6.5 NFARM (OES File Access Rights Management)

OES File Access Rights Management (NFARM) is a shell (Windows) or Finder (Mac) extension that enables eDirectory or Active Directory users on Windows and Mac workstations to perform Salvage and Purge operations. In addition:

  • On a Windows workstation, it enables Windows Active Directory or eDirectory administrators or users to manage the access rights and quotas of AD or eDirectory users or groups on Storage Services (NSS) resources.

  • On a Mac workstation, it enables Windows Active Directory administrators or users to manage the access rights and quotas of AD users or groups on Storage Services (NSS) resources.

  • In the case of a trusted domain or forest, ensure that the user belongs to the AD supervisor group of the domain to which the OES server is joined.

    NOTE: For OES 2018 SP2, NFARM on Mac supports only a single forest.

NFARM on Windows helps AD or eDirectory administrators or users with sufficient rights to manage the following:

  • Trustees explicit rights, inherited rights filter, and view effective rights. You can also view trustees with rights from the selected path and child or parent directories.

  • Owners, NSS attributes and directory quota

  • User quotas

  • All paths that a user is a trustee of

  • Salvage and Purge

NOTE:

  • To view, add, or modify User Quota:

    • For Active Directory, ensure that the user belongs to the AD supervisor group of the domain to which the OES server is joined.

    • In the case of a trusted domain or forest, ensure that the user belongs to the AD supervisor group of the domain to which the OES server is joined.

    • For eDirectory, ensure that the user is an administrator or has administrator-equivalent rights.

The term object, as used in this section, refers to a path, folder, or volume.

After performing any operation in NFARM, you can click the following:

  • Apply to save changes to the NSS file system and remain in the same window.

  • OK to save changes to the NSS file system and exit.

  • Cancel to discard changes and exit.

All these operations are performed on a Windows mapped network drive that is mapped to an NSS volume, NSS Folder, or CIFS Share in the Windows client.

  • For Active Directory, these shares must be compatible with OES 2015 or later servers that have NSS AD set up and configured.

  • For eDirectory, these shares must be compatible with OES 2018 SP2 or later servers.

Similarly, NFARM on Mac helps AD administrators or users with sufficient rights to manage the following:

  • Trustees explicit rights, inherited rights filter, and view effective rights. You can also view trustees with rights from the selected path and child or parent directories.

  • Owners, NSS attributes and directory quota

  • User quotas

  • All paths that a user is a trustee of

  • Salvage and Purge (both AD or eDirectory users)

The term object, as used in this section, refers to a path, folder, or volume.

After performing any operation in NFARM, you can click the following:

  • Apply to save changes to the NSS file system and remain in the same window.

  • Revert to undo the changes and remain in the same window.

  • OK to save changes to the NSS file system and exit.

  • Cancel to discard changes and exit.

All these operations are performed on an OES mapped drive that is mapped to an NSS volume, NSS Folder, or CIFS Share in the Mac client. These shares must be compatible with OES 2018 SP1 Update 6 (JAN 2020 Patch) or later servers that have NSS AD set up and configured.

6.5.1 NFARM Support Matrix

This section lists the requirements for installing and running NFARM:

  • Operating Systems: NFARM can be installed on Windows and Mac:

    • Windows (32-bit and 64-bit): Windows 10

    • Mac: Mac OS X 10.14 and 10.15

  • OES: NFARM for Mac is supported beginning with OES 2018.

  • Active Directory: Active Directories installed and configured on Windows 2012 R2 and later.

6.5.2 Prerequisites for Installing NFARM

  • Ensure that you have installed and configured NSS AD by following the instructions in Section 3.0, Installing and Configuring NSS AD Support.

  • Ensure that the mapped network drive NSS volumes and CIFS shares are accessible.

    • For Active Directory, the CIFS shares must be compatible with OES 2015 or later servers that have NSS AD set up and configured.

    • For eDirectory, the CIFS shares must be compatible with OES 2018 SP2 or later servers.

    • For Mac client, these shares must be compatible with OES 2018 SP1 Update 6 (JAN 2020 Patch) or later servers that have NSS AD set up and configured.

    For more information on mapping a CIFS share, see Accessing Files from a Windows Client in the OES 2018 SP2: OES CIFS for Linux Administration Guide.

  • Ensure that you have administrative rights on your workstation to install NFARM.

  • Based on your operating system, download and install the correct version of NFARM from the OES Welcome page (https://<OES server IP or the host name>/welcome/client-software.html).

    • Windows: NFARM installer for Windows (32-bit and 64-bit)

    • Mac: NFARM installer for Mac

      NOTE: Beginning with OES 2018 SP2, NFARM on Mac does not support the SMBv1 protocol.

  • Ensure that your Windows operating system has been configured to authenticate using Active Directory.

  • The maximum memory units that can be specified for the directory and user quotas in NFARM are as follows:

    • KB: 9007199254740991

    • MB: 8796093022207

    • GB: 8589934591

    • TB: 8388607

    • PB: 8191

  • OES communicates with Active Directory Domain Controllers over port 389 and with Global Catalog servers over port 3268 by using Kerberos. Therefore, ports 389 and 636 should be opened for Kerberos communication.

6.5.3 Installing and Accessing NFARM

Based on your operating system, download the version of NFARM from the OES Welcome page (http://<OES server IP Address or the host name>/welcome/client-software.html) and install it.

After installing NFARM, map an NSS volume or CIFS share, and do the following to get access to NFARM tabs.

  • On Windows: Right-click > Properties on the mapped share

  • On Mac: Right-click > Rights Management on an OES mapped drive

    or

    To get access to only the Salvage and Purge options, right-click > Deleted Files on an OES mapped drive.

    NOTE:

    • Ensure that you select the Remember this password in my keychain box while mapping a CIFS share.

    • Relaunch Finder to register the NFARM application with the Finder extension.

    • NFARM uses the mapped-in user’s credentials stored in a keychain to mount IPC$ and _admin to interact with the OES server.

6.5.4 Managing the Trustee Rights in the NSS File System

On Windows

Using the Trustee Rights tab, you can do the following:

  • View, add, edit, search, and remove trustees and their explicit rights on a selected path. The path can be the root of a volume, a folder in the volume, a file or a CIFS share.

  • View both Active Directory and eDirectory trustees.

  • View and edit the Inherited Rights Filter (IRF) for the selected path.

  • View the effective rights of trustees on the selected path.

  • View trustees with rights on the selected path and parent or child directories.

Managing the Explicit Rights of Trustees

Explicit rights are the rights defined for the trustee (user or group) on an object. Trustee names are displayed in FQDN format for an eDirectory user or group and are preceded by the AD domain name for an AD user or group. Each trustee is listed along with the following eight NSS rights:

  • Supervisor: Grants all rights to the directory or file and any subordinate items. The Supervisor right can't be blocked by an Inherited Rights Filter. Users with this right can grant or deny other users rights to the directory or file.

  • Read: For a directory, grants the right to open files in the directory and read the contents or run the programs. For a file, grants the right to open and read the file.

  • Write: For a directory, grants the right to open and change the contents of files in the directory. For a file, grants the right to open and write to the file.

  • Erase: Grants the right to delete the directory or file.

  • Create: For a directory, grants the right to create new files and directories in the directory. For a file, grants the right to create a file and to salvage a file after it has been deleted.

  • Modify: Grants the right to change the attributes or name of the directory or file, but does not grant the right to change its contents (changing the contents requires the Write right).

  • File Scan: Grants the right to view directory and file names in the file system structure, including the directory structure from that file to the root directory.

  • Access Control: Grants the right to add and remove trustees for directories and files and modify their trustee assignments and Inherited Rights Filters.

    This right does not allow the trustee to add or remove the Supervisor right for any user. It also does not allow the trustee to remove a trustee that has the Supervisor right.

    NOTE: These NSS rights are not related to the Microsoft Windows rights in any way.

This section explains the procedure to add, remove, or search trustees on an object, in addition to managing their explicit rights on the selected object:

  • To add trustees on a selected path:

    • When you map the volume as an AD user, click Add..., search and select the AD users or groups, then select the rights. If you are entering multiple trustee names in the Enter the object names to select (examples) text box, separate each trustee with a semicolon.

    • When you map the volume as an eDirectory user, click Add.... Specify the object name, search context, select the object type, and then click Search. In the User or Group Name list, select the eDirectory user or group and click OK.

  • To remove trustees, select the trustees that you want to remove, then click Remove.

    HINT: To delete multiple trustees, press and hold the Ctrl key while selecting multiple trustees.

  • To search for a specific trustee in the trustee list, specify the trustee name, and click Search. To revert to the original trustee list, clear the entry in the search box, and then click Search.

  • To edit or remove rights for the displayed trustees, select or clear the respective rights check boxes. You can edit multiple trustees at the same time.

  • To list the eDirectory and Active Directory trustees in the trustee list, select List both eDirectory and AD trustees. After listing, you can continue to search for or remove trustees and to edit or remove rights, but you cannot add any user to the trustee list.

After managing the explicit rights, ensure that you click Apply for your changes to take effect in the NSS file system.

Managing Inherited Rights Filter (IRF)

Subdirectories and files can inherit rights from their parent directory. The directory’s rights flow down through its structure to subdirectories and files, except for specific subdirectories or files with their own trustee assignments that supersede inherited rights. When granting a trustee assignment to a subdirectory or file, the trustee assignment takes precedence over the inherited rights of its parent directory.

The Inherited Rights Filter section displays the list of rights that are inherited from the parent object. To block inheritance of rights from the parent object to the selected object (file or directory), clear the respective NSS rights, then click Apply for the changes to take effect in the NSS file system.

The Supervisor right cannot be blocked.

Viewing the Effective Rights

A user’s explicit rights on a directory are combined with the filtered rights inherited from its parent directory. Any rights through security equivalence are also applied.

A user’s explicit rights on a file override any rights that can be inherited from its parent directory. In this case, the user has only the rights granted, and the inherited rights are ignored. If the user is a member of another group or role that also has explicit rights to the file, the user’s effective rights on the file are a combination of the rights granted for the user and the rights granted for the group or role. If the rights of the group or role are more restrictive than the user’s explicit rights, it has no effect on rights granted to the user.

An object’s effective rights to a subdirectory are the set of distinct rights from the following:

  • Rights inherited for the user from the parent directory, with consideration of the inherited rights filter set for the subdirectory.

  • Rights set explicitly for the user on the directory.

  • Rights set explicitly for a security-equivalent object on the directory:

    • Explicit by assignment (Security Equal To property)

    • Automatic by membership in a group or role

    • Implied by its parent container and by the [Public] container

    More restrictive security-equivalent rights do not override rights granted for the trustee on the directory or for the trustee’s filtered inherited rights.

An object’s effective rights to a file are determined by the following:

  • Rights inherited for the user from the parent directory, with consideration of the inherited rights filter set for the file.

    If the user has rights set on the parent directory or is security equivalent to an object with explicit rights set there, those are the rights that flow down to the file for the user and are subject to the IRF.

    Inherited rights for a file are ignored if rights are set explicitly for the object or for a security equivalent of the object. This behavior is different than for a directory.

  • Rights set explicitly for the user on the file.

    Inherited rights are ignored. Explicit trustee rights for a security equivalent object are added. More restrictive security-equivalent rights do not override rights set for the trustee on the file.

  • Rights set explicitly for a security-equivalent object on the file:

    • Explicit by assignment (Security Equal To property)

    • Automatic by membership in a group or role

    • Implied by its parent container and by the [Public] container

      Inherited rights are ignored. Explicit trustee rights are added.

For more information, see How Effective Rights Are Calculated in the NetIQ eDirectory Administration Guide.
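The directory and file rules above, as an added example that is not part of the original guide and is not NFARM or NSS code: a Python model that computes effective rights for a user and its security equivalents. The trustee names, file names, one-letter right codes, and the treatment of a Supervisor right inherited onto a file that has explicit assignments are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# One letter per NSS right named on this page (the letter codes are this
# example's shorthand): Supervisor, Read, Write, Erase, Create, Modify,
# File Scan, Access Control.
ALL = frozenset("SRWECMFA")


@dataclass
class Node:
    """A volume, directory or file with its explicit trustees and its IRF."""
    name: str
    parent: Optional["Node"] = None
    is_file: bool = False
    irf: frozenset = ALL                          # rights allowed to flow in from the parent
    trustees: dict = field(default_factory=dict)  # trustee name -> rights, e.g. "RF"


def explicit_rights(node, principals):
    """Union of the explicit assignments on node for the user and its security
    equivalents; None when none of them is a trustee of node."""
    found = [frozenset(node.trustees[p]) for p in principals if p in node.trustees]
    return frozenset().union(*found) if found else None


def inherited_rights(node, principals):
    """Rights flowing down from the parent, filtered by node's IRF."""
    if node.parent is None:
        return frozenset()
    flowing = effective_rights(node.parent, principals)
    return flowing & (node.irf | {"S"})           # the IRF cannot block Supervisor


def effective_rights(node, principals):
    """Effective rights on node for a user plus its security equivalents."""
    inherited = inherited_rights(node, principals)
    explicit = explicit_rights(node, principals)
    if "S" in inherited:
        # Assumption: Supervisor granted above covers "any subordinate items",
        # so it survives an explicit assignment lower down.
        return ALL
    if node.is_file and explicit is not None:
        rights = explicit                         # file: inherited rights are ignored
    else:
        rights = inherited | (explicit or frozenset())  # directory: combined
    return ALL if "S" in rights else rights


def build_sample():
    """Constructed tree under the \\vol1\\org\\country path used on this page."""
    vol1 = Node("vol1", trustees={"staff": "RF", "admin": "S"})
    org = Node("org", vol1, trustees={"alice": "WC"})
    country = Node("country", org, irf=frozenset("RF"))   # IRF blocks W and C
    us = Node("us", country)
    ny = Node("ny", us)
    emp = Node("emp", ny, trustees={"alice": "W"})
    notes = Node("notes.txt", emp, is_file=True)
    payroll = Node("payroll.xls", emp, is_file=True, trustees={"staff": "R"})
    return {n.name: n for n in (vol1, org, country, us, ny, emp, notes, payroll)}


def path_of(node):
    """Backslash-separated path from the volume root to node."""
    parts = []
    while node:
        parts.append(node.name)
        node = node.parent
    return "\\" + "\\".join(reversed(parts))


if __name__ == "__main__":
    tree = build_sample()
    alice = {"alice", "staff"}     # the user plus the group it is a member of
    for name in ("org", "country", "emp", "notes.txt", "payroll.xls"):
        rights = effective_rights(tree[name], alice)
        print(f"{path_of(tree[name]):45} {''.join(sorted(rights))}")
```

With this constructed data, alice keeps Read, Write, and File Scan on notes.txt but only Read on payroll.xls, because the explicit assignment for her group on that file replaces what she would otherwise inherit.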

To launch the Effective Rights screen, from the Trustee Rights tab, click Advanced.... By default, for the selected object, the list of trustees along with their rights is displayed. You can use the Search button to view the rights of a specific trustee in the trustee list.

NOTE: To revert to the original trustee list, clear the entry in the search box, and then click Search.

To view the effective rights of some other trustee, click Select:

  • When you map the volume as an AD user, search or enter the trustee name.

  • When you map the volume as an eDirectory user, search the trustee name in the User or Group Name list, select the eDirectory user or group, and then click OK. You can select only one user at a time.

NOTE: If you enable the List both eDirectory and AD trustees option on the Trustee Rights tab, you cannot view the effective rights of other trustees.

You must have adequate rights to view the effective rights of other trustees.

Managing Trustees for Directories

Using the Trustees for Directories tab, you can get the explicit rights of the trustees from the selected path to the root of the volume and trustees from the selected path to the child directories in the volume.

To launch the Trustees for Directories screen, from the Trustee Rights tab, click Advanced... > Trustees for Directories.

For example, assume that you have the following directory structure:

  • \vol1\media\audio

  • \vol1\org\country\us\ny\emp

  • \vol1\org\country\us\slc\emp

  • \vol1\org\country\uk\ln\emp

  • \vol1\org\country\uk\lpl\emp

If you click Parent Directories from the “country” folder, it lists the explicit trustees and their rights on country, org, and vol1. It does not consider media and its subdirectories.

If you click Sub Directories from the country folder, it lists the explicit rights of all the trustees in the following directories:

  • \vol1\org\country\us\

  • \vol1\org\country\us\ny

  • \vol1\org\country\us\slc

  • \vol1\org\country\us\ny\emp

  • \vol1\org\country\us\slc\emp

  • \vol1\org\country\uk

  • \vol1\org\country\uk\ln

  • \vol1\org\country\uk\lpl

  • \vol1\org\country\uk\ln\emp

  • \vol1\org\country\uk\lpl\emp

From this tab, you can also modify the explicit rights of the trustees by clearing or selecting the NSS rights check boxes. You can also remove trustees by using the Remove button. To search for a specific trustee in the trustee list, specify the trustee name, and click Search.

NOTE: To revert to the original trustee list, clear the entry in the search box, and then click Search.

On Mac

Using the Trustee Rights tab, you can do the following:

  • View, add, edit, search, and remove trustees and their explicit rights on a selected path. The path can be the root of a volume, a folder in the volume, a file or a CIFS share.

  • View and edit the Inherited Rights Filter (IRF) for the selected path.

  • View the effective rights of trustees on the selected path.

  • View trustees with rights on the selected path and parent or child directories.

Managing the Explicit Rights of Trustees

Explicit rights are the rights defined for the trustee (user or group) on an object. The trustee names displayed here are always preceded by the AD domain name (for AD user or group) along with the eight NSS rights. For more information on these eight rights, see Managing the Explicit Rights of Trustees on Windows.

This section explains the procedure to add, remove, or search trustees on an object, in addition to managing their explicit rights on the selected object:

  • To add trustees on a selected path, click , search and select the AD users or groups, then select the rights.

  • To remove trustees, select the trustees that you want to remove, then click .

    HINT:

    • To select all files: Select the first file, then press COMMAND+A.

    • To select multiple files: Press and hold the ALT key, then click the files of your choice.

    • To select a series of files: Select the first file, press and hold the SHIFT key, and then click the last file.

  • To search for a specific trustee in the trustee list, specify the trustee name in the search box.

  • To edit or remove rights for the displayed trustees, select or clear the respective rights check boxes. You can edit multiple trustees at the same time.

After managing the explicit rights, ensure that you click Apply for your changes to take effect in the NSS file system, or click Revert to undo the changes.

Managing Inherited Rights Filter (IRF)

Subdirectories and files can inherit rights from their parent directory. The directory’s rights flow down through its structure to subdirectories and files, except for specific subdirectories or files with their own trustee assignments that supersede inherited rights. When granting a trustee assignment to a subdirectory or file, the trustee assignment takes precedence over the inherited rights of its parent directory.

The Inherited Rights Filter section displays the list of rights that are inherited from the parent object. To block inheritance of rights from the parent object to the selected object (file or directory), clear the respective NSS rights, then click Apply for the changes to take effect in the NSS file system or click Revert to undo the changes.

The Supervisor right cannot be blocked.

Viewing the Effective Rights

A user’s explicit rights on a directory are combined with the filtered rights inherited from its parent directory. Any rights through security equivalence are also applied.

A user’s explicit rights on a file override any rights that can be inherited from its parent directory. In this case, the user has only the rights granted, and the inherited rights are ignored. If the user is a member of another group or role that also has explicit rights to the file, the user’s effective rights on the file are a combination of the rights granted for the user and the rights granted for the group or role. If the rights of the group or role are more restrictive than the user’s explicit rights, it has no effect on rights granted to the user. For more information on effective rights, see Viewing the Effective Rights on Windows.

By default, for the selected object, the list of trustees along with their rights is displayed. You can use the Search button to view the rights of a specific trustee in the trustee list.

To view the effective rights of some other trustee, click Select, then search or enter the trustee name.

You must have adequate rights to view the effective rights of other trustees.

Managing Trustees for Directories

Using the Trustees for Directories tab, you can get the explicit rights of the trustees from the selected path to the root of the volume and trustees from the selected path to the child directories in the volume.

For example, assume that you have the following directory structure:

  • \vol1\media\audio

  • \vol1\org\country\us\ny\emp

  • \vol1\org\country\us\slc\emp

  • \vol1\org\country\uk\ln\emp

  • \vol1\org\country\uk\lpl\emp

If you click Parent Directories from the “country” folder, it lists the explicit trustees and their rights on country, org, and vol1. It does not consider media and its subdirectories.

If you click Sub Directories from the country folder, it lists the explicit rights of all the trustees in the following directories:

  • \vol1\org\country\us\

  • \vol1\org\country\us\ny

  • \vol1\org\country\us\slc

  • \vol1\org\country\us\ny\emp

  • \vol1\org\country\us\slc\emp

  • \vol1\org\country\uk

  • \vol1\org\country\uk\ln

  • \vol1\org\country\uk\lpl

  • \vol1\org\country\uk\ln\emp

  • \vol1\org\country\uk\lpl\emp

From this tab, you can also modify the explicit rights of the trustees by clearing or selecting the NSS rights check boxes. You can also remove trustees by using the button. To search for a specific trustee in the trustee list, specify the trustee name in the search box.

6.5.5 Information or Directory Quota

On Windows

Using the Information tab, you can view and modify:

  • The owner of a file

  • NSS attributes

  • Directory quotas

  1. To change the owner of a file, click Change, then search for and select the new owner.

    NOTE: If you enable the List both eDirectory and AD trustees option on the Trustee Rights tab, you cannot change the owner of a file.

  2. To set the NSS attributes for the selected path, select or clear the respective attributes. These attributes vary based on the object chosen (file or directory).

  3. To change the directory quota of a selected path, click Edit, then specify the quota limit and the memory unit (KB, MB, GB, TB, PB). After setting the quota, you will be able to view the quota limit set, the used quota and the available quota.

  4. Click Apply for the changes to take effect in the NSS file system.

On Mac

Using the Directory Quota tab, you can view and modify:

  • The owner of a file

  • NSS attributes

  • Directory quotas

  1. To change the owner of a file, click , then search for and select the new owner.

  2. To set the NSS attributes for the selected path, select or clear the respective attributes. These attributes vary based on the object chosen (file or directory).

  3. To change the directory quota of a selected path, click , then specify the quota limit and the memory unit (MB, GB, TB, PB). After setting the quota, you will be able to view the quota limit set, the used quota and the available quota.

  4. Click Revert to undo the changes or click Apply for the changes to take effect in the NSS file system.

6.5.6 User Quota

Using the User Quota tab, you can add, edit, or remove the user quota limit for a single user or for multiple users concurrently. For every user, it lists the quota limit, the used quota, and the remaining quota.

On Windows

To set the user quota:

  • For Active Directory users, you should either be an AD domain administrator or a user who has administrative privileges.

  • For eDirectory users, you should either be an eDirectory administrator or a user who has administrative privileges.

To search for a specific trustee in the trustee list, specify the trustee name, and click Search. To revert to the original trustee list, clear the entry in the search box, and then click Search.

  1. To assign quotas for a single or multiple users, click Add..., search and select users, then specify the quota limit.

    NOTE: If you enable the List both eDirectory and AD trustees option on the Trustee Rights tab, you cannot assign quotas for any user.

  2. To edit the quota limit, select users, click Edit..., then modify the quota limit. Press and hold the Ctrl key while selecting multiple users.

  3. To remove the quota set for users, select the users, then click Remove.

NOTE: The user quota is always set at the volume level, regardless of the folder or share from where you have invoked the User Quota.

On Mac

To set the user quota, you should either be an AD domain administrator or a user who has administrative privileges.

  1. To assign quotas for a single or multiple users, click . A new window is displayed, click , search and select users, then specify the quota limit.

  2. To edit the quota limit, select users, click , then modify the quota limit and click OK. Press and hold the Alt key while selecting multiple users.

  3. To remove the quota set for users, select the users, then click .

  4. Click Revert to undo the changes or click Apply for the changes to take effect in the NSS file system.

NOTE: The user quota is always set at the volume level, regardless of the folder or share from where you have invoked the User Quota.

6.5.7 File System Rights

On Windows

Using the File System Rights tab, you can do the following:

  • View all the objects that a user is a trustee of

  • Modify the explicit rights that the trustee has on an object

  • Add or remove the objects

  • View the rights of all groups of which the user is a member

  1. To view the explicit rights of a trustee across objects at the volume level, click Select, then search and select a user or group.

    NOTE: If you enable the List both eDirectory and AD trustees option on the Trustee Rights tab, you cannot select any user or group name to view the explicit rights of a trustee.

  2. To modify the explicit rights that the trustee has on an object, select or clear the respective NSS rights check boxes next to the object name.

  3. To add an object and to assign rights to the trustee, click Add..., then select the path.

  4. To remove an object on which the trustee has rights, select the object, then click Remove. Press and hold the Ctrl key while selecting multiple objects.

  5. To view rights of all the groups to which the trustee belongs, click Group Rights. Group Rights is disabled if a group is selected.

On Mac

Using the File System Rights tab, you can do the following:

  • View all the objects that a user is a trustee of

  • Modify the explicit rights that the trustee has on an object

  • Add or remove the objects

  • View the rights of all groups of which the user is a member

NOTE: To view or modify the File System Rights, you should either be an AD domain administrator or a user who has administrative privileges. Further, you should have logged in to the Mac workstation using the AD administrative credentials.

  1. To view the explicit rights of a trustee across objects at the volume level, click , then search and select a user or a group.

  2. To modify the explicit rights that the trustee has on an object, select or clear the respective NSS rights check boxes next to the object name.

  3. To add an object and to assign rights to the trustee, click Add or remove path, select the object, then assign rights and click Apply.

  4. To remove an object on which the trustee has rights, select the object, then click Add or remove path. Press and hold the Ctrl key while selecting multiple objects.

  5. To view the rights of all the groups to which the trustee belongs, click Group Rights. Group Rights is disabled if a group is selected.

  6. Click Revert to undo the changes or click Apply for the changes to take effect in the NSS file system.

6.5.8 Salvage and Purge

The Salvage and Purge utility lets you recover or delete the files and directories permanently from the NSS file system. The files that have been purged cannot be recovered. This tool gets automatically installed when you install NFARM.

For information on how to perform salvage and purge operations on Windows, see Salvage and Purge on Windows in the OES 2018 SP2: OES CIFS for Linux Administration Guide.

For information on how to perform salvage and purge operations on Mac, see Salvage and Purge on Mac in the OES 2018 SP2: OES CIFS for Linux Administration Guide.

6.5.9 Logs

On Mac

  • Application log location - /Users/<username>/Library/Logs/nfarm/<application_name>.log

  • Crash Reports - /Users/<username>/Library/Logs/DiagnosticReports/

  • Run-time logs - Launch Console.app

On Windows

Log location - C:\Users\<username>\AppData\Roaming\NFARM