6.5 Using the Files and Folders Plug-In for iManager to Manage Trustees, Trustee Rights, and Inherited Rights

NSS uses the Novell Trustee Model for controlling access to user data. As an administrator or a user with the Supervisor right or Access Control right, you can use the Files and Folders plug-in for iManager to manage file system trustees, trustee rights, inherited rights filters, and attributes for a file or folder on an NSS volume. A user who has only the Access Control right cannot modify the rights of another user who has the Supervisor right.

File system trustees, trustee rights, and inherited rights filters are used to determine access and usage for directories and files on NSS volumes and NCP volumes on OES 2 Linux.

IMPORTANT:Changes do not take effect until you click OK or Apply. If you click a different tab before you save, any changes you have made are lost.

6.5.1 Prerequisites

  • The volume that you want to manage must be in the same tree where you are currently logged in to iManager.

  • You must have trustee rights for the volume, folder, and file that you want to manage.

  • The volume must be a file system that uses the Novell trustee model for file access, such as an NSS volume or an NCP volume (an NCP share on Ext3, XFS, or Reiser file system) on OES 2 Linux.

6.5.2 Viewing, Adding, or Removing File System Trustees

A trustee is any Novell eDirectory object (such as a User object, Group object, Organizational Role object, or other container object) that you grant one or more rights for a directory or file. Trustee assignments allow you to set permissions for and monitor user access to data.

  1. In iManager, click Files and Folders, then click Properties to open the Properties page.

  2. On the Properties page, select a volume, folder, or file to manage, then click OK.

    For instructions, see Section 6.3, Viewing Properties of a File or Folder in iManager.

  3. Click the Rights tab to view the trustees, trustee rights, and inherited rights filter for the selected volume, folder, or file.

  4. To add trustees:

    1. Scroll down to the Add Trustees field.

    2. Use one of the following methods to add user names as trustees:

      • Click the Search icon, browse to locate the user names of the users, groups, or roles that you want to add as trustees, click the name link of the objects to add them to the Selected Objects list, then click OK.

      • Click the History icon to select user names from a list of users, groups, or roles that you recently accessed.

      • Type the typeless distinguished user name (such as username.context) in the Add Trustees field, then click the Add (+) icon.

      • To add the [Public] trustee, type [Public] with a dot before and after it in the Add Trustees field, then click the Add (+) icon. For example:

        .[Public].
        

        You might need to explicitly assign the [Public] trustee as a file system trustee on a directory in an NSS volume and grant it the Read right and File Scan right if you use daemons that run as the nobody user to access files in the directory. Granting file system rights to the [Public] trustee is also required to allow anonymous access to the file system.

        The [Public] trustee is not an eDirectory object. It is a specialized trustee that represents any network user, logged in or not, for rights assignment purposes. By making [Public] a trustee of a volume, directory, or file, you effectively grant all objects in eDirectory the same file system rights.

        IMPORTANT:For security reasons, you should not provide the file system Supervisor right to the [Public] trustee.

      The user names appear in the Trustees list, but they are not actually added until you click Apply or OK. By default, each of the user names has the default Read and File Scan trustee rights assigned.

    3. On the Properties page, click Apply to save the changes.

  5. To grant or revoke rights for a trustee:

    For information about the rights, see Section 6.5.3, Viewing, Granting, or Revoking File System Trustee Rights.

    1. In the check boxes next to the trustee name, select the rights you want to grant.

    2. In the check boxes next to the trustee name, deselect the rights you want to revoke.

    3. On the Properties page, click Apply to save the changes.

  6. To remove trustees:

    1. Scroll down to locate and select the user name of the user, group, or role that you want to remove as a trustee.

    2. Click the Remove (red X) icon next to the user name to remove it as a trustee.

      The user name disappears from the list, but it is not actually removed until you click Apply or OK.

    3. On the Properties page, click Apply to save changes.

6.5.3 Viewing, Granting, or Revoking File System Trustee Rights

Administrator users and users with the Supervisor right or the Access Control right can grant or revoke file system trustee rights for a volume, folder, or file. Only the administrator user or user with the Supervisor right can grant or revoke the Access Control right.

