you install a new Server object into a tree, the following trustee assignments are made:

Default Trustees

Default Rights

Admin (first eDirectory server in the tree)

Supervisor object right to the Tree object.

Admin has the Supervisor object right to the Server object, which means that Admin also has the Supervisor right to the root directory of the file system of any volumes on the server.

[Public] (first eDirectory server in the tree)

Browse object right to the Tree object.

Tree

The Tree Read property right to the Host Server Name and Host Resource properties on all Volume objects.

This gives all objects access to the physical volume name and physical server name.

Container objects

Read and File Scan rights to the sys:\public folder. This allows User objects under the container to access utilities in \public.

NOTE:These rights only apply to servers running OES Linux.

User objects

If home directories are automatically created for users, the users have the Supervisor right to those directories.

1.9.4 Delegated Administration

eDirectory lets you delegate administration of a branch of the tree, revoking your own management rights to that branch. One reason for this approach is that special security requirements require a different administrator with complete control over that branch.

To delegate administration:

  1. Grant the Supervisor object right to a container.

    1. In NetIQ iManager, click the Roles and Tasks button Roles and Tasks button.

    2. Click Rights > Modify Trustees.

    3. Enter the name and context of the container object that you want to control access to, then click OK.

    4. Click Assigned Rights.

    5. Click the Supervisor checkbox for the properties you want.

    6. Click Done, then click OK.

  2. Create an IRF on the container that filters the Supervisor and any other rights you want blocked.

    1. In NetIQ iManager, click the Roles and Tasks button Roles and Tasks button.

    2. Click Rights > Modify Inherited Rights Filter.

    3. Specify the name and context of the object whose inherited rights filter you want to modify, then click OK.

    4. Edit the list of inherited rights filters as needed.

      To edit the list of filters, you must have the Supervisor or Access Control right to the ACL property of the object. You can set filters that block inherited rights to the object as a whole, to all the properties of the object, and to individual properties.

      NOTE:These filters won't block rights that are explicitly granted a trustee on this object, since such rights aren't inherited.

    5. Click OK.

IMPORTANT:If you delegate administration to a User object and that object is subsequently deleted, there are no objects with rights to manage that branch.

To delegate administration of specific eDirectory properties, such as Password Management, see Granting Equivalence.

To delegate the use of specific functions in role-based administration applications, see Configuring Role-Based Services.

1.9.5 Administering Rights

Assigning Rights Explicitly

When the default rights assignments in your eDirectory tree provide users with either too much or not enough access to resources, you can create or modify explicit rights assignments. When you create or modify a rights assignment, you start by selecting either the resource that you are controlling access to or the trustee (the eDirectory object that possesses, or will possess, the rights).

HINT:To manage users' rights collectively rather than individually, make a group, role, or container object the trustee. To restrict access to a resource globally (for all users), see Blocking Inherited Rights to an eDirectory Object or Property.

Controlling Access to NetIQ eDirectory by Resource

  1. In NetIQ iManager, click the Roles and Tasks button Roles and Tasks button.

  2. Click Rights > Modify Trustees.

  3. Specify the name and context of the eDirectory resource (object) that you want to control access to, then click OK.

    Choose a container if you want to control access to all the objects below it.

  4. Edit the list of trustees and their rights assignments as needed.

    1. To modify a trustee's rights assignment, select the trustee, click Assigned Rights, modify the rights assignment as needed, then click Done.

    2. To add an object as a trustee, click Add Trustee, select the object, click OK, click Assigned Rights to assign the trustee's rights, then click Done.

      When creating or modifying a rights assignment, you can grant or deny access to the object as a whole, to all the properties of the object, and to individual properties.

    3. To remove an object as a trustee, select the trustee, then click Delete Trustee.

      The deleted trustee no longer has explicit rights to the object or its properties but might still have effective rights through inheritance or security equivalence.

  5. Click OK.

Controlling Access to NetIQ eDirectory by Trustee

  1. In NetIQ iManager, click the Roles and Tasks button Roles and Tasks button.

  2. Click Rights > Rights to Other Objects.

  3. Enter the name and context of the trustee (the object that possesses, or will possess, the rights) whose rights you want to modify.

  4. In the Context to Search From field, specify the part of the eDirectory tree to be searched for eDirectory objects that the trustee currently has rights assignments to.

  5. Click OK.

    A screen appears showing the progress of the search. When the search is done, the Rights to Other Objects page appears with the results of the search filled in.

  6. Edit the trustee's eDirectory rights assignments as needed.

    1. To add a rights assignment, click Add Object, select the object to control access to, click OK, click Assigned Rights, assign the trustee's rights, then click Done.

    2. To modify a rights assignment, select the object you want to control access to, click Assigned Rights, modify the trustee's rights assignment as needed, then click Done.

      When creating or modifying a rights assignment, you can grant or deny access to the object as a whole, to all the properties of the object, and to individual properties.

    3. To remove a rights assignment, select the object you want to control access to, then click Delete Object.

      The trustee no longer has explicit rights to the object or its properties but might still have effective rights through inheritance or security equivalence.

  7. Click OK.

Granting Equivalence

A user who is security equivalent to another eDirectory object effectively has all the rights of that object. A user is automatically security equivalent to the groups and roles that they belong to. All users are implicitly security equivalent to the [Public] trustee and to each container above their User objects in the eDirectory tree, including the Tree object. You can also explicitly grant a user security equivalence to any eDirectory object.

