ccsonline

asked on

Netware 6.5 file/folder permission settings

New to Netware...is it possible to have an admin be able to grant permission to a folder without actually having rights to the folder themselves? For instance, a new employee comes on and needs access to the HR directory, but the network admin shouldn't have access to the HR directory. How can the network admin grant the new user access to the HR directory without having access themselves?
Bud Durland

Access to a folder is controlled, logically enough, by the "Access Control" right. Right-click on a folder, choose "properties", then take a look under "Netware Rights". (This presumes that you have the Novell client installed.) You also have unfettered access to folders on a volume that is hosted on a server to which you have been granted "supervisor" rights.

It is possible, I suppose, to revoke all rights that the Admin user has to the folder, except "access control". I've never tried. You would also have to use an "Inherited Rights Filter", because by default the Admin user is granted supervisory control to everything in the tree -- users, servers, etc. Although thinking about it, I seem to recall that an IRF can't be used to block the "supervisor" right.

I would also be very leery of fooling too much with the Admin user's permissions -- much of the internals to the server depend on it. For example, backup processes, Apache, Tomcat, iFolder, NDPS, etc.

A better strategy would be to reserve the Admin user for login only when needed; perhaps by strictly controlling who has the password. System administrators can have their own logins, that have been granted a lot of power and rights, except for locations like the HR folder. The head of HR can be given "access control" rights to their network folder, then be taught how to grant access to other authorized users.
As BudDurland states:

An admin with supervisor rights to the whole tree has supervisor rights to every volume, and that supervisor right (S) cannot be blocked or filtered. As with any server OS, administrators are able to see everything, or give rights to themselves to see everything. When certain parts of your filesystem are sensitive in that Administrators are not allowed to see them, the way to go is a company policy to forbid access, and controlled by auditing. An auditor account has his own password, and administrators are unable to change auditing logs. That way an auditor can control what an administrator does.
It is extremely difficult for the average company to implement such a policy as this. Combine that with a situation in which system admins are not trusted and you have quite a problem.

Have you considered looking into workflow based tools such as Identity Manager? These can be configured such that when a new employee joins, the HR department select them as being in (for example) the "top secret" department. Identity Manager can then automatically assign them the access they need. No manual intervention required.
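An added example, not part of the original thread and not Novell code: a simplified Python model of the file-system rights behaviour the answers above describe (an IRF filtering inherited rights, Supervisor passing through regardless, and Access Control delegated to the head of HR). The volume, folder and user names are constructed, "/" stands in for the NetWare path separator, and groups and security equivalence are left out.

```python
# Simplified model of NetWare file-system effective rights (added example).
# Assumptions: one trustee per user (no groups or security equivalence),
# and constructed volume, folder and user names.
ALL = set("SRWCEMFA")  # Supervisor, Read, Write, Create, Erase, Modify, File scan, Access control

class Volume:
    def __init__(self):
        self.trustees = {}  # path -> {user: set of rights}
        self.irf = {}       # path -> set of rights allowed to flow down

    def grant(self, path, user, rights):
        self.trustees.setdefault(path, {})[user] = set(rights)

    def set_irf(self, path, rights):
        self.irf[path] = set(rights)

    def effective(self, user, path):
        parts = path.split("/")
        rights, supervisor = set(), False
        for depth in range(1, len(parts) + 1):
            here = "/".join(parts[:depth])
            # Inherited rights pass through this folder's IRF (default: all pass).
            rights &= self.irf.get(here, ALL)
            # An explicit trustee assignment replaces what was inherited.
            explicit = self.trustees.get(here, {}).get(user)
            if explicit is not None:
                rights = set(explicit)
            # Once held, S survives IRFs and lower-level assignments.
            supervisor = supervisor or "S" in rights
        return set(ALL) if supervisor else rights

    def can_grant(self, user, path):
        # Changing trustee assignments needs Access Control (implied by S).
        return "A" in self.effective(user, path)

def build_demo():
    vol = Volume()
    vol.grant("DATA", "admin", "S")             # tree Admin: Supervisor at the volume root
    vol.grant("DATA", "sysop", "RWCEMF")        # day-to-day admin login, no S and no A
    vol.set_irf("DATA/HR", "")                  # IRF on HR lets nothing flow down
    vol.grant("DATA/HR", "hr_head", "RWCEMFA")  # HR head manages access to HR
    return vol

if __name__ == "__main__":
    vol = build_demo()
    for user in ("admin", "sysop", "hr_head"):
        rights = "".join(sorted(vol.effective(user, "DATA/HR"))) or "(none)"
        print(f"{user:8} DATA/HR rights={rights} can_grant={vol.can_grant(user, 'DATA/HR')}")
```
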
ASKER CERTIFIED SOLUTION
Scott Kunau

This solution is only available to members.
ccsonline, can you comment on above suggestions?