NDS Rights

When you create a tree, the default rights assignments give your network generalized access and security. Some of the default assignments are as follows:

User Admin has the Supervisor right to the top of the tree, giving Admin complete control over the entire directory. Admin also has the Supervisor right to the NetWare Server object, giving complete control over any volumes on that server.
[Public] has the Browse right to the top of the tree, giving all users the right to view any objects in the tree.
Objects created through an upgrade process such as a NetWare migration, printing upgrade, or Windows NT user migration receive trustee assignments appropriate for most situations.

Trustee Assignments and Targets

The assignment of rights involves a trustee and a target object. The trustee represents the user or set of users that are receiving the authority. The target represents those network resources the users have authority over.

If you make an Alias a trustee, the rights apply only to the object the alias represents. The Alias object can be an explicit target, however.
A file or directory in the NetWare file system can also be a target, although file system rights are stored in the file system itself, not in NDS.

See "Administration Basics" in ConsoleOne User Guide.

The [Public] trustee is not an object. It is a specialized trustee that represents any network user, logged in or not, for rights assignment purposes.

NDS Rights Concepts

The following list of concepts helps you understand NDS rights.

Object (Entry) Rights

When you make a trustee assignment, you can grant object rights and property rights. Object rights apply to manipulation of the entire object, while property rights apply only to certain object properties. An object right is described as an entry right because it provides an entry in the NDS database.

A description of each object right follows.

Supervisor: Includes all rights to the object and all of its properties.
Browse: Lets the trustee see the object in the tree. It does not include the right to see an object's properties.
Create: Applies only when the target object is a container. Create allows the trustee to create new objects below the container, and also includes the Browse right.
Delete: Lets the trustee delete the target from the directory.
Rename: Lets the trustee change the name of the target.

Property Rights

ConsoleOne gives you two options for managing property rights:

You can manage all properties at once when the [All Attributes Rights] item is selected.
You can manage one or more individual properties when the specific property is selected.

The following are descriptions of each property right:

Supervisor: Gives the trustee complete power over the property.
Compare: Lets the trustee compare the value of a property to a given value. This right allows searching and returns only a true or false result. It does not allow the trustee to actually see the value of the property.
Read: Lets the trustee see the values of a property. It includes the Compare right.
Write: Lets the trustee create, change, and delete the values of a property.
Add Self: Lets the trustee add or remove itself as a property value. It only applies to properties with object names as values, such as membership lists or Access Control Lists (ACLs).

Effective Rights

Users can receive rights in a number of ways, such as explicit trustee assignments, inheritance, and security equivalence. Rights can also be limited by Inherited Rights Filters and changed or revoked by lower trustee assignments. The net result of all these actions-the rights a user can employ-are called effective rights.

A user's effective rights to an object are calculated each time the user attempts an action.

How NDS Calculates Effective Rights

Each time a user attempts to access a network resource, NDS calculates the user's effective rights to the target resource using the following process:

NDS lists the trustees whose rights are to be considered in the calculation. These include:
- The user who is attempting to access the target resource
- The objects that the user is security equivalent to
For each trustee in the list, NDS determines its effective rights as follows:
1. NDS starts with the inheritable rights that the trustee has at the top of the tree.
  NDS checks the Object Trustees (ACL) property of the Tree object for entries that list the trustee. If any are found and they are inheritable, NDS uses the rights specified in those entries as the initial set of effective rights for the trustee.
2. NDS moves down a level in the branch of the tree that contains the target resource.
3. NDS removes any rights that are filtered at this level.
  NDS checks the ACL at this level for Inherited Rights Filters (IRFs) that match with the right types (object, all properties, or a specific property) of the trustee's effective rights. If any are found, NDS removes from the trustee's effective rights any rights that are blocked by those IRFs.
  
  For example, if the trustee's effective rights so far include an assignment of Write All Properties, but an IRF at this level blocks Write All Properties, the system removes Write All Properties from the trustee's effective rights.
4. NDS adds any inheritable rights that are assigned at this level, overriding as needed.
  NDS checks the ACL at this level for entries that list the trustee. If any are found, and they are inheritable, NDS copies the rights from those entries to the trustee's effective rights, overriding as needed.
  
  For example, if the trustee's effective rights so far include the Create and Delete object rights but no property rights, and if the ACL at this level contains both an assignment of zero object rights and an assignment of Write all properties for this trustee, then the system replaces the trustee's existing object rights (Create and Delete) with zero rights and adds the new all property rights.
5. NDS repeats the filtering and adding steps (c and d above) at each level of the tree, including at the target resource.
6. NDS adds any noninheritable rights assigned at the target resource, overriding as needed.
  NDS uses the same process as in Step 2d above. The resulting set of rights constitutes the effective rights for this trustee.
NDS combines the effective rights of all the trustees in the list as follows:
1. NDS includes every right held by any trustee in the list, and excludes only those rights that are missing from every trustee in the list. NDS does not mix right types. For example, it does not add rights for a specific property to rights for all properties or vice versa.
2. NDS adds rights that are implied by any of the current effective rights.
  The resulting set of rights constitutes the user's effective rights to the target resource.

