Netware 6.5 file/folder permission settings

New to this. Is it possible to have an admin be able to grant permission to a folder without actually having rights to the folder themselves?  For instance, a new employee comes on and needs access to the HR directory, but the network admin shouldn't have access to the HR directory.  How can the network admin grant the new user access to the HR directory without having access themselves?
I have a customer that had the same issue...files/folders on the HR server needed to be off limits to the admin.  The easy solution for them (multi-server network) was to pull the HR server out of the corporate tree, put it into its own tree and give the HR director the admin password and the ability to change it.  I have no idea what will happen when something breaks, requiring IT staff intervention.

I agree with BudDurland's suggestion to restrict use of the Admin password.  However, as deroode suggests, the Admin with rights to the entire tree also has S to all server objects, which gives that login entity non-blockable, non-revokable rights to all mounted volumes/directories/files on all servers in the tree...UNLESS an inherited rights filter (IRF) is placed on the HR server, the HR director is made an explicit trustee of the server object and the S eDirectory right is blocked.  Then Admin won't get any more rights to the HR server than anyone else.

The A (access control) trustee assignment allows an entity who possesses it to grant access to a file or directory.  And if rights are granted higher in the file system, they inherit downward through a directory structure unless blocked by an IRF or by another, different explicit trustee assignment.  (FWIW, I used to teach a lot of NetWare/eDirectory security topics in classes.)

NetWare 6.5/OES comes with Novell Audit, which can be implemented to watch the file system for changes in security.  It isn't terribly difficult to implement following the documentation at  That may not be the solution, because you need to grant access while not having the ability to see files/directories.

Access to a folder is controlled, logically enough, by the "Access Control" right.  Right-click on a folder, choose "Properties", then take a look under "Netware Rights". (This presumes that you have the Novell client installed.)  You also have unfettered access to folders on a volume that is hosted on a server to which you have been granted "supervisor" rights.

It is possible, I suppose, to revoke all rights that the Admin user has to the folder, except "access control".  I've never tried.  You would also have to use an "Inherited Rights Filter", because by default the Admin user is granted supervisory control to everything in the tree -- users, servers, etc.   Although, thinking about it, I seem to recall that an IRF can't be used to block the "supervisor" right.

I would also be very leery of fooling too much with the Admin user's permissions -- much of the internals of the server depend on it.  For example, backup processes, Apache, Tomcat, iFolder, NDPS, etc.

A better strategy would be to reserve the Admin user for login only when needed, perhaps by strictly controlling who has the password.  System administrators can have their own logins that have been granted a lot of power and rights, except for locations like the HR folder.  The head of HR can be given "access control" rights to their network folder, then be taught how to grant access to other authorized users.
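Added example, not from the thread or from Novell: a small Python model of the trustee rules described in the replies above (downward inheritance, explicit assignments replacing inherited rights, an IRF masking inherited rights, and S passing through every IRF). The volume, directory and user names are constructed for the illustration.

```python
RIGHTS = "SRWCEMFA"  # Supervisor, Read, Write, Create, Erase, Modify, File Scan, Access Control

def _ancestors(path):
    """Yield "HR:", "HR:/confidential", ... down to `path` itself."""
    parts = path.split("/")
    for i in range(1, len(parts) + 1):
        yield "/".join(parts[:i])

def effective_rights(user, path, trustees, irfs):
    """Effective rights of `user` on `path`.

    trustees: {directory: {user: set_of_rights}}  explicit trustee assignments
    irfs:     {directory: set_of_rights_let_through}  Inherited Rights Filters
    """
    rights = set()
    for d in _ancestors(path):
        explicit = trustees.get(d, {}).get(user)
        if explicit is not None:
            rights = set(explicit)  # an explicit assignment replaces inherited rights
        elif d in irfs:
            # the IRF masks inherited rights, but S is never filtered
            rights = {r for r in rights if r == "S" or r in irfs[d]}
    return set(RIGHTS) if "S" in rights else rights  # S implies every right

def can_grant(user, path, trustees, irfs):
    """Only a holder of A (Access Control) or S may make others trustees."""
    return bool(effective_rights(user, path, trustees, irfs) & {"A", "S"})

def grant(grantor, grantee, path, rights, trustees, irfs):
    """Make `grantee` an explicit trustee of `path`, if `grantor` is allowed to."""
    if not can_grant(grantor, path, trustees, irfs):
        raise PermissionError(f"{grantor} has neither A nor S on {path}")
    trustees.setdefault(path, {})[grantee] = set(rights)

# Constructed scenario (not from the thread): Admin holds S at the root of the
# HR: volume, NetAdmin has everything but S there, and a Helpdesk login is an
# explicit trustee of HR:/confidential with only A.  An IRF on that directory
# lets only R and F through.
TRUSTEES = {
    "HR:": {"Admin": set("S"), "NetAdmin": set("RWCEMFA")},
    "HR:/confidential": {"Helpdesk": set("A")},
}
IRFS = {"HR:/confidential": set("RF")}

if __name__ == "__main__":
    grant("Helpdesk", "NewHire", "HR:/confidential", "RF", TRUSTEES, IRFS)
    for who in ("Admin", "NetAdmin", "Helpdesk", "NewHire"):
        eff = effective_rights(who, "HR:/confidential/2006", TRUSTEES, IRFS)
        print(who, "".join(r for r in RIGHTS if r in eff))
```

Running it shows Admin keeping full rights below the IRF, NetAdmin cut down to R and F and therefore unable to grant, and Helpdesk able to make NewHire a trustee without being able to read the directory itself.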
deroode (Systems Administrator) commented:
As BudDurland states:

An admin with supervisor rights to the whole tree has supervisor rights to every volume, and that supervisor right (S) cannot be blocked or filtered. As with any server OS, administrators are able to see everything, or give rights to themselves to see everything. When certain parts of your filesystem are sensitive in that Administrators are not allowed to see them the way to go is a company policy to forbid access, and controlled by auditing. An auditor account has his own password, and administrators are unable to change auditing logs. That way an auditor can control what an administrator does.
It is extremely difficult for the average company to implement such a policy as this. Combine that with a situation in which system admins are not trusted and you have quite a problem.

Have you considered looking into workflow-based tools such as Identity Manager? These can be configured such that when a new employee joins, the HR department selects them as being in (for example) the "top secret" department. Identity Manager can then automatically assign them the access they need. No manual intervention required.
deroode (Systems Administrator) commented:
ccsonline, can you comment on above suggestions?