6.5 NFARM (OES File Access Rights Management)

OES File Access Rights Management (NFARM) is a Windows-based shell extension that enables Windows Active Directory administrators to manage the rights of AD users or groups on Novell Storage Services (NSS) resources.

NFARM helps AD administrators or users with sufficient rights to manage the following:

  • Trustees' explicit rights and the inherited rights filter, and view effective rights. You can also view trustees with rights from the selected path and child or parent directories.

  • Owners, NSS attributes and directory quota

  • User quotas

  • All paths that a user is a trustee of

  • Salvage and Purge (also supports eDirectory users)

NOTE:

  • User Quota and File System Rights operations are restricted to AD domain administrators. To use these features, you must be logged in to the Windows workstation using the AD domain administrative credentials.

  • To view or modify User Quota and File System Rights for an AD user from the trusted domain or forest, ensure that the user belongs to the AD supervisor group of the domain to which the OES server is joined.

The term object, as used in this section, indicates a path, folder, or volume.

After performing any operation in NFARM, you can click the following:

  • Apply to save changes to the NSS file system and remain in the same window.

  • OK to save changes to the NSS file system and exit.

  • Cancel to discard changes and exit.

All these operations are performed on a Windows mapped network drive that is mapped to an NSS volume, NSS Folder, or CIFS Share in the Windows client. These shares must be compatible with OES 2015 or later servers that have NSS AD set up and configured.

6.5.1 NFARM Support Matrix

This section lists the requirements for installing and running NFARM:

  • Operating Systems (32 or 64-bit): NFARM can be installed on Windows 10, Windows 8.1, Windows 8, Windows 7 SP1, Windows 7, Windows 2012 R2, Windows 2012, Windows 2008 R2, and Windows 2008.

  • OES: NFARM is supported beginning with OES 2015.

  • Active Directory: Active Directories installed and configured on Windows 2008, Windows 2008 R2, Windows 2012 and Windows 2012 R2.

6.5.2 Prerequisites for Installing NFARM

  • Ensure that you have installed and configured NSS AD following the instructions in Section 3.0, Installing and Configuring NSS AD Support.

  • Ensure that the Windows mapped network drive NSS volumes and CIFS shares are accessible. All NFARM operations are performed on a Windows mapped network drive NSS volume or CIFS share that is compatible with OES 2015 or later servers that have NSS AD set up and configured. For more information on mapping a CIFS share, see Accessing Files from a Windows Client in the OES 2015 SP1: Novell CIFS for Linux Administration Guide.

  • Based on your Windows operating system, download and install the correct version of NFARM (64-bit or 32-bit) from the OES Welcome page (https://<OES server IP or the host name>/welcome/client-software.html).

  • Ensure that your Windows operating system has been configured to authenticate using Active Directory.

  • The maximum memory units that can be specified for the directory and user quotas in NFARM are as follows:

    • KB: 9007199254740991

    • MB: 8796093022207

    • GB: 8589934591

    • TB: 8388607

    • PB: 8191

6.5.3 Installing and Accessing NFARM

Based on your Windows operating system, download the matching version of NFARM (64-bit or 32-bit) from the OES Welcome page (http://<OES server IP Address or the host name>/welcome/client-software.html), and install it.

After installing NFARM, map an NSS volume or CIFS share, then right-click the mapped share and select Properties to access the NFARM tabs.

6.5.4 Managing the Trustee Rights in the NSS File System

Using the Trustees tab, you can do the following:

  • View, add, edit, and remove explicit trustees and their rights on a selected path, which can be the root of a volume, a folder in the volume, a file or CIFS share.

  • View and edit the Inherited Rights Filter (IRF) for the selected path.

  • View the effective rights trustees on the selected path, and manage the rights inheritance on the selected path.

Managing the Explicit Rights of Trustees

Explicit rights are the rights defined for the trustee (user or group) on an object. This section explains the procedure to add or remove trustees on an object in addition to managing their explicit rights on the selected object. The trustee names displayed here are always preceded by the AD domain name along with the following eight NSS rights:

  • Supervisor: Grants all rights to the directory or file and any subordinate items. The Supervisor right can't be blocked by an Inherited Rights Filter. Users with this right can grant or deny other users rights to the directory or file.

  • Read: For a directory, grants the right to open files in the directory and read the contents or run the programs. For a file, grants the right to open and read the file.

  • Write: For a directory, grants the right to open and change the contents of files in the directory. For a file, grants the right to open and write to the file.

  • Erase: Grants the right to delete the directory or file.

  • Create: For a directory, grants the right to create new files and directories in the directory. For a file, grants the right to create a file and to salvage a file after it has been deleted.

  • Modify: Grants the right to change the attributes or name of the directory or file, but does not grant the right to change its contents (changing the contents requires the Write right).

  • File Scan: Grants the right to view directory and file names in the file system structure, including the directory structure from that file to the root directory.

  • Access Control: Grants the right to add and remove trustees for directories and files and modify their trustee assignments and Inherited Rights Filters.

    NOTE: These NSS rights are not related to the Microsoft Windows rights in any way.

  • To edit or remove rights for the displayed trustees, select or clear the respective rights check boxes. Multiple trustee edit is possible.

  • To add trustees on a selected path, click Add..., search and select the AD users or groups, then select the rights. If you are entering multiple trustee names in the Enter the object names to select (examples) text box, separate each trustee with a semicolon.

  • To remove trustees, select the trustees that you want to remove, then click Remove.

    HINT: To delete multiple trustees, press and hold the Ctrl key while selecting multiple trustees.

    After managing the explicit rights, ensure that you click Apply for your changes to take effect in the NSS file system.

Managing Inherited Rights Filter (IRF)

Subdirectories and files can inherit rights from their parent directory. The directory’s rights flow down through its structure to subdirectories and files, except for specific subdirectories or files with their own trustee assignments that supersede inherited rights. When granting a trustee assignment to a subdirectory or file, the trustee assignment takes precedence over the inherited rights of its parent directory.

The Inherited Rights Filter section displays the list of rights that are inherited from the parent object. To block inheritance of rights from the parent object to the selected object (file or directory), clear the respective NSS rights, then click Apply for the changes to take effect in the NSS file system.

The Supervisor right cannot be blocked.

Viewing the Effective Rights

A user’s explicit rights on a directory are combined with the filtered rights inherited from its parent directory. Any rights through security equivalence are also applied.

A user’s explicit rights on a file override any rights that can be inherited from its parent directory. In this case, the user has only the rights granted, and the inherited rights are ignored. If the user is a member of another group or role that also has explicit rights to the file, the user’s effective rights on the file are a combination of the rights granted for the user and the rights granted for the group or role. If the rights of the group or role are more restrictive than the user’s explicit rights, it has no effect on rights granted to the user.

An object’s effective rights to a subdirectory are the set of distinct rights from the following:

  • Rights inherited for the user from the parent directory, with consideration of the inherited rights filter set for the subdirectory.

  • Rights set explicitly for the user on the directory.

  • Rights set explicitly for a security-equivalent object on the directory:

    • Explicit by assignment (Security Equal To property)

    • Automatic by membership in a group or role

    • Implied by its parent container and by the [Public] container

    More restrictive security-equivalent rights do not override rights granted for the trustee on the directory or for the trustee’s filtered inherited rights.

An object’s effective rights to a file are determined by the following:

  • Rights inherited for the user from the parent directory, with consideration of the inherited rights filter set for the file.

    If the user has rights set on the parent directory or is security equivalent to an object with explicit rights set there, those are the rights that flow down to the file for the user and are subject to the IRF.

    Inherited rights for a file are ignored if rights are set explicitly for the object or for a security equivalent of the object. This behavior is different than for a directory.

  • Rights set explicitly for the user on the file.

    Inherited rights are ignored. Explicit trustee rights for a security equivalent object are added. More restrictive security-equivalent rights do not override rights set for the trustee on the file.

  • Rights set explicitly for a security-equivalent object on the file:

    • Explicit by assignment (Security Equal To property)

    • Automatic by membership in a group or role

    • Implied by its parent container and by the [Public] container

      Inherited rights are ignored. Explicit trustee rights are added.

For more information, see How Effective Rights Are Calculated in the NetIQ eDirectory 8.8 SP8 Administration Guide.
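The difference between the directory rule and the file rule is easiest to see when it is computed. The following is an added example, not code from NFARM or OES: a simplified model of the rules as this section words them, run over a shortened, constructed directory path. The trustee names, rights assignments, and function names are hypothetical.

```python
from enum import IntFlag

class Right(IntFlag):
    S = 1    # Supervisor
    R = 2    # Read
    W = 4    # Write
    E = 8    # Erase
    C = 16   # Create
    M = 32   # Modify
    F = 64   # File Scan
    A = 128  # Access Control

ALL, NONE = Right(255), Right(0)

def apply_irf(inherited, irf):
    """Filter inherited rights; Supervisor cannot be blocked by an IRF."""
    return (inherited & irf) | (inherited & Right.S)

def effective_at(node, inherited, principals):
    """Rights on one object for a user plus its security equivalents."""
    trustees = node.get("trustees", {})
    explicit = [trustees[p] for p in principals if p in trustees]
    own = NONE
    for r in explicit:
        own |= r
    if node["kind"] == "file" and explicit:
        result = own  # file: explicit assignment present, inherited ignored
    else:
        result = apply_irf(inherited, node.get("irf", ALL)) | own
    return ALL if result & Right.S else result  # Supervisor grants all rights

def effective_rights(path, principals):
    """Walk from the volume root to the target, carrying rights down."""
    rights = NONE
    for node in path:
        rights = effective_at(node, rights, principals)
    return rights

# Constructed sample data (trustee names and assignments are hypothetical).
ALICE = ["ACME\\alice", "ACME\\hr-staff"]  # the user plus a group she belongs to
DIRS = [
    {"name": "vol1", "kind": "dir"},
    {"name": "org", "kind": "dir",
     "trustees": {"ACME\\hr-staff": Right.R | Right.F}},
    {"name": "emp", "kind": "dir", "irf": ALL & ~Right.F,  # IRF blocks File Scan
     "trustees": {"ACME\\alice": Right.W | Right.C}},
]
PLAIN_FILE = {"name": "notes.txt", "kind": "file"}
LOCKED_FILE = {"name": "salary.txt", "kind": "file",
               "trustees": {"ACME\\alice": Right.R}}

if __name__ == "__main__":
    for f in (PLAIN_FILE, LOCKED_FILE):
        print(f["name"], repr(effective_rights(DIRS + [f], ALICE)))
```

When auditing a share, the file case is the one to check by hand: an explicit assignment on a file replaces what would otherwise flow down from the directory, so the directory's trustee list alone does not tell you who can read a given file.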

To launch the Effective Rights screen, from the Trustees tab, click Advanced...

By default, for the selected object, the list of trustees along with their rights is displayed. To view the effective rights of some other trustee, click Select, then search or enter the trustee name. You must have adequate rights to view the effective rights of other trustees.

Managing Trustees for Directories

Using the Inherited Rights tab, you can get the explicit rights of the trustees from the selected path to the root of the volume and trustees from the selected path to the child directories in the volume.

To launch the Inherited Rights screen, from the Trustees tab, click Advanced... > Inherited Rights.

For example, assume that you have the following directory structure:

  • \vol1\media\audio

  • \vol1\org\country\us\ny\emp

  • \vol1\org\country\us\slc\emp

  • \vol1\org\country\uk\ln\emp

  • \vol1\org\country\uk\lpl\emp

If you click Parent Directories from the “country” folder, it lists the explicit trustees and their rights on country, org, and vol1. It does not consider the media folder and its subdirectories.

If you click Sub Directories from the “country” folder, it lists the explicit rights of all the trustees in the following directories:

  • \vol1\org\country\us\

  • \vol1\org\country\us\ny

  • \vol1\org\country\us\slc

  • \vol1\org\country\us\ny\emp

  • \vol1\org\country\us\slc\emp

  • \vol1\org\country\uk

  • \vol1\org\country\uk\ln

  • \vol1\org\country\uk\lpl

  • \vol1\org\country\uk\ln\emp

  • \vol1\org\country\uk\lpl\emp

From this tab, you can also modify the explicit rights of the trustees by clearing or selecting the NSS rights check boxes. You can also remove trustees by using the Remove button.

6.5.5 Information

Using the Information tab, you can view and modify:

  • The owner of a file

  • NSS attributes

  • Directory quotas

  1. To change the owner of a file, click Change, then search for and select the new owner.

  2. To set the NSS attributes for the selected path, select or clear the respective attributes. These attributes vary based on the object chosen (file or directory).

  3. To change the directory quota of a selected path, click Edit, then specify the quota limit and the memory unit (KB, MB, GB, TB, PB). After setting the quota, you will be able to view the quota limit set, the used quota and the available quota.

  4. Click Apply for the changes to take effect in the NSS file system.

6.5.6 User Quota

Using the User Quota tab, you can add, edit, or remove the user quota limit for a single or multiple users concurrently. For every user, it lists the quota limit, used, and remaining. To set the user quota, you should either be an AD domain administrator or a user who has administrative privileges. You should also be logged in to the Windows workstation using the AD domain administrative credentials.

  1. To assign quotas for a single or multiple users, click Add..., search and select users, then specify the quota limit.

  2. To edit the quota limit, select users, click Edit..., then modify the quota limit. Press and hold the Ctrl key while selecting multiple users.

  3. To remove the quota set for users, select the users, then click Remove.

NOTE: The user quota is always set at the volume level, regardless of the folder or share from where you have invoked the User Quota.

6.5.7 File System Rights

Using the File System Rights tab, you can do the following:

  • View all the objects that a user is a trustee of

  • Modify the explicit rights that the trustee has on an object

  • Add or remove the objects

  • View the rights of all groups of which the user is a member

NOTE: To view or modify the File System Rights, you should either be an AD domain administrator or a user who has administrative privileges. Further, you should be logged in to the Windows workstation using the AD administrative credentials.

  1. To view the explicit rights of a trustee across objects at the volume level, click Select, then search and select a user or group.

  2. To modify the explicit rights that the trustee has on an object, select or clear the respective NSS rights check boxes next to the object name.

  3. To add an object and to assign rights to the trustee, click Add..., then select the path.

  4. To remove an object on which the trustee has rights, select the object, then click Remove. Press and hold the Ctrl key while selecting multiple objects.

  5. To view rights of all the groups to which the trustee belongs, click Group Rights. Group Rights is disabled if a group is selected.

6.5.8 Salvage and Purge

The Salvage and Purge utility for Windows lets you recover files and directories from the NSS file system or delete them permanently. Files that have been purged cannot be recovered. This tool is installed automatically when you install NFARM.

Salvaging Files

The Salvage utility for Windows lets you recover the deleted files and directories from the NSS file system.

To salvage:

  1. Right-click a Windows mapped network drive or folder, then click Salvage or Properties > Salvage.

    • If you have logged in as AD user, the following tabs are displayed:

    • If you have logged in as eDirectory user, the following tabs are displayed:

  2. Select the salvageable files, then click Salvage. The selected files are salvaged. To salvage all files, click Salvage All.

    HINT:

    • To select all files: Select the first file, then press CTRL+SHIFT+END.

    • To select multiple files: Press and hold the CTRL key, then click the files of your choice.

    • To select a series of files: Press and hold the SHIFT key, then click the first file and the last file.

    • To refresh: Click (refresh) to display the latest list of salvageable files and folders.

    • To sort: Click the column heading to sort the files and folders. The icon indicates descending order and the icon indicates ascending order.

  3. While salvaging, if a file already exists with the same name, you are prompted to rename it.

  4. To see the attributes of the selected files, click More Information. The attributes include: File name, Deletor Name, Date Deleted, Creator Name, Date Created, Modifier Name, Date Modified, Archiver Name, Date Archived, Date Accessed and File Size.

    The More Information dialog box also includes Salvage and Salvage All. Follow the same procedure provided in Step 2 to perform the salvage operation.

Purging Files

The purge utility for Windows lets you delete files and folders permanently from the NSS file system. Purging is an irreversible action. The files that have been purged cannot be recovered.

To purge:

  1. Right-click a Windows mapped network drive or folder, then click Purge or Properties > Purge.

    • If you have logged in as AD user, the following tabs are displayed:

    • If you have logged in as eDirectory user, the following tabs are displayed:

  2. Select the files to be purged, then click Purge. The selected files are purged. To purge all files, click Purge All.

    HINT:

    • To select all files: Select the first file, then press CTRL+SHIFT+END.

    • To select multiple files: Press and hold the CTRL key, then click the files of your choice.

    • To select a series of files: Press and hold the SHIFT key, then click the first file and the last file.

    • To refresh: Click (refresh) to display the latest list of purgeable files and folders.

    • To sort: Click the column heading to sort the files and folders. The icon indicates descending order and the icon indicates ascending order.

  3. To see the attributes of the selected files, click More Information. The attributes include: File name, Deletor Name, Date Deleted, Creator Name, Date Created, Modifier Name, Date Modified, Archiver Name, Date Archived, Date Accessed and File Size.

    The More Information dialog box also includes Purge and Purge All. Follow the same procedure provided in Step 2 to perform the purge operation.