Example

User DJones is attempting to access volume Acctg_Vol. See Figure 22.

Figure 22

The following process shows how NDS calculates DJones' effective rights to Acctg_Vol:

The trustees whose rights are to be considered in the calculation are DJones, Marketing, Tree, and [Public].
This assumes that DJones doesn't belong to any groups or roles and has not been explicitly assigned any security equivalences.
The effective rights for each trustee are as follows:
- DJones: Zero object, zero all properties
  The assignment of zero all property rights at Acctg_Vol overrides the assignment of Write all properties at Accounting.
- Marketing: Zero all properties
  The assignment of Write all properties at the top of the tree is filtered out by the IRF at Accounting.
- Tree: No rights
  No rights are assigned for Tree anywhere in the pertinent branch of the tree.
- [Public]: Browse object, Read all properties
  These rights are assigned at the root and aren't filtered or overridden anywhere in the pertinent branch of the tree.
Combining the rights from all these trustees, we get the following:
DJones: Browse object, Read all properties
Adding the Compare all properties right that is implied by the Read all properties right, we get the following final effective rights for DJones to Acctg_Vol:
DJones: Browse object, Read and Compare all properties

Blocking Effective Rights

Because of the way that effective rights are calculated, it is not always obvious how to block particular rights from being effective for specific users without resorting to an IRF (an IRF blocks rights for all users).

To block particular rights from being effective for a user without using an IRF, do either of the following:

Ensure that neither the user nor any of the objects that the user is security equivalent to ever gets assigned those rights, either at the target resource or at any level above the target resource in the tree.
If the user or any object that the user is security equivalent to does get assigned those rights, ensure that that object also has an assignment lower in the tree that omits those rights. Do this for every trustee (associated with the user) that has the unwanted rights.

Security Equivalence

Security equivalence means having the same rights as another object. When you make one object security equivalent to another object, the rights of the second object are added to the rights of the first object when the system calculates the first object's effective rights.

For example, suppose you make User object Joe security equivalent to the Admin object. After you create the security equivalence, Joe has the same rights to the tree and file system as Admin.

There are three types of security equivalence:

Explicit: By assignment
Automatic: By membership in a group or role
Implied: Equivalent to all parent containers and the [Public] trustee

Security equivalence is only effective for one step. For example, if you make a third user security equivalent to Joe in the example above, that user does not receive Admin rights.

Security equivalence is recorded in NDS as values in the User object's Security Equal To property.

When you add a User object as an occupant to an Organizational Role object, that User automatically becomes security equivalent to the Organizational Role object. The same is true when a User becomes a member of a Group role object.

Access Control List (ACL)

The Access Control List (ACL) is also called the Object Trustees property. Whenever you make a trustee assignment, the trustee is added as a value to the Object Trustees (ACL) property of the target.

This property has strong implications for network security for the following reasons:

Anyone who has the Supervisor or Write right to the Object Trustees (ACL) property of an object can determine who is a trustee of that object.
Any users with the Add Self right to the Object Trustees (ACL) property of an object can change their own rights to that object. For example, they can grant themselves the Supervisor right.

For these reasons, be careful giving Add Self rights to all properties of a container object. That assignment makes it possible for the trustee to become Supervisor of that container, all objects in it, and all objects in containers beneath it.

Inherited Rights Filter (IRF)

The Inherited Rights Filter allows you to block rights from flowing down the NDS Tree. For more information on configuring this filter, see "Blocking Inheritance" in "Administering Rights in ConsoleOne User Guide.

Default Rights for a New Server

When you install a new Server object into a tree, the following trustee assignments are made:

Table 17.

Default Trustees	Default Rights
Admin (first NDS server in the tree)	Supervisor object right to the Tree object. Admin has the Supervisor object right to the NetWare Server object, which means that Admin also has the Supervisor right to the root directory of the file system of any volumes on the server.
[Public] (first NDS server in the tree)	Browse object right to the Tree object.
Tree	The Tree Read property right to the Host Server Name and Host Resource properties on all Volume objects. This gives all objects access to the physical volume name and physical server name.
Container objects	Read and File Scan rights to SYS: \PUBLIC. This allows User objects under the container to access NetWare utilities in \PUBLIC.
User objects	If home directories are automatically created for users, the users have the Supervisor right to those directories.

Delegated Administration

NDS lets you delegate administration of a branch of the tree, revoking your own management rights to that branch. One reason for this approach is that special security requirements require a different administrator with complete control over that branch.

To delegate administration:

Grant the Supervisor object right to a container.
Create an IRF on the container that filters the Supervisor and any other rights you want blocked.

IMPORTANT: If you delegate administration to a User object and that object is subsequently deleted, there are no objects with rights to manage that branch.

To delegate administration of specific NDS properties, such as Password Management, see "Granting Equivalence" in ConsoleOne User Guide.

To delegate the use of specific functions in role-based administration applications, see "Configuring Role-Based Administration" in ConsoleOne User Guide.