7.5 NFARM (OES File Access Rights Management)

OES File Access Rights Management (NFARM) is a shell (Windows) or finder (Mac) extension that enables eDirectory or Active Directory users on Windows and Mac workstation to perform Salvage and Purge operations. In addition,

  • On Windows workstation, enables Windows Active Directory or eDirectory administrators or users to manage the access rights and quotas of AD or eDirectory users or groups on Storage Services (NSS) resources.

  • On Mac workstation, enables Windows Active Directory or eDirectory administrators or users to manage the access rights and quotas of AD users or eDirectory users or groups on Storage Services (NSS) resources.

NFARM on Windows helps AD or eDirectory administrators or users with sufficient rights to manage the following:

  • Trustees explicit rights, inherited rights filter, and view effective rights. You can also view trustees with rights from the selected path and child or parent directories.

  • Owners, NSS attributes and directory quota

  • User quotas

  • All paths that a user is a trustee of

  • Salvage and Purge

NOTE:

  • For Active Directory, ensure the following:

    • User Quota and Files System Rights operations are restricted to AD domain administrators, and to use these features one should have logged in to the Windows workstation using the AD domain administrative credentials.

    • To view or modify User Quota and File System Rights for an AD user from the trusted domain or forest, ensure that the user belongs to AD supervisor group of the domain where OES server is joined.

  • For eDirectory, ensure that the user is an administrator or with administrator equivalent rights.

The term object referred to in this section, indicates a path, folder, or volume.

After performing any operation in NFARM, you can click the following:

  • Apply to save changes to the NSS file system and remain in the same window.

  • OK to save changes to the NSS file system and exit.

  • Cancel to discard changes and exit.

All these operations are performed on a Windows mapped network drive that is mapped to an NSS volume, NSS Folder, or CIFS Share in the Windows client. These shares must be compatible with OES 2015 or later servers that have NSS AD set up and configured.

Similarly, NFARM on Mac helps AD administrators eDirectory administrators or users with sufficient rights to manage the following:

  • Trustees explicit rights, inherited rights filter, and view effective rights. You can also view trustees with rights from the selected path and child or parent directories.

  • Owners, NSS attributes and directory quota

  • User quotas

  • Salvage and Purge (both AD or eDirectory users)

The term object referred to in this section, indicates a path, folder, or volume.

After performing any operation in NFARM, you can click the following:

  • Apply to save changes to the NSS file system and remain in the same window.

  • Revert to undo the changes and remain in the same window.

  • OK to save changes to the NSS file system and exit.

  • Cancel to discard changes and exit.

All these operations are performed on a OES mapped drive that is mapped to an NSS volume, NSS Folder, or CIFS Share in the Mac client.

This section includes the following:

7.5.1 NFARM Support Matrix

This section lists the requirements for installing and running NFARM:

  • Operating Systems: NFARM can be installed on Windows and Mac:

    • Windows (64-bit): Windows 10

    • Mac: Mac OS X 10.15

  • OES: NFARM for Mac is supported beginning with OES 2018.

  • Active Directory: Active Directories installed and configured on Windows 2012 R2 and later.

7.5.2 Prerequisites for Installing NFARM

  • Ensure that you have installed and configured NSS AD following the instruction at Section 4.0, Installing and Configuring NSS AD Support.

  • Ensure that the mapped network drive NSS volumes and CIFS shares are accessible. All NFARM operations are performed on a mapped network drive NSS volume or CIFS share that is compatible with OES 2015 or later servers that have NSS AD set up and configured. For more information on mapping a CIFS share, see Accessing Files from a Windows Client in the OES 2018 SP3: OES CIFS for Linux Administration Guide.

  • Ensure that you have administrative rights on your workstation to install NFARM.

  • Based on your operating system, download and install the correct version of NFARM from the OES Welcome page (https://<OES server IP or the host name>/welcome/client-software.html).

    • Windows: NFARM installer for Windows (64-bit)

    • Mac: NFARM installer for Mac

      NOTE:Beginning with OES 2018 SP2, NFARM on Mac does not support SMBv1 protocol.

  • Ensure that your Windows operating system has been configured to authenticate using Active Directory.

