Calculating Effective Rights

Each time a user attempts to access a network resource, the system calculates that user's effective rights to the target resource.


Calculation Process

To calculate a user's effective rights, the system uses the following process:

NOTE: This is the logical process, not the exact implementation.

  1. List the trustees whose rights are to be considered in the calculation. These include
    • The user who is attempting to access the target resource
    • The objects that the user is security equivalent to

  2. For each trustee in the list, determine its effective rights as follows:
    a. Start with the inheritable rights that the trustee has at the root of the tree.

      Check the Object Trustees (ACL) property of the [Root] object for entries that list the trustee. If any are found and they are inheritable, use the rights specified in those entries as the initial set of effective rights for the trustee.

    b. Move down a level in the branch of the tree that contains the target resource.
    c. Remove any rights that are filtered at this level.

      Check the ACL at this level for Inherited Rights Filters (IRFs) that match with the right types (object, all properties, or a specific property) of the trustee's effective rights. If any are found, remove from the trustee's effective rights any rights that are blocked by those IRFs.

      For example, if the trustee's effective rights so far include an assignment of Write all properties but an IRF at this level blocks Write all properties, the system removes Write all properties from the trustee's effective rights.

    d. Add any inheritable rights that are assigned at this level, overriding as needed.

      Check the ACL at this level for entries that list the trustee. If any are found and they are inheritable, copy the rights from those entries to the trustee's effective rights, overriding as needed.

      For example, if the trustee's effective rights so far include the Create and Delete object rights but no property rights, and if the ACL at this level contains both an assignment of zero object rights and an assignment of Write all properties for this trustee, then the system replaces the trustee's existing object rights (Create and Delete) with zero rights and adds the new all property rights.

    e. Repeat the filtering and adding steps (c and d above) at each level of the tree, including at the target resource.
    f. Add any noninheritable rights assigned at the target resource, overriding as needed.

      Use the same process as in Step d above. The resulting set of rights constitutes the effective rights for this trustee.

  3. Combine the effective rights of all the trustees in the list as follows:
    a. Include every right held by any trustee in the list, and exclude only those rights that are missing from every trustee in the list. Do not mix right types. For example, do not add rights for a specific property to rights for all properties or vice versa.
    b. Add rights that are implied by any of the current effective rights.

    The resulting set of rights constitutes the user's effective rights to the target resource.


Example

In the tree shown below, user DJones is attempting to access volume Acctg_Vol.

Here's how NDS calculates DJones' effective rights to Acctg_Vol:

  1. The trustees whose rights are to be considered in the calculation are DJones, Marketing, [Root], and [Public].

    This assumes that DJones doesn't belong to any groups or roles and has not been explicitly assigned any security equivalences.

  2. The effective rights for each trustee are as follows:
    • DJones: zero object, zero all properties

      The assignment of zero all property rights at Acctg_Vol overrides the assignment of Write all properties at Accounting.

    • Marketing: zero all properties

      The assignment of Write all properties at the root of the tree is filtered out by the IRF at Accounting.

    • [Root]: (no rights)

      No rights are assigned for [Root] anywhere in the pertinent branch of the tree.

    • [Public]: Browse object, Read all properties

      These rights are assigned at the root and aren't filtered or overridden anywhere in the pertinent branch of the tree.

  3. Combining the rights from all these trustees, we get the following:

    DJones: Browse object, Read all properties

  4. Adding the Compare all properties right that is implied by the Read all properties right, we get the following final effective rights for DJones to Acctg_Vol:

    DJones: Browse object, Read and Compare all properties
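The calculation process and the DJones example above, worked through in code. This is an added Python model written for this page, not code from the original NDS documentation. Because the tree figure is not on the page, the branch ([Root] > Accounting > Acctg_Vol) and the trustee assignments are reconstructed from the explanations given in the example (the [Public] rights at the root, Marketing's Write all properties at the root filtered by the IRF at Accounting, DJones' Write all properties at Accounting overridden by zero all properties at Acctg_Vol); those assignments, and the names ACE, Node, trustee_effective_rights, combine, add_implied and effective_rights, are assumptions. The model also handles the noninheritable-assignment step (f) at the target, which the example does not exercise.

```python
"""Model of the NDS effective-rights calculation described on this page.

Constructed example: the branch [Root] > Accounting > Acctg_Vol, with trustee
assignments reconstructed from the page's worked example (the figure is absent).
"""
from dataclasses import dataclass, field

# Right types are tracked separately: step 3a says never to mix them.
OBJECT = "object"
ALL_PROPS = "all properties"

# Step 3b: holding the key right implies the listed rights of the same type.
# Only the implication the page states (Read all properties -> Compare) is modelled.
IMPLIED = {(ALL_PROPS, "Read"): {"Compare"}}


@dataclass
class ACE:
    """One Object Trustees (ACL) entry. An empty rights set is an explicit 'zero' assignment."""
    trustee: str
    right_type: str            # OBJECT, ALL_PROPS, or a specific property name
    rights: frozenset
    inheritable: bool = True


@dataclass
class Node:
    """One level of the tree: its ACL entries and the IRF (right type -> rights blocked)."""
    name: str
    acl: list = field(default_factory=list)
    irf: dict = field(default_factory=dict)


def trustee_effective_rights(path, trustee):
    """Steps 2a-2f for one trustee, walking from [Root] down to the target resource."""
    eff = {}
    for depth, node in enumerate(path):
        # Step c: IRFs at this level strip inherited rights of a matching type.
        # (Skipped at the root itself, where step a starts from the root's own entries.)
        if depth > 0:
            for rtype, blocked in node.irf.items():
                if rtype in eff:
                    eff[rtype] = eff[rtype] - blocked
        # Steps a and d: inheritable entries for this trustee override per right type.
        for ace in node.acl:
            if ace.trustee == trustee and ace.inheritable:
                eff[ace.right_type] = set(ace.rights)
        # Step f: noninheritable entries count only at the target resource.
        if depth == len(path) - 1:
            for ace in node.acl:
                if ace.trustee == trustee and not ace.inheritable:
                    eff[ace.right_type] = set(ace.rights)
    return eff


def combine(per_trustee):
    """Step 3a: union across trustees, kept separate per right type."""
    combined = {}
    for eff in per_trustee.values():
        for rtype, rights in eff.items():
            combined.setdefault(rtype, set()).update(rights)
    return combined


def add_implied(combined):
    """Step 3b: add rights implied by rights already held."""
    for (rtype, right), implied in IMPLIED.items():
        if right in combined.get(rtype, set()):
            combined[rtype] |= implied
    return combined


def effective_rights(path, trustees):
    """Full process: per-trustee rights (step 2), then combined user rights (step 3)."""
    per_trustee = {t: trustee_effective_rights(path, t) for t in trustees}
    return add_implied(combine(per_trustee)), per_trustee


# Constructed tree matching the page's example (assumed, since the figure is missing).
ROOT = Node("[Root]", acl=[
    ACE("[Public]", OBJECT, frozenset({"Browse"})),
    ACE("[Public]", ALL_PROPS, frozenset({"Read"})),
    ACE("Marketing", ALL_PROPS, frozenset({"Write"})),
])
ACCOUNTING = Node("Accounting",
                  acl=[ACE("DJones", ALL_PROPS, frozenset({"Write"}))],
                  irf={ALL_PROPS: {"Write"}})          # IRF blocks Write all properties
ACCTG_VOL = Node("Acctg_Vol",
                 acl=[ACE("DJones", ALL_PROPS, frozenset())])   # explicit zero all properties
PATH = [ROOT, ACCOUNTING, ACCTG_VOL]
# Step 1: DJones plus the objects it is security equivalent to (no groups or roles assumed).
TRUSTEES = ["DJones", "Marketing", "[Root]", "[Public]"]

if __name__ == "__main__":
    final, per_trustee = effective_rights(PATH, TRUSTEES)
    for name, eff in per_trustee.items():
        print(f"{name}: {eff or '(no rights)'}")
    print("DJones effective rights to Acctg_Vol:", final)
```

Running the model reproduces the example: DJones and Marketing each end with an explicit zero all-properties set, [Root] with nothing, [Public] with Browse object and Read all properties, and the union plus the implied Compare right gives DJones Browse object and Read and Compare all properties. The order inside each level matters: the IRF at Accounting is applied before DJones' own Write all properties assignment at that level is added, which is why that assignment survives until it is overridden at Acctg_Vol. The union in step 3 is also what makes the next section's problem concrete: a right held by [Public] or by a container the user is security equivalent to reaches the user unless it is filtered or overridden along the branch for that trustee.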


Blocking Effective Rights

Because of the way that effective rights are calculated, it is not always obvious how to block particular rights from being effective for specific users without resorting to an IRF. (An IRF blocks rights for all users.)

To block particular rights from being effective for a user without using an IRF, do either of the following:


