5.1 eDirectory Objects and Security Equivalence

In OES, administrators, users, and network resources are represented as objects in an eDirectory database. Use Novell iManager to create eDirectory objects, such as Organization, Organizational Unit, Group, User, and Admin. For information, see the Novell eDirectory 8.8 SP7 Administration Guide.

For example, in the following figure, the TREE container is configured and created when you install eDirectory. Later, you must populate the tree with container and leaf objects to represent the various resources in your company. YourCo is the main Organization (O) object in your TREE domain. In the YourCo container, you create Finance as an Organizational Unit (OU) object. In the Finance container, you create Accounts as an OU object that contains all accounting resources. Other OUs within Finance might represent Sales or Marketing organizations. In the Accounts container, Bob is a User object for a system user who is assigned to the Accounts Department.

Figure 5-1 Example eDirectory Container and Objects

Example Tree Structure in eDirectory

Security equivalences help to simplify the task of assigning objects as file system trustees for your directories and files. Security equivalence is recorded in eDirectory as the value for the Security Equal To property of a User object. You can establish security equivalences explicitly, automatically, or implicitly.

Security equivalence is effective only for one step; it is not transferred by a subsequent security equivalence. For example, if you make a third user security equivalent to Joe in the example above, that user receives only Joe’s original security settings. The third user does not receive Admin rights or any other Security Equal To properties Joe might have.

Whenever a user attempts to access a network resource, eDirectory calculates the user’s security equivalence and makes that information available to the NCP Server. NCP Server compares the user’s security equivalence information to the trustee assignments for the path and target directory or file to determine if the user can access the target resource and what action on it is permitted.

For example, the user Joe is made a trustee of the Joe folder, and has access only to files in the Joe folder. Figure 5-2 demonstrates how Joe’s view of the file system differs if the files are on a volume where the Trustee Model is applied as compared to the ACL method on other file systems.

Figure 5-2 File System Tree View for Joe with the Trustee versus ACL Methods

Users can assign other users as trustees of files in directories where they have the file system Access Control right or Supervisor right. For example, Amy makes Joe a trustee of the o.mpg file in her personal Amy folder, and grants Joe Read Only access to the file. On an NSS file system, Joe now sees the \Amy\o.mpg path and file in addition to his personal folder. Joe cannot see other files in the Amy folder.

Figure 5-3 File System Tree View of a Shared File for Joe with the Trustee versus ACL Methods
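The following is an added example, not code from the OES documentation or from NSS itself: a small Python model of the check described above, combining one-step (non-transitive) security equivalence with trustee assignments on the target and its parent directories. The object names, paths, right letters, and the Inherited Rights Filter being left out are assumptions of this example.

```python
# Added example: a simplified model of an NCP-style trustee check.
# Data below is constructed for illustration; it is not real eDirectory output.
from typing import Dict, List, Set

# Constructed "Security Equal To" property values per eDirectory object.
SECURITY_EQUAL_TO: Dict[str, Set[str]] = {
    "Admin": set(),
    "Amy": set(),
    "Joe": {"Admin"},    # Joe was made security equivalent to Admin
    "Third": {"Joe"},    # Third was made security equivalent to Joe
}

# Constructed trustee assignments: path -> trustee -> rights.
# Right letters are placeholders: R = Read, W = Write, F = File Scan,
# A = Access Control, S = Supervisor.
TRUSTEES: Dict[str, Dict[str, Set[str]]] = {
    "\\Finance": {"Admin": {"S"}},
    "\\Joe": {"Joe": {"R", "W", "F"}},
    "\\Amy": {"Amy": {"R", "W", "F", "A"}},
    "\\Amy\\o.mpg": {"Joe": {"R"}},   # Amy granted Joe Read Only on her file
}


def security_equivalences(user: str) -> Set[str]:
    """Objects whose trustee assignments apply to `user`.

    Effective for one step only: the objects `user` is equivalent to are
    included, but their own Security Equal To values are not followed.
    """
    return {user} | SECURITY_EQUAL_TO.get(user, set())


def _ancestors(path: str) -> List[str]:
    """Root first, then each parent, then the path itself."""
    parts = [p for p in path.split("\\") if p]
    return ["\\"] + ["\\" + "\\".join(parts[:i + 1]) for i in range(len(parts))]


def effective_rights(user: str, path: str) -> Set[str]:
    """Union of rights from assignments on the target or its parents that name
    the user or one of the user's one-step equivalences (no IRF modelled)."""
    identities = security_equivalences(user)
    rights: Set[str] = set()
    for p in _ancestors(path):
        for trustee, granted in TRUSTEES.get(p, {}).items():
            if trustee in identities:
                rights |= granted
    return rights


def can_see(user: str, path: str) -> bool:
    """The path is visible to the user only if some right is granted on it."""
    return bool(effective_rights(user, path))
```

With this data, Third is equivalent to Joe but gains nothing on \Finance, while Joe sees \Amy\o.mpg and not other files in \Amy.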

For more information about eDirectory objects and rights, see eDirectory Rights in the Novell eDirectory 8.8 SP7 Administration Guide. For information about file-system trustee rights, see Section 5.2, File-System Trustee Rights.