  • The maximum memory units that can be specified for the directory and user quotas in NFARM are as follows:

    • KB: 9007199254740991

    • MB: 8796093022207

    • GB: 8589934591

    • TB: 8388607

    • PB: 8191

7.5.3 Installing and Accessing NFARM

Based on your operating system, download the version of NFARM from the OES Welcome page (http://<OES server IP Address or the host name>/welcome/client-software.html) and install it.

After installing NFARM, map an NSS volume or CIFS share, and do the following to get access to NFARM tabs.

  • On Windows: Right-click > Properties on the mapped share

  • On Mac: Right-click > Rights Management on a OES mapped drive

    or

    To get access to only Salvage and Purge options, right-click > Deleted Files on a OES mapped drive.

On Windows workstation, when you map the volume for the first time as an eDirectory user and access any of the NFARM tabs, it prompts to enter the eDirectory credentials. The eDirectory user name should be in FQDN format. These credentials are used to list the eDirectory objects (only those objects for which the logged in eDirectory user has access to) in the eDirectory Object Selector window.

If there are a large number of trustees, the first launch of NFARM might fail to list them. The issue is caused because it takes time to fetch large number of trustees. Relaunch NFARM and the issue would be resolved because the trustees would be cached.

7.5.4 Managing the Trustee Rights in the NSS File System

On Windows

Using the Trustee Rights tab, you can do the following:

  • View, add, edit, search, and remove trustees and their explicit rights on a selected path. The path can be the root of a volume, a folder in the volume, a file or a CIFS share.

  • View both Active Directory and eDirectory trustees.

  • View and edit the Inherited Rights Filter (IRF) for the selected path.

  • View the effective rights trustees on the selected path, and manage the rights inheritance on the selected path.

Managing the Explicit Rights of Trustees

Explicit rights are the rights defined for the trustee (user or group) on an object. The trustee names are displayed in FQDN (for eDirectory user or group) and it is preceded by the AD domain name (for AD user or group) along with the following eight NSS rights:

  • Supervisor: Grants all rights to the directory or file and any subordinate items. The Supervisor right can't be blocked by an Inherited Rights Filter. Users with this right can grant or deny other users rights to the directory or file.

  • Read: For a directory, grants the right to open files in the directory and read the contents or run the programs. For a file, grants the right to open and read the file.

  • Write: For a directory, grants the right to open and change the contents of files in the directory. For a file, grants the right to open and write to the file.

  • Erase: Grants the right to delete the directory or file.

  • Create: For a directory, grants the right to create new files and directories in the directory. For a file, grants the right to create a file and to salvage a file after it has been deleted.

  • Modify: Grants the right to change the attributes or name of the directory or file, but does not grant the right to change its contents (changing the contents requires the Write right).

  • File Scan: Grants the right to view directory and file names in the file system structure, including the directory structure from that file to the root directory.

  • Access Control: Grants the right to add and remove trustees for directories and files and modify their trustee assignments and Inherited Rights Filters.

    This right does not allow the trustee to add or remove the Supervisor right for any user. Also, it does not allow to remove the trustee with the Supervisor right.

    NOTE:These NSS rights are not related to the Microsoft Windows rights in any way.

This section explains the procedure to add, remove, or search trustees on an object, in addition to managing their explicit rights on the selected object:

  • To add trustees on a selected path:

    • When you map the volume as an AD user, click Add..., search and select the AD users or groups, then select the rights. If you are entering multiple trustee names in the Enter the object names to select (examples) text box, separate each trustee with a semicolon.

    • When you map the volume as an eDirectory user, click Add.... Specify the object name, search context, select the object type, and then click Search. In the User or Group Name list, select the eDirectory user or group and click OK.

    • When you map the volume as an eDirectory user, then to add AD trustees, select List Active Directory trustees also, and click Add. In Identify Source dialogue box, select Active Directory and click OK. Similarly, when you map the volume as an AD user, then you can add eDirectory trustees too.

  • To remove trustees, select the trustees that you want to remove, then click Remove.

    HINT:To delete multiple trustees, press and hold the Ctrl key while selecting multiple trustees.

  • To search for a specific trustee in the trustee list, specify the trustee name, and click Search. To revert to the original trustee list, clear the entry in the search box, and then click Search.

