In OES, administrators, users, and network resources are represented as objects in an eDirectory database. Use Novell iManager to create eDirectory objects, such as Organizational, Organizational Unit, Group, User, and Admin. For information, see the Novell eDirectory 8.8 Administration Guide.
For example, in the following figure, the TREE container is configured and created when you install eDirectory. Later, you must populate the tree with container and leaf objects to represent the various resources in your company. YourCo is the main Organization (O) object in your TREE domain. In the YourCo container, you create Finance as an Organizational Unit (OU) object. In the Finance container, you create Accounts as an OU object that contains all accounting resources. Other OUs within Finance might represent Sales or Marketing organizations. In the Accounts container, Bob is a User object for a system user who is assigned to the Accounts Department.
Figure 8-1 Example eDirectory Container and Objects
Security equivalences help to simplify the task of assigning objects as file system trustees for your directories and files. Security equivalence is recorded in eDirectory as the value for the Security Equal To property of a User object. You can establish security equivalences explicitly, automatically, or implicitly.
Explicit: By assignment. Trustees of a file or directory with the Supervisor or Access Control right can assign rights explicitly. An eDirectory Administrator can modify an object’s Security Equal To property to explicitly assign it the same rights as those assigned to another object. For example, suppose you make a User object named Joe security equivalent to the Admin object. After you create the security equivalence, Joe has the same rights to the tree and file system as the Admin user.
Automatic: By membership in a group or role. Whenever you assign an object to be a member in a Group object or Organizational Role object, the security equivalence is automatically added to the object’s Security Equal To property.
Implied: Equivalent to all parent containers and the [Public] trustee. Security equivalence for an object is implied by its parent container and by the Public container, which applies to all users.
Security equivalence is effective only for one step; it is not transferred by a subsequent security equivalence. For example, if you make a third user security equivalent to Joe in the example above, that user receives only Joe’s original security settings. The third user does not receive Admin rights or any other Security Equal To properties Joe might have.
Whenever a user attempts to access a network resource, eDirectory calculates the user’s security equivalence and makes that information available to NetWare. NetWare compares the user’s security equivalence information to the trustee assignments for the path and target directory or file to determine if the user can access the target resource and what action on it is permitted.
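The explicit, automatic, and implied sources and the one-step rule described above can be modeled for an audit of who is directly equivalent to Admin. This Python sketch is an added example, not Novell code or an eDirectory API. The dictionary layout, the Payroll group, and the function names are assumptions; the user names follow the examples in this section.

```python
# Constructed sample data. "security_equals" models the Security Equal To
# property: explicit assignments plus entries added automatically by
# group or role membership (Payroll is a hypothetical group).
DIRECTORY = {
    "Admin.YourCo": {"security_equals": []},
    "Joe.Accounts.Finance.YourCo": {"security_equals": ["Admin.YourCo"]},
    "Bob.Accounts.Finance.YourCo": {
        "security_equals": ["Joe.Accounts.Finance.YourCo",
                            "Payroll.Finance.YourCo"]},
}


def parent_containers(dn):
    """Implied equivalence: every container above the object."""
    parts = dn.split(".")
    return [".".join(parts[i:]) for i in range(1, len(parts))]


def security_equivalents(dn, directory=DIRECTORY):
    """Names whose trustee assignments apply to dn (dn itself included)."""
    names = {dn, "[Public]"}
    names.update(parent_containers(dn))
    # One step only: use the values listed on dn, never the values that
    # those objects list in their own Security Equal To property.
    names.update(directory[dn]["security_equals"])
    return names


def equivalent_to(target, directory=DIRECTORY):
    """Audit helper: objects directly security equivalent to target."""
    return sorted(dn for dn in directory
                  if dn != target
                  and target in security_equivalents(dn, directory))


if __name__ == "__main__":
    for user in DIRECTORY:
        print(user, "->", sorted(security_equivalents(user)))
    print("Equivalent to Admin:", equivalent_to("Admin.YourCo"))
```

Bob is equivalent to Joe but does not appear in the Admin report, because Joe's own equivalence to Admin is not passed on.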
For more information about eDirectory objects and rights, see eDirectory Rights in the Novell eDirectory 8.8 Administration Guide. For information about file-system trustee rights, see Section 8.2, File-System Trustee Rights.