To create a Service Location Policy Package, do the following:
The following sections describe the options available in the Service Location Policy Package.

Policies Tab

All the user policies are activated within the Policies tab on the Location Policy page. Initially, the Policies tab displays the General panel. In the Service Location Policy Package, no platform-specific policies currently exist; therefore, no drop-down menu is present on the Policies tab. The Policies tab lists the set of available policies (see Figure 11.1).

Figure 11.1. The Policies tab of the Service Location Package page.

Once you have created a Service Location Policy Package, you can activate policies. Clicking a policy within the policy package makes that policy active. You can modify the details of any particular policy by selecting it and then pressing the Properties button. The Reset button on the Policies page resets the selected policy to the system defaults.

Associations Tab

The Associations tab of the Service Location Policy Package page displays all of the locations in the tree (containers) where the policy package has been associated. These associations do not necessarily reflect where the policy package is located in the directory. The agents associated with users or workstations in or below those containers have this policy package enforced. The Add and Remove buttons enable you to add or remove containers in the list that are associated with this policy.

NDS Rights Tab

The NDS Rights tab is made up of three panels. You can get to each of these panels by clicking on the small triangle to the right of the tab's name, and then selecting the desired panel. These panels enable you to specify the rights that users have to this object in the directory. The following sections briefly discuss each of these panels, which are displayed for every object in the tree.

Trustees of This Object Panel

Here you can assign objects rights as trustees of the Service Location Policy Package.
These trustees have rights to this object or to attributes within this object. If the user admin.novell has been added to the trustee list, this user has some rights to this object. To view the details of any trustee assignment (in order to modify the assignment), you need to:
NOTE
A user does not require object rights in order to have rights on a single attribute in the object. Remember that rights flow down in the tree. If you give a user or an object rights at a container level, those rights continue down into that container and any sub-containers until that branch is exhausted or another explicit assignment is given for that user in a sub-container or on an object. An explicit assignment changes the user's rights at that point in the tree. You can also use inherited rights filters to restrict the flow of rights down into the tree.

Inherited Rights Filters Panel

This panel enables you to set the IRF (Inherited Rights Filter) for this object. This filter restricts the rights of any user who accesses this object, unless that user has an explicit trustee assignment for this object. You can think of the IRF as a filter that lets only checked items pass through unaltered. Rights that bump up against an IRF are blocked and discarded if the item is not checked. For example, consider a user who has write privileges inherited at some point above the current container (explicitly granted at some container at or above the one in question). That user runs into an IRF for an object or attribute that has the write privilege revoked (that is, unchecked). When the user gets to that object, his write privilege would be gone for that object. If the object is a container, the user loses write privileges for all objects in that container or sub-container. You can effectively remove supervisor privileges from a portion of the tree by setting an IRF with the supervisor privilege turned off. You must be careful not to do this without someone being assigned as the supervisor of that branch of the tree (given an explicit supervisor trustee assignment at the container where the IRF is done). Otherwise, you'll never be able to delete or modify any objects in that branch of the tree.
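To make the rights flow concrete, here is an added Python model (not ConsoleOne's or eDirectory's own code) of the behaviour just described: explicit assignments flow down the tree, an IRF discards unchecked rights, an explicit assignment lower down replaces whatever was inherited, and, as a guard, an IRF that drops Supervisor is refused unless an explicit Supervisor trustee already exists at that container. The DNs, trustees and the three-letter rights set are constructed assumptions.

```python
# Simplified model of eDirectory-style rights flow. Constructed illustration,
# not ConsoleOne's or eDirectory's code; DNs, trustees and the reduced rights
# set (S=Supervisor, B=Browse, W=Write) are made up for the example.
ALL_RIGHTS = frozenset({"S", "B", "W"})

def ancestors(dn):
    """Root-to-leaf chain: 'cn=pkg,ou=sales,o=acme' -> o=acme, ou=sales,o=acme, ..."""
    parts = dn.split(",")
    return [",".join(parts[i:]) for i in range(len(parts) - 1, -1, -1)]

class Tree:
    def __init__(self):
        self.explicit = {}  # (dn, trustee) -> rights granted explicitly at dn
        self.irf = {}       # dn -> rights allowed to pass through (checked items)

    def grant(self, dn, trustee, rights):
        self.explicit[(dn, trustee)] = set(rights)

    def has_explicit_supervisor(self, dn):
        return any(d == dn and "S" in r for (d, _t), r in self.explicit.items())

    def set_irf(self, dn, allowed):
        # Same safeguard ConsoleOne applies: filtering out Supervisor with no
        # explicit Supervisor at this container would orphan the whole branch.
        allowed = set(allowed)
        if "S" not in allowed and not self.has_explicit_supervisor(dn):
            raise ValueError(f"assign an explicit Supervisor on {dn} before filtering it")
        self.irf[dn] = allowed

    def effective_rights(self, dn, trustee):
        rights = set()
        for node in ancestors(dn):
            if (node, trustee) in self.explicit:
                rights = set(self.explicit[(node, trustee)])  # explicit replaces inherited
            else:
                rights &= self.irf.get(node, ALL_RIGHTS)       # IRF discards unchecked rights
        return rights

def demo():
    t = Tree()
    t.grant("o=acme", "cn=admin,o=acme", {"S", "B", "W"})
    t.grant("ou=sales,o=acme", "cn=salesadmin,o=acme", {"S", "B", "W"})
    t.set_irf("ou=sales,o=acme", {"B"})  # only Browse flows into ou=sales
    pkg = "cn=pkg,ou=sales,o=acme"
    return {
        "admin_at_root": t.effective_rights("o=acme", "cn=admin,o=acme"),
        "admin_at_pkg": t.effective_rights(pkg, "cn=admin,o=acme"),
        "salesadmin_at_pkg": t.effective_rights(pkg, "cn=salesadmin,o=acme"),
    }
```

Running `demo()` shows the tree-wide admin reduced to Browse below the filtered container while the locally assigned salesadmin keeps full rights there.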
ConsoleOne helps prevent this mistake by displaying an error dialog box that keeps you from putting an IRF on the entry rights of the object without first giving an explicit supervisor assignment on the same container.

Effective Rights Panel

The Effective Rights panel enables you to query the system to discover the rights that selected objects have on the object you are administering. Within this panel, you are presented with the Distinguished Name (DN) of the object whose rights you want to observe. Initially, this is the user currently logged in and running ConsoleOne. You can press the Browse button to the right of the trustee field and browse throughout the tree to select any object. When the trustee object is selected, you can then move to the properties table on the lower half of the screen. As you select a property, the rights box changes to reflect the rights that the trustee has on that property. These rights can be gained via an explicit assignment or through inheritance.

Other Tab

This tab might not be displayed for you, depending on your rights to the plug-in that now comes with ConsoleOne. The intention of this tab is to give you generic access to properties you cannot modify or view via the other plugged-in pages. The attributes and their values are displayed in a tree structure, which accommodates attributes that have multiple types, such as compound types consisting of an integer and a distinguished name, or postal codes that have three separate address fields.

WARNING
The options on this tab are particularly powerful. People who do not have an intimate knowledge of the schema of the object in question and its relationships with other objects in the directory should avoid these options. Every attribute in eDirectory is defined by one of a specified set of syntaxes. These syntaxes identify how the data is stored in eDirectory.
For this tab, ConsoleOne provides an editor for each of the different syntaxes currently available in eDirectory. When an attribute is displayed on this tab, the editor displays the data and then modifies it should the user click the specific attribute. For example, if the syntax for an attribute is a string or an integer, an in-line editor is launched. This editor enables the administrator to modify the string or the integer value on the screen. More abstract syntaxes, such as octet-string, require that an octet editor be launched, giving the administrator access to each of the bytes in the string without interpretation of the data. The danger with this screen is that some applications require that attribute values be coordinated between two attributes within the same object or across multiple objects. Additionally, many applications assume that the data in the attribute is valid, because the normal user interface checks for invalid entries and does not allow them to be stored in the attribute. If you change a data value on the Other tab, related attributes, related objects, and the validity of the value itself are not checked, because the generic editors know nothing about the intention of the field. Should you change a value without making all the other appropriate changes or without putting in a valid value, some programs and the system could be affected. Rights are still in effect on the Other tab, and you are not allowed to change any attribute values that are read-only or that you do not have rights to modify.

Rights to Files and Folders Tab

This tab is present in all objects in the directory. It enables you to view and set rights to the files and folders on the volume in question. To set such rights, use the following steps:
NOTE
Remember that anyone who has supervisor rights to the server or volume objects automatically gets supervisor rights in the file system.