NetWare 4.1/9000 Concepts
1-69
NetWare Glossary
I
In the following figure, Nick’s trustee assignment to Organizational Unit
SALES grants him BCDR object rights.
Figure 1-24 Inherited Rights Filter
Because Nick does not have a trustee assignment to any of the three objects
within that container, Nick’s effective rights to those objects are inherited
from SALES, and must pass through the IRF of each object.
The IRF for MANAGERS allows all rights to pass through, so Nick’s rights
to MANAGERS are the same as his rights to SALES. SPREADSHEET and
ACCOUNTING block some or all of the rights that Nick was granted to
SALES, so they aren’t effective on those objects.
The IRF of an object and its properties can block the Supervisor right. This
allows distributed management of the Directory tree.
NetWare utilities won’t allow you to block the Supervisor right, however,
unless a trustee is already granted the Supervisor right to that object. This
prevents cutting off Supervisor-level access to a part of the Directory tree.
Because of the ability to block the Supervisor right to objects and properties,
you should grant a trustee all rights that are appropriate.
For example, do not grant the Supervisor right only. Even though that right
allows all actions on an object, if the Supervisor right is blocked, the trustee
will be left with no rights.
OU=SALES
Profile=MANAGERS
IRF
Nick's effective rights
[SBCDR]
[ BCDR]
IRF
Nick's trustee assignment
Nick's effective rights
object rights
[SB ]
[ BCDR]
[ BCDR]
object rights
Directory Map=SPREADSHEET
IRF
Nick's effective rights
[SB ]
[ B ]
object rights
Group=ACCOUNTING
IRF
Nick's effective rights
[ ]
[ ]
object rights