Title: What are my rights?

Many options exist for defining rights in the NetWare environment. Most notable are the plethora of definable directory and user rights. Rights for users are known as trustee assignments. Consisting of Read, Write, Open, Create, Delete, Parental, Search, and Modify, directory rights and trustee assignments offer many combinations as a means of security. Defining these rights and how they affect one another is important for network administrators who have an interest in network management and security. The following applies to all Advanced NetWare versions, from v1.0 to v2.15, and for all foreseeable future releases.

Assignment of rights encompasses two different entities: directories and users (and groups). Specifying directory rights is performed via NetWare's Filer utility. Granting of rights to users may be done by group membership or specific declaration. NetWare supplies the SysCon utility (or MakeUser) for the definition of user and group rights.

The definition of each possible right is self-evident except for the Parental attribute. The Parental attribute grants the abilities to create subdirectories, delete subdirectories, and modify directory rights masks (that is, to change other users' rights in subdirectories).

Once granted, a right is cascaded down the subdirectory tree. For instance, if the Read privilege is granted in the SYS:PUBLIC directory, that Read privilege is automatically granted in the SYS:PUBLIC\UTILS directory. The cascaded rights can be restricted at any directory by that directory's maximum rights mask, but the trustee assignment itself continues to cascade to the subdirectories below.

Say the following directory structure is in use:

    SYS:APPS            [RWOCDPSM]  <- Maximum directory rights mask (Filer)
    SYS:APPS\DATA       [R O   S ]
    SYS:APPS\DATA\MIKE  [RWOCDPSM]

Now, say there is a user, Mike (without supervisor equivalence), with the following trustee right: SYS:APPS [RWOCDPSM]. User Mike will have full rights in the APPS directory and the APPS\DATA\MIKE directory.
But, in the APPS\DATA directory, Mike only has Read, Open and Search privileges.

Now, another approach is:

    SYS:APPS            [RWOCDPSM]  <- Maximum directory rights mask (Filer)
    SYS:APPS\DATA       [R O   S ]
    SYS:APPS\DATA\MIKE  [R O   S ]

Just as above, Mike would be granted the same rights as indicated by the directory rights mask. Granting specific rights in SYS:APPS\DATA\MIKE will NOT give Mike full rights [RWOCDPSM] in "his" directory.

To determine a user's Effective Rights, both the directory's rights and the user's rights must be overlaid. Only where the same privilege is indicated by both the directory rights and the user's own rights is the privilege granted. What occurs is a logical AND operation, for each right [RWOCDPSM]:

    Directory      User (trustee assignment)   Result
    -----------    -------------------------   -----------
    Granted        Granted                     Granted
    Not Granted    Granted                     Not Granted
    Granted        Not Granted                 Not Granted
    Not Granted    Not Granted                 Not Granted

Notes on assigning rights:

If users share rights to a particular directory or directory structure, trustee rights should not be granted specifically (user by user). Rather, grant those trustee assignments through group membership. Besides the obvious overhead of tediously adding each trustee assignment to each user (redundant assignments), every five trustees a directory has devours one directory entry, and every file on the network uses a directory entry. If a group is assigned as a trustee of a directory, only one trustee "slot" is used in that directory regardless of the number of members in the group. And, since a group can have several trustee assignments defined, making a user a member of a group can reduce setup time and ease trustee assignment changes, as well as conserve directory entries. In the case of group membership, only the group's trustee assignments need be modified; all members (users) will automatically have their rights adjusted upon their next login.
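The following is an added worked example, not part of the original article and not a Novell utility. It models the rules above in Python: a directory's maximum rights mask, trustee assignments that cascade down the tree, the logical AND that yields Effective Rights, rights obtained through group membership, and the cut-off after 32 security equivalences described later in the article. The directory names, the user MIKE and the group ACCOUNTING are taken from or constructed for this illustration; the choice to treat the nearest explicit trustee assignment on the path as the one in effect is a modelling assumption, not something the article spells out.

```python
"""Effective-rights calculator modelled on the NetWare 2.x rules in the article.

Added example; not Novell code. The rule that the nearest explicit trustee
assignment up the path is the one in effect is an assumption of this model.
"""
from typing import Dict, Iterable, List, Optional, Set

# The eight rights, in the order the masks are written: [RWOCDPSM]
ALL_RIGHTS = "RWOCDPSM"
MAX_SECURITY_EQUIVALENCES = 32  # only the first 32 equivalences are used


def parse_rights(mask: str) -> Set[str]:
    """Turn a bracketed mask such as '[R O   S ]' into a set of right letters."""
    letters = set(mask.strip("[] ").replace(" ", ""))
    unknown = letters - set(ALL_RIGHTS)
    if unknown:
        raise ValueError(f"unknown rights: {sorted(unknown)}")
    return letters


def format_rights(rights: Set[str]) -> str:
    """Render rights positionally, e.g. {'R', 'O', 'S'} -> '[R O   S ]'."""
    return "[" + "".join(r if r in rights else " " for r in ALL_RIGHTS) + "]"


def path_chain(path: str) -> List[str]:
    """'SYS:APPS\\DATA\\MIKE' -> ['SYS:APPS', 'SYS:APPS\\DATA', 'SYS:APPS\\DATA\\MIKE']"""
    parts = path.split("\\")
    return ["\\".join(parts[: i + 1]) for i in range(len(parts))]


class Volume:
    """Directory masks (set with Filer) and trustee assignments (set with SysCon)."""

    def __init__(self) -> None:
        self.masks: Dict[str, Set[str]] = {}
        self.trustees: Dict[str, Dict[str, Set[str]]] = {}

    def set_mask(self, directory: str, mask: str) -> None:
        self.masks[directory] = parse_rights(mask)

    def grant(self, directory: str, trustee: str, mask: str) -> None:
        """Trustee may be a user or a group; one slot per trustee per directory."""
        self.trustees.setdefault(directory, {})[trustee] = parse_rights(mask)

    def trustee_rights(self, directory: str, trustee: str) -> Optional[Set[str]]:
        """Assignment in effect at `directory`: rights cascade down the tree, so
        walk the path from the root and keep the deepest explicit assignment."""
        found = None
        for d in path_chain(directory):
            assigned = self.trustees.get(d, {}).get(trustee)
            if assigned is not None:
                found = assigned
        return found

    def effective_rights(self, directory: str, user: str,
                         equivalences: Iterable[str] = ()) -> Set[str]:
        """Logical AND of the directory's maximum rights mask with the rights the
        user holds as a trustee, directly or via the first 32 equivalences."""
        names = [user] + list(equivalences)[:MAX_SECURITY_EQUIVALENCES]
        held: Set[str] = set()
        for name in names:
            held |= self.trustee_rights(directory, name) or set()
        mask = self.masks.get(directory, set(ALL_RIGHTS))  # no mask set: no restriction
        return held & mask


def _apps_volume(mike_dir_mask: str) -> Volume:
    vol = Volume()
    vol.set_mask("SYS:APPS", "[RWOCDPSM]")
    vol.set_mask("SYS:APPS\\DATA", "[R O   S ]")
    vol.set_mask("SYS:APPS\\DATA\\MIKE", mike_dir_mask)
    return vol


def scenario_one() -> Dict[str, str]:
    """First structure in the article: MIKE is trustee of SYS:APPS with full rights."""
    vol = _apps_volume("[RWOCDPSM]")
    vol.grant("SYS:APPS", "MIKE", "[RWOCDPSM]")
    return {d: format_rights(vol.effective_rights(d, "MIKE"))
            for d in path_chain("SYS:APPS\\DATA\\MIKE")}


def scenario_two() -> str:
    """Second structure: even an explicit full grant in 'his' directory is masked."""
    vol = _apps_volume("[R O   S ]")
    vol.grant("SYS:APPS", "MIKE", "[RWOCDPSM]")
    vol.grant("SYS:APPS\\DATA\\MIKE", "MIKE", "[RWOCDPSM]")
    return format_rights(vol.effective_rights("SYS:APPS\\DATA\\MIKE", "MIKE"))


def group_scenario() -> Dict[str, str]:
    """Rights via group membership, and the 32-equivalence cut-off (constructed groups)."""
    vol = _apps_volume("[RWOCDPSM]")
    vol.grant("SYS:APPS", "ACCOUNTING", "[RWOCDPSM]")  # one trustee slot for the group
    via_group = vol.effective_rights("SYS:APPS", "MIKE", ["ACCOUNTING"])
    filler = [f"GROUP{i:02d}" for i in range(32)]      # 32 constructed groups first
    via_33rd = vol.effective_rights("SYS:APPS", "MIKE", filler + ["ACCOUNTING"])
    return {"via_group": format_rights(via_group), "via_33rd": format_rights(via_33rd)}


if __name__ == "__main__":
    for d, r in scenario_one().items():
        print(f"{d:<22}{r}")
    print("scenario two, SYS:APPS\\DATA\\MIKE:", scenario_two())
    print(group_scenario())
```

Running it reproduces the article's two cases: in the first structure Mike holds [RWOCDPSM] in SYS:APPS and SYS:APPS\DATA\MIKE but only [R O   S ] in SYS:APPS\DATA; in the second, the explicit grant in his own directory is still cut down to [R O   S ] by the mask. The group case shows the rights arriving through ACCOUNTING as a single trustee, and that the same group listed as the 33rd equivalence contributes nothing.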
When a user has a temporary need for access to another user's trustee assignments (not that user's group memberships or security equivalences), the user can have their security equivalence set to that of the user with the needed rights. Every group a user is a member of counts as a security equivalence. Also, each user a user is set equivalent to counts as a security equivalence. When determining effective rights, only the first 32 security equivalences are used. While this is a rare occurrence, it is worth noting.

The manner in which directory and user rights are assigned can ease network management and keep security in check.

John T. McCann
70007,3430
10/14/88