Setting Up a Container Policy Package

In order to have a Container Policy Package affect policies, you must first create it. To create a Container Policy Package, do the following:

  1. Start ConsoleOne.

  2. Browse to the container where you want to create the policy package.

    NOTE

    Remember that you do not have to create the policy package in the container where you are doing the associations. You can associate the same policy package with many containers in your tree.

  3. Create the policy package by right-clicking and choosing New, Policy Package or by selecting the Policy Package icon on the toolbar.

  4. Select the Container Policy Package object in the wizard panel and press Next.

  5. Enter the desired name of the package in the policy package name field and select the container where you want the package to be located. The container field is already filled in with the selected container, so you should not have to browse to complete this field. If not, press the Browse button next to the field, browse to and select the container where you want the policy object stored, and then press Next.

  6. Select the define additional attributes field in order to go into the properties of your new object and activate some policies, and then click Finish.

  7. Check and set any policies you desire for this Container Policy Package, and then click OK.

The following sections describe each of the tabs, panels, and options available on the Properties of Container Package window.

The Policies Tab

The Policies tab on the Properties of Container Package page lists the set of available and active policies (see Figure 10.1). Because no platform-specific policies currently exist in the container package, only the General panel of the Policies tab is available.

Figure 10.1. The Policies tab on the Properties of Container Package page, showing the General panel.


Once you have created a container package, you can activate policies. Clicking a policy within the policy package makes that policy active. An active policy is designated by a check in the check box (refer to Figure 10.1). The details of any particular policy can be modified by selecting the policy and pressing the Properties button. The Reset button resets the selected policy to its system defaults.

The Associations Tab

The Associations tab on the Properties of Container Package page displays all of the locations in the tree (containers) where the policy package has been associated. These associations do not necessarily reflect where in the directory the policy package is located. The agents that are associated with users or workstations that are in or below those containers have this policy package enforced. Pressing the Add or Remove buttons enables you to add or remove containers in the list that are associated with this policy.

The NDS Rights Tab

The eDirectory Rights tab on the Properties of Container Package page is made up of three panels. You can get to each of these panels by clicking on the small triangle to the right of the tab's name, and then selecting the desired panel to be displayed.

These panels allow you to specify the rights that users have to this object in the directory. The following subsections discuss briefly each of these panels. These eDirectory Rights panels are displayed for every object in the tree.

Trustees of This Object Panel

On this panel, you can assign objects rights as trustees of the Container Policy Package. These trustees have rights to this object or to attributes within this object.

If the user admin.novell has been added to the trustee list, this user has some rights to this object. To get into the details of any trustee assignment (in order to modify the assignment), you need to press the Assigned Rights button.

When you press the Assigned Rights button after selecting the user you want to modify, you are presented with a dialog box that enables you to select either all attribute rights (meaning all of the attributes of the object) or entry rights (meaning the object, not implying rights to the attributes).

From within the Assigned Rights dialog box, you can set the rights the object has on this package. You can set those rights on the object as well as any individual property in the object. The attribute rights that are possible are the following:

  • Browse: Although not in the list, this right shows up from time to time (especially in the effective rights screens). This right represents the capability to view this information through public browse capabilities.

  • Supervisor: This right identifies that the trustee has all rights, including delete, for this object or attribute.

  • Compare: This right provides the trustee with the capability to compare values of attributes.

  • Read: This right enables the trustee to read the values of the attribute or attributes in the object.

  • Write: This right provides the trustee with the capability to modify the contents of an attribute.

  • Add self: This right enables the trustee to add themselves as a member to the list of objects of the attribute. For example, if this right were given on an attribute that contains a list of linked objects, the trustee could add himself or herself (a reference to their object) into the list.

If you want to add the object as a trustee to an attribute, you need to press the Add Property button to bring up a list of properties or attributes that are available for this object.

From this list, you can select a single attribute. This attribute is then displayed in the Assigned Rights dialog box. From there, you can select the attribute and then set the rights you want the trustee to have for that property. A user does not require object rights in order to have rights on a single attribute in the object.

TIP

Remember that rights flow down in the tree. If you give a user or an object rights at a container level, those rights continue down into that container, and any sub-containers, until that branch is exhausted, or until another explicit assignment is given for that user in a sub-container or on an object. An explicit assignment changes the rights for the user at that point in the tree. Inherited rights filters can also be used to restrict this flow of rights down into the tree.


Inherited Rights Filters Panel

This panel allows you to set the IRF (Inherited Rights Filter) for this object. This filter restricts the rights of any user who accesses this object, unless that user has an explicit trustee assignment for this object.

You can think of the IRF as a filter that lets only items checked pass through unaltered. Rights that bump up against an IRF are blocked and discarded if the item is not checked. For example, consider a user who has write privileges granted at some container at or above the one at issue in this example. That user runs into an IRF for an object or attribute that has the write privilege revoked (that is, unchecked). When the user gets to that object, his write privilege would be gone for that object. If the object is a container, the user loses write privileges for all objects in that container or sub-container.

You can effectively remove supervisor privileges from a portion of the tree by setting an IRF with the supervisor privilege turned off. You must be careful not to do this without someone being assigned as the supervisor of that branch of the tree (that is, given an explicit supervisor trustee assignment at the container where the IRF is done), or you make that part of the tree permanent and unchangeable (that is, you are never able to delete or modify any objects in that branch of the tree).

ConsoleOne helps prevent you from performing this action by giving you an error dialog box that keeps you from putting an IRF on the entry rights of the object with the supervisor right filtered away, without having first given an explicit supervisor assignment on the same container.
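
The rights flow described in the TIP above and the IRF behavior described in this section can be worked through with a small model. This is an added example, not code from ConsoleOne or eDirectory: it models only what this section describes (inheritance down the tree, explicit assignments replacing inherited rights, IRFs discarding unchecked rights, and the supervisor guard). The names helpdesk.novell, sales, and SalesPkg are constructed for illustration.

```python
ALL = frozenset({"Supervisor", "Browse", "Compare", "Read", "Write", "Add self"})

class Node:
    """One directory object: a container or a leaf such as a policy package."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.irf = ALL        # rights allowed to pass down through this object
        self.trustees = {}    # trustee name -> explicitly assigned rights

def effective_rights(node, trustee):
    """Walk from the root to node, applying IRFs and explicit assignments."""
    chain = []
    while node is not None:
        chain.append(node)
        node = node.parent
    rights = frozenset()
    for obj in reversed(chain):
        if trustee in obj.trustees:
            # An explicit assignment replaces whatever was inherited,
            # and the IRF on that object does not apply to it.
            rights = frozenset(obj.trustees[trustee])
        else:
            rights &= obj.irf   # unchecked rights are discarded here
    return rights

def set_irf(node, allowed):
    """Set an IRF, refusing one that would leave the branch with no supervisor."""
    allowed = frozenset(allowed)
    has_sup = any("Supervisor" in r for r in node.trustees.values())
    if "Supervisor" not in allowed and not has_sup:
        raise ValueError(f"{node.name}: assign an explicit Supervisor trustee first")
    node.irf = allowed

def build_sample():
    """Constructed tree: novell > sales > SalesPkg."""
    root = Node("novell")
    sales = Node("sales", root)
    pkg = Node("SalesPkg", sales)
    root.trustees["admin.novell"] = {"Supervisor"}
    root.trustees["helpdesk.novell"] = {"Read", "Write"}
    set_irf(sales, ALL - {"Write"})   # Write stops at the sales container
    return root, sales, pkg

if __name__ == "__main__":
    root, sales, pkg = build_sample()
    for who in ("admin.novell", "helpdesk.novell"):
        print(who, sorted(effective_rights(pkg, who)))
```

When auditing a tree, the case to look for is the one `set_irf` rejects: a container whose IRF filters Supervisor while no trustee holds an explicit Supervisor assignment on it.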

The Effective Rights Panel

The Effective Rights panel allows you to query the system to discover the rights that selected objects have on the object you are administering. Within this panel you are presented with the Distinguished Name (DN) of the object whose rights you want to observe. Initially, this is the currently logged-in user running ConsoleOne. You can press the Browse button to the right of the trustee field and browse throughout the tree to select any object.

When the trustee object is selected, you can then move to the properties table on the lower half of the screen. As you select the property, the rights box to the right changes to reflect the rights that the trustee has on that property. These rights can be via an explicit assignment or through inheritance.

The Other Tab

The Other tab on the Properties of Container Package page might not be displayed for you, depending on your rights to the plug-in that now comes with ConsoleOne. The intention of this property page is to give you generic access to properties that you cannot modify or view via the other plugged-in pages. The attributes and their values are displayed in a tree structure, allowing for those attributes that have multiple types (such as compound types consisting of, say, an integer and a distinguished name, or a postal code with three separate address fields).

WARNING

This page is particularly powerful. Users who don't have an intimate knowledge of the schema of the object in question and its relationships with other objects in the directory should avoid using this page.


Every attribute in eDirectory is defined by one of a specified set of syntaxes. These syntaxes identify how the data is stored in eDirectory. For this page, ConsoleOne has developed an editor for each of the different syntaxes that are currently available in eDirectory. You can invoke the editor to modify an object that is displayed on this page by clicking on a specific attribute.

For example, if the syntax of an attribute were a string or an integer, an in-line editor is launched. This allows the administrator to modify the string or the integer value on the screen. More abstract syntaxes such as octet-string require that an octet editor be launched giving the administrator access to each of the bytes in the string, without interpretation of the data.

The danger with this screen is that some applications require that there be a coordination of attribute values between two attributes within the same object or across multiple objects. Additionally, many applications assume that the data in the attribute is valid, because the normal user interface checks for invalid entries and does not allow them to be stored in the attribute.

If you change a data value on the Other page, nothing checks related attributes, related objects, or the validity of the data, because the generic editors know nothing about the intention of the field. Should you change a value without making all the other appropriate changes, or without putting in a valid value, some programs and the system could be affected.

Rights are still in effect in the Other property tab, and you are not allowed to change any attribute values that are read-only or that you do not have rights to modify.

The Rights to Files and Folders Tab

This tab on the Properties of Container Package page is present in all objects in the directory and enables you to view and set rights for an object onto the volumes and specific files and folders on that volume. You must first select the volume that contains the files and folders in which you are interested. To use the options on this tab, do the following:

  1. Press the Show button on the right and then browse the directory to the volume object. Selecting the volume object places it in the volumes view.

  2. When that volume is selected, you can then go to the Add button to add a file or folder of interest. This brings up a dialog box enabling you to browse to the volume object.

  3. Clicking the volume object moves you into the file system. You can continue browsing that volume until you select the file or directory to which you are interested in granting rights.

  4. Selecting the file or folder in the lower pane displays the rights that the object has been granted on that file or folder.

  5. To modify the rights, simply select the rights that you want to have explicitly granted for the object.

You can also see the effective rights that the object has on the files by pressing the Effective Rights button. This displays a dialog box, enabling you to browse to any file in the volume and view the object's effective rights (in bold). These effective rights include any explicit plus inherited rights from folders higher in the file system tree.

NOTE

Remember that the person with supervisor rights to the server or volume objects automatically gets supervisor rights in the file system.




Novell's ZENworks for Desktops 4. Administrator's Handbook
ISBN: 0789729857
EAN: 2147483647
Year: 2003
Pages: 198
Authors: Brad Dayley
