NSS uses the Novell Trustee Model for controlling access to user data. As an administrator or a user with the Supervisor right or Access Control right, you can use the Files and Folders plug-in for iManager to manage file system trustees, trustee rights, inherited rights filters, and attributes for a file or folder on an NSS volume. A user who has only the Access Control right cannot modify the rights of another user who has the Supervisor right.
File system trustees, trustee rights, and inherited rights filters are used to determine access and usage for directories and files on NSS volumes and NCP volumes on OES 2 Linux.
IMPORTANT:Changes do not take effect until you click or . If you click a different tab before you save, any changes you have made are lost.
The volume that you want to manage must be in the same tree where you are currently logged in to iManager.
You must have trustee rights for the volume, folder, and file that you want to manage.
The volume must be a file system that uses the Novell trustee model for file access, such as an NSS volume or an NCP volume (an NCP share on Ext3, XFS, or Reiser file system) on OES 2 Linux.
A trustee is any Novell eDirectory object (such as a User object, Group object, Organizational Role object, or other container object) that you grant one or more rights for a directory or file. Trustee assignments allow you to set permissions for and monitor user access to data.
In iManager, click , then click to open the page.
On the page, select a volume, folder, or file to manage, then click .
For instructions, see Section 6.3, Viewing Properties of a File or Folder in iManager.
Click the tab to view the trustees, trustee rights, and inherited rights filter for the selected volume, folder, or file.
To add trustees:
Scroll down to the field.
Use one of the following methods to add user names as trustees:
Click the icon, browse to locate the user names of the users, groups, or roles that you want to add as trustees, click the name link of the objects to add them to the list, then click .
Click the icon to select user names from a list of users, groups, or roles that you recently accessed.
Type the typeless distinguished user name (such as username.context) in the field, then click the (+) icon.
To add the [Public] trustee, type [Public] with a dot before and after it in the field, then click the (+) icon. For example:
.[Public].
You might need to explicitly assign the [Public] trustee as a file system trustee on a directory in an NSS volume and grant it the Read right and File Scan right if you use daemons that run as the nobody user to access files in the directory. Granting file system rights to the [Public] trustee is also required to allow anonymous access to the file system.
The [Public] trustee is not an eDirectory object. It is a specialized trustee that represents any network user, logged in or not, for rights assignment purposes. By making [Public] a trustee of a volume, directory, or file, you effectively grant all objects in eDirectory the same file system rights.
IMPORTANT:For security reasons, you should not provide the file system Supervisor right to the [Public] trustee.
The user names appear in the Trustees list, but they are not actually added until you click or . By default, each of the user names has the default Read and File Scan trustee rights assigned.
On the page, click to save the changes.
To grant or revoke rights for a trustee:
For information about the rights, see Section 6.5.3, Viewing, Granting, or Revoking File System Trustee Rights.
In the check boxes next to the trustee name, select the rights you want to grant.
In the check boxes next to the trustee name, deselect the rights you want to revoke.
On the page, click to save the changes.
To remove trustees:
Scroll down to locate and select the user name of the user, group, or role that you want to remove as a trustee.
Click the (red X) icon next to the user name to remove it as a trustee.
The user name disappears from the list, but it is not actually removed until you click or .
On the page, click to save changes.
Administrator users and users with the Supervisor right or the Access Control right can grant or revoke file system trustee rights for a volume, folder, or file. Only the administrator user or user with the Supervisor right can grant or revoke the Access Control right.
In iManager, click , then click to open the page.
On the page, select a volume, folder, or file to manage.
For instructions, see Section 6.3, Viewing Properties of a File or Folder in iManager.
Click the tab to view the trustees, trustee rights, and inherited rights filter for the selected volume, folder, or file.
Scroll to locate the user name of the trustee you want to manage.
In the check boxes next to the trustee name, select or deselect the rights you want to grant or revoke for the trustee.
IMPORTANT:Changes do not take effect until you click or . If you click a different tab before you save, any changes you have made on this page are lost.
|
Trustee Right |
Description |
|---|---|
|
Supervisor (S) |
Grants the trustee all rights to the directory or file and any subordinate items. The Supervisor right cannot be blocked with an inherited rights filter (IRF) and cannot be revoked. Users who have this right can also grant other users any rights to the directory or file and can change its inherited rights filter. Default=Off |
|
Read (R) |
Grants the trustee the ability to open and read files, and open, read, and execute applications. Default=On |
|
Write (W) |
Grants the trustee the ability to open and modify (write to) an existing file. Default=Off |
|
Erase (E) |
Grants the trustee the ability to delete directories and files. Default=Off |
|
Create (C) |
Grants the trustee the ability to create directories and files and salvage deleted files. Default=Off |
|
Modify (M) |
Grants the trustee the ability to rename directories and files, and change file attributes. Does not allow the user to modify the contents of the file. Default=Off |
|
File Scan (F) |
Grants the trustee the ability to view directory and file names in the file system structure, including the directory structure from that file to the root directory. Default=On |
|
Access Control (A) |
Grants the trustee the ability to add and remove trustees for directories and files and modify their trustee assignments and inherited rights filters. Default=Off |
Click or to save changes.
File system trustee rights assignments made at a given directory level flow down to lower levels until they are either changed or masked out. This is referred to as inheritance. The mechanism provided for preventing inheritance is called the inherited rights filter. Only those rights allowed by the filter are inherited by the child object. The effective rights that are granted to a trustee are a combination of explicit rights set on the file or folder and the inherited rights. Inherited rights are overridden by rights that are assigned explicitly for the trustee on a given file or folder.
In iManager, click , then click to open the page.
On the page, select a volume, folder, or file to manage.
For instructions, see Section 6.3, Viewing Properties of a File or Folder in iManager.
Click , then scroll down to view the inherited rights filter.
The selected rights are allowed to be inherited from parent directories. The deselected rights are disallowed to be inherited.
In the , enable or disable a right to be inherited from its parent directory by selecting or deselecting the check box next to it.
Click or to save the changes.
Effective rights are the explicit rights defined for the trustee plus the rights that are inherited from the parent directory. The page shows the inheritance path for a trustee for the selected file or folder and the effective rights at each level from the current file or directory to the root of the volume. You can use this information to help identify at which directory in the path a particular right was filtered, granted, or revoked.
In iManager, click , then click to open the page.
On the page, select a volume, folder, or file to manage.
For instructions, see Section 6.3, Viewing Properties of a File or Folder in iManager.
On the page, click the tab to view the effective rights for a given trustee.
By default, the page initially displays the effective rights for the user name you used to log in to iManager.
On the page, click the icon next to the field to browse for and locate the user name of the trustee you want to manage, then select the user name by clicking the name link.
The path for the selected file or folder is traced backwards to the root of the volume. At each level, you can see the rights that have been granted and inherited to create the effective rights for the trustee.
If you make any changes, click or to save them.