Novell OPEN ENTERPRISE SERVER - PLANNING AND IMPLEMENTATION GUIDE 12-2010 Implementation Manual page 165

Planning and implementation guide

Table 16-2 Access Rights Explanation

eDirectory Objects

eDirectory objects (in most cases users and groups) gain access to the file system through eDirectory.

File System Trustee Rights

File system trustee rights govern access and usage by the eDirectory object specified for the directory or file to which the rights are granted.

Trustee rights are overridden by directory and file attributes.

For example, even though Nancy has the Supervisor (all) trustee right at the directory (and, therefore, to the files it contains), she cannot delete File2 because it has the Read Only attribute set.

Of course, Nancy could modify the file attributes so that File2 could then be deleted.

Directory and File Attributes

Each directory and file has attributes associated with it. These attributes apply universally to all trustees regardless of the trustee rights an object might have.

For example, a file that has the Read Only attribute is Read Only for all users.

Attributes can be set by any trustee that has the Modify trustee right to the directory or file.

Directories and Files

The possible actions by the eDirectory users and group shown in this example are as follows:

- Nancy has the Supervisor trustee right at the directory level, meaning that she can perform any action not blocked by a directory or file attribute. The Di (Delete Inhibit) and Ri (Rename Inhibit) Attributes on Directory A prevent Nancy from deleting or renaming the directory unless she modifies the attributes first. The same principle applies to her ability to modify File2.
- Because Joe is a member of the Reporters group, he can view file and directory names inside DirectoryA and also see the directory structure up to the root directory. Joe also has rights to open and read any files in DirectoryA and to execute any applications in DirectoryA.
- Because Bert is a member of the Reporters group, he can view file and directory names inside DirectoryA and also see the directory structure up to the root directory. Bert also has rights to open and read File1 and to execute it if it's an application. And Bert has rights to grant any eDirectory user access to File1.
- Because all three users are members of the Reporters group, they can grant any eDirectory user access to File2. Of course, for Nancy this is redundant because she has the Supervisor right at the directory level.

NSS Access Control on OES

Table 16-3 provides links to documentation that discusses the various NSS-specific access control features.
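
The way Table 16-2 describes attributes overriding trustee rights can be checked with a small model. This is an added example, not code from Novell or from the guide: the trustee assignments are inferred from the table's text (the figure is not on this page), and the action-to-right mapping, the simplified inheritance and all function names are assumptions.

```python
# Simplified model (assumption): rights inherit up the path; NSS filters are not modelled.
ALL_RIGHTS = set("SRWCEMFA")  # Supervisor Read Write Create Erase Modify File-scan Access-control
GROUPS = {"Reporters": {"Nancy", "Joe", "Bert"}}
TRUSTEES = {  # constructed from the table's text: path -> {trustee: rights}
    "DirectoryA": {"Nancy": "S", "Reporters": "RF"},
    "DirectoryA/File1": {"Bert": "A"},
    "DirectoryA/File2": {"Reporters": "A"},
}
ATTRS = {"DirectoryA": {"Di", "Ri"}, "DirectoryA/File2": {"Ro"}}
# action -> (trustee right required, attributes that block it); assumed mapping
ACTIONS = {
    "read": ("R", set()),
    "delete": ("E", {"Ro", "Di"}),
    "rename": ("M", {"Ro", "Ri"}),
    "set_attributes": ("M", set()),
    "grant_access": ("A", set()),
}

def effective_rights(user, path):
    """Union of rights assigned to the user or their groups, here and above."""
    names = {user} | {g for g, members in GROUPS.items() if user in members}
    rights = set()
    while path:
        for trustee, granted in TRUSTEES.get(path, {}).items():
            if trustee in names:
                rights |= set(granted)
        path = path.rpartition("/")[0]  # move to the parent directory
    return set(ALL_RIGHTS) if "S" in rights else rights

def check(user, action, path, attrs):
    """Return (allowed, reason). Attributes are evaluated after trustee rights."""
    need, blockers = ACTIONS[action]
    if need not in effective_rights(user, path):
        return False, f"no {need} trustee right"
    hit = blockers & attrs.get(path, set())
    if hit:
        return False, "blocked by attribute " + ",".join(sorted(hit))
    return True, "ok"

def clear_attribute(user, path, attr, attrs):
    """Only a trustee with Modify may change attributes."""
    allowed, _ = check(user, "set_attributes", path, attrs)
    if allowed:
        attrs[path] = attrs.get(path, set()) - {attr}
    return allowed

if __name__ == "__main__":
    attrs = {p: set(a) for p, a in ATTRS.items()}
    print(check("Nancy", "delete", "DirectoryA/File2", attrs))
```

Because Supervisor includes Modify, the Read Only attribute stops Nancy only until she clears it, while Joe, who lacks Modify, cannot clear it at all. When reviewing such a volume, treat attributes as a safeguard against accidents and audit who holds Modify or Supervisor.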
Access Control and Authentication 165

This manual is also suitable for:

Open enterprise server 2 sp3