  1. In iManager, click Files and Folders, then click Properties to open the Properties page.

  2. On the Properties page, select a volume, folder, or file to manage.

    For instructions, see Section 6.3, Viewing Properties of a File or Folder in iManager.

  3. Click the Rights tab to view the trustees, trustee rights, and inherited rights filter for the selected volume, folder, or file.

  4. Scroll to locate the user name of the trustee you want to manage.

  5. In the check boxes next to the trustee name, select or deselect the rights you want to grant or revoke for the trustee.

    IMPORTANT:Changes do not take effect until you click OK or Apply. If you click a different tab before you save, any changes you have made on this page are lost.

    Trustee Right

    Description

    Supervisor (S)

    Grants the trustee all rights to the directory or file and any subordinate items.

    The Supervisor right cannot be blocked with an inherited rights filter (IRF) and cannot be revoked. Users who have this right can also grant other users any rights to the directory or file and can change its inherited rights filter.

    Default=Off

    Read (R)

    Grants the trustee the ability to open and read files, and open, read, and execute applications.

    Default=On

    Write (W)

    Grants the trustee the ability to open and modify (write to) an existing file.

    Default=Off

    Erase (E)

    Grants the trustee the ability to delete directories and files.

    Default=Off

    Create (C)

    Grants the trustee the ability to create directories and files and salvage deleted files.

    Default=Off

    Modify (M)

    Grants the trustee the ability to rename directories and files, and change file attributes. Does not allow the user to modify the contents of the file.

    Default=Off

    File Scan (F)

    Grants the trustee the ability to view directory and file names in the file system structure, including the directory structure from that file to the root directory.

    Default=On

    Access Control (A)

    Grants the trustee the ability to add and remove trustees for directories and files and modify their trustee assignments and inherited rights filters.

    Default=Off

  6. Click Apply or OK to save changes.

6.5.4 Configuring the Inherited Rights Filter for a File or Directory

File system trustee rights assignments made at a given directory level flow down to lower levels until they are either changed or masked out. This is referred to as inheritance. The mechanism provided for preventing inheritance is called the inherited rights filter. Only those rights allowed by the filter are inherited by the child object. The effective rights that are granted to a trustee are a combination of explicit rights set on the file or folder and the inherited rights. Inherited rights are overridden by rights that are assigned explicitly for the trustee on a given file or folder.

  1. In iManager, click Files and Folders, then click Properties to open the Properties page.

  2. On the Properties page, select a volume, folder, or file to manage.

    For instructions, see Section 6.3, Viewing Properties of a File or Folder in iManager.

  3. Click Information, then scroll down to view the inherited rights filter.

    The selected rights are allowed to be inherited from parent directories. The deselected rights are disallowed to be inherited.

  4. In the Inherited Rights Filter, enable or disable a right to be inherited from its parent directory by selecting or deselecting the check box next to it.

  5. Click Apply or OK to save the changes.

6.5.5 Viewing Effective Rights for a Trustee

Effective rights are the explicit rights defined for the trustee plus the rights that are inherited from the parent directory. The Inherited Rights page shows the inheritance path for a trustee for the selected file or folder and the effective rights at each level from the current file or directory to the root of the volume. You can use this information to help identify at which directory in the path a particular right was filtered, granted, or revoked.

  1. In iManager, click Files and Folders, then click Properties to open the Properties page.

  2. On the Properties page, select a volume, folder, or file to manage.

    For instructions, see Section 6.3, Viewing Properties of a File or Folder in iManager.

  3. On the Properties page, click the Inherited Rights tab to view the effective rights for a given trustee.

    By default, the page initially displays the effective rights for the user name you used to log in to iManager.

  4. On the Inherited Rights page, click the Search icon next to the Trustee field to browse for and locate the user name of the trustee you want to manage, then select the user name by clicking the name link.

    The path for the selected file or folder is traced backwards to the root of the volume. At each level, you can see the rights that have been granted and inherited to create the effective rights for the trustee.

  5. If you make any changes, click Apply or OK to save them.