This section describes the specific rights that users can have to files and folders on NetWare volumes, the possible sources of those rights, and how the NetWare file system calculates users' effective rights to files and folders.
The following table describes the individual rights that a trustee can have to a file or folder on a NetWare volume.
A given file or folder can have multiple rights assignments associated with it, each linked with a different trustee (possessor) of the rights. Rights to a folder are inherited by the trustee to items within the folder, so the trustee can exercise the rights on subordinate items without having an explicit assignment on those items. You can, however, place a filter on individual subordinate items to block specific rights from being inherited. Such filters apply globally to all trustees holding the specified rights.
Besides having explicit and inherited rights to a file or folder, a user can also have rights to a file or folder through security equivalence to another eDirectory object. For example, if a user is a member of an eDirectory group or role and that group or role has been granted certain rights, the user effectively has those additional rights through security equivalence. For more information, see “ eDirectory Rights” in the Novell eDirectory Administration Guide.
A user's effective rights are calculated by NetWare each time the user tries to access a file or folder on a NetWare volume. You can view a user's effective rights to any file or folder as explained in Section 4.4, Viewing Effective Rights. Following is the process used by NetWare to calculate effective rights.
This process is similar to, but not the same as, the process used by eDirectory to calculate users' effective rights to eDirectory objects and properties. For information on that process, see “ eDirectory Rights” in the Novell eDirectory Administration Guide.
Checks whether the user effectively has the Supervisor right to the NetWare server where the target file or folder resides. (eDirectory supplies this information to NetWare.)
If so, the user effectively has all rights in the file system of the server, and the rest of this process is skipped.
If not, continues with the next step.
Determines which eDirectory objects the user is security equivalent to. (eDirectory supplies this information to NetWare.)
Descends to the next level in the file system along the path to the target file or folder.
HINT:The next level below the NetWare server is the root folder of the volume.
Checks whether the user, or any of the objects that the user is security equivalent to, is assigned the Supervisor right at the current level.
If so, the user effectively has all rights from this level down in the file system, and the rest of this process is skipped.
If not, continues with the next step.
Does the following for the user and each object that the user is security equivalent to:
Checks whether the user (or object) is assigned any non-Supervisor rights at the current level. If so, sets the effective rights of the user (or object) to the rights specified in the assignment and skips to Step 6. If not, continues with the next substep.
Removes from the current effective rights any rights that are blocked by an inheritance filter at the current level.
If the current level of the file system is the target file or folder, the user's final effective rights are the sum of his or her current effective rights and the current effective rights of each object that the user is security equivalent to. If the target file or folder hasn't been reached yet, returns to Step 3.