21.1 Configuring File System Trustees, Trustee Rights, Inherited Rights Filters, and Attributes

NSS uses the OES Trustee model for controlling access to user data. As an administrator or a user with the Supervisor right or Access Control right, you can use the Files and Folders plug-in to iManager to manage file system trustees, trustee rights, inherited rights filters, and attributes for a file or folder on an NSS volume. A user who has only the Access Control right cannot modify the Supervisor right of another user. To manage AD users, use the supported NSS command line utilities or NFARM.

IMPORTANT:For more information and alternate methods for configuring file system trustees and attributes for directories and files on NSS volumes, see the OES 2018: File Systems Management Guide.

21.1.1 Prerequisites for Configuring Trustees

  • The volume that you want to manage must be in the same tree where you are currently logged in to iManager.

  • You must have trustee rights for the volume, folder, and file that you want to manage.

  • The volume must be a file system that uses the OES trustee model for file access, such as an NSS volume on OES 2015 or later, an NSS or NetWare traditional volume on NetWare 6.5, or an NCP (NetWare Core Protocol) volume (an NCP share on a Linux POSIX file system) on OES 2015 or later.

  • NSS does not support dynamic and nested eDirectory groups. Although it is possible to add these groups as trustees in NSS volumes, NSS does not recognize the rights assigned to them as applying to group members.

21.1.2 Viewing Properties of a File or Folder

  1. In iManager, click Files and Folders > Properties to open the Properties page.

  2. Click the Search icon to browse and locate volume, folder or file from the Storage objects, then click the name link of the object to select it.

    The pathname of the object appears in the Name field.

  3. View the following properties in three Properties tabs:

    Properties Tabs

    Description

    For Information

    Information

    • View details about the selected volume, folder, or file.

    • Configure directory quotas for folders on NSS volumes where the Directory Quotas attribute is enabled.

    • Modify the file owner.

    • Configure file or directory attributes.

    See Section 26.7, Viewing or Modifying File or Folder Properties.

    See Section 26.9, Viewing, Adding, Modifying, or Removing a Directory Quota.

    See Section 26.8, Viewing or Modifying File Ownership.

    See Section 21.1.3, Configuring File or Folder Attributes.

    Rights

    • View details about trustees, trustee rights, and inherited rights filter for the selected volume, folder, or file.

    • Add or remove trustees.

    • Grant or revoke trustee rights for one or more trustees.

    • Configure the inherited rights filter.

    See Section 21.1.4, Configuring Rights Properties (File System Trustees, Trustee Rights, and Inherited Rights Filter).

    Inherited Rights

    • View details about explicitly assigned trustee rights and inherited rights at all levels along the path from the selected file or folder to the root of the volume.

    • View the effective rights for a given trustee for the selected volume, folder, or file.

    See Section 21.1.5, Viewing Effective Rights for a Trustee.

21.1.3 Configuring File or Folder Attributes

File attributes determine how the file or folder behaves when accessed by any user. File attributes apply universally to all users. For example, a file that has a read-only attribute is read-only for all users.

Attributes can be set by any trustee with the Modify right to the directory or file, and attributes stay set until they are changed. Attributes do not change when you log out or when you down a file server.

For example, if a trustee with the Modify right enables the Delete Inhibit attribute for a file, no one, including the owner of the file or the network administrator, can delete the file. However, any trustee with the Modify right can disable the Delete Inhibit attribute to allow the file’s deletion.

  1. In iManager, click Files and Folders > Properties to open the Properties page.

  2. Click the Search icon to browse and locate volume, folder or file from the Storage objects, then click the name link of the object to select it.

    The pathname of the object appears in the Name field. For example:

    VOL1:dir1\dirB\filename.ext

  3. Click the Information tab to view or modify the file or folder attributes. Enable or disable an attribute by selecting or deselecting the check box next to it.

    IMPORTANT:Changes do not take effect until you click OK or Apply. If you click a different tab before you save, changes you make on this page are lost.

    The following table defines file system attributes and whether they apply to files, folders, or both files and folders.

    Attribute

    Description

    Files

    Folders

    Read Only

    Prevents a file from being modified.

    This attribute is typically used in combination with Delete Inhibit and Rename Inhibit.

    Yes

    No

    Archive

    Identifies files and folders that have been modified since the last backup. This attribute is assigned automatically.

    Yes

    Yes

    Hidden

    Hides directories and files so they do not appear in a file manager or directory listing.

    Yes

    Yes

    Shareable

    Allows more than one user to access the file at the same time. This attribute is usually used with Read Only.

    Yes

    No

    Purge Immediate

    Flags a directory or file to be erased from the system as soon as it is deleted. Purged directories and files cannot be recovered.

    Yes

    Yes

    Rename Inhibit

    Prevents the directory or filename from being modified.

    Yes

    Yes

    Delete Inhibit

    Prevents users from deleting a directory or file.

    This attribute overrides the file system trustee Erase right. When Delete Inhibit is enabled, no one, including the owner and network administrator, can delete the directory or file. A trustee with the Modify right must disable this attribute to allow the directory or file to be deleted.