NOTE:The tasks in this section allow you to delegate administrative authority through eDirectory rights. If you have administration applications that use Role-Based Services (RBS) roles, you can also delegate administrative authority by assigning users membership in those roles.

Granting Security Equivalence by Membership

  1. If you haven't already done so, create the group or role object that you want the users to be security equivalent to.

    See Creating an Object for details.

  2. Grant the group or role the eDirectory rights that you want the users to have.

    See Assigning Rights Explicitly for details.

  3. Edit the membership of the group or role to include those users who need the rights of the group or role.

    • For a Group object, use the Modify Members of Groups window.

      In NetIQ iManager, click Roles and Tasks > Groups > Modify Members of Group, specify the name and context of a Group object, and click OK. In the General tab, specify the members you want to add to the group and click OK.

    • For a Role object, use the Modify Object window.

      In NetIQ iManager, click Roles and Tasks > Directory Administration > Modify Object, specify the name and context of an Organizational Role object, and click OK. Click Other, select rbsMember, and click Edit. On the Edit Attribute window, specify the members you want to add to the role and click OK.

  4. Click OK.

Granting Security Equivalence Explicitly

  1. In NetIQ iManager, click the Roles and Tasks button Roles and Tasks button.

  2. Click Directory Administration > Modify Object.

  3. Enter or browse to the name and context of the user or object that you want the user to be security equivalent to, then click OK.

  4. Click the Security tab, then grant the security equivalence as follows:

    • If you chose a user, click Security Equal To, select or browse to the name and context of the object that you want the user to be equivalent in terms of security, then click OK.

    • If you chose an object that you want the user to be security equivalent to, click Security Equal To Me, select or browse to the name and context of the user that you want the object to be equivalent to in terms of security, then click OK.

    The contents of these two property pages are synchronized by the system.

  5. Click OK.

Setting Up an Administrator For an Object's Specific eDirectory Properties

  1. If you haven’t already done so, create the User, Group, Role, or Container object that you want to make a trustee of the object's specific properties.

    If you create a container as a trustee, all objects inside and below the container will have the rights you grant. You must make the property inheritable or the container and its members will not have rights below its level.

    See Creating an Object for information.

  2. In NetIQ iManager, click the Roles and Tasks button Roles and Tasks button.

  3. Click Rights > Modify Trustees.

  4. Specify the name and context of the highest-level container that you want the administrator to manage, then click OK.

  5. On the Modify Trustees page, click Add Trustee, select the object that represents the administrator, then click OK.

  6. Click Assigned Rights for the trustee you just added, then click Add Property.

  7. Select the properties you want to add to the property list, then click OK.

  8. For each property that the administrator will manage, assign the needed rights.

    Be sure to select the Inheritable check box on each rights assignment.

  9. Click Done, then click OK.

Blocking Inherited Rights to an eDirectory Object or Property

In eDirectory, rights assignments on containers can be inheritable or non-inheritable. In the file system, all rights assignments on folders are inheritable. In eDirectory, you can block such inheritance on individual subordinate items so that the rights aren’t effective on those items, no matter who the trustee is.

  1. In NetIQ iManager, click the Roles and Tasks button Roles and Tasks button.

  2. Click Rights > Modify Inherited Rights Filter.

  3. Specify the name and context of the object whose inherited rights filter you want to modify, then click OK.

    This displays a list of the inherited rights filters that have already been set on the object.

  4. On the property page, edit the list of inherited rights filters as needed.

    To edit the list of filters, you must have the Supervisor or Access Control right to the ACL property of the object. You can set filters that block inherited rights to the object as a whole, to all the properties of the object, and to individual properties.

    NOTE:These filters won't block rights that are explicitly granted a trustee on this object, because such rights aren't inherited.

  5. Click OK.

Viewing Effective Rights to an eDirectory Object or Property

Effective rights are the actual rights users can exercise on specific network resources. They are calculated by eDirectory based on explicit rights assignments, inheritance, and security equivalence. You can query the system to determine a user’s effective rights to any resource.

  1. In NetIQ iManager, click the Roles and Tasks button Roles and Tasks button.

  2. Click Rights > View Effective Rights.

  3. Enter the name and context of the trustee whose effective rights you want to view, then click OK.

  4. Choose from the following options:

    Option

    Description

    Property Name

    Lists the properties that the trustee has effective rights to. The properties are read from eDirectory and so are always shown in English. Each item in the list is one of the following types:

    [All Attributes Rights]-Represents all the properties of the object.

    [Entry Rights]-Represents the object as a whole. Rights to this item don’t imply any property rights, except in the case of Supervisor.

    Specific properties-These are specific properties that the trustee has rights to individually. By default, only properties of this object class are listed (see below).

    Effective Rights

    Shows the trustee’s effective rights to the selected property, as calculated by eDirectory.

    Show All Properties in Schema

    Leave this check box deselected to show only the properties of this object class.

    To show the properties of all classes defined in the eDirectory schema, select this check box. The additional properties are pertinent only if this object is a container, or if it has been extended to include the properties of an auxiliary class. The additional properties are shown without a bullet next to them.

  5. Click Done.