eDirectory Rights

When you create a tree, the default rights assignments give your network generalized access and security. Some of the default assignments are as follows:


Trustee Assignments and Targets

The assignment of rights involves a trustee and a target object. The trustee represents the user or set of users that are receiving the authority. The target represents those network resources the users have authority over.

See "Administration Basics" in ConsoleOne User Guide.

The [Public] trustee is not an object. It is a specialized trustee that represents any network user, logged in or not, for rights assignment purposes.


eDirectory Rights Concepts

The following list of concepts helps you understand eDirectory rights.


Object (Entry) Rights

When you make a trustee assignment, you can grant object rights and property rights. Object rights apply to manipulation of the entire object, while property rights apply only to certain object properties. Object rights are also called entry rights because each object is an entry in the eDirectory database.

A description of each object right follows.


Property Rights

When you make a trustee assignment, you can grant object rights and property rights. Object rights apply to manipulation of the entire object, while property rights apply only to certain object properties.

ConsoleOne gives you two options for managing property rights: All Properties, where the rights you grant apply to every property of the target object, and Selected Properties, where they apply only to the properties you pick.

The following are descriptions of each property right:


Effective Rights

Users can receive rights in a number of ways, such as explicit trustee assignments, inheritance, and security equivalence. Rights can also be limited by Inherited Rights Filters and changed or revoked by trustee assignments lower in the tree. The net result of all these actions, the rights a user can actually exercise, is called the user's effective rights.

A user's effective rights to an object are calculated each time the user attempts an action.


How eDirectory Calculates Effective Rights

Each time a user attempts to access a network resource, eDirectory calculates the user's effective rights to the target resource using the following process:

  1. eDirectory lists the trustees whose rights are to be considered in the calculation. These include:
    • The user who is attempting to access the target resource
    • The objects that the user is security equivalent to

  2. For each trustee in the list, eDirectory determines its effective rights as follows:
    a. eDirectory starts with the inheritable rights that the trustee has at the top of the tree.

      eDirectory checks the Object Trustees (ACL) property of the Tree object for entries that list the trustee. If any are found and they are inheritable, eDirectory uses the rights specified in those entries as the initial set of effective rights for the trustee.

    b. eDirectory moves down a level in the branch of the tree that contains the target resource.
    c. eDirectory removes any rights that are filtered at this level.

      eDirectory checks the ACL at this level for Inherited Rights Filters (IRFs) that match the right types (object, all properties, or a specific property) of the trustee's effective rights. If any are found, eDirectory removes from the trustee's effective rights any rights that are blocked by those IRFs.

      For example, if the trustee's effective rights so far include an assignment of Write All Properties, but an IRF at this level blocks Write All Properties, the system removes Write All Properties from the trustee's effective rights.

    d. eDirectory adds any inheritable rights that are assigned at this level, overriding as needed.

      eDirectory checks the ACL at this level for entries that list the trustee. If any are found, and they are inheritable, eDirectory copies the rights from those entries to the trustee's effective rights, overriding as needed.

      For example, if the trustee's effective rights so far include the Create and Delete object rights but no property rights, and if the ACL at this level contains both an assignment of zero object rights and an assignment of Write all properties for this trustee, then the system replaces the trustee's existing object rights (Create and Delete) with zero rights and adds the new all-property rights.

    e. eDirectory repeats the filtering and adding steps (c and d above) at each level of the tree, including at the target resource.
    f. eDirectory adds any noninheritable rights assigned at the target resource, overriding as needed.

      eDirectory uses the same process as in Step 2d above. The resulting set of rights constitutes the effective rights for this trustee.

  3. eDirectory combines the effective rights of all the trustees in the list as follows:
    a. eDirectory includes every right held by any trustee in the list, and excludes only those rights that are missing from every trustee in the list. eDirectory does not mix right types. For example, it does not add rights for a specific property to rights for all properties or vice versa.
    b. eDirectory adds rights that are implied by any of the current effective rights.

      The resulting set of rights constitutes the user's effective rights to the target resource.


Example

User DJones is attempting to access volume Acctg_Vol. See Figure 22.

Figure 22. Sample Trustee Rights

The following process shows how eDirectory calculates DJones' effective rights to Acctg_Vol:

  1. The trustees whose rights are to be considered in the calculation are DJones, Marketing, Tree, and [Public].

    This assumes that DJones doesn't belong to any groups or roles and has not been explicitly assigned any security equivalences. The other three trustees are included anyway, because every object is automatically security equivalent to each container above it (Marketing here), to the Tree object, and to [Public].

  2. The effective rights for each trustee are as follows:
    • DJones: Zero object, zero all properties

      The assignment of zero all property rights at Acctg_Vol overrides the assignment of Write all properties at Accounting.

    • Marketing: Zero all properties

      The assignment of Write all properties at the top of the tree is filtered out by the IRF at Accounting.

    • Tree: No rights

      No rights are assigned for Tree anywhere in the pertinent branch of the tree.

    • [Public]: Browse object, Read all properties

      These rights are assigned at the root and aren't filtered or overridden anywhere in the pertinent branch of the tree.

  3. Combining the rights from all these trustees results in the following:

    DJones: Browse object, Read all properties

  4. Adding the Compare all properties right that is implied by the Read all properties right, DJones has the following final effective rights to Acctg_Vol:

    DJones: Browse object, Read and Compare all properties


Blocking Effective Rights

Because of the way effective rights are calculated, it is not always obvious how to block particular rights from being effective for specific users without resorting to an IRF, and an IRF blocks inherited rights for every trustee, not just one.

To block particular rights from being effective for a user without using an IRF, do either of the following:


Security Equivalence

Security equivalence means having the same rights as another object. When you make one object security equivalent to another object, the rights of the second object are added to the rights of the first object when the system calculates the first object's effective rights.

For example, suppose you make User object Joe security equivalent to the Admin object. After you create the security equivalence, Joe has the same rights to the tree and file system as Admin.

There are three types of security equivalence:

Security equivalence is only effective for one step. For example, if you make a third user security equivalent to Joe in the example above, that user does not receive Admin rights.

Security equivalence is recorded in eDirectory as values in the User object's Security Equal To property.

When you add a User object as an occupant to an Organizational Role object, that User automatically becomes security equivalent to the Organizational Role object. The same is true when a User becomes a member of a Group object.


Access Control List (ACL)

The Access Control List (ACL) is also called the Object Trustees property. Whenever you make a trustee assignment, the trustee is added as a value to the Object Trustees (ACL) property of the target.

This property has strong implications for network security for the following reasons:

For these reasons, be careful giving Add Self rights to all properties of a container object. Because all properties includes the Object Trustees (ACL) property itself, the trustee can add itself to that ACL with any rights, including Supervisor, and so become Supervisor of that container, all objects in it, and all objects in containers beneath it. The same applies to the Write property right, which includes Add Self.


Inherited Rights Filter (IRF)

The Inherited Rights Filter allows you to block rights from flowing down the eDirectory tree. For more information on configuring this filter, see "Blocking Inheritance" in "Administering Rights" in ConsoleOne User Guide.


Default Rights for a New Server

When you install a new Server object into a tree, the following trustee assignments are made:


Table 23. Trustee Assignments

Default trustee                                 Default rights
----------------------------------------------  ------------------------------------------------------------
Admin (first eDirectory server in the tree)     Supervisor object right to the Tree object.
                                                Admin also has the Supervisor object right to the NetWare
                                                Server object, which means that Admin has the Supervisor
                                                right to the root directory of the file system on any
                                                volume on the server.
[Public] (first eDirectory server in the tree)  Browse object right to the Tree object.
Tree                                            Read property right to the Host Server Name and Host
                                                Resource properties on all Volume objects. This gives all
                                                objects access to the physical volume name and physical
                                                server name.
Container objects                               Read and File Scan rights to SYS:\PUBLIC, so that User
                                                objects under the container can run the NetWare utilities
                                                in \PUBLIC.
User objects                                    If home directories are created automatically, the
                                                Supervisor right to their own home directory.


Delegated Administration

eDirectory lets you delegate administration of a branch of the tree, revoking your own management rights to that branch. One reason for this approach is that special security requirements require a different administrator with complete control over that branch.

To delegate administration:

  1. Grant the Supervisor object right to the container to the User object (or, preferably, the Organizational Role object) that will administer the branch.

  2. Create an IRF on the container that filters the Supervisor right and any other rights you want blocked.

    Do the steps in this order. The IRF blocks only rights inherited from above the container; the explicit assignment made in Step 1 at the container itself is not affected, because eDirectory applies a level's IRF before it adds that level's own trustee assignments (see "How eDirectory Calculates Effective Rights"). If you create the IRF first, the Supervisor right you hold by inheritance is filtered before you can grant it, and you lose the ability to delegate the branch.

IMPORTANT:  If you delegate administration to a single User object and that object is subsequently deleted, no object has rights to manage that branch. Delegating to an Organizational Role object and keeping at least one occupant in it avoids losing the branch to the deletion of one user.

To delegate administration of specific eDirectory properties, such as Password Management, see "Granting Equivalence" in ConsoleOne User Guide.

To delegate the use of specific functions in role-based administration applications, see "Configuring Role-Based Administration" in ConsoleOne User Guide.
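The calculation procedure in "How eDirectory Calculates Effective Rights", its DJones walk-through, and the two delegation steps above can all be checked with a small calculator that replays the steps on a constructed tree. This is an added illustration, not Novell code and not an eDirectory API: the ACE and Node structures, the 'kind' labels, the stand-in for Figure 22, and the Research, RAdmin and Lab_Server names in the delegation tree are assumptions made here.

```python
"""Effective-rights calculator that replays "How eDirectory Calculates
Effective Rights".  Added illustration, not Novell code: ACE/Node, the
'kind' labels and both sample trees are modelling assumptions."""
from dataclasses import dataclass, field

OBJECT = "object"             # object (entry) rights
ALL_PROPS = "all properties"  # all-property rights; any other kind names one property
ALL_OBJECT_RIGHTS = frozenset({"Supervisor", "Browse", "Create", "Delete", "Rename"})
ALL_PROPERTY_RIGHTS = frozenset({"Supervisor", "Compare", "Read", "Write", "Add Self"})

@dataclass(frozen=True)
class ACE:                    # one value of the Object Trustees (ACL) property
    trustee: str
    kind: str                 # OBJECT, ALL_PROPS or a property name
    rights: frozenset         # empty = an explicit assignment of zero rights
    inheritable: bool = True

@dataclass
class Node:
    name: str
    acl: list = field(default_factory=list)   # ACE values on this object
    irf: dict = field(default_factory=dict)   # kind -> rights blocked by the IRF
    children: list = field(default_factory=list)

def path_to(root, target):
    """Nodes from the Tree object down to `target`, or None if it is absent."""
    if root.name == target:
        return [root]
    for child in root.children:
        below = path_to(child, target)
        if below:
            return [root] + below
    return None

def trustee_effective(path, trustee):
    """Steps 2a-2f for one trustee at the last node of `path`."""
    eff, target = {}, path[-1]
    for level, node in enumerate(path):
        if level > 0:                                  # 2c: the IRF is applied before
            for kind, blocked in node.irf.items():     #     this level's own assignments
                if kind in eff:
                    eff[kind] = eff[kind] - blocked
        # 2a/2d: inheritable assignments; 2f: noninheritable ones count only at the target
        for ace in sorted(node.acl, key=lambda a: not a.inheritable):
            if ace.trustee == trustee and (ace.inheritable or node is target):
                eff[ace.kind] = frozenset(ace.rights)  # overrides, never merges
    return eff

def add_implied(eff):
    """Step 3b: Supervisor implies every right of its type (and, for the object
    right, Supervisor to all properties); Read implies Compare."""
    out = {}
    for kind, rights in eff.items():
        rights = set(rights)
        if "Supervisor" in rights:
            rights |= ALL_OBJECT_RIGHTS if kind == OBJECT else ALL_PROPERTY_RIGHTS
        if kind != OBJECT and "Read" in rights:
            rights.add("Compare")
        out[kind] = frozenset(rights)
    if "Supervisor" in out.get(OBJECT, ()):
        out[ALL_PROPS] = out.get(ALL_PROPS, frozenset()) | ALL_PROPERTY_RIGHTS
    return out

def effective_rights(root, target, user, equivalences):
    """Steps 1-3: union over the user and its security equivalences, then implied rights."""
    path = path_to(root, target)
    if path is None:
        raise KeyError(target)
    combined = {}
    for trustee in [user, *equivalences]:
        for kind, rights in trustee_effective(path, trustee).items():
            combined[kind] = combined.get(kind, frozenset()) | rights
    return add_implied(combined)

def figure_22_tree():
    """Constructed stand-in for Figure 22 as the DJones walk-through describes it."""
    return Node("Tree", acl=[ACE("[Public]", OBJECT, frozenset({"Browse"})),
                             ACE("[Public]", ALL_PROPS, frozenset({"Read"})),
                             ACE("Marketing", ALL_PROPS, frozenset({"Write"}))],
                children=[Node("Accounting",
                               acl=[ACE("DJones", ALL_PROPS, frozenset({"Write"}))],
                               irf={ALL_PROPS: frozenset({"Write"})},  # Read passes
                               children=[Node("Acctg_Vol",
                                              acl=[ACE("DJones", ALL_PROPS, frozenset())])])])

AUTOMATIC = ["Marketing", "Tree", "[Public]"]  # DJones' container, the Tree object, [Public]

def delegated_tree():
    """Constructed tree for the Delegated Administration steps (names hypothetical):
    Admin holds Supervisor at Tree; RAdmin is granted Supervisor at Research (Step 1),
    then an IRF at Research blocks the inherited Supervisor object right (Step 2)."""
    return Node("Tree", acl=[ACE("Admin", OBJECT, frozenset({"Supervisor"}))],
                children=[Node("Research",
                               acl=[ACE("RAdmin", OBJECT, frozenset({"Supervisor"}))],
                               irf={OBJECT: frozenset({"Supervisor"})},
                               children=[Node("Lab_Server")])])
```

Calling effective_rights(figure_22_tree(), "Acctg_Vol", "DJones", AUTOMATIC) returns the Browse object right and the Read and Compare all-property rights, matching the walk-through: DJones' own Write assignment at Accounting is overridden by the zero assignment at Acctg_Vol, Marketing's Write is filtered at Accounting, and only [Public]'s rights survive, with Compare added by implication. On delegated_tree(), Admin ends with zero object rights at Lab_Server while RAdmin keeps Supervisor, because the IRF at Research is applied before Research's own assignment for RAdmin is added; that ordering is why Step 1 of the delegation procedure must precede Step 2.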