    NOTE:Setting the following preferences override the delete inhibit and rename inhibit settings. The override option is made available via volume mount options and nsscon.

    • From nsscon enter, /(No)RootOverrideFA=(ALL|VOL1,VOL2)

    • For local volumes change the following: /etc/fstab (-o name=<NAME>,overrideFA)

    • For shared volumes change the following: cluster resource load scripts (/opt=overrideFA)

    If /RootOverrideFA is set on the volume, the Linux root user can delete and rename a file.

    Yes

    Yes

  4. If you modified any settings, click Apply or OK to save your changes.

21.1.4 Configuring Rights Properties (File System Trustees, Trustee Rights, and Inherited Rights Filter)

File system trustees, trustee rights, and inherited rights filters are used to determine access and usage for directories and files on NSS volumes on OES 2015 or later, NCP volumes on OES 2015 or later, and NSS and NetWare Traditional volumes on NetWare 6.5. If you modify any settings, you must click Apply or OK to save the changes.

Viewing, Adding, or Removing File System Trustees

A trustee is any NetIQ eDirectory object (such as a User object, Group object, Organizational Role object, or other container object) that you grant one or more rights for a directory or file. Trustee assignments allow you to set permissions for and monitor user access to data.

  1. In iManager, click Files and Folders, then click Properties to open the Properties page.

  2. On the Properties page, select a volume, folder, or file to manage.

    For instructions, see Section 21.1.2, Viewing Properties of a File or Folder.

  3. Click the Rights tab to view the trustees, trustee rights, and inherited rights filter for the selected volume, folder, or file.

  4. Add trustees.

    1. Scroll down to the Add Trustees field.

    2. Use one of the following methods to add usernames as trustees:

      • Click the Search icon, browse to locate the usernames of the users, groups, or roles that you want to add as trustees, click the name link of the objects to add them to the Selected Objects list, then click OK.

      • Click the History icon to select usernames from a list of users, groups, or roles that you recently accessed.

      • Type the typeless distinguished username (such as username.context) in the Add Trustees field, then click the Add (+) icon.

      The usernames appear in the Trustees list, but they are not actually added until you click Apply or OK. Each of the usernames has the default Read and File Scan trustee rights assigned.

    3. On the Properties page, click Apply to save the changes.

  5. Remove trustees.

    1. Scroll down to locate and select the username of the user, group, or role that you want to remove as a trustee.

    2. Click the Remove (red X) icon next to the username to remove it as a trustee.

      The username disappears from the list, but it is not actually removed until you click Apply or OK.

    3. On the Properties page, click Apply to save changes.

Viewing, Granting, or Revoking File System Trustee Rights

Administrator users and users with the Supervisor right or the Access Control right can grant or revoke file system trustee rights for a volume, folder, or file. Only the administrator user or user with the Supervisor right can grant or revoke the Access Control right.

  1. In iManager, click Files and Folders, then click Properties to open the Properties page.

  2. On the Properties page, select a volume, folder, or file to manage.

    For instructions, see Section 21.1.2, Viewing Properties of a File or Folder.

  3. Click the Rights tab to view the trustees, trustee rights, and inherited rights filter for the selected volume, folder, or file.

  4. Scroll to locate the username of the trustee you want to manage.

  5. In the check boxes next to the trustee name, select or deselect the rights you want to grant or revoke for the trustee.

    IMPORTANT:Changes do not take effect until you click OK or Apply. If you click a different tab before you save, any changes you have made on this page are lost.

    Trustee Right

    Description

    Supervisor (S)

    Grants the trustee all rights to the directory or file and any subordinate items.

    The Supervisor right cannot be blocked with an inherited rights filter (IRF) and cannot be revoked. Users who have this right can also grant other users any rights to the directory or file and can change its inherited rights filter.

    Default=Off

    Read (R)

    Grants the trustee the ability to open and read files, and open, read, and execute applications.

    Default=On

    Write (W)

    Grants the trustee the ability to open and modify (write to) an existing file.

    Default=Off

    Erase (E)

    Grants the trustee the ability to delete directories and files.

    Default=Off

    Create (C)

    Grants the trustee the ability to create directories and files and salvage deleted files.

    Default=Off

    Modify (M)

    Grants the trustee the ability to rename directories and files, and change file attributes. Does not allow the user to modify the contents of the file.

    Default=Off

    File Scan (F)

    Grants the trustee the ability to view directory and filenames in the file system structure, including the directory structure from that file to the root directory.

    Default=On

    Access Control (A)

    Grants the trustee the ability to add and remove trustees for directories and files and modify their trustee assignments and inherited rights filters.

    This right does not allow the trustee to add or remove the Supervisor right for any user. Also, it does not allow to remove the trustee with the Supervisor right.

    Default=Off

  6. Click Apply or OK to save changes.

    NOTE:The DFS junctions rights modification is not supported. This will be disabled. Use DFS tasks for junction rights management.

Configuring the Inherited Rights Filter for a File or Directory

File system trustee rights assignments made at a given directory level flow down to lower levels until they are either changed or masked out. This is referred to as inheritance. The mechanism provided for preventing inheritance is called the inherited rights filter. Only those rights allowed by the filter are inherited by the child object. The effective rights that are granted to a trustee are a combination of explicit rights set on the file or folder and the inherited rights. Inherited rights are overridden by rights that are assigned explicitly for the trustee on a given file or folder.

