Re: Override Container Level File System rights.
Kevin Parris <KPARRIS <at> sde.state.sc.us>
2005-06-01 14:35:34 GMT
You are correct, what you have tried does not work, and is operating as
designed. The NetWare rights model is additive, not subtractive. As
each level of the tree is evaluated, whatever is explicitly granted at
one is added to those already found at higher levels. There is no
"deny" setting in the Trustee matrix in this system, but other file
systems do have that. There is only the absence of the "grant" property
in the mask, and this absence is *not* interpreted as deny or revoke.
If the user is a member of a group/container that has a rights
assignment, then the user enjoys those rights. If you have a user who
should not enjoy the rights of a group or container, you must make the
user not a member. You wrote in your original message "we can't stop
the container rights flowing down" and that is correct - on NetWare you
cannot do that.
You'll need to create a new unit of organization, and re-locate the
rights assignment. In other words, create a new group, and give that
group the rights currently held by the container. Make "those who need
access" members of the new group. Remove the rights granted to the
container. Or the inverse- create a new container, and move those who
do NOT need access there.
>>> G.Ross <at> ccw.gov.uk 5/27/2005 5:19 AM >>>
Hang on. By your implication, we should be able to do explicit trustee
assignments for the users to give them rights of nothing, but that does
>>> tim <at> nds8.co.uk 05/27/05 12:58 PM >>>