HP 9000 Networking: Supervising the Network > Chapter 2 Setting Up and Managing NetWare Directory Services Objects

Rights Needed to Create and Manage Objects


As User object ADMIN, you initially have all rights to all objects in the Directory tree. However, if you allow users to manage parts of the Directory tree, you need to give them the rights necessary to manage their section of the tree.

Trustee Assignments

When you give an object, such as a user, rights to another object, such as a container, you make a trustee assignment. That user then becomes a trustee of that container. Any object with a trustee assignment to another object is a trustee of that object.

Each object contains a list of objects that have trustee assignments to it, called a trustee list. This list tells who can access that object. An object's trustee list is stored in its Access Control List (ACL) property.

Inherited Rights Filter

The Inherited Rights Filter (IRF) controls the rights that a trustee can inherit from parent directories and container objects. By default, the IRF allows every right to be inherited from the parent directory or container object.

The IRF cannot grant rights; it can only allow or revoke rights.

Security Equivalence

Security Equal To is a property of every User object that lists other objects. The user is granted all rights that any object (such as User, Group, or Printer) in that list is granted, both to objects and to files and directories.

Use the Security Equal To property to give a user temporary access to the same information or rights another user has access to.

For more information on Security Equal To, see "Security Equal To" in Concepts.

Types of Rights

Four kinds of rights exist in NetWare 4.1:

  • Object rights control what a trustee can do with an object. These rights control the object as a single piece in the Directory tree, but do not allow access to information stored within that object (unless the Supervisor object right is granted).

  • Property rights control a trustee's access to information stored within the object, that is, the information stored in the object's properties. Each object has several properties. The property rights are Supervisor (grants all rights to the property), Compare (grants the right to compare property values), Read (grants the right to read the property values), Write (grants the right to add, change, or remove property values), and Add or Delete Self (grants the right to add or remove itself as a property value).

  • Directory rights control what a trustee can do with a directory. Directory rights also apply to files in the directory unless explicit file rights are granted and the file's Inherited Rights Filter doesn't block the directory rights from flowing through.

  • File rights control what a trustee can do with a file.

In bindery-based versions of NetWare, you could assign only directory and file rights. In NetWare Services, you can also assign rights to an object and to properties belonging to an object.

This section discusses only object rights and property rights.

Object and property rights are assigned separately so that you can control access to the pieces of information (or properties) contained in the object.

Any object to which you grant sufficient rights can make trustee assignments using NetWare Administrator or NETADMIN. This section discusses the rights that are needed to make various types of trustee assignments within NDS.

Directory rights and file rights apply only to the file system. For a discussion of these rights, see Chapter 3, "Managing the NetWare Services File System."

NOTE: In addition to the rights mentioned previously, NetWare® 4.1/9000 has its own security. The discussion of rights in this chapter is limited to those rights inherent to NetWare Services. For information about how these two sets of security work together, see Chapter 3, "Managing the NetWare Services File System."

Object Rights

Object rights control what trustees can do with the object of which they are a trustee. Object rights control the object as a single piece in the Directory tree, but do not allow the trustee to access information stored in that object's properties (unless the Supervisor object right is granted).

Table 2-1 lists and describes the object rights that you can assign to a trustee.

Table 2-1 Object Rights

| Right | Description |
|---|---|
| Supervisor | Gives the network supervisor all rights to the object and to all its properties. However, the Supervisor object right can be blocked by the Inherited Rights Filter (IRF) below the object where the Supervisor right is granted. |
| Browse | Allows the trustee to see the object in the Directory tree. Also, when the trustee searches for a value that matches the object, Browse allows that object to be listed. |
| Create | Allows the trustee to create a new object within a container object. Applies only to container objects because leaf objects cannot contain other objects. |
| Delete | Allows the trustee to delete an object from the Directory tree. You cannot, however, delete a container object unless all the objects in the container are deleted first. |
| Rename | Allows the trustee to change the name of the object, in effect, changing the naming property. This changes what the object is called when it is a part of complete names. |
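The following added example (not code from HP or Novell) models how a trustee assignment, the IRF, and Security Equal To combine into the object rights a user actually holds, including a Supervisor right that an IRF lower in the tree blocks. The tree, object names, and assignments are constructed, and the rule that an explicit assignment on an object replaces the rights that trustee would have inherited there is a modeling assumption.

```python
# Added illustration (not HP/Novell code): simplified NDS object-rights model.
ALL = frozenset({"Supervisor", "Browse", "Create", "Delete", "Rename"})

# Constructed sample tree: object -> parent container (None marks the root).
PARENT = {
    "O=ACME": None,
    "OU=SALES.O=ACME": "O=ACME",
    "OU=PAYROLL.O=ACME": "O=ACME",
    "CN=LEDGER.OU=PAYROLL.O=ACME": "OU=PAYROLL.O=ACME",
}
# ACL property per object: trustee -> object rights assigned at that object.
ACL = {
    "O=ACME": {"CN=HELPDESK": {"Supervisor"}},
    "OU=SALES.O=ACME": {"CN=KIM": {"Browse", "Create"}},
}
# IRF per object; an object with no entry keeps the default (inherit everything).
IRF = {"OU=PAYROLL.O=ACME": {"Browse"}}
# Security Equal To property: user -> objects whose rights the user also receives.
SECURITY_EQUAL_TO = {"CN=TEMP": {"CN=HELPDESK"}}


def path_from_root(obj):
    """Return the containers from the root down to obj, obj included."""
    chain = []
    while obj is not None:
        chain.append(obj)
        obj = PARENT[obj]
    return chain[::-1]


def rights_of(trustee, target):
    """Rights one trustee holds on target from its own trustee assignments."""
    rights = frozenset()
    for node in path_from_root(target):
        rights &= IRF.get(node, ALL)      # the filter only removes inherited rights
        explicit = ACL.get(node, {}).get(trustee)
        if explicit is not None:          # assumption: replaces what was inherited
            rights = frozenset(explicit)
    return rights


def effective_object_rights(user, target):
    """Union of the user's own rights and those of its Security Equal To list."""
    rights = set()
    for subject in {user} | SECURITY_EQUAL_TO.get(user, set()):
        rights |= rights_of(subject, target)
    # Supervisor, if it survived the filters, gives all rights to the object.
    return set(ALL) if "Supervisor" in rights else rights
```

In this sample, the Supervisor right granted at the top of the tree reaches the SALES container but not anything under PAYROLL, and the temporary user inherits exactly what the object it is security equivalent to holds.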

 

Property Rights

Object rights do not allow trustees to see the information stored in the object's properties. Property rights are required to read the information in an object's properties. Property rights control access to each property of an object.

For example, if you include a private telephone number as a property for a User object, you can use property rights to prevent others from seeing that telephone number. At the same time, you can use property rights to allow other properties, such as Address or Fax Number, to be viewed.

Table 2-2 lists and describes property rights that you can assign to a trustee.

Table 2-2 Property Rights

| Right | Description |
|---|---|
| Supervisor | Gives all rights to the property. You can block the Supervisor property right with an Inherited Rights Filter. |
| Compare | Allows the trustee to compare any value with an existing value of the property. The comparison can return True or False, but cannot give the value of the property. |
| Read | Allows the trustee to read the values of the property. This right includes the Compare right; that is, if the Read right is given, Compare operations are allowed also. |
| Write | Allows the trustee to add, change, or remove any values of the property. The Write right implies the Add or Delete Self right. Giving the Write right to the ACL property is the same as giving the Supervisor right to the object. |
| Add or Delete Self | Allows the trustee to add or remove itself as a value of the property, but not to change any other values of the property. This right is only used for properties where a User object can be listed as a value, such as group membership lists or mailing lists. The Write right includes the Add or Delete Self right. |
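The implications in Table 2-2 matter most when reviewing who controls an object: a trustee with Write on the ACL property holds the equivalent of the Supervisor object right. The following added example (not code from HP or Novell) expands granted property rights into the rights they include and lists the trustees that reach that level; the trustee names and assignments are constructed sample data.

```python
# Added illustration (not HP/Novell code): property-right implications.
PROPERTY_RIGHTS = {"Supervisor", "Compare", "Read", "Write", "Add or Delete Self"}
# Rights that include other rights, as stated in the property rights table.
IMPLIES = {
    "Supervisor": PROPERTY_RIGHTS,
    "Read": {"Compare"},
    "Write": {"Add or Delete Self"},
}

# Constructed sample assignments on one User object: (trustee, property, rights).
ASSIGNMENTS = [
    ("CN=KIM", "Telephone Number", {"Read"}),
    ("CN=LEE", "Telephone Number", {"Compare"}),
    ("CN=PAT", "Group Membership", {"Add or Delete Self"}),
    ("CN=SAM", "ACL", {"Write"}),
    ("CN=KIM", "ACL", {"Read"}),
    ("CN=OPS", "ACL", {"Supervisor"}),
]


def expand(granted):
    """Return the granted rights plus every right they include."""
    out = set(granted)
    for right in granted:
        out |= IMPLIES.get(right, set())
    return out


def allowed(trustee, prop, right, assignments=ASSIGNMENTS):
    """True if any assignment gives the trustee this right on the property."""
    return any(
        right in expand(rights)
        for who, name, rights in assignments
        if who == trustee and name == prop
    )


def acl_controllers(assignments=ASSIGNMENTS):
    """Trustees who can write the ACL property, i.e. Supervisor on the object."""
    return sorted({who for who, name, _ in assignments
                   if name == "ACL" and allowed(who, "ACL", "Write", assignments)})
```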

 

See the following references for more detailed information.

Additional Information

| For more information about | Refer to |
|---|---|
| Access Control List | "Access Control List" in Concepts |
| Container and leaf objects | "Object" in Concepts |
| Trustees and rights | "Security" in Concepts |

© 1996 Hewlett-Packard Development Company, L.P.