  1. In iManager, click Files and Folders, then click Properties to open the Properties page.

  2. On the Properties page, select a volume, folder, or file to manage.

    For instructions, see Section 21.1.2, Viewing Properties of a File or Folder.

  3. Click Information, then scroll down to view the inherited rights filter.

    The selected rights are allowed to be inherited from parent directories. The deselected rights are disallowed to be inherited.

  4. In the Inherited Rights Filter, enable or disable a right to be inherited from its parent directory by selecting or deselecting the check box next to it.

  5. Click Apply or OK to save the changes.

21.1.5 Viewing Effective Rights for a Trustee

Effective rights are the explicit rights defined for the trustee plus the rights that are inherited from the parent directory. The Inherited Rights page shows the inheritance path for a trustee for the selected file or folder and the effective rights at each level from the current file or directory to the root of the volume. You can use this information to help identify at which directory in the path a particular right was filtered, granted, or revoked.

  1. In iManager, click Files and Folders, then click Properties to open the Properties page.

  2. On the Properties page, select a volume, folder, or file to manage.

    For instructions, see Section 21.1.2, Viewing Properties of a File or Folder.

  3. On the Properties page, click the Inherited Rights tab to view the effective rights for a given trustee.

    By default, the page initially displays the effective rights for the username you used to log in to iManager.

  4. On the Inherited Rights page, click the Search icon next to the Trustee field to browse for and locate the username of the trustee you want to manage, then select the username by clicking the name link.

    The path for the selected file or folder is traced backwards to the root of the volume. At each level, you can see the rights that have been granted and inherited to create the effective rights for the trustee.

  5. If you make any changes, click Apply or OK to save them.

21.1.6 Managing Rights

Users can receive rights in a number of ways, such as explicit trustee assignments, inheritance, and security equivalence. Rights can also be limited by Inherited Rights Filters and changed or revoked by lower trustee assignments. The net results of all these actions—the rights a user can employ—are called effective rights.

Viewing or Modifying the Effective Rights of a Trustee

View the effective rights for a trustee. If needed, you can modify the trustee's rights on a file, folder or volume.

NOTE:Ensure to LUM-enable the non-default admin users for viewing effective rights.

Effective Rights details include the following:

Server: Displays the name of the server where the volume, folder or file exists along with the trustee information.

Location: Displays the location of the volume, file or folder.

Trustees: Lists the trustees who have effective rights on the file, folder or volume listed in Location.

To view or modify the rights for a particular trustee which will be reflected in the effective rights:

  1. In iManager, click Files and Folders > Properties to open the Properties page.

  2. Click the (Object Selector) icon to browse the storage objects, locate and select the name link of the file or folder you want to manage, then click OK to view the Properties for the file. For more instructions, see Section 21.1.2, Viewing Properties of a File or Folder.

  3. Click the Effective Rights tab to view the list of trustees and their effective rights on the chosen folder or file.

  4. To modify the rights for a particular trustee which will be reflected in the effective rights, click the hyper-linked name of a trustee.

  5. On the Rights to Files and Folder page, modify the rights and click Apply.

Assigning or Modifying Rights to Files and Folders

Use this feature to assign or modify the rights that a trustee has on a folder or file.

Rights to Files and Folders details include the following and they are displayed based on the context from where this page is invoked:

Modify User / Modify Group: Displays the name of the trustee for whom the rights are being assigned or modified.

Volume: Displays the selected volume. It's a read-only field.

Files and Folders: Lists the files and folders for which you can modify the rights for the trustee displayed in Rights to Files and Folders.

To modify or add rights on a file or folder for a trustee:

  1. In iManager, click Users > Modify User or Groups > Modify Group to open the Modify User page.

  2. Under Volume, using the search (Search) button, select the volume where the file or folder exists. You can also choose a recently used volume using the (History) button.

  3. Under File and Folders Trustee Rights, click Add to select file(s) or folder(s) and the selected entities get listed under Files/Folders section.

  4. Under Files and Folders section, for a file or folder, modify or assign rights and then click Apply. Use the (Delete) button, to delete an entity under Files and Folders.

    HINT:

    • Use collapse or expand buttons to collapse or expand the list of files and folders.

    • Use the Filter option to search for a file or folder from the displayed list. Nested filter is supported. For example, if you specify the search string as "ark dir", the files and folders will be filtered based on "ark" string first, and then a sub-search is done for "dir" on the filter result of "ark".

    • Use the (unsorted), (sorted ascending), and (sorted descending) buttons to sort the list of files and folders.

Limitations in Effective Rights, and Rights to Files and Folders

  • Viewing Effective Rights on non-NSS (NCP) Volumes not supported.

  • Viewing the soft-linked files or folders in a volume using the Properties under Files and Folders is not supported.

  • You will see the primary file too when the rights are modified for the hard linked files.

  • The Effective rights is not supported for DST Shadow Volume files in this release.