When you create a tree, the default rights assignments give your network generalized access and security. Some of the default assignments are as follows:
The assignment of rights involves a trustee and a target object. The trustee represents the user or set of users that are receiving the authority. The target represents those network resources the users have authority over.
NOTE: The [Public] trustee is not an object. It is a specialized trustee that represents any network user, logged in or not, for rights assignment purposes.
The following concepts can help you better understand eDirectory rights.
When you make a trustee assignment, you can grant object rights and property rights. Object rights apply to manipulation of the entire object, while property rights apply only to certain object properties. An object right is described as an entry right because it provides an entry into the eDirectory database.
A description of each object right follows:
Supervisor includes all rights to the object and all of its properties.
Browse lets the trustee see the object in the tree. It does not include the right to see an object's properties.
Create applies only when the target object is a container. It allows the trustee to create new objects below the container and also includes the Browse right.
Delete lets the trustee delete the target from the directory.
When you make a trustee assignment, you can grant object rights and property rights. Object rights apply to manipulation of the entire object, while property rights apply only to certain object properties.
iManager gives you two options for managing property rights:
A description of each property right follows:
Supervisor gives the trustee complete power over the property.
Compare lets the trustee compare the value of a property to a given value. This right allows searching and returns only a true or false result. It does not allow the trustee to actually see the value of the property.
Read lets the trustee see the values of a property. It includes the Compare right.
Write lets the trustee create, change, and delete the values of a property.
Add Self lets the trustee add or remove itself as a property value. It only applies to properties with object names as values, such as membership lists or Access Control Lists (ACLs).
Users can receive rights in a number of ways, such as explicit trustee assignments, inheritance, and security equivalence. Rights can also be limited by Inherited Rights Filters and changed or revoked by lower trustee assignments. The net result of all these actions, the rights a user can actually employ, is called effective rights.
A user's effective rights to an object are calculated each time the user attempts an action.
Each time a user attempts to access a network resource, eDirectory calculates the user's effective rights to the target resource using the following process:
eDirectory checks the Object Trustees (ACL) property of the Tree object for entries that list the trustee. If any are found and they are inheritable, eDirectory uses the rights specified in those entries as the initial set of effective rights for the trustee.
eDirectory checks the ACL at this level for Inherited Rights Filters (IRFs) that match with the right types (object, all properties, or a specific property) of the trustee's effective rights. If any are found, eDirectory removes from the trustee's effective rights any rights that are blocked by those IRFs.
For example, if the trustee's effective rights so far include an assignment of Write All Properties, but an IRF at this level blocks Write All Properties, the system removes Write All Properties from the trustee's effective rights.
eDirectory checks the ACL at this level for entries that list the trustee. If any are found, and they are inheritable, eDirectory copies the rights from those entries to the trustee's effective rights, overriding as needed.
For example, if the trustee's effective rights so far include the Create and Delete object rights but no property rights, and if the ACL at this level contains both an assignment of zero object rights and an assignment of Write all properties for this trustee, then the system replaces the trustee's existing object rights (Create and Delete) with zero rights and adds the new all property rights.
eDirectory uses the same process as in Step 2d above. The resulting set of rights constitutes the effective rights for this trustee.
The resulting set of rights constitutes the user's effective rights to the target resource.
User DJones is attempting to access volume Acctg_Vol. (See Figure 21.)
Figure 21
The following process shows how eDirectory calculates DJones' effective rights to Acctg_Vol:
This assumes that DJones doesn't belong to any groups or roles and has not been explicitly assigned any security equivalences.
The assignment of zero all property rights at Acctg_Vol overrides the assignment of Write all properties at Accounting.
The assignment of Write all properties at the top of the tree is filtered out by the IRF at Accounting.
No rights are assigned for Tree anywhere in the pertinent branch of the tree.
These rights are assigned at the root and aren't filtered or overridden anywhere in the pertinent branch of the tree.
DJones: Browse object, Read all properties
DJones: Browse object, Read and Compare all properties
Because of the way that effective rights are calculated, it is not always obvious how to block particular rights from being effective for specific users without resorting to an IRF (an IRF blocks rights for all users).
To block particular rights from being effective for a user without using an IRF, do either of the following:
Security equivalence means having the same rights as another object. When you make one object security equivalent to another object, the rights of the second object are added to the rights of the first object when the system calculates the first object's effective rights.
For example, suppose you make User object Joe security equivalent to the Admin object. After you create the security equivalence, Joe has the same rights to the tree and file system as Admin.
There are three types of security equivalence:
Security equivalence is effective only for one step. For example, if you make a third user security equivalent to Joe in the example above, that user does not receive Admin rights.
Security equivalence is recorded in eDirectory as values in the User object's Security Equal To property.
When you add a User object as an occupant to an Organizational Role object, that User automatically becomes security equivalent to the Organizational Role object. The same is true when a User becomes a member of a Group role object.
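The effective-rights walk and DJones example above, together with the one-step security equivalence just described, as an added simulation (a constructed model, not Novell's code). It assumes an IRF can be represented by the set of rights it blocks, that [Public] holds Browse object and Read all properties at the Tree object, and that the Tree, Accounting and Acctg_Vol entries are as the example's explanations imply; those names are taken from the example, everything else is constructed.

```python
# Constructed model of eDirectory's effective-rights calculation (not Novell's code).
# Rights are sets of strings; "object" and "all" (all properties) are the right types tracked.
from dataclasses import dataclass, field

@dataclass
class Entry:                      # one trustee entry in an Object Trustees (ACL) property
    trustee: str
    kind: str                     # "object" or "all" (all properties)
    rights: frozenset
    inheritable: bool = True

@dataclass
class Node:                       # an object on the path from the Tree object to the target
    name: str
    acl: list = field(default_factory=list)   # list of Entry
    irf: dict = field(default_factory=dict)   # kind -> rights the IRF blocks (assumed model)

def walk(path, trustee):
    """The level-by-level process for one trustee: returns {kind: set(rights)}."""
    eff = {"object": set(), "all": set()}
    for depth, node in enumerate(path):
        if depth > 0:             # IRFs strip only what was inherited from above
            for kind in eff:
                eff[kind] -= node.irf.get(kind, set())
        for e in node.acl:        # an inheritable entry at this level overrides, even if empty
            if e.trustee == trustee and (e.inheritable or node is path[-1]):
                eff[e.kind] = set(e.rights)
    return eff

def effective_rights(path, user, security_equal_to=()):
    """Union of the walk for the user and for every object it is security equivalent to:
    implicitly [Public] and each container above it, explicitly its Security Equal To
    values. Equivalence is one step only: the equivalents' own equivalences are not followed."""
    trustees = [user, "[Public]", *[n.name for n in path[:-1]], *security_equal_to]
    eff = {"object": set(), "all": set()}
    for t in trustees:
        for kind, rights in walk(path, t).items():
            eff[kind] |= rights
    if "Read" in eff["all"]:      # Read includes Compare (property rights list above)
        eff["all"].add("Compare")
    return eff

# Constructed data for the DJones example: Tree -> Accounting -> Acctg_Vol
TREE = Node("Tree", acl=[Entry("[Public]", "object", frozenset({"Browse"})),
                         Entry("[Public]", "all", frozenset({"Read"})),
                         Entry("DJones", "all", frozenset({"Write"}))])
ACCOUNTING = Node("Accounting", irf={"all": {"Write"}},     # IRF filters Write all properties
                  acl=[Entry("DJones", "all", frozenset({"Write"}))])
ACCTG_VOL = Node("Acctg_Vol", acl=[Entry("DJones", "all", frozenset())])  # zero all properties
PATH = [TREE, ACCOUNTING, ACCTG_VOL]

if __name__ == "__main__":
    print(effective_rights(PATH, "DJones"))   # Browse object; Read and Compare all properties
```

DJones' own entries end up contributing nothing, exactly as the example explains; the Browse, Read and Compare rights come from the implicit equivalence to [Public].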
The Access Control List (ACL) is also called the Object Trustees property. Whenever you make a trustee assignment, the trustee is added as a value to the Object Trustees (ACL) property of the target.
This property has strong implications for network security for the following reasons:
For these reasons, be careful giving Add Self rights to all properties of a container object. That assignment makes it possible for the trustee to become Supervisor of that container, all objects in it, and all objects in containers beneath it.
The Inherited Rights Filter allows you to block rights from flowing down the eDirectory Tree. For more information on configuring this filter, see Blocking Inherited Rights to an eDirectory Object or Property.
When you install a new Server object into a tree, the following trustee assignments are made:
eDirectory lets you delegate administration of a branch of the tree, revoking your own management rights to that branch. One reason for this approach is that special security requirements require a different administrator with complete control over that branch.
To delegate administration:
Grant the Supervisor object right to a container.
Create an IRF on the container that filters the Supervisor and any other rights you want blocked.
In Novell iManager, click the Roles and Tasks button.
Click Rights > Modify Inherited Rights Filter.
Specify the name and context of the object whose inherited rights filter you want to modify, then click OK.
Edit the list of inherited rights filters as needed.
To edit the list of filters, you must have the Supervisor or Access Control right to the ACL property of the object. You can set filters that block inherited rights to the object as a whole, to all the properties of the object, and to individual properties.
NOTE: These filters won't block rights that are explicitly granted a trustee on this object, since such rights aren't inherited.
Click OK.
IMPORTANT: If you delegate administration to a User object and that object is subsequently deleted, there are no objects with rights to manage that branch.
To delegate administration of specific eDirectory properties, such as Password Management, see Granting Equivalence.
To delegate the use of specific functions in role-based administration applications, see Configuring Role-Based Services.
When the default rights assignments in your eDirectory tree provide users with either too much or not enough access to resources, you can create or modify explicit rights assignments. When you create or modify a rights assignment, you start by selecting either the resource that you are controlling access to or the trustee (the eDirectory object that possesses, or will possess, the rights).
HINT: To manage users' rights collectively rather than individually, make a group, role, or container object the trustee. To restrict access to a resource globally (for all users), see Blocking Inherited Rights to an eDirectory Object or Property.
In Novell iManager, click the Roles and Tasks button.
Click Rights > Modify Trustees.
Specify the name and context of the eDirectory resource (object) that you want to control access to, then click OK.
Choose a container if you want to control access to all the objects below it.
Edit the list of trustees and their rights assignments as needed.
To modify a trustee's rights assignment, select the trustee, click Assigned Rights, modify the rights assignment as needed, then click Done.
To add an object as a trustee, click Add Trustee, select the object, click OK, click Assigned Rights to assign the trustee's rights, then click Done.
When creating or modifying a rights assignment, you can grant or deny access to the object as a whole, to all the properties of the object, and to individual properties.
To remove an object as a trustee, select the trustee, then click Delete Trustee.
The deleted trustee no longer has explicit rights to the object or its properties but might still have effective rights through inheritance or security equivalence.
Click OK.
In Novell iManager, click the Roles and Tasks button.
Click Rights > Rights to Other Objects.
Enter the name and context of the trustee (the object that possesses, or will possess, the rights) whose rights you want to modify.
In the Context to Search From field, specify the part of the eDirectory tree to be searched for eDirectory objects that the trustee currently has rights assignments to.
Click OK.
A screen appears showing the progress of the search. When the search is done, the Rights to Other Objects page appears with the results of the search filled in.
Edit the trustee's eDirectory rights assignments as needed.
To add a rights assignment, click Add Object, select the object to control access to, click OK, click Assigned Rights, assign the trustee's rights, then click Done.
To modify a rights assignment, select the object you want to control access to, click Assigned Rights, modify the trustee's rights assignment as needed, then click Done.
When creating or modifying a rights assignment, you can grant or deny access to the object as a whole, to all the properties of the object, and to individual properties.
To remove a rights assignment, select the object you want to control access to, then click Delete Object.
The trustee no longer has explicit rights to the object or its properties but might still have effective rights through inheritance or security equivalence.
Click OK.
A user who is security equivalent to another eDirectory object effectively has all the rights of that object. A user is automatically security equivalent to the groups and roles that they belong to. All users are implicitly security equivalent to the [Public] trustee and to each container above their User objects in the eDirectory tree, including the Tree object. You can also explicitly grant a user security equivalence to any eDirectory object.
NOTE: The tasks in this section allow you to delegate administrative authority through eDirectory rights. If you have administration applications that use Role-Based Services (RBS) roles, you can also delegate administrative authority by assigning users membership in those roles.
If you haven't already done so, create the group or role object that you want the users to be security equivalent to.
See Creating an Object for details.
Grant the group or role the eDirectory rights that you want the users to have.
See Assigning Rights Explicitly for details.
Edit the membership of the group or role to include those users who need the rights of the group or role.
In Novell iManager, click eDirectory Administration > Modify Object, specify the name and context of a Group object, click OK, then click the Members tab.
In Novell iManager, click eDirectory Administration > Modify Object, specify the name and context of an rbsRole object, click OK, then click Role Occupant on the General tab.
In Novell iManager, click the Configure button, click Role Configuration > Modify iManager Roles, click the Modify Members button to the left of the role you want to modify, then use the options on the Modify iManager Members page to add or remove members from a role.
Click OK.
In Novell iManager, click the Roles and Tasks button.
Click eDirectory Administration > Modify Object.
Enter the name and context of the user or object that you want the user to be security equivalent to, then click OK.
Click the Security tab, then grant the security equivalence as follows:
The contents of these two property pages are synchronized by the system.
Click OK.
If you haven't already done so, create the User, Group, Role, or Container object that you want to make a trustee of the object's specific properties.
If you create a container as a trustee, all objects inside and below the container will have the rights you grant. You must make the property inheritable or the container and its members will not have rights below its level.
See Creating an Object for information.
In Novell iManager, click the Roles and Tasks button.
Click Rights > Modify Trustees.
Specify the name and context of the highest-level container that you want the administrator to manage, then click OK.
On the Modify Trustees page, click Add Trustee, select the object that represents the administrator, then click OK.
Click Assigned Rights for the trustee you just added, then click Add Property.
Select the properties you want to add to the property list, then click OK.
For each property that the administrator will manage, assign the needed rights.
Be sure to select the Inheritable check box on each rights assignment.
Click Done, then click OK.
In eDirectory, rights assignments on containers can be inheritable or non-inheritable. In the NetWare file system, all rights assignments on folders are inheritable. In both eDirectory and NetWare, you can block such inheritance on individual subordinate items so that the rights aren't effective on those items, no matter who the trustee is. One exception is that the Supervisor right can't be blocked in the NetWare file system.
In Novell iManager, click the Roles and Tasks button.
Click Rights > Modify Inherited Rights Filter.
Specify the name and context of the object whose inherited rights filter you want to modify, then click OK.
This displays a list of the inherited rights filters that have already been set on the object.
On the property page, edit the list of inherited rights filters as needed.
To edit the list of filters, you must have the Supervisor or Access Control right to the ACL property of the object. You can set filters that block inherited rights to the object as a whole, to all the properties of the object, and to individual properties.
NOTE: These filters won't block rights that are explicitly granted a trustee on this object, because such rights aren't inherited.
Click OK.
Effective rights are the actual rights users can exercise on specific network resources. They are calculated by eDirectory based on explicit rights assignments, inheritance, and security equivalence. You can query the system to determine a user's effective rights to any resource.
In Novell iManager, click the Roles and Tasks button.
Click Rights > View Effective Rights.
Enter the name and context of the trustee whose effective rights you want to view, then click OK.
Choose from the following options:
Click Done.