CNE Training Guide NetWare 4.1 Administration



- 4 -

NetWare 4.x File System Security


This chapter teaches the concepts of NetWare file system security. This security system controls user access to data on the network. You can learn about file system concepts such as NetWare directory and file rights, directory and file trustees, inherited rights, and effective rights. You also can learn how to implement file system security using the NetWare administration tools.

Understanding Rights Access

After a user successfully logs in to the server, NetWare file system security controls access to directories and files on the server. Figure 4.1 shows the different layers of security through which a user needs to go before being granted rights to the NetWare file system. From this figure, you can see that NetWare security consists of the following three levels:

The focus of this chapter is on NetWare file system security.

Figure 4.1 NetWare layered security.

Assigning File System Rights

NetWare file system security is implemented by a NetWare administrator user who has the rights to implement file system security. The administrator grants access to the NetWare file system to users and other objects.

Figure 4.2 shows a user in the act of exercising rights to a directory. The user wants to read and write to files in a directory, but the NetWare NOS must determine whether the user has sufficient privileges to exercise these rights.

Figure 4.2 Exercising rights to a NetWare file system.

A user can be given a trustee assignment explicitly. This means that the trustee assignment is made on an individual user basis. Figure 4.3 shows a user being assigned explicit rights to a directory. Setting individual rights for a large number of users can be a very tedious process and difficult to maintain. Many users have similar needs to access directories and files on the server. Consider an example in which all engineers in the engineering department need access to the same directories. Changing an access right for all of these users one at a time becomes a time-consuming and repetitious task. To help with the management and administration of users with similar needs, NetWare uses the concept of groups.

Figure 4.3 Assigning rights on a user basis.

A group is a collection of network users who have the same access privileges to directories and files on the server. All managers, for example, can be considered members of a group called MGRS. In Figure 4.4, group MGRS is implemented as a Group object in context O=SCS. The group MGRS can be given a trustee assignment in a manner similar to that for individual users; the difference being that all members of the group automatically inherit the trustee assignments for that group. If a user needs rights that group MGRS has, he or she can be made a member of the group MGRS. If a user no longer needs these rights, he or she can be removed as a member of group MGRS.

Figure 4.4 Assigning rights on a group basis.

User objects can be members of more than one group. The total rights for a user are the sum of all the rights inherited by virtue of membership in all of those groups. If a user has a Read and Write TA (trustee assignment) to directory SYS:COMMON/DATA because of membership in Group object ACCOUNTING, and a Read, Create, and Erase TA to the same directory because of membership in group ENGINEERS, then the user has a TA of Read, Write, Create, and Erase to SYS:COMMON/DATA. The user has, in other words, the sum of all rights by virtue of membership in groups ACCOUNTING and ENGINEERS.

If rights are to be assigned to a group of users, the preferred way is through containers or Group objects.

Container objects also can be used for assigning file and directory rights to users in that container (refer to figure 4.4). Containers in the NDS tree have "group" semantics because the members of a container object are the objects defined in that container. When a container is made a trustee of a file or directory, User objects in that container inherit the trustee rights.

Rights also can be assigned via a special group [Public]. [Public] is an implicit group. All users connected to the network are automatically members of group [Public]. If rights are granted through [Public], any user can gain access to directories and files for which [Public] is a trustee. The normal NetWare security mechanisms are bypassed. Unless there is a special reason for bypassing NetWare security, you should avoid granting file/directory rights through [Public]. In Chapter 5, "NetWare Directory Services Security," you are taught that the reason [Public] was created as an implicit group is to give certain default NDS rights to all connected users for an NDS tree.

NDS defines an Organizational Unit object. Users can be assigned as members of the Organizational Unit object, and this Organizational Unit object can be made a trustee, in which case all members of the Organizational Unit object inherit the trustee rights. The Organizational Unit object provides functionality similar to that of the NetWare Group object for assigning rights. The major difference between the Organizational Unit and the Group object is that the Organizational Unit object is formally defined in the X.500 standard from which NDS was derived. The NetWare Group object is a direct translation of the NetWare 3.x (and 2.x) group concept, and is specific to NetWare-based networks. You may want to use Organizational Role objects if you are interfacing with other X.500 systems.

Another way of assigning rights is through security equivalence, a property of the User object that lists the users and groups through which the user gains rights.

NetWare 4.x has no default Group objects such as the group EVERYONE that existed in NetWare 3.x. If you are upgrading a NetWare 3.x server to a NetWare 4.x server, however, the group Everyone that exists on the NetWare 3.x server is created as an NDS Group object in the same context where the upgraded server resides. An example of the Group object Everyone can be seen in figure 4.5. The server NW4CS in this figure was upgraded from a NetWare 3.x server.

Figure 4.5 Group Everyone in a NetWare 3.x upgraded server.

NetWare file system rights can be assigned to individual objects, container objects, and Group objects. Assigning rights on an individual basis can be done when you are dealing with special circumstances for that object. An example of this is assigning a user specific rights to a home directory. By default, when User objects and home directories are created, the User object is given all rights to the home directory. These rights are specific to the user and are granted on an individual basis.

Group objects and their membership can be defined using the NetWare Administrator or the NETADMIN utility. A Group object can have members only of object class User. A Group object cannot be a member of another Group object.

Because Group objects are the preferred way of assigning rights to a large number of users, Group object creation using the NetWare Administrator and NETADMIN is discussed next. The actual meanings of the individual file system and trustee rights are discussed in the section "Understanding Directory Rights and File Rights."


STUDY NOTE: Group objects used for assigning rights can be created using NETADMIN and NWADMIN.

Creating Group Objects Using NetWare Administrator

To create a Group object using the NetWare Administrator, perform the following steps:

1. Start NetWare Administrator while logged in as an Admin user.

2. Highlight the container where you want to create the Group object.

3. Right-click the mouse button and select Create.

4. Select the entry for "Group," and select OK. A panel for creating a Group object appears.

5. Enter the Group object name in the Group Name field.

6. Check the box Define Additional Properties, because you want to define members to this group.

7. Select the Create button.

The property dialog box for the newly created Group object appears (see fig. 4.6).

Figure 4.6 Group object properties--Identification.

The property names in figure 4.6 describe the identification of the Group object. Except for the group name, all of these properties are optional. For documentation purposes, it is a good idea to fill out these group properties.

8. To assign members, select the page button "Members." The membership list for the group appears (see fig. 4.7). Because this is a newly created Group object, it has no members defined.

Figure 4.7 Group object properties--Members.

9. Assign members by selecting the Add button.

The Select Object dialog box appears (see fig. 4.8). The right panel in this dialog box shows the NDS directory context, and the left panel shows the User objects in that context. Only User objects appear, because only users can be members of a Group object. If you want to select User objects in a different context as members of the Group object, you can use the up arrow in the directory context to move to the parent container or double-click on a container object to change directory context to that container. The current directory context is displayed in the dialog box.

10. Figure 4.8 shows several User objects in the context O=UNE. You can mark several User objects at once by clicking on each object while holding down the Ctrl key. If the User objects you want to select are listed consecutively, click on the first one, then move to the last one and click on it while holding down the Shift key.

Figure 4.8 The Select Object dialog box for adding users as members.

11. After selecting the User objects, select the OK button.

You should see the selected User objects added as members to the group (see fig. 4.9).

Figure 4.9 Group object--added members.

12. To add more User objects, select the Add button. To delete members from this group, select the Delete button.

13. Now, group membership has been defined.

To save your changes, select OK at the bottom of the Group object properties box.

To assign rights to files and directories for this group, select the page button Rights to Files and Directories and go to the next step.

14. Figure 4.10 shows that there are currently no rights assigned to this Group object.

Figure 4.10 Assigning rights to Group objects.

To add rights to Group object, select Add.

The Select Object dialog box appears.

The right panel in this dialog box shows the NDS directory context. The left panel shows the files and directories for the selected Volume object. If no Volume objects are in this directory context, you can use the up arrow in the directory context to move to the parent container or double-click on a container object to change the directory context to that container. The current directory context is displayed in the current context field.

15. After you select the Volume object, double-click on it to reveal the directories and files in the Volume object in the Directory Context panel. You then can select the file or directory to which the Group object should be assigned rights. Figure 4.11 shows that the ETC directory in Volume object NW4CS_SYS in the directory context OU=CORP.O=ESL was selected.

Figure 4.11 Select directory for assigning rights to Group objects.

16. Select OK to accept the file or directory.

An entry for the selected directory to which rights can be assigned appears (see fig. 4.12). The list of possible rights is shown at the bottom of the dialog box. You can select the rights and press OK to save the changes. The rights you selected are now granted to the users belonging to the group "Engineers."

The explanation of the meaning of the individual rights is covered later in this chapter.


PRACTICAL TIP: To see rights assigned for a Group object, select the Show button in figure 4.12 and the Volume object for which rights have been assigned.

Figure 4.12 Directory to which rights are assigned for Group object.

Creating Group Objects Using NETADMIN

To create a Group object using NETADMIN, perform the following steps:

1. Start NETADMIN while logged in as an Admin user.

2. Select Change Context and the context in which you want to create the Group object. You can use the Ins key to browse through the NDS tree and select the context. After you select the context, press F10 to accept this as your context.


STUDY NOTE: The context changes made within NETADMIN (and any other Novell text-based utility) last only for the duration of that utility. When you quit the utility, the current context reverts to the context that existed before you ran it.

3. Select Manage Objects.

A list of objects in the current context appears (see fig. 4.13).

Figure 4.13 Objects in selected context within NETADMIN.

4. Press Ins to create the Group object.

A list of object classes that can be created in the current context appears (see fig. 4.14).

Figure 4.14 Object classes that can be created in container.

5. Select the Group object class.

6. Enter the new group name in the Create Group Object window.

NETADMIN informs you that the Group object has been created, and also asks you if you want to create another Group object. You can create as many Group objects as you want. When you select "No" to stop creating Group objects, the newly created Group object is shown (see fig. 4.15). The newly created Group object in figure 4.15 is Consultants.

7. Highlight the newly created object, and press F10.

A list of actions that you can perform on the newly created group appears (see fig. 4.16).

Figure 4.15 Newly created Group object in NETADMIN.

Figure 4.16 Actions on newly created Group object.

8. Select View or edit properties of this object.

A list of properties grouped by Identification, Group members, and See also appears (see fig. 4.17).

Figure 4.17 View or Edit property option for Group object.

9. Select Group members.

A list of members of this group appears. The list initially is empty for a newly created group.

10. Press Ins to add members to this group.

A window asking you to enter a group member opens. Press Ins to browse directory contexts and select User objects as group members. To select a group of users in a directory context, use the F5 key to mark the User objects and press Enter.

Figure 4.18 shows a number of users added to the newly created group.

Figure 4.18 Members added to Group object.

11. Press F10 to accept the added group members. You are then prompted to Save Changes.

12. Press Esc to go back to the list of actions that you can perform on the newly created Group object.

Now, group membership has been defined. To assign rights to files and directories for this group, select View or edit rights to files and directories.

13. A form for editing rights to files and/or directories appears (see fig. 4.19).

Figure 4.19 NETADMIN form for editing rights to files and/or directories.

For Volume object name, press Enter or Ins to enter the volume where the file or directory resides. Press Ins to browse and select the Volume object name, or type the NDS name of the Volume object and press Enter.

For Beginning path, press Enter or Ins to enter the file or directory path. Press Ins to browse and select the path, or type in the path name.

For Directories/Files, press Enter to select if you want to view directories, files, or both when you are making a trustee assignment.

For Trustee search depth, press Enter and select either Current Directory or All subdirectories for viewing files and directories in current directory only or in all subdirectories.

Figure 4.20 shows an example of a completed form.

Figure 4.20 Completed NETADMIN form with rights to files and/or directories.

14. Press F10 to display the trustee list.

15. Press Ins to add a trustee list.

16. Select the directory or file to which a trustee should be added.

The default rights for the directory or file appear (see fig. 4.21).

Figure 4.21 Default rights for a directory.

17. To change a default trustee right, highlight it and press Enter.

A list of trustee rights that have been granted appears. To remove a right, highlight it and press Del. To add a right, press Ins to display the list of trustee rights that have not been granted. Select the rights you want to add and press Enter.

18. Use the F5 key to mark several rights. Use F10 to save your changes.

19. Use Esc or the shortcut key Alt+F10 to exit NETADMIN.

Understanding Directory Rights and File Rights

Table 4.1 shows the NetWare 4.x directory rights. NetWare 4.x directory and file rights are the same as those in NetWare 3.x, except that the NetWare 3.x Supervisory right is called the Supervisor right in NetWare 4.x, and the NetWare 3.x term IRM (Inherited Rights Mask) is called IRF (Inherited Rights Filter) in NetWare 4.x.

Table 4.1 NetWare Directory Trustee Rights

Name  Description
S*    Supervisor rights to the directory and all of its subdirectories and files
R     Read rights to open files in a directory, read contents, and execute
W     Write rights to open and write (modify) contents of files
C     Create rights to create files and subdirectories in a directory
E     Erase rights to delete a directory, its files, and its subdirectories
M     Modify rights to change directory and file attributes and rename
F     File Scan rights to view names of subdirectories and files
A     Access Control rights to grant rights to other users and to modify trustee rights and the IRM
*NOTE: NetWare 2.2 does not have Supervisor rights; NetWare 3.x calls its relative equivalent Supervisory rights.

The Read and Write rights in table 4.1 permit the reading and writing of files in a directory. Both of these rights are needed to perform updates on files in a directory. Reading and writing also imply that the user has a right to open files in a directory, because the user cannot do a read or write without opening the files.

The Create and Erase rights are necessary for creating files and subdirectories and for removing them. The Modify right is needed to change file attributes. Without the Modify right, you cannot use NetWare commands such as FLAG to change file attributes.

The File Scan right allows a user to view names of files and subdirectories. If you do not want a user to see file names in a directory, you can remove the File Scan right. The user can execute DIR or NDIR (NetWare DIR command) but does not see the names of files in the directory. If you know the name of a file, however, you still can access it.

The Access Control right allows a user to modify the trustee rights and the IRF (Inherited Rights Filter) of a directory; the IRF is discussed a little later. This means that a user who has the Access Control right to a directory can use a NetWare utility such as FILER to assign rights to other users for this directory. Because the holder of this right can grant rights to others, the Access Control right must be assigned with care and only to trusted users.

Table 4.2 shows the file level rights for NetWare 4.x. In NetWare 4.x and 3.x, a trustee assignment can be made at the file level. This is unlike NetWare 2.x, where a trustee assignment can be made only at the directory level. NetWare 4.x and 3.x therefore permit a finer level of control over files in a directory. The author's experience has been that in most situations, such a fine level of control is not needed, but that it is helpful to have it in situations that need this level of control. The trustee rights for files are similar to those for directories, except that the scope of these rights is limited to an individual file. The same symbols as the ones used for directory trustee rights are used. The Create right for a file means the right to salvage the file after it has been deleted. This is a little different from the Create right for a directory, which implies creating files and subdirectories in that directory.

Table 4.2 NetWare 4.x File Trustee Rights

Name  Description
S     Supervisor rights: all rights to the file
R     Read rights to open a file, read contents, and execute a program
W     Write rights to open and write (modify) contents of a file
C     Create rights to salvage a file after the file has been deleted
E     Erase rights to delete a file
M     Modify rights to change a file's attributes and rename a file
F     File Scan rights to view the name of a file and its full path name
A     Access Control rights to modify a file's trustee assignments and IRM

Trustee assignments can be controlled by four utilities: RIGHTS, FILER, NETADMIN, and NWADMIN. The NetWare 3.x GRANT, REVOKE, REMOVE, and ALLOW utilities are combined into the RIGHTS command-line utility. Another less familiar way of assigning a trustee assignment can be done using a batch utility for creating users called UIMPORT.

Understanding the Inherited Rights Filter

A directory or file has a maximum potential right that can control the effective rights a user can have for a directory (or file). Figure 4.23 illustrates this concept, where the individual components of the NetWare directory/file rights are Read, Write, Create, Erase, Modify, File Scan, and Access Control. In figure 4.22, a filter is shown to block out certain rights. In NetWare, the Inherited Rights Filter (IRF) acts like this filter. It can block out any right, except Supervisor rights.

Figure 4.22 Inherited Rights Filter.

Whenever a new directory (or file) is created, the maximum potential rights it can have are all rights. That is, the Inherited Rights Filter is [SRWCEMFA] (the individual letters in the square brackets are the first letters of the individual rights). The IRF can be used to exercise control over the effective rights to a directory (or file).

The Inherited Rights Filter for files and directories can be modified by RIGHTS, FILER, NWADMIN, and NETADMIN.

Computing Effective Rights

A user may have rights assigned to a directory, but the IRF controls the actual or effective rights a user can exercise in a directory. Effective rights can be obtained from trustee assignment and Inherited Rights Filter by applying some rules of combination. These rules of combination are illustrated in figures 4.23 and 4.24 for directories and files.

Figure 4.23 Effective rights for directories.

Figure 4.24 Effective rights for files.

At first glance, the rules of combination look a little complex, but after you study a few examples, you can begin to appreciate the logic in them. The examples that follow are for determining effective rights for directories. The user can construct similar examples for determining effective rights for a file based on the rules in figure 4.24.

Example 1: If no explicit trustee assignment has been granted to a subdirectory, the effective rights for the subdirectory are determined by the logical AND of the Inherited Rights Filter of a subdirectory and the parent directory's effective rights (see fig. 4.25).

Figure 4.25 Assigning effective rights for a subdirectory. The effective rights of subdirectory SUBDIR01 are the logical AND operation shown below:


Effective rights of parent DIR01  [    R W C E  F  ]
IRF for SUBDIR01                  [ S  R        F    ]
----------------------------------------------------------------
Effective rights for SUBDIR01     [    R        F    ]

Example 2: If an explicit trustee assignment has been granted to a subdirectory, the effective rights for the subdirectory are the same as the explicit trustee assignment, regardless of Inherited Rights Filter of the subdirectory (see fig. 4.26). In other words, an explicit TA overrides any IRF setting.

Figure 4.26 Explicit trustee assignment and effective rights for a subdirectory. Effective rights to subdirectory SUBDIR02 follow:


IRF for SUBDIR02                 [ S R            M F  ]
TA for SUBDIR02                  [   R W C E        F  ]
------------------------------------------------------------------
Effective rights for SUBDIR02    [   R W C E        F  ]

Example 3: If Supervisory rights are granted to the parent directory, the user has all rights for the subdirectories and files, regardless of a subdirectory's trustee assignment and Inherited Rights Filter (see fig. 4.27). Care must be exercised in assigning Supervisory rights.

Figure 4.27 Assigning Supervisory rights.
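The group-union rule given earlier (a user's trustee assignment is the sum of the TAs of every group it belongs to) and the three rules of combination in Examples 1 to 3 can be checked mechanically. The following Python script is an added example, not code from this guide or from Novell; the volume layout, trustee names (such as CN=KSS.OU=CORP.O=SCS and CN=MGRS.O=SCS) and rights values are constructed to mirror figures 4.25 to 4.27 and the SYS:COMMON/DATA example, and the Directory, trustee_assignment and effective_rights names are the script's own.

```python
# Added example (not code from the CNE guide or from Novell): a small model of
# how NetWare 4.x combines trustee assignments (TAs) and the Inherited Rights
# Filter (IRF) into effective rights, following the three rules in the text.
# All directory names, trustee names and rights values below are constructed.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

ALL_RIGHTS = "SRWCEMFA"   # Supervisor Read Write Create Erase Modify File-scan Access-control
Rights = FrozenSet[str]
Path = Tuple[str, ...]    # e.g. ("SYS:", "DIR01", "SUBDIR01")


def rights(spec: str) -> Rights:
    """Parse '[ S  R        F    ]', 'RWCEF' or '' into a set of right letters."""
    letters = [c for c in spec.upper() if c not in "[] "]
    bad = [c for c in letters if c not in ALL_RIGHTS]
    if bad:
        raise ValueError(f"unknown right letter(s) {bad} in {spec!r}")
    return frozenset(letters)


def fmt(r: Rights) -> str:
    """Render a rights set in the book's bracket notation, e.g. [ RWCE F ]."""
    return "[" + "".join(c if c in r else " " for c in ALL_RIGHTS) + "]"


@dataclass
class Directory:
    irf: Rights = frozenset(ALL_RIGHTS)                   # a new directory starts at [SRWCEMFA]
    ta: Dict[str, Rights] = field(default_factory=dict)   # trustee name -> explicit TA


def trustee_assignment(d: Directory, principals: Iterable[str]) -> Optional[Rights]:
    """Union of every explicit TA that reaches the user through any principal
    (the User object, its Group objects, its containers, [Public]);
    None if no TA applies in this directory."""
    found = [d.ta[p] for p in principals if p in d.ta]
    return frozenset().union(*found) if found else None


def effective_rights(tree: Dict[Path, Directory], path: Path,
                     principals: Iterable[str]) -> Rights:
    """Walk from the volume root down to `path`, applying the chapter's rules:
    Example 3: Supervisor granted above => all rights below, TA and IRF ignored;
    Example 2: an explicit TA replaces whatever flowed down, ignoring this IRF;
    Example 1: otherwise the inherited rights AND the IRF."""
    principals = list(principals)
    eff: Rights = frozenset()
    for depth in range(1, len(path) + 1):
        d = tree[path[:depth]]
        if "S" in eff:
            eff = frozenset(ALL_RIGHTS)
            continue
        ta = trustee_assignment(d, principals)
        if ta is not None:
            eff = frozenset(ALL_RIGHTS) if "S" in ta else ta
        else:
            eff = eff & d.irf
    return eff


KSS = "CN=KSS.OU=CORP.O=SCS"
# Everything KSS gains rights through: the User object itself, its groups and its containers.
KSS_PRINCIPALS = [KSS, "CN=ACCOUNTING.O=SCS", "CN=ENGINEERS.O=SCS", "CN=MGRS.O=SCS",
                  "OU=CORP.O=SCS", "O=SCS", "[Public]"]


def build_sample_tree() -> Dict[Path, Directory]:
    """Constructed volume mirroring figures 4.25 to 4.27 and the group-union example."""
    return {
        ("SYS:",): Directory(),
        # fig. 4.25: TA on DIR01 gives RWCEF; SUBDIR01 has IRF [ S R F ] and no TA
        ("SYS:", "DIR01"): Directory(ta={KSS: rights("RWCEF")}),
        ("SYS:", "DIR01", "SUBDIR01"): Directory(irf=rights("SRF")),
        # fig. 4.26: SUBDIR02 has IRF [ S R M F ] but an explicit TA of RWCEF
        ("SYS:", "DIR01", "SUBDIR02"): Directory(irf=rights("SRMF"), ta={KSS: rights("RWCEF")}),
        # fig. 4.27: group MGRS holds Supervisor on DIR03; SUBDIR03's IRF blocks everything
        ("SYS:", "DIR03"): Directory(ta={"CN=MGRS.O=SCS": rights("S")}),
        ("SYS:", "DIR03", "SUBDIR03"): Directory(irf=rights(""), ta={KSS: rights("R")}),
        # text example: RW via ACCOUNTING plus RCE via ENGINEERS on SYS:COMMON/DATA
        ("SYS:", "COMMON"): Directory(),
        ("SYS:", "COMMON", "DATA"): Directory(ta={"CN=ACCOUNTING.O=SCS": rights("RW"),
                                                  "CN=ENGINEERS.O=SCS": rights("RCE")}),
    }


def report(tree: Dict[Path, Directory], principals: Iterable[str]) -> Dict[str, str]:
    """Effective rights for every directory, keyed by a book-style path like SYS:DIR01/SUBDIR01."""
    principals = list(principals)
    return {p[0] + "/".join(p[1:]): fmt(effective_rights(tree, p, principals))
            for p in sorted(tree)}


if __name__ == "__main__":
    for path, r in report(build_sample_tree(), KSS_PRINCIPALS).items():
        print(f"{path:<24} {r}")
```

Running the script prints the effective rights of every directory in the sample volume in the book's bracket notation. The order of the checks in effective_rights is the point: Supervisor inherited from a parent is tested before the current directory's TA and IRF are even looked at, so neither an IRF of [ ] nor a narrower explicit TA below DIR03 can take those rights away, which is why the text says Supervisor must be assigned with care.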


AUTHOR'S NOTE: The rules for computing effective rights have been designed so that effective rights flow down subdirectories, and if no explicit TA is made, the effective rights are modified by the IRF. Whenever an explicit TA is made, a new set of effective rights flows down the subdirectories. This is in contrast to pre-NetWare 2.2 versions, where trustee assignments flow down subdirectories instead of effective rights. In those versions, unexpected rights can be inherited by users if new subdirectories are created. The Inherited Rights Filter concept and the rules of combination were introduced in NetWare 2.2 and NetWare 3.x to overcome these problems, except that the Inherited Rights Filter is called the Inherited Rights Mask in NetWare 2.2 and 3.x.

The effective rights can be examined by the NetWare utility FILER or the command-line utility RIGHTS. You also can examine effective rights using NetWare Administrator (NWADMIN) and NETADMIN.

Using the RIGHTS Command

Examples of using the RIGHTS command follow:

RIGHTS

The output may resemble the following:

NW4CS\SYS:\PUBLIC
Your rights for this directory are: [SRWCEMFA]
Supervisor rights to directory.       (S)
Read from a file in a directory.      (R)
Write to a file in a directory.       (W)
Create subdirectories and files.      (C)
Erase directory and files.            (E)
Modify directory and files.           (M)
Scan for files and directories.       (F)
Change access control.                (A)

The user has all rights to the SYS:PUBLIC directory. Because the command was issued while the user was logged in as user Admin, the results are as expected because the user Admin has all rights.

The general syntax for using RIGHTS is shown in figures 4.28 to 4.33.

Figure 4.28 RIGHTS /? General Help Summary.

Figure 4.29 RIGHTS /? T Summary.

Figure 4.30 RIGHTS /? F Summary.

Figure 4.31 RIGHTS /? I Summary.

Figure 4.32 RIGHTS /? S Summary.

Figure 4.33 RIGHTS /? O Summary.

The RIGHTS command enables you to:

The examples that follow illustrate these actions.


STUDY NOTE: Study RIGHTS usage in the examples that follow.

Viewing Rights to a Specific Directory

To view the rights for user KSS in the SYS:USERS/KSS directory, use the following command:

F:\>RIGHTS SYS:USERS/KSS

The output is as follows:

NW4CS\SYS:USERS\KSS
Your rights for this directory are:  [ RWCE F ]
Read from a file in a directory.     (R)
Write to a file in a directory.      (W)
Create subdirectories and files.     (C)
Erase directory and files.           (E)
Scan for files and directories.      (F)

This command was issued by user KSS while logged in under his account.

Listing Trustees Using RIGHTS

You can use the /T option to see a list of trustees for a directory.

To view the trustee assignments for a specified directory, such as SYS:PUBLIC, use the following command:

F:\> RIGHTS SYS:PUBLIC  /T
NW4CS\SYS:\PUBLIC
User trustees:
     CN=KSS.OU=CORP.O=SCS         [ R    F ]
----------
Group trustees:
     CN=Everyone.OU=CORP.O=ESL    [ R    F ]
----------
Other trustees:
     OU=CORP.O=ESL                [ R    F ]

Note that group Everyone is not a predefined group under NetWare. It appears in the preceding example because the server was upgraded from NetWare 3.x to NetWare 4.x.

The output of the previous RIGHTS command shows that a User object, a Group object, and a container object have rights to NW4CS\SYS:\PUBLIC. The User object CN=KSS.OU=CORP.O=SCS, the Group object CN=Everyone.OU=CORP.O=ESL, and the container object OU=CORP.O=ESL all have Read and File Scan rights to NW4CS\SYS:\PUBLIC.

Because the container object has Read and File Scan rights to NW4CS\SYS:\PUBLIC, all User objects in the container have Read and File scan rights to NW4CS\SYS:\PUBLIC.

The /T option lists all trustees that have been given an explicit trustee assignment to SYS:PUBLIC. While NWADMIN and NETADMIN also can display this information, using the previous RIGHTS command is simpler (and usually faster).

Granting and Revoking Rights Using the RIGHTS Command

You can use the /NAME= option to specify the NDS object that must be assigned rights to a file or directory.

The general syntax of RIGHTS using the /NAME= option is the following:

RIGHTS  directory_file_name  [+|-]rights  /NAME=objectname

To set the rights for user KSS in SYS:USERS/KSS directory so that the user has all rights except Supervisor rights, the command is the following:

F:\> RIGHTS SYS:USERS/KSS  CRWEMFA /NAME=.KSS.CORP.SCS
NW4CS\SYS:USERS
Directories                                                  Rights
------------------------------------------------------------ ----------
KSS                                                          [ RWCEMFA]

Rights for one directory were changed for .KSS.CORP.SCS.

To remove the Erase and Create rights for user KSS in SYS:USERS/KSS directory, use the following command:

F:\> RIGHTS SYS:USERS/KSS  -C-E  /NAME=.KSS.CORP.SCS
NW4CS\SYS:USERS
Directories                                                  Rights
------------------------------------------------------------ -----------
KSS                                                          [ RW  MFA]

Rights for one directory were changed for .KSS.CORP.SCS.


STUDY NOTE: According to Novell documentation the command

RIGHTS SYS:USERS/KSS  -CE  /NAME=.KSS.CORP.SCS

should be the same as the command

RIGHTS SYS:USERS/KSS  -C-E  /NAME=.KSS.CORP.SCS

But in version 4.01 of the RIGHTS command, the first RIGHTS command removes only the Create right and not the Erase right.
Using the + option to add a right works correctly. The following two commands, therefore, have the same effect.

RIGHTS SYS:USERS/KSS  +CE  /NAME=.KSS.CORP.SCS
RIGHTS SYS:USERS/KSS  +C+E  /NAME=.KSS.CORP.SCS



To add the Create right back for the user KSS in SYS:USERS/KSS directory, use the following command:

F:\> RIGHTS SYS:USERS/KSS  +C  /NAME=.KSS.CORP.SCS
NW4CS\SYS:USERS
Directories                                                  Rights
------------------------------------------------------------ -----------
KSS                                                          [ RWCEMFA]

Rights for one directory were changed for .KSS.CORP.SCS.

Two User objects named KSS are in the contexts CORP.ESL and CORP.SCS. To assign both users all rights--except the Supervisor right--to the current directory, use the following command:

RIGHTS . ALL /NAME=.CN=KSS.OU=CORP.O=ESL,.CN=KSS.OU=CORP.SCS
NW4CS\SYS:USERS
Directories                                                  Rights
------------------------------------------------------------ -----------
KSS                                                          [ RWCEMFA]

Rights for the directory were changed, first for .CN=KSS.OU=CORP.O=SCS.

NW4CS\SYS:USERS
Directories                                                  Rights
------------------------------------------------------------ -----------
KSS                                                          [ RWCEMFA]

Rights for the directory were then changed for .CN=KSS.OU=CORP.O=ESL.

Notice that the period (.) can be used for the current directory name. Also, note that ALL means all rights except the Supervisor right. The /NAME= option enables you to list a number of NDS names.

To remove all rights (except Supervisor, if given) for the two User objects KSS in the contexts CORP.ESL and CORP.SCS, use the following command:

RIGHTS . -ALL /NAME=.CN=KSS.OU=CORP.O=ESL,.CN=KSS.OU=CORP.OSCS
NW4CS\SYS:USERS
Directories                                                  Rights
------------------------------------------------------------ -----------
KSS                                                          [        ]

Rights for the directory were then changed for .CN=KSS.OU=CORP.O=SCS.

NW4CS\SYS:USERS
Directories                                                  Rights
------------------------------------------------------------ -----------
KSS                                                          [        ]

Rights for one directory were changed for .CN=KSS.OU=CORP.O=ESL.

Notice that all rights have been removed for the two User objects.

Table 4.3 shows the rights letter codes that can be used with the RIGHTS command.

Table 4.3 Rights Letter Codes in the RIGHTS Command

Letter Code   Description
-----------   -----------------------------------------------------
ALL           Grants all rights except Supervisor
N             Revokes all rights (No rights)
S             Supervisor right
C             Create right
R             Read right
W             Write right
E             Erase right
M             Modify right
F             File Scan right
A             Access Control right
+             Adds the listed right(s) to the existing rights
-             Removes the listed right(s) from the existing rights
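The following Python model reproduces the letter-code rules of Table 4.3 and the bracketed [SRWCEMFA] display that the RIGHTS command prints, so the outputs shown above can be checked by hand. It is an added example written for this chapter, not a Novell utility and not code from the book. It encodes the rules the text states (ALL means every right except Supervisor, N revokes all rights, a leading + or - adds to or removes from the existing rights, a bare letter string replaces them, and an IRF edited with /F can never lose the Supervisor right); accepting several tokens in one call, such as '+RW -E', is an extension for convenience.

```python
"""Model of the rights-letter syntax of the NetWare 4.x RIGHTS command and
of the bracketed rights display it prints.

Added example for this chapter; not Novell code. Rules encoded:
ALL = all rights except Supervisor, N = no rights, +/- adjust the existing
rights, bare letters replace them, and an IRF (/F) always keeps S.
"""

# Column order of the RIGHTS display: [SRWCEMFA]
RIGHT_ORDER = "SRWCEMFA"
ALL_BUT_SUPERVISOR = set("RWCEMFA")


def render(rights):
    """Print a rights set the way RIGHTS does, e.g. {'S','R','F'} -> '[SR    F ]'."""
    return "[" + "".join(c if c in rights else " " for c in RIGHT_ORDER) + "]"


def parse(display):
    """Inverse of render(): '[ RWCEMFA]' -> {'R', 'W', 'C', 'E', 'M', 'F', 'A'}."""
    return set(display.strip().strip("[]")) - {" "}


def expand(letters):
    """Turn one letter group (after any leading + or -) into a set of rights."""
    if letters == "ALL":
        return set(ALL_BUT_SUPERVISOR)
    if letters == "N":
        return set()
    unknown = set(letters) - set(RIGHT_ORDER)
    if unknown:
        raise ValueError(f"unknown right letter(s): {''.join(sorted(unknown))}")
    return set(letters)


def apply_rights_spec(current, spec, irf=False):
    """Apply what was typed after the path in a RIGHTS command.

    current -- rights before the command (trustee assignment, or the IRF if irf=True)
    spec    -- e.g. '+C', '-W', 'ALL', '-ALL', 'N', 'SRF', '+RW -E'
    irf     -- True when the command carried /F, so the IRF is being edited
    """
    rights = set(current)
    for token in spec.upper().split():
        if token.startswith("+"):
            rights |= expand(token[1:])
        elif token.startswith("-"):
            rights -= expand(token[1:])
        else:
            rights = expand(token)      # bare letters replace the existing rights
    if irf:
        rights.add("S")                 # Supervisor cannot be filtered out of an IRF
    return rights


def chapter_examples():
    """Replay the commands shown in this chapter and return their displays."""
    ta = parse("[ RWCEMFA]")            # trustee assignment before 'RIGHTS . -ALL'
    irf = parse("[SRWCEMFA]")           # default IRF of SYS:USERS/KSS
    return {
        "RIGHTS . ALL":                 render(apply_rights_spec(set(), "ALL")),
        "RIGHTS . -ALL":                render(apply_rights_spec(ta, "-ALL")),
        "RIGHTS SYS:USERS/KSS -W /F":   render(apply_rights_spec(irf, "-W", irf=True)),
        "RIGHTS SYS:USERS/KSS SRF /F":  render(apply_rights_spec(irf, "SRF", irf=True)),
        "RIGHTS SYS:USERS/KSS -ALL /F": render(apply_rights_spec(irf, "-ALL", irf=True)),
    }


if __name__ == "__main__":
    for command, result in chapter_examples().items():
        print(f"{command:32} {result}")
```

The last entry of chapter_examples() shows the point made in the IRF section below: even -ALL against an IRF leaves [S       ], because the Supervisor right cannot be filtered in the NetWare 4.x file system.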

Observing Inherited Rights Using the RIGHTS Command

The /I option enables you to see how the inherited rights contribute to effective rights.

To see your inherited rights for SYS:PUBLIC for the user KSS defined in container OU=CORP.O=SCS, use the following command:

F:\>RIGHTS SYS:PUBLIC  /NAME=.KSS.CORP.SCS  /I
Name= .KSS.CORP.SCS
Path                                       Rights    
------------------------------------------------------------ ------
NW4CS\SYS:
Inherited Rights Filter:                   [                      ]
Inherits from above:                       [                      ]
     ________
Effective Rights =                         [                      ]
------------------------------------------------------------ ------
NW4CS\SYS:\PUBLIC
Inherited Rights Filter:                   [SRWCEMFA              ]
Inherits from above:                       [                      ]
KSS.CORP.SCS                               [ R    F               ]
             ----------------
Effective Rights =                         [ R    F               ]
------------------------------------------------------------ ------

Read top-down, the /I output shows the sequence in which rights are computed: at each level the IRF is applied to what is inherited from above, an explicit trustee assignment at that level (when present) replaces what would have been inherited, and the result is the effective rights for that level and the starting point for the next.
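The walk that RIGHTS /I prints can be reproduced for any path, which is useful for checking the effective-rights questions at the end of this chapter. The Python below is an added example written for this chapter, not Novell code. It models one trustee and applies the rules the text gives: an explicit trustee assignment at a directory replaces whatever would have been inherited there; without one, the parent's effective rights flow down masked by the directory's IRF; the Supervisor right cannot be filtered by an IRF and implies all other rights. Rights the same user would gain from groups or containers are separate sources computed the same way and then combined; they are not modeled here. The scenarios at the bottom are taken from the SYS:PUBLIC listing above and from test questions 8 and 9 of this chapter.

```python
"""Compute a trustee's effective rights down a directory path, level by
level, in the shape of the RIGHTS /I display.

Added example for this chapter; not Novell code. Single-trustee model:
explicit assignment replaces inheritance, otherwise parent effective
rights are masked by the IRF, and S cannot be filtered and implies all.
"""

RIGHT_ORDER = "SRWCEMFA"
FULL = set(RIGHT_ORDER)


def render(rights):
    """Bracketed display used by RIGHTS, e.g. {'R', 'F'} -> '[ R    F ]'."""
    return "[" + "".join(c if c in rights else " " for c in RIGHT_ORDER) + "]"


def effective_rights(levels):
    """levels: [(path, irf_letters, trustee_letters_or_None), ...] listed
    from the top of the path downward. Returns one dict per level."""
    inherited = set()                   # nothing is inherited above the first level
    report = []
    for path, irf, trustee in levels:
        irf = set(irf) | {"S"}          # S can never be removed from an IRF
        inherits = inherited & irf      # what flows down from the parent
        if trustee is not None:
            effective = set(trustee)    # explicit assignment replaces inheritance
            if "S" in inherited:
                effective |= FULL       # modeled: an inherited Supervisor right is
                                        # not revoked by a lower trustee assignment
        else:
            effective = set(inherits)
        if "S" in effective:
            effective = set(FULL)       # Supervisor grants every right
        report.append({
            "path": path,
            "irf": irf,
            "inherits": inherits,
            "trustee": None if trustee is None else set(trustee),
            "effective": effective,
        })
        inherited = effective
    return report


def format_report(report, trustee_name):
    """Text laid out like the RIGHTS /I output."""
    lines = [f"Name= {trustee_name}"]
    for level in report:
        lines.append(level["path"])
        lines.append(f"  Inherited Rights Filter:  {render(level['irf'])}")
        lines.append(f"  Inherits from above:      {render(level['inherits'])}")
        if level["trustee"] is not None:
            lines.append(f"  {trustee_name:<26}{render(level['trustee'])}")
        lines.append(f"  Effective Rights =        {render(level['effective'])}")
    return "\n".join(lines)


# Constructed scenarios taken from this chapter's RIGHTS /I listing and questions.
def sys_public_example():
    # RIGHTS SYS:PUBLIC /NAME=.KSS.CORP.SCS /I: no assignment at the root,
    # explicit [R F] on PUBLIC
    return effective_rights([
        ("NW4CS\\SYS:", "SRWCEMFA", None),
        ("NW4CS\\SYS:\\PUBLIC", "SRWCEMFA", "RF"),
    ])


def question_8():
    # Bill: DIR01 IRF [S], TA [RWCEF]; SUBDIR01 IRF [SR], no TA
    return effective_rights([
        ("DIR01", "S", "RWCEF"),
        ("DIR01\\SUBDIR01", "SR", None),
    ])


def question_9():
    # Nina: three levels, explicit [R] at the bottom overrides inheritance
    return effective_rights([
        ("DIR01", "SWE", "RWCEF"),
        ("DIR01\\DIR02", "SRWF", None),
        ("DIR01\\DIR02\\DIR03", "RWCEMA", "R"),
    ])


if __name__ == "__main__":
    print(format_report(sys_public_example(), ".KSS.CORP.SCS"))
    print("Bill in DIR01\\SUBDIR01:", render(question_8()[-1]["effective"]))
    print("Nina in DIR01\\DIR02\\DIR03:", render(question_9()[-1]["effective"]))
```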

Removing a User as a Trustee for a Directory

When you precede the /NAME= with the keyword REM, the names listed in the /NAME parameter are removed as trustees to the file or directory. This method is different from removing trustee rights. Removing trustee rights can remove rights, including all rights, but the user is still listed as a trustee.

To remove user .KSS.CORP.ESL as a trustee of SYS:USERS/KSS, use the following command:

RIGHTS SYS:USERS/KSS  REM /NAME=.KSS.CORP.ESL
NW4CS\SYS:USERS\KSS
User .KSS.CORP.ESL is no longer a trustee of the specified  directory.
Trustee .KSS.CORP.ESL was removed from the directory.

Changing the Inherited Rights Filter

You can use the /F option to examine or change the Inherited Rights Filter. To see the current IRF for SYS:USERS/KSS, use the following command:

RIGHTS SYS:USERS/KSS  /F
NW4CS\SYS:USERS
Directories                                                  Rights
------------------------------------------------------------ ----------
KSS                                                          [SRWCEMFA]  

You can precede a right with a + or - to add or remove that right from the IRF. You can remove all rights from the IRF, except the Supervisor right.

To remove the Write right from the IRF for SYS:USERS/KSS, use the following command:

RIGHTS SYS:USERS/KSS  -W   /F
NW4CS\SYS:USERS
Directories                                                  Rights
------------------------------------------------------------ ----------
KSS                                                          [SR CEMFA]  

To set the IRF for SYS:USERS/KSS to [SR F], use the following command:

RIGHTS SYS:USERS/KSS  SRF   /F
NW4CS\SYS:USERS
Directories                                                  Rights
------------------------------------------------------------ ----------
KSS                                                          [SR    F ]  

Using Attribute Security

Individual files or directories can be assigned attributes that can override a user's effective rights. In figure 4.34, USER1 has Read, Write, Create, and Erase effective rights to SYS:APPS/DATA. But the file FILE.1 is flagged with a Delete Inhibit attribute, and this prevents the file from being deleted, even though the user has Erase effective rights to the directory.

Figure 4.34 Use of Attribute security.
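Attribute security sits on top of rights: the question at a file is not only "does the user hold the Erase right?" but "does an attribute forbid the operation anyway?". The Python below is an added example written for this chapter, not Novell code, that answers both for a file. Attribute codes follow the chapter's tables and question 12 (Ro, DI, RI, X, and S for Sharable); right letters follow the RIGHTS display order SRWCEMFA. Rules used: Ro blocks write, erase and rename, and setting it also sets DI and RI; DI blocks erase; RI blocks rename; X (Execute Only) blocks copying. Treating "copy" as requiring Read plus File Scan on the source is an assumption of this example, not a rule stated in the chapter. The scenarios are the one in figure 4.34 and test question 10.

```python
"""Lay NetWare file attributes over a user's effective rights and report
which operations are actually permitted (figure 4.34).

Added example for this chapter; not Novell code. Attribute codes: Ro, DI,
RI, X, S (Sharable). 'copy' = Read + File Scan is an assumption here.
"""

FULL_RIGHTS = set("SRWCEMFA")


def set_read_only(attributes):
    """FLAG ... Ro also sets Delete Inhibit and Rename Inhibit (question 12)."""
    return set(attributes) | {"Ro", "DI", "RI"}


def allowed_operations(effective_rights, attributes):
    """operation -> bool for one file, given the user's effective rights
    (letters) and the file's attribute codes."""
    rights = set(effective_rights)
    if "S" in rights:
        rights = set(FULL_RIGHTS)          # Supervisor right implies all rights
    attrs = set(attributes)
    read_only = "Ro" in attrs
    return {
        "read":   "R" in rights,
        "write":  "W" in rights and not read_only,
        "erase":  "E" in rights and not read_only and "DI" not in attrs,
        "rename": "M" in rights and not read_only and "RI" not in attrs,
        "copy":   "R" in rights and "F" in rights and "X" not in attrs,
        "share":  "S" in attrs,            # Sharable attribute, not the Supervisor right
    }


def blocked_by_attributes(effective_rights, attributes):
    """Operations the rights alone would allow but an attribute forbids:
    the override that figure 4.34 illustrates."""
    with_attrs = allowed_operations(effective_rights, attributes)
    without = allowed_operations(effective_rights, set())
    return sorted(op for op in without if without[op] and not with_attrs[op])


def figure_4_34():
    # USER1 has [RWCE] effective rights to SYS:APPS/DATA; FILE.1 is flagged DI
    return allowed_operations("RWCE", {"DI"})


def question_10():
    # Lisa ends with [RW] in DIR01\DIR02\DIR03; FILE.1 is flagged [S Ro]
    return allowed_operations("RW", set_read_only({"S"}))


if __name__ == "__main__":
    print("figure 4.34:", figure_4_34())
    print("blocked by DI:", blocked_by_attributes("RWCE", {"DI"}))
    print("question 10:", question_10())
```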

Directory attributes and file attributes common to NetWare 3.x and 4.x are listed in tables 4.4 and 4.5. File and directory attributes are set with the FLAG command; type FLAG /? for help on setting them.

Table 4.4 Directory Attributes for NetWare 3.x, 4.x

Attribute   Meaning
---------   --------------------------------------------------------------------------
DI          Delete Inhibit: prevents the directory from being erased.
H           Hidden: hides the directory from a DOS DIR command.
P           Purge: files deleted from the directory are purged immediately and cannot be salvaged.
RI          Rename Inhibit: prevents the directory from being renamed.
Sy          System: similar to H; used for system directories.

Table 4.5 File Attributes for NetWare 3.x, 4.x

Attribute   Meaning
---------   --------------------------------------------------------------------------
A           Archive Needed: automatically set on files modified since the last backup.
CI          Copy Inhibit: prevents Macintosh users from copying the file.
DI          Delete Inhibit: prevents the file from being erased.
X           Execute Only: prevents the file from being copied; once set, it cannot be removed.
H           Hidden: hides the file from a DOS DIR scan.
I           Indexed: speeds access to large files; automatically set for files with more than 64 FAT entries.
P           Purge: the file is purged immediately when deleted and cannot be salvaged.
Ro          Read Only: the file cannot be written to, erased, or renamed.
Rw          Read Write: the default setting for a file.
RI          Rename Inhibit: prevents the file from being renamed.
S           Sharable: lets more than one user open the file at the same time.
Sy          System: similar to H; used for system files.
T           Transactional: protects the file against incomplete (partially written) transactions.

Additional NetWare 4.x directory and file attributes are listed in table 4.6.

Table 4.6 Additional NetWare 4.x Attributes

Attribute            Applies to       Abbreviation   Description
-------------------  ---------------  ------------   ------------------------------------------------------------
Migrate              File             M              Indicates that the file has migrated to near-line storage.
Don't Migrate        File/Directory   Dm             Prevents a file, or the files in a directory, from migrating.
Compress             File             Co             Indicates that the file has been compressed.
Don't Compress       File/Directory   Dc             Prevents a file, or the files in a directory, from being compressed.
Immediate Compress   File/Directory   Ic             Marks a file, or the files in a directory, for compression as soon as the OS can perform it.
Can't Compress       File             Cc             Indicates that the file could not be compressed because the space saving would be too small.

The attributes Migrate (M), Compress (Co), and Can't Compress (Cc) are status attributes and indicate the status of individual files only. The attributes Don't Migrate (Dm), Don't Compress (Dc), and Immediate Compress (Ic) apply to both files and directories and specify actions that are to be performed or prevented from occurring.

The Data Migration feature is installed using INSTALL.NLM and requires a near-line storage medium that acts as secondary storage to the primary hard disk.

The compression feature is enabled or disabled on a volume-by-volume basis during installation. It can be further controlled by a variety of SET parameters.

Using the FLAG Utility

The NetWare 4.x FLAG utility consolidates the functions of the NetWare 3.x FLAG, FLAGDIR, and SMODE commands. You can use a single FLAG utility to change both the file and directory attributes and the search mode for executable files. The FLAG utility also enables you to change the owner of a directory or a file.

The functions of the FLAG utility also can be performed by the FILER menu utility.

Figure 4.35 shows a summary of the FLAG command usage.

Figure 4.35 FLAG /? Help Summary.

Using the FILER Utility

The FILER utility combines the functions of the NetWare 3.x FILER, SALVAGE, DSPACE, and VOLINFO utilities.

FILER can be used to perform many file-, directory-, and volume-related tasks.

You can use FILER to perform the following tasks:

Figure 4.36 shows the main menu for FILER when the command FILER is run at a workstation.

Figure 4.36 The FILER main menu.

The Manage files and directories option in the main menu shows you a list of directories and files in the current directory (see fig. 4.37).

The Manage according to search pattern option in the main menu gives you the ability to set search patterns for the files and directories to view (see fig. 4.38).

Figure 4.37 FILER Directory contents.

Figure 4.38 Managing according to search patterns.

The Select current directory option in the main menu gives you the ability to set the current directory (see fig. 4.39). The current path is displayed on the top of the screen.

Figure 4.39 Setting the current directory.

The View volume information option in the main menu gives you the ability to view statistics, features, and date and time information for a volume (see fig. 4.40). The volume information is shown in figures 4.41, 4.42, and 4.43.

Figure 4.40 Viewing volume information.

Figure 4.41 FILER volume statistics.

Figure 4.42 FILER volume features.

Figure 4.43 FILER volume dates and times.

The Salvage deleted files option in the main menu gives you the ability to view/recover deleted files, salvage from deleted directories, and set salvage options (see fig. 4.44). The Purge deleted files option in the main menu enables you to set a file pattern for all files to be purged (see fig. 4.45).

Figure 4.44 FILER salvage deleted files options.

Figure 4.45 FILER purge deleted files options.

The Set default filer options option in the main menu gives you the ability to confirm deletions, copy operations, and overwrites (see fig. 4.46). It also enables you to specify what file attributes should be preserved, and if you should be notified if you are going to lose file attribute information when copying from one name space to another.

Figure 4.46 Filer settings.

You also can specify whether the files should be copied in their sparse format. NetWare 4.x enables the implementation of sparse files, which are common in database applications when a file may currently contain only a few of the total records that the file can contain. Because the valuable data is a small portion of the overall file size, a sparse representation of a file that occupies much less space can be designed. You also can specify whether or not to copy files in a compressed format.

Setting Directory Trustees and Attributes Using FILER

To set directory rights and attributes using FILER, use the following procedure as a guideline:

1. Log in as Admin and run FILER.

2. Select the Manage files and directories option from the Available Options menu.

3. Highlight a directory for which you want to set the directory trustees and attributes, and press F10.

4. To view trustee assignments to the directory, select Rights list from the Subdirectory Options menu.

A list of trustee assignments to the directory appears (see fig. 4.47).

Figure 4.47 Using FILER to view trustee assignments to a directory.

5. Press Esc to return to the Subdirectory Options screen.

6. To set directory trustee assignments or attributes, select View/Set directory information from the Subdirectory Options menu, after highlighting a directory and pressing F10. Information on the directory appears (see fig. 4.48).

Figure 4.48 Using FILER to view directory information.

7. To assign a trustee to the directory, select the Trustees field, then press Enter.

A list of trustees to the directory appears.

To remove a trustee, highlight the trustee and press Del.

To add a trustee, press Ins. A list of objects in the current context that can be assigned as trustees to the directory appears. Select the trustee(s) and press Ins. To select more than one trustee, mark them using F5.

Figure 4.49 shows that two new trustees have been added using this step. These trustees are the Group object CN=Mgrs.OU=CORP.O=ESL and the User object CN=UNIXUSER.OU=CORP.O=ESL.

Figure 4.49 Using FILER to add trustees.

8. Press Esc to return to the directory information screen.

9. To set attributes for the directory, select the Directory attributes field and press Enter.

A list of attributes that have been set for the directory appears.

To remove an attribute, highlight the attribute and press Del.

To add an attribute, press Ins. A list of other attributes that can be assigned to the directory appears (see fig. 4.50). You can use the F5 key to mark several directory attributes to set.

Figure 4.50 The list of other attributes that can be assigned to a directory.

10. Press Enter to see a list of directory attributes to be assigned (see fig. 4.51). Figure 4.51 shows that the Purge attribute and Delete Inhibit attribute have been set.

Figure 4.51 The list of attributes set for a directory.

11. Press Esc to return to the directory information screen.

12. To change IRF for a directory, select the Inherited Rights Filter field from the directory information screen and press Enter.

To remove a right, highlight the right and press Del.

To add a right, press Ins (see fig. 4.52) and select the right. After selecting the right, press Enter to see the new IRF, and Esc to go back to the directory information screen.

Figure 4.52 Modifying IRF using FILER.

Setting File Trustees and Attributes Using FILER

To set file rights and attributes using FILER, use the following procedure as a guideline:

1. Log in as Admin and run FILER.

2. Select the Manage files and directories option in the Available Options menu.

3. Highlight the file for which you want to set file trustees and attributes, then press F10.

4. To view trustee assignments to the file, select Rights list from the File options menu.

A list of trustee assignments to the file appears (see fig. 4.53).

Figure 4.53 Using FILER to view trustee assignments to a file.

5. To set file trustee assignments or attributes, select View/Set file information from the File options menu, after highlighting a file and pressing F10.

Information on the file appears (see fig. 4.54).

Figure 4.54 Using FILER to view file information.

6. To assign a trustee to the file, select the Trustees field, then press Enter.

A list of trustees for the file appears.

To remove a trustee, highlight the trustee and press Del.

To add a trustee, press Ins. A list of objects in the current context that can be assigned as trustees to the file appears. Select the trustee(s) and press Ins. To select more than one trustee, mark them by using the F5 key.

7. Press Esc to return to the file information screen.

8. To set attributes for the file, select the Attributes list from the file information screen.

A list of attributes that have been set for the file appears.

To remove an attribute, highlight the attribute and press Del.

To add an attribute, press Ins. A list of other attributes that can be assigned to the file appears (see fig. 4.55). You can use the F5 key to mark several file attributes to set.

Figure 4.55 The list of other attributes that can be assigned to a file.

9. Press Enter to see a list of file attributes to be assigned.

10. Press Esc to return to the file information screen.

11. To change IRF for a file, select Inherited rights filter from the file information screen and press Enter.

To remove a right, highlight the right and press Del.

To add a right, press Ins and select the rights. After selecting the rights, press Enter to see the new IRF, and Esc to go back to the file information screen.

Assigning Trustee Rights Using NetWare Administrator

Use the following steps as a guideline to assign rights to a directory or file using NetWare Administrator:

1. Start NetWare Administrator while logged in as Admin.

2. Highlight the Volume object on which the directory/files resides. You might need to browse the tree until you find the Volume object you want.

3. Double-click on the Volume object to see an expanded view of directories/files in the volume.

4. Right-click on the selected directory/file.

5. Select Details. The property dialog box for the directory/file opens. Figure 4.56 shows the property screen for a directory attribute.

Figure 4.56 The properties of a directory.

The remaining steps use a directory as the example. The procedure for assigning rights to a file is similar.

6. Select the Trustees of this Directory page button. A list of trustees appears in the Trustees panel (see fig. 4.57).

Figure 4.57 The Trustees of this Directory property screen.

7. To see trustee assignments for a listed trustee, highlight the trustee (see fig. 4.58).

Figure 4.58 Viewing trustee assignments of a trustee.

In figure 4.58, the trustee assignment for user KSS.IMF is [CRWEMFA] as seen in the bottom half of the figure.

8. To see effective rights for a trustee, select the button Effective Rights.

You see the effective rights for the selected trustee (see fig. 4.59). The browse button on the Effective Rights screen can be used to determine effective rights for other trustees.

Figure 4.59 The Effective Rights screen.

9. To add a trustee, select the Add Trustee button.

Use the Select Object dialog box to select a trustee.

Figure 4.60 shows that a new trustee, the Group object Engineers.CORP.ESL, has been assigned. This trustee has the rights [R F] to the NW4CS_SYS:USERS directory.

Figure 4.60 New trustee added.

10. To delete a trustee, select the Delete Trustee button.

11. To add directory attributes, select the Attributes page button. The Directory Attributes for the directory appear (see fig. 4.61).

Figure 4.61 The Directory Attributes screen.

To set an attribute, check the box for that attribute. If an attribute is grayed out, it means that feature has not been enabled for the Volume object.


STUDY NOTE: Practice using the NetWare Administrator to assign and view file system rights to users, groups, and containers. You may be asked to perform these tasks using a simulated NetWare Administrator tool.

Study Guide for the Chapter

If you are preparing for the NetWare 4.x Administration exams, review the chapter with the following goals:

1. Understand the NetWare file system security rights concepts.

2. Pay particular attention to the tools used to implement NetWare file system security, and the procedure for assigning rights.

After studying this chapter, attempt the sample test questions for this chapter. If you miss the answers to a question, review the appropriate topic.

Chapter Summary

In this chapter, you learned about the concepts behind NetWare file system security and how to use NetWare file system security to control access to data on the network. You also learned about file system concepts such as NetWare directory and file rights, directory and file trustees, inherited rights, and effective rights. You were given a guided tour of some of the critical steps that need to be performed to implement file system security using the NetWare administration tools.

Chapter Test Questions

Test questions can have a single correct answer or multiple correct answers. A circle preceding the possible answers indicates that a single answer is expected; a square preceding each answer indicates that more than one answer is required. Certain questions are repeated in different ways so that you can recognize them even when the wording is different. Taking practice quizzes not only tests your knowledge, it also gives you confidence when you take your exam.

1. The default IRF for a newly created directory is ______.

A. SRWCEMFA

B. SRWF

C. SRCEMFA

D. RWCEMFA

2. Using RIGHTS one can remove all rights from the IRF except ______.

A. Access Control

B. Modify

C. Supervisor

D. File Scan

3. If a trustee assignment is given to a directory, ______.

A. the effective rights for the directory depends on the Inherited Rights Mask

B. the effective rights for the directory depends on the Inherited Rights Filter

C. the effective rights for the directory depends on the Maximum Rights Mask

D. the effective rights for the directory is the same as the trustee assignment

4. For a directory that has not been given an explicit trustee assignment, ______.

A. the effective rights for the directory depends on the Inherited Rights Filter and the parent directory's trustee assignment

B. the effective rights for the directory depends on the Inherited Rights Filter and the parent directory's effective rights

C. the effective rights for the directory depends on the Maximum Rights Filter of the parent's directory

D. the effective rights for the directory is the same as the Inherited Rights Filter

5. For a subdirectory that has no explicit trustee assignment, the effective rights are determined by ______.

A. rights derived from group EVERYONE

B. rights derived from parent's trustee assignment

C. the effective rights of the parent directory, less what is disallowed by the IRF of the subdirectory

D. the trustee assignment of the parent directory, less what is disallowed by the IRF of the subdirectory

6. User John is a member of group WPUSERS. The group WPUSERS has a TA of [R WCE] for SYS:WPUSERS. John creates a new directory SYS:WPUSERS\JOHN. Which of the following is true?

A. The IRF for JOHN for directory SYS:WPUSERS\JOHN is [SRWCEMFA].

B. The IRF for JOHN for directory SYS:WPUSERS\JOHN is [S].

C. The IRF for JOHN for directory SYS:WPUSERS\JOHN is [R WCE].

D. No IRF is set, because JOHN does not have rights to create a directory.

7. The group Acct has a TA of [R F] in SYS:PUBLIC. The Administrator creates the subdirectories SYS:PUBLIC\SCRIPTS and SYS:PUBLIC\UTILS. What rights does the user Bob have in these directories?

A. No rights

B. [SRWCEMFA] because the IRF for the subdirectories is [SRWCEMFA]

C. [R F]

D. Insufficient information

8. Bill has the following trustee and IRF settings:

For Directory DIR01:

IRF is [S ] TA is [ RWCE F ]

For Directory DIR01\SUBDIR01:

IRF is [SR ]

What are Bill's effective rights for DIR01\SUBDIR01?

A. [R]

B. [SR ]

C. [ RWCE F ]

D. No Rights

9. Nina has the following trustee and IRF settings:

For Directory DIR01:

IRF is [S W E ] TA is [ RWCE F ]

For Directory DIR01\DIR02:

IRF is [SRW F ]

For Directory DIR01\DIR02\DIR03:

IRF is [ RW CEM A]

TA is [ R ]

What are Nina's effective rights for DIR01\DIR02\DIR03?

A. [RW CEM A]

B. [R ]

C. [ RW]

D. [W]

10. Lisa has the following trustee and IRF settings:

For Directory DIR01:

IRF is [S W E ] TA is [ RWCE F ]

For Directory DIR01\DIR02:

IRF is [SRW F ]

For Directory DIR01\DIR02\DIR03:

IRF is [ RW CEM A]

The file attribute for DIR01\DIR02\DIR03\FILE.1 is set to [S Ro]

What operations can Lisa perform on FILE.1?

A. Read and Write to file

B. Read only

C. Read only and share file with other users

D. No operations

11. The RIGHTS SYS:DATA -R /NAME=JAN command ______.

A. removes a trustee right from a user or a group for a file or directory

B. removes file access for a trustee

C. removes a user or group from a trustee list for a file or directory

D. removes all permissions to a file or directory

12. Setting the Read Only attribute on a file also sets the following attributes on the file:

A. DI Sy

B. RI DI

C. H RI

D. S DI

13. NDS Group objects used for assigning rights can be created using ______.

A. NETADMIN

B. FILER

C. SYSCON

D. MAKEUSER

14. Giving a user Supervisor file system rights to the root of a server volume ______.

A. is not possible because only the Supervisor user and equivalent are allowed this permission

B. gives a user all file system rights to the volume

C. gives a user all rights to a volume only if that user is a supervisor equivalent

D. gives a user all rights to all volumes on the file server

15. Assigning a user a trustee assignment of Write to a directory ______.

A. assigns the user write rights to files in a directory, but open rights must be granted separately to allow writes

B. assigns the user the right to open and write to files in the directory

C. assigns the user write rights but denies him or her open rights

D. assigns the user write rights but denies him or her read rights

16. Assigning the user Access Control rights to a directory ______.

A. gives the user the right to change directory and file attributes and rename the directory

B. gives the user the right to assign rights to other users and to modify trustee assignments and inherited rights filter

C. gives the user the right to modify contents of a directory

D. gives the user the right to control access to all files and directories by modifying his attributes

17. User Mary has an IRF of [S ] in the directory SYS:COMMON and an IRF of [S A] in SYS:COMMON\DATA.

Trustee assignments of [R W] have been given to Mary for SYS:COMMON\DATA and [W ] for the SYS:COMMON directory.

What are Mary's effective rights in SYS:COMMON?

A. W

B. R W

C. S A

D. R

18. To see a list of trustee assignments for directory SYS:DATA, you can use the command ______.

A. RIGHTS SYS:DATA /F

B. RIGHTS SYS:DATA /T

C. RIGHTS SYS:DATA /S

D. RIGHTS SYS:DATA /I

19. To see the IRF for directory SYS:DATA, you can use the command ______.

A. RIGHTS SYS:DATA /F

B. RIGHTS SYS:DATA /T

C. RIGHTS SYS:DATA /S

D. RIGHTS SYS:DATA /I

20. To see the inherited rights for directory SYS:DATA, you can use the command ______.

A. RIGHTS SYS:DATA /F

B. RIGHTS SYS:DATA /T

C. RIGHTS SYS:DATA /S

D. RIGHTS SYS:DATA /I


© Copyright, Macmillan Computer Publishing. All rights reserved.