Elements that control access to the network or to specific information on the network. Six categories of security features are

• Login security. Controls which users can access the network.
• Trustees. Designate which users can access directories, files, or objects.
• Rights. Determine the level of access for each trustee.
• Inheritance. Passes rights from higher to lower levels.
• Attributes. Describe characteristics of directories and files.
• Effective rights. List a user's actual rights to a directory, file, or object (including explicitly granted rights and inherited rights).

The LOGIN command controls who can access the network by determining if a valid user is attempting to log in.

A person must know the User object's name and the correct password (if required) to log in.

The network supervisor establishes this login security by creating a User object in NDS and by then assigning values to the properties of that user. Those values determine how the user can access the network.

A User object's properties affect when a user can log in, which workstations a user can log in to, when the user's account is disabled, etc.

Passwords aren't required, but they should be used. Without one, an intruder can access the network with only a user's name. Don't use family or pet names as passwords; they are easily guessed by an intruder.

Passwords are encrypted and are never displayed on the monitor or transmitted across the network. The password authenticates every action of a user.

You can assign and change passwords, or you can assign initial passwords and allow users to change them. To increase login security, consider requiring these password options:

• Minimum password length. Prevents the use of passwords that might be easily guessed. (Default: 5 characters.)
• Periodic password change. Prevents the user from keeping a password indefinitely. (Default: every 40 days.)
• Unique password. Prevents alternating between a few favorite passwords. The server remembers and rejects the use of the eight passwords most recently used for one day or longer.

A trustee is a User or Group object that has been granted access to a directory, file, or object. Access is granted through a trustee assignment.

Any object with sufficient rights can make trustee assignments with the RIGHTS, NETADMIN, or NetWare Administrator utilities.

• Trustee list. Each directory, file, and object has a list of trustee assignments, called a trustee list, that specifies who can access that directory, file, or object.

  An object's trustee list is stored in the object's ACL property.

• Trustees of groups. For several users to access a directory, file, or object, a trustee assignment is required for each user. Rather than make trustee assignments for each user individually, create a Group object, include the users in the group, and then grant access for the group with one trustee assignment.

• [Public] trustee. [Public] is a special trustee that can be added to an object, directory or file.

  The rights assigned to [Public] are effective for anyone who has no rights to the file, directory, or object.

Rights determine the type of access a trustee has to a directory, file, or object. For example, if a trustee assignment grants the Create right to a directory, a trustee can create files in the directory.

A trustee assignment grants one object rights to another object. By default, every trustee assignment includes the Browse object right and the Read right for all properties.

Rights are granted within the object a trustee has rights to, not within the trustee object.

For example, to grant JILL the right to delete a Printer object, make JILL a trustee of the Printer object and include the delete right in her assignment---don't make the Printer object a trustee of JILL.

Because directories, files, and objects contain such different information, the rights that control access to each are different.

Rights to directories and files and to other objects are controlled in different sections of the utilities.

There are four kinds of rights in NetWare 4:

• Directory rights control what a trustee can do with a directory.

  Directory rights also apply to files in the directory if file rights aren't granted and if the file's Inherited Rights Filter doesn't block the directory rights.

• File rights control what a trustee can do with a file.

• Object rights control what a trustee can do with an object.

  These rights control the object as a single piece in the directory tree, but don't allow access to information stored within that object (except the Supervisor object right, which also allows access to an object's properties).

• Property rights control a trustee's access to information stored within the object---that is, the information stored in the object's properties.

  Each object type has a different set of properties.

  Property rights can be managed in NETADMIN or NetWare Administrator using the All Properties or the Selected Properties option.

  Rights assigned using All Properties affect every property equally. Rights assigned using Selected Properties affect individual properties only.

To grant directory or file rights to other objects, an object must have the Access Control right to that directory or file. To grant object or property rights, a user must have the Write right to the object's ACL property.

Inheritance

Creating a trustee assignment for every user and for every directory, file, and object would be a huge job. Inheritance simplifies the task.

Through inheritance, rights granted in a trustee assignment apply to objects, directories, and files below the assignment. Rights change if another trustee assignment is made or if the rights are blocked by an IRF.

Inheritance applies both to directories and files on a volume and to objects in the Directory tree.

For directories and files, all access rights are inherited. For objects, only object rights and rights assigned with All Properties are inherited. Rights to specific properties of an object can't be inherited.

Rights assigned to NDS objects do not affect file system rights. For example, object rights assigned to a Volume object do no affect the directory and file system rights in the physical volume represented by that Volume object.

However, one exception exists: Any trustee with the Supervisor right to a NetWare Server object or to that object's ACL property is granted the Supervisor right to any physical volume attached to that server.

An IRF stops rights from being inherited. An IRF has the same set of possible rights as a trustee assignment, but instead of granting rights, it revokes rights.

Every directory, file, and object has an IRF. With this filter, you can grant access more freely at the top of the object tree or volume, then filter out rights in sensitive areas.

Attributes (also called flags) describe the characteristics of a directory or file and tell NetWare what actions are allowed, and in a few cases, what actions have been performed. They aren't used for objects.

NetWare reads the attributes you set (for example, to compress, back up, or not allow deletion of a file) and sets other attributes to tell you what has been done (for example, that a file has been compressed, migrated, or indexed).

Attributes are separate from rights. Attributes aren't inherited, and if an attribute indicates that a file can't be deleted, not even a supervisor can delete it without first changing the attribute.

Effective Rights

Effective rights are the rights that a user actually has to a directory, file, or object.

NetWare calculates your effective rights to a directory, file, or object whenever you take an action.

Effective rights to a file or directory are determined by

• An object's trustee assignments to the directory or file
• Inherited rights from an object's trustee assignments to parent directories
• Trustee assignments of Group objects that a User object belongs to
• Trustee assignments of objects listed in a User object's Security Equal To list

If a user has a trustee assignment to a directory on a given level in the file system, and also one on a higher level, the current trustee assignment overrides the higher one.

However, trustee assignments to a group are added to individual user trustee assignments.

Effective rights to an object are shown in the following figure.

Figure 67
Effective Rights

In the previous figure, MWILKENS' effective rights to access the MANAGERS profile can come from

• Trustee assignments on MANAGERS that list MWILKENS (explicit rights are granted)

• Trustee assignments on MANAGERS that list SALES PV (inherited from the trustee's container)

• Trustee assignments on SALES LA that list MWILKENS (inherited from the object's container)

  Rights must pass through MANAGERS' IRF before becoming effective.

• Trustee assignments on SALES LA that list SALES PV (inherited from object's container and trustee's container)

  Rights must pass through MANAGERS' IRF before becoming effective.

• Trustee assignments to any Group object that MWILKENS is a member of (only valid when the object requesting rights is a User object)

• Trustee assignments to any object listed in MWILKENS' Security Equal To list (only valid when the object requesting rights is a User object)

If MWILKENS has a trustee assignment to SALES LA and to MANAGERS, the Trustee assignment on MANAGERS overrides the trustee assignment on SALES LA.

Trustee assignments to groups, however, are added to previous trustee assignments for User objects.

No rights are granted by default. They must be granted by a trustee assignment at some point.

The Supervisor right can be filtered for object and property rights, but can't be filtered for file system rights.