OES File Access Rights Management (NFARM) is a Windows-based shell extension that enables Windows Active Directory administrators to manage the rights of AD users or groups on the Novell Storage Services (NSS) resources.
NFARM helps AD administrators or users with sufficient rights to manage the following:
Trustees’ explicit rights, inherited rights filter, and view effective rights. You can also view trustees with rights from the selected path and subdirectories or parent directories.
Owner, NSS attributes and directory quota
User quotas
All paths that a user is a trustee of
NOTE:
User Quota and File System Rights operations are restricted to AD domain administrators, who must be logged in to the Windows workstation using the AD domain administrative credentials.
To view or modify User Quota and File System Rights for an AD user from the trusted domain or forest, ensure that the user belongs to the AD supervisor group of the domain to which the OES server is joined.
The term object, as used in this section, refers to a path, folder, or volume.
After performing any operation in NFARM, you can click the following:
Apply to save changes to the NSS file system and remain in the same window.
OK to save changes to the NSS file system and exit.
Cancel to discard changes and exit.
All these operations are performed on a Windows mapped network drive that is mapped to an NSS volume, NSS Folder, or CIFS Share in the Windows client. These shares must be compatible with OES 2015 or later servers that have NSS AD set up and configured.
This section lists the requirements for installing and running NFARM:
Operating Systems (32 or 64-bit): NFARM can be installed on Windows 10, Windows 8.1, Windows 8, Windows 7 SP1, Windows 7, Windows 2012 R2, Windows 2012, Windows 2008 R2, and Windows 2008.
OES: NFARM is supported beginning with OES 2015.
Active Directory: Active Directories installed and configured on Windows 2008, Windows 2008 R2, Windows 2012 and Windows 2012 R2.
Ensure that you have installed and configured NSS AD following the instructions at Installing and Configuring NSS Active Directory Support in the OES 2015 SP1: Installation Guide.
Ensure that the mapped NSS volumes and CIFS shares are accessible. All NFARM operations are performed on a mapped NSS volume or CIFS share that is compatible with OES 2015 or above that has NSS AD set up and configured. For more information on mapping a CIFS share, see Accessing Files from a Windows Client in the OES 2015 SP1: Novell CIFS for Linux Administration Guide.
Based on your Windows operating system, ensure that you download the matching version of NFARM (64-bit or 32-bit) from the OES 2015 SP1 welcome page.
Ensure that your Windows operating system has been configured to authenticate using Active Directory.
The maximum memory units that can be specified for the directory and user quotas in NFARM are as follows:
Based on your Windows operating system, download the matching version of NFARM (64-bit or 32-bit) from the OES Welcome page (http://<OES Server IP Address>/welcome/client-software.html) and install it.
After installing NFARM, map an NSS volume or CIFS share, then right-click the mapped share and select Properties to access the NFARM tabs.
Using the Trustees tab, you can do the following:
View, add, edit, and remove explicit trustees and their rights on a selected path, which can be a volume, a folder in the volume, or a file.
View and edit the Inherited Rights Filter (IRF) for the selected path.
View the effective rights and manage the inherited rights of the trustees on a selected path.
Explicit rights are the rights defined for the trustee (user or group) on an object exclusively. This section explains the procedure to add or remove trustees on an object in addition to managing their explicit rights on the selected object. The trustee names displayed here are always preceded by the AD domain name along with the following eight NSS rights:
Supervisor: Grants all rights to the directory or file and any subordinate items. The Supervisor right can't be blocked by an Inherited Rights Filter. Users with this right can grant or deny other users rights to the directory or file.
Read: For a directory, grants the right to open files in the directory and read the contents or run the programs. For a file, grants the right to open and read the file.
Write: For a directory, grants the right to open and change the contents of files in the directory. For a file, grants the right to open and write to the file.
Erase: Grants the right to delete the directory or file.
Create: For a directory, grants the right to create new files and directories in the directory. For a file, grants the right to create a file and to salvage a file after it has been deleted.
Modify: Grants the right to change the attributes or name of the directory or file, but does not grant the right to change its contents (changing the contents requires the Write right).
File Scan: Grants the right to view directory and file names in the file system structure, including the directory structure from that file to the root directory.
Access Control: Grants the right to add and remove trustees for directories and files and modify their trustee assignments and Inherited Rights Filters.
This right does not allow the trustee to add or remove the Supervisor right for any user. It also does not allow the trustee to remove a trustee who has the Supervisor right.
NOTE: These NSS rights are not related to the Microsoft Windows rights in any way.
To edit or remove rights for the displayed trustees, select or clear the respective rights check boxes. Multiple trustee edit is possible.
To add trustees on a selected path, click Add..., search and select the AD users or groups, then select the rights. If you are entering multiple trustee names in the Enter the object names to select (examples) text box, separate each trustee with a semicolon.
To remove trustees, select the trustees that you want to remove, then click Remove.
HINT: To delete multiple trustees, press and hold the Ctrl key while selecting multiple trustees.
After managing the explicit rights, ensure that you click Apply for your changes to take effect in the NSS file system.
Subdirectories and files can inherit rights from their parent directory. The directory’s rights flow down through its structure to subdirectories and files, except for specific subdirectories or files with their own trustee assignments that supersede inherited rights. When granting a trustee assignment to a subdirectory or file, the trustee assignment takes precedence over the inherited rights of its parent directory.
The Inherited Rights Filter section displays the list of rights that are inherited from the parent object. To block inheritance of rights from the parent object to the selected object (file or directory), clear the respective NSS rights, then click Apply for the changes to take effect in the NSS file system.
The supervisor rights cannot be blocked.
A user’s explicit rights on a directory are combined with the filtered rights inherited from its parent directory. Any rights through security equivalence are also applied.
A user’s explicit rights on a file override any rights that can be inherited from its parent directory. In this case, the user has only the rights granted, and the inherited rights are ignored. If the user is a member of another group or role that also has explicit rights to the file, the user’s effective rights on the file are a combination of the rights granted for the user and the rights granted for the group or role. If the rights of the group or role are more restrictive than the user’s explicit rights, it has no effect on rights granted to the user.
An object’s effective rights to a subdirectory are the set of distinct rights from the following:
Rights inherited for the user from the parent directory, with consideration of the inherited rights filter set for the subdirectory.
Rights set explicitly for the user on the directory.
Rights set explicitly for a security-equivalent object on the directory:
Explicit by assignment (Security Equal To property)
Automatic by membership in a group or role
Implied by its parent container and by the [Public] container
More restrictive security-equivalent rights do not override rights granted for the trustee on the directory or for the trustee’s filtered inherited rights.
An object’s effective rights to a file are the set of distinct rights from the following:
Rights inherited for the user from the parent directory, with consideration of the inherited rights filter set for the file.
If the user has rights set on the parent directory or is security equivalent to an object with explicit rights set there, those are the rights that flow down to the file for the user and are subject to the IRF.
Inherited rights for a file are ignored if rights are set explicitly for the object or for a security equivalent of the object. This behavior is different than for a directory.
Rights set explicitly for the user on the file.
Inherited rights are ignored. Explicit trustee rights for a security equivalent object are added. More restrictive security-equivalent rights do not override rights set for the trustee on the file.
Rights set explicitly for a security-equivalent object on the file:
Explicit by assignment (Security Equal To property)
Automatic by membership in a group or role
Implied by its parent container and by the [Public] container
Inherited rights are ignored. Explicit trustee rights are added.
For more information, see How Effective Rights Are Calculated in the NetIQ eDirectory 8.8 SP8 Administration Guide.
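The directory and file rules above can be checked against a small model. This is an added example, not NFARM or NSS code: it is a simplified reading of the rules as this page states them, and the EXAMPLE domain, the users and groups, the file pay.xls and the function name effective_rights are all assumptions. The paths reuse the directory structure shown later in this section.

```python
ORDER = "SRWECMFA"  # Supervisor, Read, Write, Erase, Create, Modify, File Scan, Access Control

def effective_rights(path, is_file, user, equivalents, trustees, irf):
    """Effective NSS rights of `user` on `path`, per the rules described above.

    trustees: {path: {trustee: "RF"}} explicit assignments (constructed data)
    irf:      {path: "RF"} rights the path lets through; absent means all
    equivalents: groups or roles the user is security equivalent to
    """
    names = {user, *equivalents}
    parts = path.strip("\\").split("\\")
    rights = set()
    for depth in range(1, len(parts) + 1):
        node = "\\" + "\\".join(parts[:depth])
        # Rights flowing down pass through this node's IRF; Supervisor cannot be blocked.
        inherited = rights & (set(irf.get(node, ORDER)) | {"S"})
        explicit, assigned = set(), False
        for trustee, granted in trustees.get(node, {}).items():
            if trustee in names:
                explicit |= set(granted)
                assigned = True
        if is_file and depth == len(parts) and assigned:
            rights = explicit              # file: explicit assignment, inheritance ignored
        else:
            rights = inherited | explicit  # directory: filtered inherited plus explicit
        if "S" in rights:
            rights = set(ORDER)            # Supervisor grants all rights
    return "".join(r for r in ORDER if r in rights)

# Constructed sample data; the EXAMPLE domain, users, groups and pay.xls are hypothetical.
TRUSTEES = {
    r"\vol1\org": {r"EXAMPLE\staff": "RF"},
    r"\vol1\org\country": {r"EXAMPLE\alice": "WC"},
    r"\vol1\org\country\us\ny\emp\pay.xls": {r"EXAMPLE\alice": "R"},
    r"\vol1\media": {r"EXAMPLE\admins": "S"},
}
IRF = {r"\vol1\org\country\us": "RF", r"\vol1\media\audio": ""}

if __name__ == "__main__":
    alice, groups = r"EXAMPLE\alice", [r"EXAMPLE\staff"]
    for p, f in [(r"\vol1\org\country", False), (r"\vol1\org\country\us\ny\emp", False),
                 (r"\vol1\org\country\us\ny\emp\pay.xls", True)]:
        print(p, effective_rights(p, f, alice, groups, TRUSTEES, IRF))
    print(effective_rights(r"\vol1\media\audio", False, r"EXAMPLE\bob",
                           [r"EXAMPLE\admins"], TRUSTEES, IRF))
```

The explicit assignment on pay.xls narrows the user to Read only, while a Supervisor assignment on \vol1\media survives an IRF on \vol1\media\audio that blocks every other right.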
To launch the Effective Rights screen, from the Trustees tab, click Advanced...
By default, for the selected object, the list of trustees along with their rights is displayed. To view the effective rights of some other trustee, click Select, then search or enter the trustee name. You must have adequate rights to view the effective rights of other trustees.
Using the Trustees for Directories tab, you can get the explicit rights of the trustees from the selected path to the root of the volume and trustees from the selected path to the child directories in the volume.
To launch the Trustees for Directories screen, from the Trustees tab, click Advanced... > Trustees for Directories.
For example, assume that you have the following directory structure:
\vol1\media\audio
\vol1\org\country\us\ny\emp
\vol1\org\country\us\slc\emp
\vol1\org\country\uk\ln\emp
\vol1\org\country\uk\lpl\emp
If you click Parent Directories from the “country” folder, it lists the explicit trustees and their rights in country, org, and vol1. It does not consider the media folder and its subdirectories.
If you click Sub Directories from the “country” folder, it lists the explicit rights of all the trustees in the following directories:
\vol1\org\country\us\
\vol1\org\country\us\ny
\vol1\org\country\us\slc
\vol1\org\country\us\ny\emp
\vol1\org\country\us\slc\emp
\vol1\org\country\uk
\vol1\org\country\uk\ln
\vol1\org\country\uk\lpl
\vol1\org\country\uk\ln\emp
\vol1\org\country\uk\lpl\emp
From this tab, you can also modify the explicit rights of the trustees by clearing or selecting the NSS rights check boxes. You can also remove trustees by using the Remove button.
Using the Information tab, you can view and modify:
Owner of a file
NSS attributes
Directory quota
To change the owner of a file, click Change, then search for and select the new owner.
To set the NSS attributes for the selected path, select or clear the respective attributes. These attributes vary based on the object chosen (file or directory).
To change the directory quota of a selected path, click Edit, then specify the quota limit and the memory unit (KB, MB, GB, TB, PB). After setting the quota, you will be able to view the quota limit set, the used quota and the available quota.
Click Apply for the changes to take effect in the NSS file system.
Using the User Quota tab, you can add, edit, or remove the user quota limit for a single user or for multiple users concurrently. For every user, it lists the quota limit, the used quota, and the remaining quota. To set the user quota, you should either be an AD domain administrator or an admin-equivalent user who is part of the AD Administrators group. You should also be logged in to the Windows workstation using the AD domain administrative credentials.
To assign quotas for a single or multiple users, click Add..., search and select users, then specify the quota limit.
To edit the quota limit, select users, click Edit..., then modify the quota limit. Press and hold the Ctrl key while selecting multiple users.
To remove the quota set for users, select the users, then click Remove.
NOTE: The user quota is always set at the volume level, regardless of the folder or share from where you have invoked the User Quota.
Using the File System Rights tab, you can do the following:
View all the objects that a user is a trustee of
Modify the explicit rights that the trustee has on an object
Add or remove the objects
View the rights of all groups to which the user is a member
NOTE: To view or modify the File System Rights, you should either be an AD domain administrator or an admin-equivalent user who is part of the AD administrators group. You should also be logged in to the Windows workstation using the AD administrative credentials.
To view the explicit rights of a trustee across objects at the volume level, click Select, then search and select a user or group.
To modify the explicit rights that the trustee has on an object, select or clear the respective NSS rights check boxes next to the object name.
To add an object and to assign rights to the trustee, click Add..., then select the path.
To remove an object on which the trustee has rights, select the object, then click Remove. Press and hold the Ctrl key while selecting multiple objects.
To view rights of all the groups to which the trustee belongs, click Group Rights. Group Rights is disabled if a group is selected.
Salvage and Purge options are introduced in the NFARM utility in OES 2015 SP1. Using these options, AD and eDirectory users can recover or permanently delete files or folders that have already been deleted. For more information on how to perform salvage and purge operations as an AD or eDirectory user, see Salvage and Purge in the OES 2015 SP1: NSS AD Administration Guide.