SolutionBase: Managing simple file rights in Open Enterprise Server

Sharing files in an Open Enterprise Server environment is easy, but you need to secure rights to files and folders properly so that users don't go places they shouldn't. In this article, Scott Lowe shows how to configure file rights in Novell OES.

In the previous article in this series, you learned how to create and manage users and printers using the iManager component of Novell's Open Enterprise Server. In this article, you'll learn the next step: Managing volume and access rights. Tangentially, you'll also see the Novell Client and be exposed to some other ways to manage your environment.

Author's Note

As before, client examples will focus on Windows XP, not on a Linux desktop. Windows on the server side is not quite as pervasive as Windows on the desktop, and many companies continue to run either NetWare or Open Enterprise Server to manage their Windows environments.

Directory and file rights

There are a lot of ways to get things done with just about any operating system and Open Enterprise Server isn't an exception. In the case of file and volume rights, you could use a tool such as iManager or ConsoleOne to set some of the rights you need, but a much less painful option is to simply install the Novell client on a Windows workstation and manage rights from there.

Download the latest Novell client for Windows from here. Install the client onto your Windows machine. After the installation completes, you'll need to reboot your workstation and log into eDirectory (or directly into your Open Enterprise Server system) using an account that has administrative rights.

Figure A

Log in to your server using an administrative account.

File rights

When it comes to rights to storage, you'll most often have to deal with modifying the rights to individual files and folders on your Open Enterprise Server system. If you've used NetWare in the past, or if you are well-versed in security rights in Windows, this process will be very familiar.

First step: Browse to the server and directory for which you would like to modify rights. You can modify the rights by right-clicking a file or folder and choosing the Properties option at the bottom of the shortcut menu (Figure B).

Figure B

Choose the Properties option.

From the Properties page, choose the NetWare Rights tab. A window like the one in Figure C appears showing you the users with rights to the selected folder.

Figure C

The users under the Trustees section have rights to the folder/file in question.

To add another user to the rights list, select that user from the bottom window and click the Add button. That user's name and the default rights of R (Read) and F (File Scan) show up in the Trustees section of the window. You can see this in action in Figure D. Novell uses the term Trustee, but just consider that term to mean User.

Figure D

The user 'Scott' now has Read and File Scan rights to this user's home folder.

If you're new to NetWare/Open Enterprise Server, the file rights may not make a lot of sense, so here's a list of what each letter means:

  • S - Supervisor: Grants all rights to the folder or file. Users with this right can also grant or deny other users rights to the folder or file.
  • R - Read:
    Folder: Grants the right to open files in the folder, read contents of files or run executables.
    File: Grants the right to open and read the file.
  • W - Write:
    Folder: Grants the right to open and change contents of files in the folder.
    File: Grants the right to open and write to the file.
  • E - Erase: Allows the user to delete the file or folder.
  • C - Create:
    Folder: Grants the right to create new files and folders in the folder.
    File: Grants the right to create a file and to salvage it after it has been deleted.
  • M - Modify: Allows the user to change the attributes or name of a file or folder, but does not allow a user to change file or folder contents (requires W if you want to allow users to change contents).
  • F - File Scan: Grants the right to see the file or folder in directory listing and when browsing the server.
  • A - Access Control: Grants the right to change the trustee assignments of the folder or file.
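
To make the letters concrete, here is a short Python sketch that reads a set of trustee assignments and reports the non-administrative trustees who hold S or A, the two rights that let someone change who else has access. It is an added example, not part of the original article or of any Novell tool; the record format, the VOL1 paths and the user juser2 are assumptions constructed for illustration.

```python
# Added example. Record format (path, trustee, rights string) is an assumption
# made for this sketch; it is not the output of any Novell tool.
RIGHTS = {"S": "Supervisor", "R": "Read", "W": "Write", "E": "Erase",
          "C": "Create", "M": "Modify", "F": "File Scan", "A": "Access Control"}
ALL_RIGHTS = frozenset(RIGHTS)

def parse_rights(mask):
    """Turn 'RF' or '[ RWECMF ]' into a set of right letters."""
    letters = {ch for ch in mask.upper() if ch.isalpha()}
    unknown = letters - ALL_RIGHTS
    if unknown:
        raise ValueError(f"unknown right letter(s): {sorted(unknown)}")
    return letters

def effective(letters):
    """Supervisor grants all rights, so expand S to the full set."""
    return set(ALL_RIGHTS) if "S" in letters else set(letters)

def classify(mask):
    """Bucket an assignment by the most powerful thing it allows."""
    rights = effective(parse_rights(mask))
    if "A" in rights:                 # includes S, which expands to all rights
        return "delegation"           # can change who else has access
    if rights & {"W", "E", "C", "M"}:
        return "modify"               # can change, create, rename or delete
    if rights:
        return "read-only"            # only R and/or F; R+F is the default grant
    return "none"

def audit(assignments, admins):
    """Return assignments where a non-admin trustee can re-delegate access."""
    return [(path, who, mask) for path, who, mask in assignments
            if who not in admins and classify(mask) == "delegation"]

# Constructed sample data: VOL1 paths and juser2 are hypothetical.
SAMPLE = [
    ("SYS:", "admin", "SRWECMFA"),
    ("VOL1:/home/juser1", "juser1", "RWECMF"),
    ("VOL1:/home/juser1", "Scott", "[ RF ]"),
    ("VOL1:/shared", "juser2", "RFA"),
]

if __name__ == "__main__":
    for path, who, mask in audit(SAMPLE, admins={"admin"}):
        names = ", ".join(RIGHTS[r] for r in sorted(parse_rights(mask)))
        print(f"{who} on {path}: {names}")
```

With the sample data, only juser2 is reported: the A right on the shared folder lets that account hand out further rights even though it otherwise holds just the default R and F.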

Volume rights

There may come a day when you want to make a change to the overall volume on which your files and folders are stored. Just like NetWare servers of old, your new Open Enterprise Server system has a volume named SYS (and may have others). By default, the SYS volume doesn't have any explicit trustees, although the admin account always has access. Suppose you want to assign someone else the rights to be able to completely manage the SYS volume for you.

When you installed the Novell Client on your Windows machine, a little red N appeared in your system tray. Right-click this Novell icon and choose Novell Utilities | Object Properties as seen in Figure E.

Figure E

Open Object Properties to find your volume.

Now, in the Network Resources window, browse to the volume for which you would like to modify the trustee assignments, as seen in Figure F. Select the volume, and click OK.

Figure F

Browse to your volume and click OK.

From here, the trustee assignment process is the same as you saw earlier.

Limiting access to iPrint-based printers

In the previous article in this series, you learned how to create an iPrint-based printer. The major flaw with the method you used in the previous article was the inability to limit the users allowed to print to the printer. In that article's examples, I actually printed documents to the printer from a workstation that didn't even have the iPrint client installed and that was not logged in to eDirectory. However, with just a little work, you can limit rights to your printers so that the general public isn't walking into your company to print out the latest edition of their thesis.

From iManager (available at http://{name or IP of your Open Enterprise Server system}/nps), choose iPrint | Manage Printer. In the iPrint Printer Name box, type in the name of your printer, or use one of the lookup buttons. Click the OK button. Figure G shows you this printer selection screen.

Figure G

Enter the name of the printer you want to configure.

From the Manage Printer window, choose the Client Support tab. On this tab, check the box next to Enable Secure Printing and click the Apply button as seen in Figure H.

Figure H

Choose the Enable checkbox to provide more secure printing.

Now, go to the Access Control tab on the Manage Printer screen. You'll see the screen shown in Figure I. On this screen are three places that require information:

  • User role: A list of the users that are allowed to use this printer. Users are allowed to perform such operations as submitting print jobs and managing their own print jobs. By default, iPrint assigns all of the users in the printer's home container (as well as the users in any subcontainers) to this role.
  • Operator role: An Operator can pause or restart printers, and reorder and delete print jobs.
  • Manager role: Those assigned to the Manager role can add other managers and operators and modify or delete eDirectory printer objects.

Figure I

Here's a look at the Access Control tab under Manage Printers.

I'm going to add juser1 to the User role and will then add this printer to a client workstation using appropriate credentials. His account is already granted rights to this printer by virtue of the example user role assignment (his account is in the example container). I am, however, also going to delete the example container from the rights list since there are other users in this container that should not be able to print to the printer.

Delete an entry from the Users list by choosing a selection and clicking the Delete button.

Conversely, to add an entry, click the Add button. From the resulting window, shown in Figure J, use the up and down arrows (blue and at the left-hand side of the right-hand window) to browse through your eDirectory tree. Once at the right location, click the name of the user, group, or container object to which you would like to assign rights to print to the printer. Click the OK button when you're done.

Figure J

Select as many users, groups, or containers as you like and click OK.

Now, at the workstation side of the house, open a browser and browse to http://{name or address of your iPrint server}/ipp. Check the screen shown in Figure K.

Figure K

The /ipp page shows you all of the printers on your server.

Note that there is a link that allows you to install the iPrint client onto your workstation if you have not yet done so.

Click on the name of the printer you would like to install. When prompted, on the screen shown in Figure L, provide credentials for a user with rights to the printer. Check the box next to Remember My Password if you don't want to do this again.

Figure L

Provide credentials for a user with rights to the printer.

On the next screen, Figure M, you'll be asked if you want to install the printer. Choose Yes. On this screen you can also choose to make this your default printer.

Figure M

Choose Yes to install the printer.

iPrint will now go through the process of installing drivers for your printer (Figure N) and will notify you when iPrint has completed the process (Figure O). Once you're done, go to Start | Printers and Faxes (Figure P).

Figure N

The iPrint client shows you the status of the driver installation.

Figure O

The printer has been successfully installed...

Figure P

...and here is the proof.

Ready to go!

Users, files and printers are the most commonly touched objects in an enterprise directory. Between this article and the previous article in this series, you have learned how to create users and printers and have learned how to assign access rights to files and printers.

The beauty of the iPrint product under Open Enterprise Server is its almost clientless capability. If you don't care who uses a printer, you don't need to worry about any client, but if you want to assign access rights to a printer, you need to take the additional step of installing the thin iPrint client.