When you create a tree, the default rights assignments give your network generalized access and security. Some of the default assignments are as follows:
The assignment of rights involves a trustee and a target object. The trustee represents the user or set of users that are receiving the authority. The target represents those network resources the users have authority over.
See "Administration Basics" in ConsoleOne User Guide.
The [Public] trustee is not an object. It is a specialized trustee that represents any network user, logged in or not, for rights assignment purposes.
The following list of concepts helps you understand eDirectory rights.
When you make a trustee assignment, you can grant object rights and property rights. Object rights apply to manipulation of the entire object, while property rights apply only to certain object properties. An object right is described as an entry right because it provides an entry in the eDirectory database.
A description of each object right follows.
Supervisor: Includes all rights to the object and all of its properties.
Browse: Lets the trustee see the object in the tree. It does not include the right to see an object's properties.
Create: Applies only when the target object is a container. Create allows the trustee to create new objects below the container, and also includes the Browse right.
Delete: Lets the trustee delete the target from the directory.
Rename: Lets the trustee change the name of the target.
When you make a trustee assignment, you can grant object rights and property rights. Object rights apply to manipulation of the entire object, while property rights apply only to certain object properties.
ConsoleOne gives you two options for managing property rights:
The following are descriptions of each property right:
Supervisor: Gives the trustee complete power over the property.
Compare: Lets the trustee compare the value of a property to a given value. This right allows searching and returns only a true or false result. It does not allow the trustee to actually see the value of the property.
Read: Lets the trustee see the values of a property. It includes the Compare right.
Write: Lets the trustee create, change, and delete the values of a property.
Add Self: Lets the trustee add or remove itself as a property value. It only applies to properties with object names as values, such as membership lists or Access Control Lists (ACLs).
Users can receive rights in a number of ways, such as explicit trustee assignments, inheritance, and security equivalence. Rights can also be limited by Inherited Rights Filters and changed or revoked by lower trustee assignments. The net result of all these actions (the rights a user can actually employ) is called effective rights.
A user's effective rights to an object are calculated each time the user attempts an action.
Each time a user attempts to access a network resource, eDirectory calculates the user's effective rights to the target resource using the following process:
eDirectory checks the Object Trustees (ACL) property of the Tree object for entries that list the trustee. If any are found and they are inheritable, eDirectory uses the rights specified in those entries as the initial set of effective rights for the trustee.
eDirectory checks the ACL at this level for Inherited Rights Filters (IRFs) that match with the right types (object, all properties, or a specific property) of the trustee's effective rights. If any are found, eDirectory removes from the trustee's effective rights any rights that are blocked by those IRFs.
For example, if the trustee's effective rights so far include an assignment of Write All Properties, but an IRF at this level blocks Write All Properties, the system removes Write All Properties from the trustee's effective rights.
eDirectory checks the ACL at this level for entries that list the trustee. If any are found, and they are inheritable, eDirectory copies the rights from those entries to the trustee's effective rights, overriding as needed.
For example, if the trustee's effective rights so far include the Create and Delete object rights but no property rights, and if the ACL at this level contains both an assignment of zero object rights and an assignment of Write all properties for this trustee, then the system replaces the trustee's existing object rights (Create and Delete) with zero rights and adds the new all property rights.
eDirectory uses the same process as in Step 2d above. The resulting set of rights constitutes the effective rights for this trustee.
The resulting set of rights constitutes the user's effective rights to the target resource.
User DJones is attempting to access volume Acctg_Vol. See Figure 22.
Figure 22. Sample Trustee Rights
The following process shows how eDirectory calculates DJones' effective rights to Acctg_Vol:
This assumes that DJones doesn't belong to any groups or roles and has not been explicitly assigned any security equivalences.
The assignment of zero all property rights at Acctg_Vol overrides the assignment of Write all properties at Accounting.
The assignment of Write all properties at the top of the tree is filtered out by the IRF at Accounting.
No rights are assigned for Tree anywhere in the pertinent branch of the tree.
These rights are assigned at the root and aren't filtered or overridden anywhere in the pertinent branch of the tree.
DJones: Browse object, Read all properties
DJones: Browse object, Read and Compare all properties
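The effective-rights walk described in the steps above, modeled as an added Python example (not Novell's code or the exact values of Figure 22). It assumes that every user is implicitly equivalent to the [Public] trustee, that a non-inheritable ACL entry counts only on the target object itself, and that the Tree, Accounting and Acctg_Vol assignments are constructed to reproduce the two points made in the example: the IRF at Accounting filters the Write assigned at the top of the tree, and the zero all-property assignment at Acctg_Vol overrides the Write assigned at Accounting for DJones alone.

```python
from dataclasses import dataclass, field
IMPLIED = {  # rights that include other rights, per the descriptions above
    "object": {"Supervisor": {"Browse", "Create", "Delete", "Rename"}, "Create": {"Browse"}},
    "all_properties": {"Supervisor": {"Compare", "Read", "Write", "Add Self"}, "Read": {"Compare"}},
}

@dataclass
class AclEntry:
    trustee: str
    kind: str            # "object", "all_properties" or a specific property name
    rights: frozenset    # empty set = an explicit "zero rights" assignment
    inheritable: bool = True
@dataclass
class Node:              # one object on the path from the Tree object to the target
    acl: list = field(default_factory=list)
    irf: dict = field(default_factory=dict)   # kind -> rights the IRF blocks

def expand(kind, rights):
    """Add the rights that include others (Read includes Compare, Create includes Browse, ...)."""
    return set(rights).union(*(i for r, i in IMPLIED.get(kind, {}).items() if r in rights))

def walk(path, trustee):
    """Steps 1-3 above for one trustee along Tree -> ... -> target."""
    eff = {}
    for depth, node in enumerate(path):
        if depth > 0:                               # IRFs are checked below the Tree object
            for kind, blocked in node.irf.items():
                if kind in eff:
                    eff[kind] -= blocked
        for e in node.acl:
            # Assumption: a non-inheritable entry counts only on the target itself.
            if e.trustee == trustee and (e.inheritable or depth == len(path) - 1):
                eff[e.kind] = set(e.rights)         # lower assignment overrides, even to zero
    return {k: expand(k, v) for k, v in eff.items()}

def effective_rights(path, user):
    """Union of the user's own walk and the implicit [Public] trustee (no groups or roles)."""
    eff = {}
    for trustee in (user, "[Public]"):
        for kind, rights in walk(path, trustee).items():
            eff[kind] = eff.get(kind, set()) | rights
    return {k: v for k, v in eff.items() if v}

# Constructed scenario in the spirit of the DJones / Acctg_Vol example above.
TREE = Node(acl=[AclEntry("DJones", "object", frozenset({"Browse"})),
                 AclEntry("DJones", "all_properties", frozenset({"Write"})),
                 AclEntry("[Public]", "all_properties", frozenset({"Read"}))])
ACCOUNTING = Node(irf={"all_properties": {"Write"}},          # filters the Write granted at Tree
                  acl=[AclEntry("DJones", "all_properties", frozenset({"Write"}))])
ACCTG_VOL = Node(acl=[AclEntry("DJones", "all_properties", frozenset())])  # zero rights for DJones only
```

Calling `effective_rights([TREE, ACCOUNTING, ACCTG_VOL], "DJones")` yields Browse on the object and Read plus Compare on all properties, the Read coming from [Public] rather than from any of DJones' own assignments.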
Because of the way that effective rights are calculated, it is not always obvious how to block particular rights from being effective for specific users without resorting to an IRF (an IRF blocks rights for all users).
To block particular rights from being effective for a user without using an IRF, do either of the following:
Security equivalence means having the same rights as another object. When you make one object security equivalent to another object, the rights of the second object are added to the rights of the first object when the system calculates the first object's effective rights.
For example, suppose you make User object Joe security equivalent to the Admin object. After you create the security equivalence, Joe has the same rights to the tree and file system as Admin.
There are three types of security equivalence:
Security equivalence is only effective for one step. For example, if you make a third user security equivalent to Joe in the example above, that user does not receive Admin rights.
Security equivalence is recorded in eDirectory as values in the User object's Security Equal To property.
When you add a User object as an occupant to an Organizational Role object, that User automatically becomes security equivalent to the Organizational Role object. The same is true when a User becomes a member of a Group object.
The Access Control List (ACL) is also called the Object Trustees property. Whenever you make a trustee assignment, the trustee is added as a value to the Object Trustees (ACL) property of the target.
This property has strong implications for network security for the following reasons:
For these reasons, be careful giving Add Self rights to all properties of a container object. That assignment makes it possible for the trustee to become Supervisor of that container, all objects in it, and all objects in containers beneath it.
The Inherited Rights Filter allows you to block rights from flowing down the eDirectory Tree. For more information on configuring this filter, see "Blocking Inheritance" in "Administering Rights" in ConsoleOne User Guide.
When you install a new Server object into a tree, the following trustee assignments are made:
Table 23. Trustee Assignments
eDirectory lets you delegate administration of a branch of the tree, revoking your own management rights to that branch. One reason for this approach is that special security requirements require a different administrator with complete control over that branch.
To delegate administration:
Grant the Supervisor object right to a container.
Create an IRF on the container that filters the Supervisor and any other rights you want blocked.
IMPORTANT: If you delegate administration to a User object and that object is subsequently deleted, there are no objects with rights to manage that branch.
To delegate administration of specific eDirectory properties, such as Password Management, see "Granting Equivalence" in ConsoleOne User Guide.
To delegate the use of specific functions in role-based administration applications, see "Configuring Role-Based Administration" in ConsoleOne User Guide.