  • To edit or remove rights for the displayed trustees, select or clear the respective rights check boxes. Multiple trustee edit is possible.

  • To list the eDirectory and Active Directory trustees in the trustee list, select List Active Directory trustees also, or List eDirectory trustees also. After listing, you can continue to perform a search, add or remove trustees, edit or remove rights.

After managing the explicit rights, ensure that you click Apply in order for your changes take effect in the NSS file system.

Managing Inherited Rights Filter (IRF)

Subdirectories and files can inherit rights from their parent directory. The directory’s rights flow down through its structure to subdirectories and files, except for specific subdirectories or files with their own trustee assignments that supersede inherited rights. When granting a trustee assignment to a subdirectory or file, the trustee assignment takes precedence over the inherited rights of its parent directory.

The Inherited Rights Filter section displays the list of rights that are inherited from the parent object. To block inheritance of rights from the parent object to the selected object (file or directory), clear the respective NSS rights, then click Apply for the changes to take effect in the NSS file system.

The supervisor rights cannot be blocked.

Viewing the Effective Rights

A user’s explicit rights on a directory are combined with the filtered rights inherited from its parent directory. Any rights through security equivalence are also applied.

A user’s explicit rights on a file override any rights that can be inherited from its parent directory. In this case, the user has only the rights granted, and the inherited rights are ignored. If the user is a member of another group or role that also has explicit rights to the file, the user’s effective rights on the file are a combination of the rights granted for the user and the rights granted for the group or role. If the rights of the group or role are more restrictive than the user’s explicit rights, it has no effect on rights granted to the user.

An object’s effective rights to a subdirectory are the set of distinct rights from the following:

  • Rights inherited for the user from the parent directory, with consideration of the inherited rights filter set for the subdirectory.

  • Rights set explicitly for the user on the directory.

  • Rights set explicitly for a security-equivalent object on the directory:

    • Explicit by assignment (Security Equal To property)

    • Automatic by membership in a group or role

    • Implied by its parent container and by the [Public] container

    More restrictive security-equivalent rights do not override rights granted for the trustee on the directory or for the trustee’s filtered inherited rights.

An object’s effective rights to a file are determined by the following:

  • Rights inherited for the user from the parent directory, with consideration of the inherited rights filter set for the file.

    If the user has rights set on the parent directory or is security equivalent to an object with explicit rights set there, those are the rights that flow down to the file for the user and are subject to the IRF.

    Inherited rights for a file are ignored if rights are set explicitly for the object or for a security equivalent of the object. This behavior is different than for a directory.

  • Rights set explicitly for the user on the file.

    Inherited rights are ignored. Explicit trustee rights for a security equivalent object are added. More restrictive security-equivalent rights do not override rights set for the trustee on the file.

  • Rights set explicitly for a security-equivalent object on the file:

    • Explicit by assignment (Security Equal To property)

    • Automatic by membership in a group or role

    • Implied by its parent container and by the [Public] container

      Inherited rights are ignored. Explicit trustee rights are added.

For more information, see How Effective Rights Are Calculated in the NetIQ eDirectory Administration Guide.

To launch the Effective Rights screen, from the Trustee Rights tab, click Advanced.... By default, for the selected object, the list of trustees along with their rights is displayed. You can use the Search button to view the rights of a specific trustee in the trustee list.

NOTE:To revert to the original trustee list, clear the entry in the search box, and then click Search.

To view the effective rights of some other trustee, click Select:

  • When you map the volume as an AD user, search or enter the trustee name.

  • When you map the volume as an eDirectory user, search the trustee name in the User or Group Name list, select the eDirectory user or group, and then click OK. You can select only one user at a time.

You must have adequate rights to view the effective rights of other trustees.

Managing Trustees for Directories

Using the Trustees for Directories tab, you can get the explicit rights of the trustees from the selected path to the root of the volume and trustees from the selected path to the child directories in the volume.

To launch the Trustees for Directories screen, from the Trustee Rights tab, click Advanced... > Trustees for Directories.

