A reader recently asked the following question:

“The eDirectory Admin Guide talks about how effective rights are calculated, but what does this mean: ‘eDirectory moves down a level in the branch of the tree that contains the target resource.’ I read this as going to the branch in which the object in question resides, and then looking at a branch below that one. I have branches in my tree that have multiple lower branches to move down to, and I have branches that have no lower branches to move down to. And why would a filter that applies to a branch below the object in question figure into the rights of that object?”

And here’s the response from Novell’s Aaron Burgemeister …

This is describing how rights are calculated for a given object when requesting “Effective Rights” to that object. The statement you are mentioning is taking place recursively from the top of the tree UNTIL the object in question is found. It does not go beyond where the desired object is.

For instance,


has a few levels to churn through. First, the server starts at the top of the tree (or partition for inherited ACLs to prevent excessive traffic) and determines what rights are applicable there. By default everybody can browse the tree, so eDirectory remembers that the user requesting the information can browse objects. It then moves to the next level toward the desired object and calculates rights at that level, removing/adding/merging rights as appropriate from/to/with the previous level’s rights. This continues all the way to the desired object itself.

eDirectory does not calculate rights beyond the desired object, because rights only flow down the tree (tree to leaf).

To clarify on what the statement means, realize that every part of the tree can be considered a branch (even including the root and the leaves, for my purposes here). eDirectory starts moving down the branch toward the desired object from the topmost branch (tree root) and then to the next branch (dc=myorgs) and then to the next branch (o=novell)…and then to the last “branch” or leaf (cn=destUser).
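To make the walk concrete, here is a small Python model of the procedure described in the reply above. It is an added example, not code from the original post or from eDirectory: the tree, the trustee name cn=helpdesk and the rights assigned are constructed for the example, and only object rights (S, B, C, D, R), explicit trustee assignments, the Inherited Rights Filter (IRF) and the [Public] trustee are modelled (no attribute rights, no group or other security equivalences). The walk starts at [Root], stops at the target, and never looks at objects below or beside it, which is why a filter on a lower branch cannot change the target's effective rights.

```python
"""Toy model of eDirectory's root-to-target effective-rights walk.

Constructed example: the tree, trustee names and rights below are invented
for illustration and are not taken from any real directory.
"""
from dataclasses import dataclass, field

# Object rights: Supervisor, Browse, Create, Delete, Rename.
ALL_RIGHTS = frozenset("SBCDR")


@dataclass
class Node:
    name: str
    acl: dict = field(default_factory=dict)        # explicit trustee assignments on this object
    irf: frozenset = ALL_RIGHTS                    # Inherited Rights Filter: what may flow IN from the parent
    children: dict = field(default_factory=dict)   # rdn -> Node

    def add(self, child):
        self.children[child.name] = child
        return child


def walk(root, target_dn):
    """Yield the objects from [Root] down to target_dn, and nothing beyond it.

    eDirectory DNs are written leaf-first, so the components are reversed to
    get the root-to-leaf order in which rights are evaluated.
    """
    node = root
    yield node
    for rdn in reversed(target_dn.split(",")):
        node = node.children[rdn]
        yield node


def effective_rights(root, target_dn, trustee, equivalents=("[Public]",)):
    """Effective object rights of `trustee` on `target_dn`.

    At each level on the path: (1) removing - the object's IRF strips rights
    that may not be inherited from the parent; (2) replacing - an explicit
    assignment on the object for a source overrides what that source had
    inherited.  After the target is reached: (3) merging - the rights of the
    trustee and of its security equivalences are combined.  Supervisor
    implies every other right.
    """
    sources = (trustee,) + tuple(equivalents)
    rights = {src: frozenset() for src in sources}
    for node in walk(root, target_dn):
        rights = {src: r & node.irf for src, r in rights.items()}      # removing
        for src in sources:
            if src in node.acl:
                rights[src] = frozenset(node.acl[src])                 # replacing
    merged = frozenset().union(*rights.values())                       # merging
    return ALL_RIGHTS if "S" in merged else merged


HELPDESK = "cn=helpdesk,o=novell,dc=myorgs"   # constructed trustee name


def build_tree():
    """Constructed sample tree using the container names from the reply."""
    root = Node("[Root]", acl={"[Public]": {"B"}})                 # default: everybody can browse
    myorgs = root.add(Node("dc=myorgs", acl={HELPDESK: {"B", "C", "R"}}))
    novell = myorgs.add(Node("o=novell", irf=ALL_RIGHTS - {"C"}))  # IRF keeps Create out of this branch
    novell.add(Node("cn=destUser"))                                 # no assignments of its own
    novell.add(Node("cn=otherUser", acl={HELPDESK: {"D"}}))        # explicit assignment on the leaf
    myorgs.add(Node("o=other", acl={HELPDESK: {"S"}}))              # sibling branch, never on destUser's path
    return root


if __name__ == "__main__":
    tree = build_tree()
    for dn in ("dc=myorgs", "o=novell,dc=myorgs", "cn=destUser,o=novell,dc=myorgs",
               "cn=otherUser,o=novell,dc=myorgs", "o=other,dc=myorgs"):
        print(f"{dn:36} -> {''.join(sorted(effective_rights(tree, dn, HELPDESK)))}")
```

Running it shows helpdesk with BCR on dc=myorgs, only BR on o=novell and cn=destUser (the IRF on o=novell removed Create on the way down), BD on cn=otherUser (the explicit Delete replaced the inherited BR, and [Public] still contributes Browse), and full rights on o=other; the Supervisor assignment on o=other never reaches cn=destUser because that container is not on its path. Setting a restrictive IRF on cn=destUser changes nothing for o=novell above it, for the same reason.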


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: ab
Mar 1, 2006
5:00 am