In order to have a Container Policy Package affect policies, you must first create it. To create a Container Policy Package, do the following:
The following sections describe each of the tabs, panels, and options available on the Properties of Container Package window.

The Policies Tab

The Policies tab on the Properties of Container Package page lists the set of available and active policies (see Figure 10.1). Because no platform-specific policies currently exist in the container package, only the General panel of the Policies tab is available.

Figure 10.1. The Policies tab on the Properties of Container Package page, showing the General panel.

Once you have created a container package, you can activate policies. Clicking a policy within the policy package makes that policy active. An active policy is designated by a check in the check box (refer to Figure 10.1). The details of any particular policy can be modified by selecting the policy and pressing the Properties button. The Reset button resets the selected policy to its system defaults.

The Associations Tab

The Associations tab on the Properties of Container Package page displays all of the locations in the tree (containers) with which the policy package has been associated. These associations do not necessarily reflect where in the directory the policy package is located. The agents that are associated with users or workstations in or below those containers have this policy package enforced. Pressing the Add or Remove button enables you to add or remove containers in the list that are associated with this policy.

The NDS Rights Tab

The eDirectory Rights tab on the Properties of Container Package page is made up of three panels. You can reach each panel by clicking the small triangle to the right of the tab's name and then selecting the panel you want displayed. These panels allow you to specify the rights that users have to this object in the directory. The following subsections briefly discuss each of these panels. These eDirectory Rights panels are displayed for every object in the tree.
Trustees of This Object Panel

On this panel, you can assign objects rights as trustees of the Container Policy Package. These trustees have rights to this object or to attributes within this object. If the user admin.novell has been added to the trustee list, this user has some rights to this object. To get into the details of any trustee assignment (in order to modify the assignment), you need to press the Assigned Rights button. When you press the Assigned Rights button after selecting the user you want to modify, you are presented with a dialog box that enables you to select either all attribute rights (meaning all of the attributes of the object) or entry rights (meaning the object itself, not implying rights to the attributes). From within the Assigned Rights dialog box, you can set the rights the object has on this package. You can set those rights on the object as well as on any individual property in the object. The attribute rights that are possible are the following:
If you want to add the object as a trustee to an attribute, you need to press the Add Property button to bring up a list of properties or attributes that are available for this object. From this list, you can select a single attribute. This attribute is then displayed in the Assigned Rights dialog box. From there, you can select the attribute and then set the rights you want the trustee to have for that property. A user does not require object rights in order to have rights on a single attribute in the object.

TIP: Remember that rights flow down in the tree. If you give a user or an object rights at a container level, those rights continue down into that container, and any sub-containers, until that branch is exhausted, or until another explicit assignment is given for that user in a sub-container or on an object. An explicit assignment changes the rights for the user at that point in the tree. Inherited rights filters can also be used to restrict this flow of rights down into the tree.

Inherited Rights Filters Panel

This panel allows you to set the IRF (Inherited Rights Filter) for this object. This filter restricts the rights of any user who accesses this object, unless that user has an explicit trustee assignment for this object. You can think of the IRF as a filter that lets only the checked items pass through unaltered. Rights that bump up against an IRF are blocked and discarded if the item is not checked. For example, consider a user who has write privileges granted at some container at or above the one at issue in this example. That user runs into an IRF for an object or attribute that has the write privilege revoked (that is, unchecked). When the user gets to that object, his write privilege would be gone for that object. If the object is a container, the user loses write privileges for all objects in that container or sub-container.
You can effectively remove supervisor privileges from a portion of the tree by setting an IRF with the supervisor privilege turned off. You must be careful not to do this without someone being assigned as the supervisor of that branch of the tree (that is, given an explicit supervisor trustee assignment at the container where the IRF is set), or you make that part of the tree permanent and unchangeable (that is, you are never able to delete or modify any objects in that branch of the tree). ConsoleOne helps prevent you from performing this action by giving you an error dialog box that keeps you from putting an IRF on the entry rights of the object with the supervisor right filtered away, without having first given an explicit supervisor assignment on the same container.

The Effective Rights Panel

The Effective Rights panel allows you to query the system to discover the rights that selected objects have on the object you are administering. Within this panel you are presented with the Distinguished Name (DN) of the object whose rights you want to observe. Initially, this is the user currently logged in and running ConsoleOne. You can press the Browse button to the right of the trustee field and browse throughout the tree to select any object. When the trustee object is selected, you can then move to the properties table on the lower half of the screen. As you select a property, the rights box to the right changes to reflect the rights that the trustee has on that property. These rights can come from an explicit assignment or through inheritance.

The Other Tab

The Other tab on the Properties of Container Package page might not be displayed for you, depending on your rights to the plug-in that now comes with ConsoleOne. The intention of this property page is to give you generic access to properties that you cannot modify or view via the other plugged-in pages.
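The three rules spread across the TIP, the Inherited Rights Filters panel and the Effective Rights panel (rights flow down, an explicit assignment replaces inherited rights at that point and is not subject to the IRF there, and an IRF discards every unchecked inherited right) fit in a small model. The following is an added example written for this page, not ConsoleOne or eDirectory code: it evaluates effective entry rights for a trustee down a dotted-name tree and reproduces the ConsoleOne guard that refuses to filter Supervisor on a container with no explicit Supervisor trustee. Attribute rights are left out, the rights set is a constructed subset (the page names Supervisor and Write; Read is added here), and the DNs (`bob.novell`, `east.sales.novell` and so on) are made up.

```python
"""Toy model of eDirectory entry-rights evaluation: explicit trustee
assignments, inheritance down the tree, Inherited Rights Filters (IRFs) and
the ConsoleOne-style refusal to filter Supervisor without an explicit
Supervisor assignment on the same container. Added example, not product code.
Only entry rights are modeled; the rights set below is constructed."""
from __future__ import annotations

# Constructed rights set: the page names Supervisor and Write; Read is added.
ALL_RIGHTS = frozenset({"supervisor", "read", "write"})


class UnprotectedSupervisorFilter(Exception):
    """Raised when an IRF would block Supervisor with no explicit Supervisor trustee."""


def ancestors_top_down(dn: str) -> list[str]:
    """Walk from the tree root ("") down to dn, using dotted eDirectory names
    such as 'east.sales.novell' (the parent of 'a.b.c' is 'b.c')."""
    chain = [""]
    parts = dn.split(".") if dn else []
    for i in range(len(parts) - 1, -1, -1):
        chain.append(".".join(parts[i:]))
    return chain


class Tree:
    def __init__(self) -> None:
        # (trustee_dn, object_dn) -> rights granted explicitly at that object
        self.explicit: dict[tuple[str, str], frozenset[str]] = {}
        # object_dn -> rights allowed through the IRF (unchecked = blocked)
        self.irf: dict[str, frozenset[str]] = {}

    def grant(self, trustee: str, obj: str, rights: set[str]) -> None:
        self.explicit[(trustee, obj)] = frozenset(rights)

    def set_irf(self, obj: str, allowed: set[str]) -> None:
        """Mirror ConsoleOne's guard: refuse to filter Supervisor unless some
        trustee already holds an explicit Supervisor assignment on this object."""
        if "supervisor" not in allowed:
            protected = any(
                o == obj and "supervisor" in r
                for (_, o), r in self.explicit.items()
            )
            if not protected:
                raise UnprotectedSupervisorFilter(
                    f"{obj or '[Root]'}: assign an explicit Supervisor trustee first"
                )
        self.irf[obj] = frozenset(allowed)

    def effective_rights(self, trustee: str, obj: str) -> frozenset[str]:
        """Rights flow down from the root. An explicit assignment replaces what
        was inherited at that point and bypasses the IRF there; an IRF strips
        every unchecked right from inherited rights."""
        rights: frozenset[str] = frozenset()
        for node in ancestors_top_down(obj):
            if (trustee, node) in self.explicit:
                rights = self.explicit[(trustee, node)]
            elif node in self.irf:
                rights &= self.irf[node]
            # Assumption (eDirectory behaviour, not stated on the page):
            # Supervisor implies every other right at that point in the tree.
            if "supervisor" in rights:
                rights = ALL_RIGHTS
        return rights


def demo() -> dict[str, frozenset[str]]:
    """Constructed scenario: bob's Write granted at sales is filtered below east;
    carol's explicit assignment at east is not; admin keeps Supervisor."""
    t = Tree()
    t.grant("admin.novell", "", {"supervisor"})                 # tree-wide admin
    t.grant("bob.novell", "sales.novell", {"read", "write"})
    t.set_irf("east.sales.novell", {"supervisor", "read"})       # Write unchecked
    t.grant("carol.novell", "east.sales.novell", {"read", "write"})
    return {
        "bob@sales": t.effective_rights("bob.novell", "sales.novell"),
        "bob@east": t.effective_rights("bob.novell", "east.sales.novell"),
        "bob@pkg": t.effective_rights("bob.novell", "pkg.east.sales.novell"),
        "carol@east": t.effective_rights("carol.novell", "east.sales.novell"),
        "admin@east": t.effective_rights("admin.novell", "east.sales.novell"),
    }


def lockout_guard() -> tuple[bool, frozenset[str]]:
    """First attempt to filter Supervisor is refused; after an explicit
    Supervisor trustee exists on the container the IRF is accepted and the
    tree-wide admin loses Supervisor below it."""
    t = Tree()
    t.grant("admin.novell", "", {"supervisor"})
    try:
        t.set_irf("research.novell", {"read", "write"})
        refused = False
    except UnprotectedSupervisorFilter:
        refused = True
    t.grant("lead.research.novell", "research.novell", {"supervisor"})
    t.set_irf("research.novell", {"read", "write"})
    return refused, t.effective_rights("admin.novell", "lab.research.novell")


if __name__ == "__main__":
    for who, rights in demo().items():
        print(f"{who}: {sorted(rights)}")
    print("guard refused first IRF:", lockout_guard()[0])
```

The second function is the check an administrator should run mentally before filtering Supervisor: the container must already carry an explicit Supervisor trustee, or the branch becomes unmanageable exactly as the text warns.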
The attributes and their values are displayed in a tree structure, allowing for those attributes that have multiple types (such as compound types consisting of, say, an integer and a distinguished name, or a postal code with three separate address fields).

WARNING: This page is particularly powerful. Users who don't have an intimate knowledge of the schema of the object in question and its relationships with other objects in the directory should avoid using this page.

Every attribute in eDirectory is defined by one of a specified set of syntaxes. These syntaxes identify how the data is stored in eDirectory. For this page, ConsoleOne has developed an editor for each of the different syntaxes that are currently available in eDirectory. You can invoke the editor to modify an object that is displayed on this page by clicking on a specific attribute. For example, if the syntax of an attribute is a string or an integer, an in-line editor is launched. This allows the administrator to modify the string or the integer value on the screen. More abstract syntaxes such as octet-string require that an octet editor be launched, giving the administrator access to each of the bytes in the string without interpretation of the data. The danger with this screen is that some applications require a coordination of attribute values between two attributes within the same object or across multiple objects. Additionally, many applications assume that the data in the attribute is valid, because the normal user interface checks for invalid entries and does not allow them to be stored in the attribute. If you change a data value on the Other page, no related attributes or objects are checked and the value is not validated, because the generic editors know nothing about the intention of the field. Should you change a value without making all the other appropriate changes, or without putting in a valid value, some programs and the system could be affected.
Rights are still in effect in the Other property tab, and you are not allowed to change any attribute values that are read-only or that you do not have rights to modify.

The Rights to Files and Folders Tab

This tab on the Properties of Container Package page is present in all objects in the directory and enables you to view and set rights for an object onto volumes and onto specific files and folders on those volumes. You must first select the volume that contains the files and folders in which you are interested. To use the options on this tab, do the following:
You can also see the effective rights that the object has on the files by pressing the Effective Rights button. This displays a dialog box, enabling you to browse to any file in the volume and view the object's effective rights (in bold). These effective rights include any explicit rights plus rights inherited from folders higher in the file system tree.

NOTE: Remember that the person with supervisor rights to the server or volume objects automatically gets supervisor rights in the file system.