For example, assume that you have the following directory structure:

  • \vol1\media\audio

  • \vol1\org\country\us\ny\emp

  • \vol1\org\country\us\slc\emp

  • \vol1\org\country\uk\ln\emp

  • \vol1\org\country\uk\lpl\emp

If you click Parent Directories from the “country” folder, it will list the explicit list of trustees and their rights in the country, org and vol1. It does not consider the media and its sub directories.

If you click Sub Directories from the countries folder, it lists the explicit rights of all the trustees in the following directories:

  • \vol1\org\country\us\

  • \vol1\org\country\us\ny

  • \vol1\org\country\us\slc

  • \vol1\org\country\us\ny\emp

  • \vol1\org\country\us\slc\emp

  • \vol1\org\country\uk

  • \vol1\org\country\uk\ln

  • \vol1\org\country\uk\lpl

  • \vol1\org\country\uk\ln\emp

  • \vol1\org\country\uk\lpl\emp

From this tab, you can also modify the explicit rights of the trustees by clearing or selecting the NSS rights check boxes. You can also remove trustees by using the Remove button. To search for a specific trustee in the trustee list, specify the trustee name, and click Search.

NOTE:To revert to the original trustee list, clear the entry in the search box, and then click Search.

On Mac

Using the Trustee Rights tab, you can do the following:

  • View, add, edit, search, and remove trustees and their explicit rights on a selected path. The path can be the root of a volume, a folder in the volume, a file or a CIFS share.

  • View and edit the Inherited Rights Filter (IRF) for the selected path.

  • View the effective rights trustees on the selected path, and manage the rights inheritance on the selected path.

Managing the Explicit Rights of Trustees

Explicit rights are the rights defined for the trustee (user or group) on an object. The trustee names are displayed in FQDN (for eDirectory user, group, or container) and it is preceded by the AD domain name (for AD user or group) along with the eight NSS rights. For more information on these eight rights, see Managing the Explicit Rights of Trustees on Windows.

This section explains the procedure to add, remove, or search trustees on an object, in addition to managing their explicit rights on the selected object:

  • To add trustees on a selected path, click , search and select the users or groups, then select the rights.

    NOTE:In the Settings tab, if you have enabled the option List eDirectory trustees also or List Active Directory trustees also, then an additional pop-up is displayed to select the identity source.

  • To remove trustees, select the trustees that you want to remove, then click .

    HINT:

    • To select all files: Select the first file, then press COMMAND+A.

    • To select multiple files: Press and hold the ALT key, then click the files of your choice..

    • To select a series of files: Select the first file, press and hold the SHIFT key, and then click the last file.

  • To search for a specific trustee in the trustee list, specify the trustee name in the search box.

  • To edit or remove rights for the displayed trustees, select or clear the respective rights check boxes. Multiple trustee edit is possible.

  • To list the eDirectory and Active Directory trustees in the trustee list, select List both eDirectory and AD trustees. After listing, you can continue to perform a search, remove trustees, edit or remove rights, but you cannot add any user to the trustee list.

After managing the explicit rights, ensure that you click Apply in order for your changes take effect in the NSS file system or click Revert to undo the changes.

Managing Inherited Rights Filter (IRF)

Subdirectories and files can inherit rights from their parent directory. The directory’s rights flow down through its structure to subdirectories and files, except for specific subdirectories or files with their own trustee assignments that supersede inherited rights. When granting a trustee assignment to a subdirectory or file, the trustee assignment takes precedence over the inherited rights of its parent directory.

The Inherited Rights Filter section displays the list of rights that are inherited from the parent object. To block inheritance of rights from the parent object to the selected object (file or directory), clear the respective NSS rights, then click Apply for the changes to take effect in the NSS file system or click Revert to undo the changes.

The supervisor rights cannot be blocked.

Viewing the Effective Rights

A user’s explicit rights on a directory are combined with the filtered rights inherited from its parent directory. Any rights through security equivalence are also applied.

A user’s explicit rights on a file override any rights that can be inherited from its parent directory. In this case, the user has only the rights granted, and the inherited rights are ignored. If the user is a member of another group or role that also has explicit rights to the file, the user’s effective rights on the file are a combination of the rights granted for the user and the rights granted for the group or role. If the rights of the group or role are more restrictive than the user’s explicit rights, it has no effect on rights granted to the user. For more information on effective rights, see Viewing the Effective Rights on Windows.

