Netware 6.5 file/folder permission settings

Posted on 2009-04-29
Last Modified: 2012-08-14
Is it possible to have an admin be able to grant permission to a folder without actually having rights to the folder themselves?  For instance, a new employee comes on and needs access to the HR directory, but the network admin shouldn't have access to the HR directory.  How can the network admin grant the new user access to the HR directory without having access themselves?
Question by:ccsonline

    Expert Comment

    Access to a folder is controlled, logically enough, by the "Access Control" right.  Right-click on a folder, choose "properties", then take a look under "Netware Rights". (This presumes that you have the Novell client installed.)  You also have unfettered access to folders on a volume that is hosted on a server to which you have been granted "supervisor" rights.

    It is possible, I suppose, to revoke all rights that the Admin user has to the folder, except "access control".  I've never tried.  You would also have to use an "Inherited Rights Filter", because by default the Admin user is granted supervisory control to everything in the tree -- users, servers, etc.  Although thinking about it I seem to recall that an IRF can't be used to block the "supervisor" right.

    I would also be very leery of fooling too much with the Admin user's permissions -- much of the internals to the server depend on it.  For example, backup processes, Apache, Tomcat, iFolder, NDPS, etc.

    A better strategy would be to reserve the Admin user for login only when needed; perhaps by strictly controlling who has the password.  System administrators can have their own logins, that have been granted a lot of power and rights, except for locations like the HR folder.  The head of HR can be given "access control" rights to their network folder, then be taught how to grant access to other authorized users.

    Expert Comment

    As BudDurland states:

    An admin with supervisor rights to the whole tree has supervisor rights to every volume, and that supervisor right (S) cannot be blocked or filtered. As with any server OS, administrators are able to see everything, or give rights to themselves to see everything. When certain parts of your filesystem are sensitive in that Administrators are not allowed to see them, the way to go is a company policy to forbid access, controlled by auditing. An auditor account has its own password, and administrators are unable to change auditing logs. That way an auditor can control what an administrator does.

    Expert Comment

    It is extremely difficult for the average company to implement such a policy as this. Combine that with a situation in which system admins are not trusted and you have quite a problem.

    Have you considered looking into workflow based tools such as Identity Manager? These can be configured such that when a new employee joins, the HR department select them as being in (for example) the "top secret" department. Identity Manager can then automatically assign them the access they need. No manual intervention required.

    Accepted Solution

    I have a customer that had the same issue...files/folders on the HR server needed to be off-limits to the admin.  The easy solution for them (multi-server network) was to pull the HR server out of the corporate tree, put it into its own tree and give the HR director the admin password and the ability to change it.  I have no idea what will happen when something breaks, requiring IT staff intervention.

    I agree with buddurland's suggestion to restrict use of the Admin password.  However, as derode suggests, the Admin with rights to the entire tree also has S to all server objects which gives that login-entity non-blockable, non-revocable rights to all mounted volumes/directories/files on all servers in the tree...UNLESS an inherited rights filter (IRF) is placed on the HR server, the HR director is made an explicit trustee of the server object and the S eDirectory right is blocked.  Then Admin won't get any more rights to the HR server than anyone else.

    The A (access control) trustee assignment allows an entity who possesses it to grant access to a file or directory.  And if rights are granted higher in the file system, they inherit downward through a directory structure unless blocked by an IRF or by another, different explicit trustee assignment.  (FWIW, I used to teach a lot of NetWare/eDirectory security topics in classes).

    NetWare 6.5/OES comes with Novell Audit which can be implemented to watch the file system for changes in security.  It isn't terribly difficult to implement following the documentation at  That may not be the solution because you need to grant access while not having the ability to see files/directories.
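
The file-system rights behaviour discussed in this thread (downward inheritance, IRFs, explicit trustee assignments, the unfilterable S right, and A as the right needed to grant access) can be modelled as below. This is an added example, not part of any post and not Novell code; the directory layout and trustee names are constructed, and the model covers file-system rights only, ignoring group membership, security equivalence and eDirectory object rights.

```python
# Simplified model of NetWare file-system effective rights (added example).
# S=Supervisor R=Read W=Write C=Create E=Erase M=Modify F=File scan A=Access control
ALL = frozenset("SRWCEMFA")

def effective_rights(path, trustee, assignments, irfs):
    """Walk from the volume root down to `path`; return the trustee's rights.

    assignments: {directory: {trustee: "letters"}}  explicit trustee assignments
    irfs:        {directory: "letters allowed to inherit"}  (absent = all pass)
    """
    rights = frozenset()
    parts = [p for p in path.strip("/").split("/") if p]
    # Visit "/", "/DATA", "/DATA/HR", ... in order.
    for depth in range(len(parts) + 1):
        directory = "/" + "/".join(parts[:depth])
        if "S" in rights:
            # Supervisor granted above cannot be filtered or reassigned away.
            return ALL
        # The IRF only limits what flows in from the parent directory.
        rights &= frozenset(irfs.get(directory, ALL))
        explicit = assignments.get(directory, {}).get(trustee)
        if explicit is not None:
            # An explicit assignment replaces whatever was inherited.
            rights = frozenset(explicit)
    return ALL if "S" in rights else rights

def can_grant(rights):
    """Adding trustees to a directory needs Access control (or Supervisor)."""
    return bool(rights & {"A", "S"})

def fmt(rights):
    return "".join(c for c in "SRWCEMFA" if c in rights)

# Constructed sample layout; trustee names and paths are hypothetical.
ASSIGNMENTS = {
    "/": {"admin": "S", "sysop": "RWCEMFA"},  # sysop: powerful, but no S
    "/DATA/HR": {"hr_head": "RWCEMFA"},       # HR head manages own trustees
}
IRFS = {"/DATA/HR": ""}  # IRF on the HR directory lets nothing inherit

if __name__ == "__main__":
    for who in ("admin", "sysop", "hr_head"):
        r = effective_rights("/DATA/HR/payroll", who, ASSIGNMENTS, IRFS)
        print(f"{who:8} [{fmt(r):8}] can_grant={can_grant(r)}")
```

In this model the IRF removes the non-supervisor `sysop` account from the HR directory, while the account holding S at the volume root keeps full rights regardless of the filter.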


    Expert Comment

    ccsonline, can you comment on above suggestions?
