Anonymous_User Absent Member.

Prevent supervisor / Administrator access to certain folders


Hi,

Been doing quite a bit of research but haven't found a solution. (OES2
Linux, current eDir, iManager).
I am trying to set up one folder with specific access rights for one
user (or a group), without supervisor or administrators having access to
this one folder (CEO wants a folder that his administration team have no
access to).

Any ideas?

Thank you
Torsten


--
topi76
------------------------------------------------------------------------
topi76's Profile: http://forums.novell.com/member.php?userid=47339
View this thread: http://forums.novell.com/showthread.php?t=447811

Bob-O-Rama
Visitor.

Re: Prevent supervisor / Administrator access to certain folders


You need to clarify specifically what you want and what you mean by
administrators / supervisors. I think you mean the CEO's staff, and not
you as an admin. Of course you can create a folder that only the CEO
or a short list of people he designates have access to, you do that
every day - e.g. a Home Directory. The usual way to prevent downward
flow of rights is the use of Inherited Rights Filters which can block
off the flow of rights to a sub folder.

For example, if you have a departmental shared folder, and have a
subfolder, called "Super Secret" you would provide the desired users
with direct trustee rights over Super Secret, and then apply an IRF to
Super Secret and block all inherited rights from the rest of the users.
At that point nobody but those direct trustees would have access. If
this is more what you are after, the answer is "yes."

Ultimately there is nothing that the Network Admin equivalent cannot
access. An approach to manage the CEO's expectations, reaffirm your
respect for confidentiality principles, tap dance faster, etc. would
be to outline and document who in IT has access, how those rights are
managed / granted. This will, hopefully, close up the circle of
trust.

BTW this is not different than any other OS.

But if this is the CEO protecting his files from his staff - IRFs are
your friend.

-- Bob


--
Bob Mahar -- Novell Knowledge Partner
Do you do what you do at a .EDU? http://novell.com/ttp
"Programming is like teaching a jellyfish to build a house."
More Bob: 'Twitter' (http://twitter.com/BobMahar) 'Blog'
(http://blog.trafficshaper.com) 'Vimeo' (http://vimeo.com/boborama) <--
Click And Be Amazed!
------------------------------------------------------------------------
Bob-O-Rama's Profile: http://forums.novell.com/member.php?userid=5269
View this thread: http://forums.novell.com/showthread.php?t=447811

Anonymous_User Absent Member.

Re: Prevent supervisor / Administrator access to certain folders


Dear Bob,

thank you for your reply. I will try and elaborate (I fear there is no
solution).
I am an external IT consultant and have my own user account within the
network.
The in-house IT department have full Network admin rights (basically
access all areas).
The question is, can one create a folder which the network admin cannot
access anymore, but can only be accessed by two specified user accounts
(without network admin rights).

I know that this constellation can cause other problems (e.g. backup)

Sincerely
Torsten


--
topi76

Anonymous_User Absent Member.

Re: Prevent supervisor / Administrator access to certain folders

On Mon, 07 Nov 2011 08:26:02 +0000, topi76 wrote:

> Dear Bob,
>
> thank you for your reply. I will try and elaborate (I fear there is no
> solution).
> I am an external IT consultant and have my own user account within the
> network.
> The in-house IT department have full Network admin rights (basically
> access all areas).
> The question is, can one create a folder which the network admin cannot
> access anymore, but can only be accessed by two specified user accounts
> (without network admin rights).
>
> I know that this constellation can cause other problems (e.g. backup)


Not easily.

If your CEO doesn't trust his IT staff, that's a problem that needs to be
addressed - and not by telling them "no, you can't have access to these
files". In general, telling IT staff you don't trust them (directly or
indirectly) is a bad idea - and in some cases, it does become a
self-fulfilling prophecy.

Never mind the fact that the IT staff has physical access to the server.
Physical access trumps all - and with it, no matter what OS, you're
likely going to be able to access the data.

Now, what he might do is look at storing the files on the server using
encryption. iFolder could be used to do this (the files would be
synchronized to the local drives of those he shares it with).

But the caveat is that if the IT staff doesn't have access to them and he
forgets the password or something happens and he needs the files
restored, obviously, that isn't going to happen.

Jim

--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell Knowledge Partner
Knowledge Partner

Re: Prevent supervisor / Administrator access to certain folders

On Sun, 06 Nov 2011 15:36:01 +0000, Bob-O-Rama wrote:

> You need to clarify specifically what you want and what you mean by
> administrators / supervisors. I think you mean the CEO's staff, and not
> you as an admin.


Given that "admin" has 'S' rights to the NCP Server object, "admin" also
has rights to all files contained on that server. You can't block these
in the file system, and blocking them in eDirectory has other nasty
consequences you should understand before attempting.


> Ultimately there is nothing that the Network Admin equivalent cannot
> access.


Correct. Backups are another thing to consider. Does your CEO want this
super secret data backed up?


--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the newsgroups. No support provided via email.

Anonymous_User Absent Member.

Re: Prevent supervisor / Administrator access to certain folders


dgersic;2151786 Wrote:
> On Sun, 06 Nov 2011 15:36:01 +0000, Bob-O-Rama wrote:
>
> You can't block these
> in the file system, and blocking them in eDirectory has other nasty
> consequences you should understand before attempting.
>
>
> > Ultimately there is nothing that the Network Admin equivalent cannot
> > access.

>
> Correct. Backups are another thing to consider. Does your CEO want
> this
> super secret data backed up?
>
>


Thank you for your response.
So in theory one could strip one folder of admin(supervisor) rights on
eDir object level, and add specific users (CEO, backup) that then still
have access?
Or does it not work on folder level, only on volume level?

Sincerely
Torsten Pierro


--
topi76

Knowledge Partner

Re: Prevent supervisor / Administrator access to certain folders

On Mon, 07 Nov 2011 16:26:01 +0000, topi76 wrote:

> dgersic;2151786 Wrote:
>> On Sun, 06 Nov 2011 15:36:01 +0000, Bob-O-Rama wrote:
>>
>> You can't block these
>> in the file system, and blocking them in eDirectory has other nasty
>> consequences you should understand before attempting.
>>
>>
>> > Ultimately there is nothing that the Network Admin equivalent cannot
>> > access.

>>
>> Correct. Backups are another thing to consider. Does your CEO want this
>> super secret data backed up?
>>
>>
>>

> Thank you for your response.
> So in theory one could strip one folder of admin(supervisor) rights on
> eDir object level, and add specific users (CEO, backup) that then still
> have access?


Your CEO can have file system rights, or not, that's not especially
interesting. Same for backups. Blocking the rights inherited to the NCP
Server object, and maybe the Volume objects as well, may work. I haven't
tried it.


> Or does it not work on folder level, only on volume level?


The problem is that 'S' rights to the NCP Server are interpreted as 'S'
rights in the file system. 'S' rights in eDirectory can be blocked by an
Inherited Rights Filter, but 'S' rights in the file system cannot.


--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the newsgroups. No support provided via email.
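
A simplified model of the rule described in the post above and of the "Super Secret" folder example earlier in the thread, added here as an illustration; it is not part of the thread and not code from any Novell tool. The `Volume` class, the trustee names and the paths are constructed, and an S assignment at the volume root stands in for S inherited from the NCP Server object.

```python
ALL = frozenset("SRWCEMFA")  # file-system rights letters

class Volume:
    """Toy trustee/IRF model (assumption: simplified, one volume, no files)."""
    def __init__(self):
        self.trustees = {}  # path -> {trustee name: frozenset of rights}
        self.irf = {}       # path -> rights allowed to flow down into path

    def grant(self, path, trustee, rights):
        self.trustees.setdefault(path, {})[trustee] = frozenset(rights)

    def set_irf(self, path, rights):
        self.irf[path] = frozenset(rights)

    def _for_trustee(self, path, trustee):
        rights = self.trustees.get("/", {}).get(trustee, frozenset())
        current = ""
        for part in [p for p in path.split("/") if p]:
            current += "/" + part
            # The IRF masks inherited rights, but S always passes through.
            rights &= self.irf.get(current, ALL) | {"S"}
            explicit = self.trustees.get(current, {}).get(trustee)
            # A direct assignment replaces inherited rights, unless S was
            # already inherited: S from above cannot be taken away below.
            if explicit is not None and "S" not in rights:
                rights = explicit
        return ALL if "S" in rights else rights

    def effective(self, path, identities):
        """Union of rights over a user and the groups the user belongs to."""
        result = frozenset()
        for name in identities:
            result |= self._for_trustee(path, name)
        return result

def sample_volume():
    """Constructed scenario: shared folder with a blocked subfolder."""
    vol = Volume()
    vol.grant("/", "admin", "S")                      # stand-in for server-object S
    vol.grant("/dept", "staff", "RWCEMF")             # departmental share
    vol.grant("/dept/Super Secret", "ceo", "RWCEMF")  # direct trustee
    vol.set_irf("/dept/Super Secret", "")             # block all inherited rights
    return vol

if __name__ == "__main__":
    vol = sample_volume()
    for who in (["alice", "staff"], ["ceo", "staff"], ["admin"]):
        rights = vol.effective("/dept/Super Secret", who)
        print(who[0], "".join(sorted(rights)) or "(none)")
```

Staff lose access at the filtered folder and the direct trustee keeps it, while the admin identity still ends up with every right.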

Bob-O-Rama
Visitor.

Re: Prevent supervisor / Administrator access to certain folders


On the file system, S cannot be blocked by an IRF set up via any of
the shipping tools. (The low level APIs support this, but the UI and
tools don't let you.) Of course anything you can do as admin can be
undone by any admin. What the OP wants is a practical impossibility.

The Ancient Egyptians had a solution to this issue: the admins were
buried with the pharaoh.

-- Bob



Knowledge Partner

Re: Prevent supervisor / Administrator access to certain folders

On Tue, 08 Nov 2011 03:36:01 +0000, Bob-O-Rama wrote:

> On the file system, S cannot be blocked by an IRF set up via any of
> the shipping tools.


Right. But they're not granted at the file system level, they're
inherited from the eDir object. I haven't tested this, but I don't see
why they couldn't be blocked. It would make the server these files are
stored on unmanageable, and it's probably not a workable solution, but it
might be possible.


> tools don't let you. ) Of course anything you can do as admin can be
> undone by any admin. What the OP wants is a practical impossibility.


Right. And as Jim pointed out, you have to trust your admins. If an
organization can't trust them, then the organization is badly broken.


> The Ancient Egyptians had a solution to this issue: the admins were
> buried with the pharaoh.


I'm not so sure I want to sign up for that retirement plan.


--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the newsgroups. No support provided via email.

Anonymous_User Absent Member.

Re: Prevent supervisor / Administrator access to certain folders


dgersic;2152080 Wrote:
> On Tue, 08 Nov 2011 03:36:01 +0000, Bob-O-Rama wrote:
>
>
>
>
> > The Ancient Egyptians had a solution to this issue: the admins were
> > buried with the pharaoh.

>
> I'm not so sure I want to sign up for that retirement plan.
>
>
> --
> ---------------------------------------------------------------------------
> David Gersic
> dgersic_@_niu.edu
> Novell Knowledge Partner
> http://forums.novell.com
>
>
> Please post questions in the newsgroups. No support provided via
> email.


Thank you all for your input. I will solve the problem differently.
Playing with eDir rights when one doesn't know the results does not seem
sensible. 🙂

Cheers,
Torsten


--
topi76

Knowledge Partner

Re: Prevent supervisor / Administrator access to certain folders

> The Ancient Egyptians had a solution to this issue: the admins were
> buried with the pharaoh.


I am more blunt with clients when this comes up.

If you are this untrusting of your admins, fire them right now. Three
reasons.

1) If you cannot trust them this far, you cannot trust them at all.
Fire them now.

2) No matter what you put in place to block them, if they are good
enough they will get around it. So if you do not trust them this far,
fire them.

3) If they cannot get around them, they are not very good at their job
so fire them.

I like Bob's thought.