By default, for the selected object, the list of trustees along with their rights is displayed. You can use the Search button to view the rights of a specific trustee in the trustee list.

To view the effective rights of some other trustee, click Select, then search or enter the trustee name.

NOTE:If you enable the List both eDirectory and AD trustees option on the Rights tab, you cannot view the effective rights of other trustees.

You must have adequate rights to view the effective rights of other trustees.

Managing Trustees for Directories

Using the Trustee for Directories tab, you can get the explicit rights of the trustees from the selected path to the root of the volume and trustees from the selected path to the child directories in the volume.

For example, assume that you have the following directory structure:

  • \vol1\media\audio

  • \vol1\org\country\us\ny\emp

  • \vol1\org\country\us\slc\emp

  • \vol1\org\country\uk\ln\emp

  • \vol1\org\country\uk\lpl\emp

If you click Parent Directories from the “country” folder, it will list the explicit list of trustees and their rights in the country, org and vol1. It does not consider the media and its sub directories.

If you click Sub Directories from the countries folder, it lists the explicit rights of all the trustees in the following directories:

  • \vol1\org\country\us\

  • \vol1\org\country\us\ny

  • \vol1\org\country\us\slc

  • \vol1\org\country\us\ny\emp

  • \vol1\org\country\us\slc\emp

  • \vol1\org\country\uk

  • \vol1\org\country\uk\ln

  • \vol1\org\country\uk\lpl

  • \vol1\org\country\uk\ln\emp

  • \vol1\org\country\uk\lpl\emp

From this tab, you can also modify the explicit rights of the trustees by clearing or selecting the NSS rights check boxes. You can also remove trustees by using the button. To search for a specific trustee in the trustee list, specify the trustee name in the search box.

7.5.5 Information or Directory Quota

On Windows

Using the Information tab, you can view and modify:

  • The owner of a file

  • NSS attributes

  • Directory quotas

  1. To change the owner of a file, click Change, then search for and select the new owner.

  2. To set the NSS attributes for the selected path, select or clear the respective attributes. These attributes vary based on the object chosen (file or directory).

  3. To change the directory quota of a selected path, click Edit, then specify the quota limit and the memory unit (KB, MB, GB, TB, PB). After setting the quota, you will be able to view the quota limit set, the used quota and the available quota.

  4. Click Apply for the changes to take effect in the NSS file system.

On Mac

Using the Directory Quota tab, you can view and modify:

  • The owner of a file

  • NSS attributes

  • Directory quotas

  1. To change the owner of a file, click , then search for and select the new owner.

    NOTE:In the Settings tab, if you have enabled the option List eDirectory trustees also or List Active Directory trustees also, then an additional pop-up is displayed to select the identity source.

  2. To set the NSS attributes for the selected path, select or clear the respective attributes. These attributes vary based on the object chosen (file or directory).

  3. To change the directory quota of a selected path, click , then specify the quota limit and the memory unit (MB, GB, TB, PB). After setting the quota, you will be able to view the quota limit set, the used quota and the available quota.

  4. Click Revert to undo the changes or click Apply for the changes to take effect in the NSS file system.

7.5.6 User Quota

Using the User Quota tab, you can add, edit, or remove the user quota limit for a single or multiple users concurrently. For every user, it lists the quota limit, used, and remaining.

On Windows

To set the user quota:

  • For Active Directory users, you should either be an AD domain administrator or a user who has administrative privileges. You should also be logged in to the Windows workstation using the AD domain administrative credentials.

  • For eDirectory users, you should either be an eDirectory administrator or a user who has administrative privileges.

To search for a specific trustee in the trustee list, specify the trustee name, and click Search. To revert to the original trustee list, clear the entry in the search box, and then click Search.

  1. To assign quotas for a single or multiple users, click Add..., search and select users, then specify the quota limit.

  2. To edit the quota limit, select users, click Edit..., then modify the quota limit. Press and hold the Ctrl key while selecting multiple users.

  3. To remove the quota set for users, select the users, then click Remove.

NOTE:The user quota is always set at the volume level, regardless of the folder or share from where you have invoked the User Quota.

On Mac

To set the user quota:

  • For Active Directory users, you should either be an AD domain administrator or a user who has administrative privileges. You should also be logged in to the Windows workstation using the AD domain administrative credentials.

