Title: What are my rights?
Many options exist for defining rights in the NetWare environment.
Most notable are the plethora of definable directory and user rights.
Rights for users are known as trustee assignments. Directory rights masks and
trustee assignments each consist of Read, Write, Open, Create, Delete,
Parental, Search, and Modify, and together they offer many combinations as a
means of security.
Defining these rights and how they affect one another is important for
network administrators who have an interest in network management and
security. The following applies to all Advanced NetWare versions, from v1.0
to v2.15 and for all foreseeable future releases.
Assignment of rights encompasses two different entities, directories
and users (and groups). Specifying directory rights is performed via
NetWare's Filer utility. Granting of rights to users may be done by group
membership or specific declaration. NetWare supplies the SysCon utility (or
MakeUser) for the definition of user and group rights.
The definition of each possible right is self-evident except for Parental.
The Parental right grants the abilities to create subdirectories, delete
subdirectories, and modify directory rights masks (that is, change other
users' rights in subdirectories). Once granted, a right is cascaded down the
subdirectory tree. For instance, if the Read privilege is granted in the
SYS:PUBLIC directory, that Read privilege is automatically granted in the
SYS:PUBLIC\UTILS directory. A directory's rights mask can block a cascaded
right at that directory, but the trustee assignment continues to cascade into
the subdirectories below it regardless. Say the following directory structure
is in use:
SYS:APPS            [RWOCDPSM]  <- Maximum directory rights mask (Filer)
SYS:APPS\DATA       [R O   S ]
SYS:APPS\DATA\MIKE  [RWOCDPSM]
Now, say there is a user, Mike (without supervisor equivalence), with the
following trustee assignment: SYS:APPS [RWOCDPSM].
User Mike will have full rights in the APPS directory and the
APPS\DATA\MIKE directory. But, in the APPS\DATA directory, Mike only has
Read, Open and Search privileges. Now, another approach is:
SYS:APPS            [RWOCDPSM]  <- Maximum directory rights mask (Filer)
SYS:APPS\DATA       [R O   S ]
SYS:APPS\DATA\MIKE  [R O   S ]
Just as above, Mike would be granted the same rights as indicated by the
directory rights mask. Granting specific rights in SYS:APPS\DATA\MIKE will
NOT give Mike full rights [RWOCDPSM] in "his" directory.
To determine a user's Effective Rights, the directory's rights mask and the
user's trustee rights must be overlaid. A privilege is granted only where it
is indicated by both the directory rights mask and the user's own rights.
What occurs is a logical AND operation, for each right [RWOCDPSM]:
Right:   Directory      User (trustee assignment)   Result
         -----------    -------------------------   -----------
         Granted        Granted                     Granted
         Not Granted    Granted                     Not Granted
         Granted        Not Granted                 Not Granted
         Not Granted    Not Granted                 Not Granted
Notes on assigning rights:
If users share rights to a particular directory or directory structure,
trustee rights should not be specifically (user by user) granted. Rather,
grant those trustee assignments through group membership. Besides the
obvious overhead of tediously adding each trustee assignment to each user
(redundant assignments), every five trustees a directory has devours one
directory entry. Every file on the network uses a directory entry. If a
group is assigned as a trustee of a directory, only one trustee "slot" is
used in that directory regardless of the number of members in the group.
And, since a group can have several trustee assignments defined, making a
user a member of a group can reduce setup time and ease trustee assignment
changes, as well as leave more directory entries available. In the case of
group membership, only the group's trustee assignments need be modified; all
members (users) will automatically have their rights adjusted upon their
next login.
When a user has a temporary need for access to another user's trustee
assignments (not group membership or security equivalences), the user can
have their security equivalence set to that of the user with the needed
rights.
Every group a user is a member of counts as a security equivalence.
Also, each user a user is set equivalent to counts as a security
equivalence. When determining effective rights, only the first 32 security
equivalences are used. While this is a rare occurrence, it is worth noting.
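A small model of the evaluation described in the AND table above and in the note on security equivalences, as an added example (not code from the original text or from Novell): it assumes the nearest explicit trustee assignment on the path wins, that rights from the user and from the user's first 32 equivalences are combined, and that only the directory's own mask is ANDed in.

```python
# Added example (not from the original text or from Novell): a small model of
# NetWare 2.x effective-rights evaluation as the text describes it.
# Assumptions: a trustee assignment cascades down the tree until the same
# trustee receives a new assignment (nearest explicit assignment wins), rights
# from the user's own assignments and from security equivalences are combined,
# only the first 32 equivalences count, and the result is ANDed with the mask.
ALL_RIGHTS = "RWOCDPSM"

def parse_mask(text):
    """'[R O   S ]' or 'RWOCDPSM' -> set of right letters."""
    return {c for c in text if c in ALL_RIGHTS}

def fmt(rights):
    """Render a rights set in the text's bracket notation, e.g. [R O   S ]."""
    return "[" + "".join(c if c in rights else " " for c in ALL_RIGHTS) + "]"

def ancestors(path):
    r"""'SYS:APPS\DATA\MIKE' -> itself, then 'SYS:APPS\DATA', then 'SYS:APPS'."""
    parts = path.split("\\")
    return ["\\".join(parts[:i]) for i in range(len(parts), 0, -1)]

def trustee_rights(trustee, path, assignments):
    """Nearest explicit assignment for this trustee at or above path (assumed)."""
    for d in ancestors(path):
        if (trustee, d) in assignments:
            return assignments[(trustee, d)]
    return set()

def effective_rights(user, path, masks, assignments, equivalences):
    """(user's + equivalences' trustee rights) AND directory rights mask."""
    trustees = [user] + equivalences.get(user, [])[:32]  # first 32 only
    granted = set()
    for t in trustees:
        granted |= trustee_rights(t, path, assignments)
    return granted & masks.get(path, set(ALL_RIGHTS))  # no mask = all rights

# Constructed data: the two directory layouts from the text.
MASKS_1 = {"SYS:APPS": parse_mask("[RWOCDPSM]"),
           "SYS:APPS\\DATA": parse_mask("[R O   S ]"),
           "SYS:APPS\\DATA\\MIKE": parse_mask("[RWOCDPSM]")}
MASKS_2 = {**MASKS_1, "SYS:APPS\\DATA\\MIKE": parse_mask("[R O   S ]")}
ASSIGN_1 = {("MIKE", "SYS:APPS"): parse_mask("[RWOCDPSM]")}
# Second approach: Mike also gets a specific full assignment in "his" directory.
ASSIGN_2 = {**ASSIGN_1, ("MIKE", "SYS:APPS\\DATA\\MIKE"): parse_mask("[RWOCDPSM]")}

if __name__ == "__main__":
    for label, masks, assign in (("layout 1", MASKS_1, ASSIGN_1), ("layout 2", MASKS_2, ASSIGN_2)):
        for d in masks:
            print(label, d, fmt(effective_rights("MIKE", d, masks, assign, {})))
```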
The manner in which directory and user rights are assigned can ease
network management and keep security in check.
John T. McCann
70007,3430
10/14/88