Controlling Access

NDS* provides a basic level of network access security through default rights. You can provide additional access control using the procedures outlined in this document.

How Rights Work

Each time a user attempts to access a network resource, the system calculates that user's effective rights to the target resource.

  • If the target resource is an NDS object, NDS does the calculation.

  • If the target resource is a file or folder on a NetWare* volume, the NetWare file system does the calculation.

To calculate a user's effective rights, the system uses the following process:

Note: This is the logical process, not the exact implementation. For an example of this process, see Rights Example.

  1. Make a list of the trustees whose rights are to be considered in the calculation. These include

    • The user who is attempting to access the target resource

    • The objects that the user is security equivalent to

  2. For each trustee in the list, determine its effective rights as follows:

    1. Start with the inheritable rights that the trustee has at the root of the tree.

      Check the access control list (ACL) of the [Root] object for entries that list the trustee. If any are found and they are inheritable, use the rights specified in those entries as the initial set of effective rights for the trustee.

    2. Move down a level in the branch of the tree that contains the target resource.

    3. Remove any rights that are filtered at this level.

      Check the ACL at this level for inherited rights filters (IRFs) that match with the right types (object, all properties, or specific properties) of the trustee's effective rights. If any are found, remove from the trustee's effective rights any rights that are blocked in the IRFs.

      For example, if the trustee's effective rights so far include an assignment of the Write right to all properties but an IRF at this level blocks Write to all properties, the system removes (converts to zero) the Write right to all properties in the trustee's effective rights.

      Note: Zero rights is different from having no rights assignment at all. Zero rights is an explicit denial of a category of rights, whereas not having an assignment of that category of rights does not constitute a denial of those rights.

    4. Add any inheritable rights that are assigned at this level, overriding as needed.

      Check the ACL at this level for entries that list the trustee. If any are found and they are inheritable, copy the rights from those entries to the trustee's effective rights, overriding as needed.

      For example, if the trustee's effective rights so far include the Create and Delete object rights but no property rights, and if the ACL at this level contains both an assignment of zero object rights and an assignment of Write to all properties for this trustee, then the system replaces the trustee's existing Create and Delete object rights with zero object rights and adds the Write right to all properties.

    5. Repeat the previous three substeps until the ACL of the target resource has been processed.

    6. Add any noninheritable rights assigned in the ACL of the target resource, overriding as needed.

      Use the same process described above for adding the inheritable rights.

    The resulting set of rights constitutes the effective rights for this trustee. The system does this for each trustee in the list, and then proceeds with Steps 3 and 4 below.

  3. Combine the effective rights of all the trustees.

    • Include every right held by any trustee in the list, and exclude only those rights that are missing from every trustee in the list.

    • Do not add different types of rights to each other. For example, do not add rights for a specific property to rights for all properties or vice versa.

  4. Add rights that are implied by any of the current effective rights.

The set of rights that results from this process constitutes the user's effective rights to the target resource. See Rights Example.

Rights Example

In the tree shown below, user DJones is attempting to access volume Acctg_Vol. The steps below the diagram explain how NDS calculates DJones' effective rights to Acctg_Vol.

[Tree diagram not available]

  1. The trustees whose rights are to be considered in the calculation are DJones, Marketing, [Root], and [Public]. (These are the objects that DJones is security equivalent to, assuming he doesn't belong to any groups or organizational roles and has not been explicitly assigned any security equivalences.)

  2. The effective rights for each trustee are as follows:

    • DJones:   zero object, zero all properties

      Although DJones is assigned the Write right to all properties at the Accounting container and the assignment is inheritable, the assignment is overridden by the assignment of zero rights to all properties at Acctg_Vol.

    • Marketing:   zero all properties

      Although Marketing is assigned the Write right to all properties at the root of the tree and the assignment is inheritable, the Write right is blocked (converted to zero) by the IRF on the Accounting container.

    • [Root]:   (no rights)

      There are no entries for [Root] in any of the ACLs in the pertinent branch of the tree.

    • [Public]:   Browse object, Read all properties

      These rights are assigned to [Public] at the root of the tree and are not filtered or overridden in the pertinent branch of the tree.

  3. Combining the rights from all these trustees, we get the following effective rights for DJones:

    DJones:   Browse object, Read all properties

  4. Finally, the Read right implies the Compare right, so we add Compare to DJones' effective rights:

    DJones:   Browse object, Read and Compare all properties

For details on the logic of this process, see How Rights Work.

For tips on the effects of this process and ways to control it, see Notes and Tips.
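The following is an added example, not part of the original Novell document: a small Python model of the effective-rights calculation described in How Rights Work, run on the tree from the Rights Example. The ACL entries, IRF and tree path are assumed from the text of the example; specific-property rights are left out of the model.

```python
# Added example (not Novell's code): model of the NDS effective-rights
# calculation, using the DJones / Acctg_Vol scenario from the Rights Example.
# ACLs, IRFs and the tree path below are assumptions taken from that text.

RIGHT_TYPES = ("object", "all_properties")          # specific properties omitted
IMPLIED = {("all_properties", "Read"): "Compare"}   # step 4: Read implies Compare

# ACL per object: list of (trustee, right_type, rights, inheritable).
# An entry with an empty set is an explicit assignment of zero rights.
ACLS = {
    "[Root]": [("[Public]", "object", {"Browse"}, True),
               ("[Public]", "all_properties", {"Read"}, True),
               ("Marketing", "all_properties", {"Write"}, True)],
    "Accounting": [("DJones", "all_properties", {"Write"}, True)],
    "Acctg_Vol": [("DJones", "object", set(), False),
                  ("DJones", "all_properties", set(), False)],
}
# IRF per object: rights blocked for each right type (absent = nothing blocked).
IRFS = {"Accounting": {"all_properties": {"Write"}}}

def trustee_rights(trustee, path):
    """Walk from [Root] down to the target, applying substeps 2.1 through 2.6."""
    eff = {}  # right_type -> set of rights; a missing key means no assignment at all
    for depth, obj in enumerate(path):
        is_target = depth == len(path) - 1
        if depth > 0:  # step 2.3: filter; only applies to rights already held
            for rtype, blocked in IRFS.get(obj, {}).items():
                if rtype in eff:
                    eff[rtype] = eff[rtype] - blocked   # may leave an explicit zero
        # steps 2.1/2.4: inheritable entries; step 2.6: noninheritable at target
        for who, rtype, rights, inheritable in ACLS.get(obj, []):
            if who == trustee and (inheritable or is_target):
                eff[rtype] = set(rights)   # override per right type, zero included
    return eff

def effective_rights(user, equivalences, path):
    combined = {t: set() for t in RIGHT_TYPES}
    for trustee in [user] + list(equivalences):      # step 1: trustee list
        for rtype, rights in trustee_rights(trustee, path).items():
            combined[rtype] |= rights                 # step 3: union within a type only
    for (rtype, right), implied in IMPLIED.items():  # step 4: implied rights
        if right in combined[rtype]:
            combined[rtype].add(implied)
    return combined

if __name__ == "__main__":
    print(effective_rights("DJones", ["Marketing", "[Root]", "[Public]"],
                           ["[Root]", "Accounting", "Acctg_Vol"]))
```

Running it reproduces the result of the example (Browse object; Read and Compare all properties) and shows why the [Public] assignment at [Root] survives: no trustee in DJones' list has an assignment lower in the tree that overrides it.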

Default Rights

NDS provides the following default rights:

  • User Admin has all rights in the NDS tree and in the NetWare file system.

  • The [Public] trustee has the Browse right to the root of the tree.

    This enables all objects, by security equivalence to [Public], to browse the tree.

  • User objects created in a container have the following file system rights on the Sys volumes in the container:

    • Read and File Scan to the Login and Public folders

    • Create to the Mail folder

    They also have these rights on the Sys volumes in all parent containers, but not on the Sys volumes in subordinate containers.

  • If a home directory is automatically created during User object creation, the user has all file system rights to the home directory, no matter where it is in the tree.

    Note: ConsoleOne* does not yet provide the capability to create home directories automatically or to set file system rights. Use NetWare Administrator or an equivalent utility.

Viewing Effective Rights

Each time a user attempts to access a network resource, the system calculates that user's effective rights to the target resource. For details on how this process works, see How Rights Work.

To view a user's effective rights to a resource,

  1. Right-click the resource (the object that you are trying to control the user's access to), and then choose Trustees of this Object.

  2. Display the user's effective rights.

    • If the user is listed as a trustee, click the user and then click the Effective Rights button.

    • If the user is not listed as a trustee, click the Effective Rights button, and then in the Effective Rights dialog box, browse for the user.

  3. View the particular effective rights that you are interested in.

    Remember that effective rights to specific properties are not displayed in the dialog box unless you select those properties in the list.

    For help with this step, see Effective Rights.

Setting Rights

Each time a user attempts to access a network resource, the system calculates that user's effective rights to the target resource. To understand how this works, see How Rights Work.

One way to control a user's effective rights to a resource is to make an explicit trustee assignment.

  • You can make the trustee assignment on the target resource itself, or you can make it on a container object above the target resource in the tree if the assignment is inheritable.

  • In the assignment, you can set the User object as the trustee, or you can set an object that the user is security equivalent to as the trustee.

To create or modify an explicit trustee assignment,

  1. Right-click the object that the trustee assignment is (or will be) stored in, and then choose Trustees of this Object.

    This object can be the target resource, or it can be a container above the target resource if the assignment is inheritable.

  2. On the property page, add the new trustee assignment or edit the existing trustee assignment.

    For help with this step, see Trustees of this Object.

  3. Click OK.

Once you have made the trustee assignment, you might want to check the user's effective rights to the target resource to see if the assignment had the desired effect. See Viewing Effective Rights.

Blocking Inheritance

Assignments of inheritable rights to a container object flow down the tree and become effective on subordinate resources. To understand how this works, see How Rights Work.

For a particular trustee, you can override higher rights assignments by making an explicit assignment of fewer rights lower in the tree (see Setting Rights).

However, to block all inheritable rights from flowing down the tree, no matter who the trustee is, you must create an inherited rights filter (IRF).

To create or modify an IRF,

  1. Right-click the object that you want to block rights from being inherited to, and then choose Trustees of this Object.

    If the object is a container, inheritance will also be blocked to all subordinate objects.

  2. Click the NDS Rights tab, and then choose the Inherited Rights Filters page.

  3. On the page, add the new IRFs or edit the existing IRFs.

    For help with this step, see Inherited Rights Filters.

  4. Click OK.

Keep in mind that this affects only inherited rights. You might want to check users' effective rights to see if the IRF had the desired effect. See Viewing Effective Rights.

Granting Equivalence

It is often easier to grant rights to a user by security equivalence than by making trustee assignments for that user explicitly.

However, rights granted by security equivalence are often overlooked by administrators who are attempting to block effective rights, and so the rights seem to circumvent their efforts. This reflects a lack of understanding of how the system calculates effective rights. See How Rights Work.

In NDS, some security equivalences are granted automatically and others are implied for all users. (See Security Equivalence.) In addition to these, you can grant security equivalences explicitly.

You can grant a user security equivalence to an object explicitly in either of two ways:

  • Add the object to the user's Security Equal To page

  • Add the user to the object's Security Equal To Me page

It doesn't matter which way you use, because the system keeps the lists on these pages synchronized automatically.

To add an object to a user's Security Equal To page,

  1. Right-click the user, and then choose Properties.

  2. On the Memberships tab, choose the Security Equal To page.

  3. On the page, add the objects that you want the user to be security equivalent to.

    For help with this step, see Security Equal To.

  4. Click OK.

To add a user to an object's Security Equal To Me page,

  1. Right-click the object, and then choose Properties.

  2. Choose the Security Equal To Me page.

    For a container object, this page is on its own tab. For a Group object, the page is on the Members tab. For a User object, the page is on the Memberships tab.

  3. On the page, add the users who you want to be security equivalent to this object.

    For help with this step, see Security Equal To Me.

  4. Click OK.

Once you have granted a security equivalence, you might want to check the user's effective rights to see if the security equivalence had the desired effect. See Viewing Effective Rights.

Managing by Group

It is often easier to grant rights to a user by creating a Group object, making the user a member of the group, and then granting rights to the group.

Members of a group are automatically security equivalent to the group.

To create a group,

  1. Right-click the container object that you want to create the new Group object in, and then choose New > Group.

  2. Fill in the Group Name field.

    For help with this step, see Group Name.

  3. Click Create.

To make a user a member of a group,

  1. Right-click the user or the group, and then choose Properties.

  2. For a user, click Memberships > Group Membership. For a group, click Members > Members.

  3. On the page, add the Group or User object to the list.

    • If you are viewing the properties of the user, add the Group object. See Group Membership.

    • If you are viewing the properties of the group, add the User object. See Members.

    • The membership lists in the User and Group objects are kept synchronized by the system.

  4. Click OK.

To grant rights to the group, see Setting Rights.

Once you have completed these tasks, you might want to check the user's effective rights to see if the group membership had the desired effect. See Viewing Effective Rights.

Notes and Tips

  • ConsoleOne does not yet provide the capability to view or change the inheritable setting for rights assignments. Use NetWare Administrator or an equivalent utility.

  • Because of the way effective rights are calculated, it is not always obvious how to block particular rights from being effective for individual users without resorting to an IRF. (An IRF blocks rights for all users.) You have two options:

    • Ensure that neither the user nor any of the objects that the user is security equivalent to is assigned the unwanted rights, neither in the ACL of the target resource nor in the ACL of any container above the target resource, including [Root].

    • If any of the relevant trustees (the user and the objects that the user is security equivalent to) are assigned the unwanted rights, ensure that each of those trustees has an assignment lower in the tree that overrides the unwanted rights. For more information, see How Rights Work.

Related Topics

For other related topics, see the index.

* Novell trademark. ** Third-party trademark. For more information, see Trademarks.