  • For eDirectory users, you should either be an eDirectory administrator or a user who has administrative privileges.

  1. To assign quotas for a single or multiple users, click . A new window is displayed, click , search and select users, then specify the quota limit.

    NOTE:In the Settings tab, if you have enabled the option List eDirectory trustees also or List Active Directory trustees also, then an additional pop-up is displayed to select the identity source.

  2. To edit the quota limit, select users, click , then modify the quota limit and click Ok. Press and hold the Alt key while selecting multiple users.

  3. To remove the quota set for users, select the users, then click .

  4. Click Revert to undo the changes or click Apply for the changes to take effect in the NSS file system.

NOTE:The user quota is always set at the volume level, regardless of the folder or share from where you have invoked the User Quota.

7.5.7 File System Rights

On Windows

Using the File System Rights tab, you can do the following:

  • View all the objects that a user is a trustee of

  • Modify the explicit rights that the trustee has on an object

  • Add or remove the objects

  • View the rights of all groups to which the user is a member

NOTE:To view or modify the File System Rights:

  • For Active Directory users, you should either be an AD domain administrator or a user who has administrative privileges. Further, you should have logged in to the Windows workstation using the AD administrative credentials.

  • For eDirectory users, you should either be an eDirectory administrator or a user who has administrative privileges.

  1. To view the explicit rights of a trustee across objects at the volume level, click Select, then search and select a user or group.

    NOTE:If you enable the List both eDirectory and AD trustees option on the Trustee Rights tab, you cannot select any user or group name to view the explicit rights of a trustee.

  2. To modify the explicit rights that the trustee has on an object, select or clear the respective NSS rights check boxes next to the object name.

  3. To add an object and to assign rights to the trustee, click Add..., then select the path.

  4. To remove an object on which the trustee has rights, select the object, then click Remove. Press and hold the Ctrl key while selecting multiple objects.

  5. To view rights of all the groups to which the trustee belongs, click Group Rights. Group Rights is disabled if a group is selected.

On Mac

Using the File System Rights tab, you can do the following:

  • View all the objects that a user is a trustee of

  • Modify the explicit rights that the trustee has on an object

  • Add or remove the objects

  • View the rights of all groups to which the user is a member

NOTE:To view or modify the File System Rights:

  • For Active Directory users, you should either be an AD domain administrator or a user who has administrative privileges. Further, you should have logged in to the Mac workstation using the AD administrative credentials.

  • For eDirectory users, you should either be an eDirectory administrator or a user who has administrative privileges.

  1. To view the explicit rights of a trustee across objects at the volume level, click ,then search and select an user or a group.

    NOTE:In the Settings tab, if you have enabled the option List eDirectory trustees also or List Active Directory trustees also, then an additional pop-up is displayed to select the identity source.

  2. To modify the explicit rights that the trustee has on an object, select or clear the respective NSS rights check boxes next to the object name.

  3. To add an object and to assign rights to the trustee, click Add or remove path, select the object, then assign rights and click Apply.

  4. To remove an object on which the trustee has rights, select the object, then click Add or remove path. Press and hold the Ctrl key while selecting multiple objects.

  5. To view the rights of all the groups to which the trustee belongs, click Group Rights. Group Rights is disabled if a group is selected.

  6. Click Revert to undo the changes or click Apply for the changes to take effect in the NSS file system.

7.5.8 Settings (Mac)

Using the Settings tab, you can enable the ability to manage trustees from both eDirectory and Active Directory across all the tabs.To enable managing the trustees from both Active Directory and eDirectory, select the checkbox List Active Directory trustees also or List eDirectory trustees also.

7.5.9 Salvage and Purge

The Salvage and Purge utility lets you recover or delete the files and directories permanently from the NSS file system. The files that have been purged cannot be recovered. This tool gets automatically installed when you install NFARM.

For information on how to perform salvage and purge operations on Windows, see Salvage and Purge on Windows in the OES 2018 SP3: OES CIFS for Linux Administration Guide.

For information on how to perform salvage and purge operations on Mac, see Salvage and Purge on Mac in the OES 2018 SP3: OES CIFS for Linux Administration Guide.