Rights
Qualities assigned to an object that control what the object can do with directories, files, or other objects. Creating, reading, and other operations can be done only if an object has rights to perform them.
Rights are granted to a specific directory, file, or object by trustee assignments. An object with a trustee assignment to a file, directory, or another object is a trustee of that file, directory, or object.
Within each object is a list of who has rights to the object and what rights the object has to other objects. This list is the ACL property of the object. (Files and directories contain similar information, but not an ACL.)
For example, to grant user JILL the right to delete a Printer object, go to the Printer object and make JILL a trustee; don't go to Jill and make the Printer object a trustee.
Directory Rights
Directory rights apply to the directory in the NetWare file system they are assigned to, as well as to all files and subdirectories in that directory (unless redefined at the file or subdirectory level).
Directory rights are part of the file system; they aren't assigned to NDS objects. However, a User object can be granted Directory rights to a directory on a volume.
The following table describes directory rights.
Table 14. Directory Rights
Supervisor | Grants all rights to the directory, its files, and subdirectories. The Supervisor right can't be blocked by an Inherited Rights Filter. Users with this right can grant other users rights to the directory, its files, and subdirectories.
Read | Grants the right to open files in the directory and read the contents or run the programs.
Write | Grants the right to open and change the contents of files in the directory.
Create | Grants the right to create new files and subdirectories in the directory. If Create is the only right granted to a trustee for the directory, and no other rights are granted below the directory, a drop box directory is created. In a drop box directory, you can create a file and write to it. Once the file is closed, however, only a trustee with more rights than Create can see or update the file. You can copy files or subdirectories into the directory and assume ownership of them, but other users' rights are revoked.
Erase | Grants the right to delete the directory, its files, and subdirectories.
Modify | Grants the right to change the attributes or name of the directory and of its files and subdirectories, but does not grant the right to change the contents of them. (Changing the contents requires the Write right.)
File Scan | Grants the right to see the directory and its files with the DIR or NDIR command.
Access Control | Grants the right to change the trustee assignments and the Inherited Rights Filter of the directory and of its files and subdirectories.
File Rights
File rights apply only to the file they are assigned to. A trustee can also inherit rights to a file from the directory above the file.
The following table describes file rights.
Table 15. File Rights
Supervisor | Grants all rights to the file. The Supervisor file right can't be blocked with an Inherited Rights Filter. Users who have this right can also grant other users any rights to the file and can change the file's Inherited Rights Filter.
Read | Grants the right to open and read the file.
Create | Grants the right to create a file and to salvage a file after it has been deleted.
Write | Grants the right to open and write to an existing file.
Erase | Grants the right to erase (delete) the file.
Modify | Grants the right to change the attributes and name of the file, but does not grant the right to change its contents. (Changing the contents requires the Write right.)
File Scan | Grants the right to see the file with the NDIR directory command, including the directory structure from that file to the root directory.
Access Control | Grants the right to change the trustee assignments and the Inherited Rights Filter of the file.
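The following added example (not part of the original documentation) works through how directory and file rights combine down a path: explicit trustee assignments redefine rights at a level, an Inherited Rights Filter masks what is inherited, and Supervisor passes through the filter. It also checks the drop box condition described under Create. It assumes a single trustee (no group memberships or security equivalences), slash-separated path labels, and constructed sample assignments and filters.

```python
# Added example: effective NetWare file-system rights for ONE trustee.
# Simplified model; paths, assignments and filters below are constructed.
ALL = frozenset("SRWCEMFA")  # Supervisor Read Write Create Erase Modify File-scan Access-control

def effective_rights(path, assignments, irfs):
    """Walk from the volume root down to `path` and return the rights that survive.

    assignments: {path: "RF"}  explicit trustee assignments for this trustee
    irfs:        {path: "F"}   Inherited Rights Filter per path (absent = pass all)
    """
    parts = path.strip("/").split("/")
    rights = frozenset()
    for depth in range(1, len(parts) + 1):
        node = "/".join(parts[:depth])
        if "S" in rights:
            # Supervisor from above cannot be blocked by an IRF. Assumption:
            # a lower explicit assignment does not take it away either.
            continue
        if node in assignments:
            # An explicit assignment redefines the rights at this level.
            rights = frozenset(assignments[node])
        else:
            # Otherwise only inherited rights that pass this node's IRF flow down.
            rights &= frozenset(irfs.get(node, ALL))
    return ALL if "S" in rights else rights

def is_drop_box(directory, assignments):
    """True when Create is the only right on `directory` and nothing is granted below."""
    directory = directory.strip("/")
    below = [r for p, r in assignments.items() if p.startswith(directory + "/") and r]
    return set(assignments.get(directory, "")) == {"C"} and not below

# Constructed sample data for a single trustee.
ASSIGN = {"SYS/DATA": "RF", "SYS/DATA/HR": "RWCEMF", "SYS/INBOX": "C", "SYS/ADMIN": "S"}
IRF = {"SYS/DATA/PUBLIC/DRAFTS": "F", "SYS/ADMIN/LOGS": ""}

if __name__ == "__main__":
    for p in ("SYS/DATA/PUBLIC/REPORT.TXT", "SYS/DATA/PUBLIC/DRAFTS/A.TXT",
              "SYS/DATA/HR/PAY.DAT", "SYS/ADMIN/LOGS/AUDIT.LOG"):
        print(p, "".join(sorted(effective_rights(p, ASSIGN, IRF))))
    print("SYS/INBOX drop box:", is_drop_box("SYS/INBOX", ASSIGN))
```

An empty filter on SYS/ADMIN/LOGS still leaves the trustee with every right there, which is why Supervisor assignments high in a volume deserve the closest review.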
Object Rights
Object rights apply to NDS objects. Object rights don't affect the properties of an object (see property rights later in this section). A trustee can inherit rights to an object from the object above it.
The following table describes object rights.
Table 16. Object Rights
Supervisor | Grants all access privileges. A trustee with the Supervisor object right also has unrestricted access to all properties. The Supervisor object right can be blocked by an Inherited Rights Filter below the object where the Supervisor right is granted.
Browse | Grants the right to see this object in the Directory tree. The name of the object is returned when a search is made that matches the object.
Create | Grants the right to create a new object below this object in the Directory tree. Rights are not defined for the new object. This right is only available on container objects because non-container objects can't have subordinates.
Delete | Grants the right to delete the object from the Directory tree. Objects that have subordinates can't be deleted (unless subordinates are deleted first).
Rename | Grants the right to change the name of the object, in effect changing the naming property. This changes the object's complete name.
Property Rights
Property rights apply to the properties of an NDS object. Rights can be assigned to all properties as a whole or to selected properties.
The following table describes property rights:
Table 17. Property Rights
Supervisor | Grants all rights to the property. The Supervisor property right can be blocked by an object's Inherited Rights Filter.
Compare | Grants the right to compare any value to a value of the property. With the compare right, an operation can return True or False, but you can't see the value of the property. The Read right includes the Compare right.
Read | Grants the right to read the values of the property. Compare is a subset of Read. If the Read right is given, compare operations are also allowed.
Write | Grants the right to add, change, or remove any values of the property. The Write right includes the Add or Delete Self right.
Add or Delete Self | Grants a trustee the right to add or remove itself as a value of the property. The trustee can't affect any other values of the property. This right is only meaningful for properties that contain object names as values, such as group membership lists or mailing lists. The Write right includes Add or Delete Self.
To grant directory or file rights to other objects, a trustee must have the Access Control right to a directory or file.
To grant object or property rights to other objects, a trustee must have the Write, Add or Delete Self, or Supervisor right to the ACL property of the object.
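As an added example (not from the original documentation), the audit below lists which trustees of one object can change its trustee list under the rule above, after expanding the "includes" relations from Table 17. The target labels OBJECT, ALL_PROPERTIES and ACL and the sample entries are constructed; only direct assignments are considered (no inheritance or Inherited Rights Filter), and it assumes a selected-property assignment overrides an all-properties assignment for that property.

```python
# Added example: which trustees can change an NDS object's trustee list?
# Direct assignments only (no inheritance or IRF); labels and entries are constructed.
# Property rights: S(upervisor), C(ompare), R(ead), W(rite), A(dd or Delete Self)
IMPLIES = {"S": "SCRWA", "R": "RC", "W": "WA"}

def expand(rights):
    """Close property rights over 'includes' (Read->Compare, Write->Add or Delete Self)."""
    out = set(rights)
    for r in rights:
        out |= set(IMPLIES.get(r, ""))
    return out

def can_grant(acl):
    """acl: [(trustee, target, rights)]; target is OBJECT, ALL_PROPERTIES or a property name."""
    per_trustee = {}
    for trustee, target, rights in acl:
        # Object rights use their own letters, so only property rights are expanded.
        value = set(rights) if target == "OBJECT" else expand(rights)
        per_trustee.setdefault(trustee, {})[target] = value
    found = {}
    for trustee, t in per_trustee.items():
        if "S" in t.get("OBJECT", set()):
            found[trustee] = "object Supervisor"  # unrestricted access to all properties
            continue
        # Assumption: a selected-property assignment overrides the all-properties one.
        on_acl = t["ACL"] if "ACL" in t else t.get("ALL_PROPERTIES", set())
        hit = on_acl & set("SWA")
        if hit:
            found[trustee] = "ACL property: " + "".join(sorted(hit))
    return found

# Constructed trustee list for a single object.
SAMPLE_ACL = [
    ("admin", "OBJECT", "S"),
    ("jill", "ALL_PROPERTIES", "RC"),
    ("ops", "ALL_PROPERTIES", "W"),
    ("helpdesk", "ALL_PROPERTIES", "W"),
    ("helpdesk", "ACL", "R"),
    ("printq", "ACL", "A"),
]

if __name__ == "__main__":
    for trustee, reason in can_grant(SAMPLE_ACL).items():
        print(trustee, "->", reason)
```

In the sample, ops is flagged because Write on all properties reaches the ACL property, while helpdesk is not because its selected ACL assignment carries only Read.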
Rights are granted and revoked by creating trustee assignments with the RIGHTS, NETADMIN, or NetWare Administrator utilities.
Related utilities: NETADMIN, NetWare Administrator, and RIGHTS in Utilities Reference.
See also Access Control List; Security.