Disable inherited right on a sub folder

I can't find an option to disable inherited right on a folder like I can on a Windows environment.

Say I have a folder structure:

Share\main\restricted.

Users in the Everyone group has full access to the main folder.

I create a new a new restricted folder under main and give the 'restricted' group access to the restricted folder.

But users in the Everyone group can still access the restricted folder based on inherited right.

Is this doable in the "OES rights" tab when I right click on the select properties on the folder?

Thanks.
  • It may depend on what you mean by 'full access'; Supervisor rights cannot
    be blocked as I recall, but anything else can be via an IRF within the
    filesystem. If you have any objects with too many rights to the Volume or
    NCP Server objects, I believe that may imply Supervisor within the
    filesystem, though having that for 'Everyone' seems unlikely for security
    reasons.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • Hi. Thanks for you reply.

    The users groups do have supervisor access. But I can change this if need be. Users only need read/write access.
    I just need to be able to restrict a subfolder for read/write access to to a particular group. However this is achieved.

    Eg on a Windows server:
    -I browse to a subfolder
    -Go to security properties
    -Disable inheritence.
    -And then give write access to specific groups which means restricting all other groups.
  • On 09/12/2018 10:56 PM, Cougie wrote:
    >
    > Hi. Thanks for you reply.
    >
    > The users groups do have supervisor access. But I can change this if
    > need be. Users only need read/write access.


    Do; if you give them too many rights, unless something has changed in the
    past few years without my knowing (possible) you cannot block that.
    Supervisor can be blocked within eDirectory, but it cannot (or at least
    could not) within the filesystem itself.

    Giving more rights than necessary violates the Least Privilege principle,
    and ultimately causes all kinds of problems in the world. It's best if
    you can give what is needed, and nothing more, to avoid bigger, not
    necessarily limited to IT, problems.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • In article <Cougie.8nis3c@no-mx.forums.microfocus.com>, Cougie wrote:
    > -Disable inheritence.


    This is just one of the things that shows now opposite of good security
    processes that Microsoft designed their NTFS file system rights back in
    the 90's and now we are stuck with them and the warped mindsets it
    causes. I still find is so hard to set up a Windows file share because
    of have to start with the whole 'drop pants' path of let anyone write
    as the first step.
    90's Microsoft path was to let anyone do anything from anywhere, which
    of course caused more than a few issues. This is one reason they are
    building a very different mindset for storing files just to escape this
    legacy.

    NSS was designed with the best practical of only allowing what is
    expressly granted with a natural flow down of rights. So it is hard
    to easily map methods between the two. When you want to block rights,
    that is when you explicitly set the IRFs AFTER making sure someone key
    has the right rights within those folders.



    Andy of
    http://KonecnyConsulting.ca in Toronto
    Knowledge Partner
    https://forums.novell.com/member.php/75037-konecnya
    If you find a post helpful and are logged in the Web interface, please
    show your appreciation by clicking on the star below. Thanks!