Chances are, when your users place files on your NetWare server, they don’t expect everyone to have access to them. As the network administrator, it’s up to you to set proper security for the files on your network. Of course, if you don’t know what those rights are and how to properly set them, then you can’t effectively do your job. In this Daily Drill Down, I’ll show you what file system rights you can have in NetWare, how to determine what your rights are, and how to set them.

What are my rights?
NetWare’s file system rights determine what files and directories users and groups may access. The rights also determine what users can do with files. You can set rights to both files and directories. Rights set on individual files affect those files only. Rights set on directories affect all of the files in the directory equally, unless you set a specific conflicting right on an individual file.

NetWare includes eight different rights that affect what users can do. These file system rights include:

  • Read (R): This right allows users to open files and read their contents.
  • Write (W): This right allows users to change the contents of files.
  • Create (C): If set on a directory, this right allows users to create files and subdirectories inside that directory. If set on a file, this right allows users to salvage a file if they accidentally delete it.
  • Erase (E): This right allows users to erase files.
  • Modify (M): This right allows users to change the name of a file or directory along with any attributes associated with the file or directory.
  • File Scan (F): This right allows users to view the names of files and directories.
  • Access Control (A): This right allows users to change trustee assignments and inherited rights filters for files and directories.
  • Supervisor (S): This right gives users complete control over files and directories. This right can’t be blocked by an inheritance right filter.

It’s easy to confuse NetWare’s file system rights with NDS rights and file attributes. As the name suggests, NDS rights only deal with the rights that one object has to another within the NDS tree. NDS rights have nothing to do with file system rights.

Even though file attributes and file system rights both control what users and groups can do with files and directories, they’re two different things entirely. You assign file system rights to users and groups whereas you assign file attributes to files. File system rights are specific to users or groups, but file attributes affect everyone, regardless of their rights. Where a file system right conflicts with a file attribute, the file attribute wins. So, if a user has the E right to a file, but the attribute for the file is set to Di (Delete Inhibit), the user can’t erase the file. For more information about file attributes see the Daily Drill Down “Change NetWare file attributes with the Flag command.”

Setting rights to files and directories
NetWare allows you to set file system rights to users and groups. You can set file system rights three different ways: by using NetWare Administrator, ConsoleOne, or the RIGHTS command from a command prompt on your administration workstation. These utilities also let you view rights as well as assign them. The tools all essentially do the same thing, but they go about it differently. The tool you use is a matter of personal preference.

One of the most popular tools for day-to-day administration duties is the old faithful NetWare Administrator. If you prefer to use a fast, GUI-based utility and aren’t comfortable using the command line, stick to NetWare Administrator. To set file system rights using NetWare Administrator, start the utility by running NWADMN32.EXE. Double-click the object whose rights you want set. When the properties notebook for the object appears, click the Rights To Files And Directories tab. When you do, you’ll see the screen shown in Figure A.

Figure A
NetWare Administrator helps you administer file system rights.

When you first open the window, it’s completely blank. Don’t panic. The initial lack of information on this page doesn’t mean the user has no rights on the system. To see rights granted to the user, click the Find button.

When you do, you’ll see all of the available volumes on your network appear in the Volumes list box. Likewise, you’ll see a list of folders appear in the Files And Directories list box. You can ignore the information in the Volumes list box. It doesn’t tell you anything about the user’s rights. However, as you select folders in the Files And Directories list box, you’ll see the value of the check boxes in the Rights box change.

Each check box in the Rights box represents a file system right that the user has in the specific directory or to the selected file. You can change a right by toggling the appropriate check box.

If you want to grant new rights to a file or directory, known in NetWare parlance as granting trustee assignments, click Add. You’ll then see the Select Objects screen. In the Browse Context window, navigate through the server and directory icons to find the directory or file to which you want to grant rights. As you drill through the server icons and directory icons, you’ll see lists of files appear in the Available Objects box. Select the object you want to grant rights to in the Available Objects box and click OK.

The Select Objects window will close and you’ll see the Rights To Files And Directories page appear again. The object you just selected will appear in the Files And Directories list box. Select the rights you want to assign in the Rights box. Click OK to save your changes and close the properties notebook for the user object.

If you want to grant rights to multiple users, the best way to do so is to create a Group object. You can then make users members of the group and grant the rights you want to the group. However, if you don’t want to create a group, you can also select multiple users at the same time and grant rights all at once. To do so, press [Ctrl] while selecting the users you want to use. After you’ve selected them all, select Details On Multiple Users from the Object menu. You can then access the Rights To Files And Directories tab and use it just like you would individual users.

The second way of setting rights is to use ConsoleOne. Like NetWare Administrator, ConsoleOne is a GUI utility, but you can run it on operating systems other than Windows. In fact, you can run it from your server’s console. Unfortunately, because ConsoleOne is a Java application, it runs more slowly than NetWare Administrator.

ConsoleOne works essentially the same as NetWare Administrator when it comes to granting and viewing rights. Start ConsoleOne and then double-click the object to which you want to grant rights. When the Properties notebook appears for the object, click the Rights To Files And Folders tab. You’ll then see the screen shown in Figure B.

Figure B
You can set rights in ConsoleOne.

As with NetWare Administrator, you add rights by clicking the Add button and navigating the Select Object window. You can set and view current rights in the Rights box. Click OK to save your changes.

The final way you can change file systems rights is by using the RIGHTS command. You use the RIGHTS command at the command prompt from your administration workstation. Unlike NetWare Administrator and ConsoleOne, RIGHTS is a text-based utility, so there’s no point-and-clicking involved. The command line switches you use on the command control everything you do.

To set rights for a user or group using the RIGHTS command, open a command prompt on your administration workstation. Type rights filename right /name=user and press [Enter] where filename is the name of the file or directory where you want to grant rights, right is the letter-equivalent of the right you want to assign, and user is the fully qualified domain name of the user or group receiving the right.

To add a right, precede the letter of the right with a +. You can revoke a right by preceding the right with a -. You can grant all rights to a user or group by using the ALL switch instead of an individual right. Likewise, you can remove all rights by using the REM switch.

RIGHTS has some additional switches you can use to determine file system rights. These switches are:

  • /C
    This switch causes RIGHTS to scroll output without pausing.
  • /F
    Use this switch to display the inherited rights filter for the file.
  • /I
    This switch displays where the user inherits rights from.
  • /S
    If you use this switch, RIGHTS applies to any subdirectories as well as the current directory.
  • /T
    This switch displays the rights assignments for the directory.
  • /VER
    This switch displays the version of the RIGHTS command.
  • /?
    This switch displays help for the command.

Viewing file system rights
You can use the RIGHTS command to display current rights as well as set them. To see which users and groups have rights in the directory, type rights /t and press [Enter]. You can also view the users and groups that have rights to an individual file by typing rights filename /t and pressing [Enter]. In both cases, the RIGHTS command will display the name of the file along with the names of the trustees and the rights that the trustees have.

If the RIGHTS command says that there are no trustee rights associated with the file or directory, again, don’t panic. The message doesn’t necessarily mean that nobody has rights to the file or directory. Objects can inherit file system rights from higher directory levels.

You can also use NetWare Administrator and ConsoleOne to display current rights a user or group has to a file or directory. Here NetWare Administrator and ConsoleOne work almost identically. To display current rights, start the utilities and find the volume object that contains the directory you want to check. Expand the volume object in the left pane. In NetWare Administrator, you must double-click the volume object, but in ConsoleOne, all you have to do is click the + next to the volume object’s icon.

You’ll then see folders representing directories appear beneath the volume object. You can further expand the folders to view subdirectories and files within them. Once you find the file or directory you want to check, right-click it and select Details if you’re using NetWare Administrator or Properties if you’re using ConsoleOne. Next, click the Trustees tab of the Properties notebook that appears. You can then view the rights the user has, as shown in Figure C for NetWare Administrator and Figure D for ConsoleOne.

Figure C
You can view the rights a user has to a file using NetWare Administrator.

Figure D
ConsoleOne also displays file system rights for files.

If you want to give users rights to the file or directory, you can do so by clicking Add Trustee. When the Select Object window appears, find the user or group you want to have rights to the file. Select it and click OK. When the Trustees window reappears, select the rights you want to grant in the Access Rights box.

You have the right to an ATTORNEY.TXT file
Maintaining file system rights is an integral part of a network administrator’s job. Even though inheritance, security equivalencies, and inherited rights filters can affect effective rights, once you know what your rights are and how to grant them, you can ensure that users have the proper file system rights to access their files. Fortunately, Novell provides the tools you need to get the job done right.