Chapter 6 - Managing Access Rights
Access rights are the privileges, given to or withheld from users, to open and make changes to folders and files and their contents. Access rights protect your folders and files in a network environment.
Note: If you use your Macintosh in an AppleShare network, note that Apple documentation refers to access rights as "access privileges." This guide uses the term, "access rights."
Your system administrator determines which areas of the network you have access to. Certain file volumes, folders, and files are off-limits; with others you may have limited rights. For example, your system administrator might set up folders that let you read, but not delete, the files in those folders.
With other folders, and with folders you create, you have complete control in deciding who to share your folders and files with.
Access rights are derived from file system protocols, or rules. The Macintosh file system specifies that each folder has a set of access rights associated with it. You have complete access to any folders you create, and any files you create within that folder inherit, or take on, the access rights associated with that folder. To grant access to other users, you use the Apple Get Privileges command, or the VINES Set Access Rights application.
The VINES Utilities' Set Access Rights application is compatible with the Apple Get Privileges command, yet provides these additional features:
You can specify that new folders inherit the access rights granted to the parent folder. This makes file sharing easier, as you do not have to explicitly set access rights for other users on the network each time you create a new folder.
You can set access rights for files. The Apple Get Privileges command lets you set access rights for folders only. Though any files you create initially inherit the access rights assigned to the parent folder, you can later change the access rights settings for any file.
The Apple Get Privileges command specifies a primary list of user categories (Owner, Group, and Everyone). The Set Access Rights application goes one step further by providing an additional user category, the Extended List. The Extended List is used to grant access rights to other users and groups, giving you a greater degree of control over who can access your folders and files.
For workstations running DOS or OS/2, VINES network software specifies its own set of access rights. VINES access rights can be assigned to folders or to files through the Set Access Rights application.
Starting the Set Access Rights Application
The Set Access Rights application is part of the VINES Utilities application. Make sure you have a copy of the VINES Utilities application on your local disk or have access to the application on a VINES file volume.
To start the Set Access Rights application, follow these steps:
1. Log in to the network if you have not already done so. Refer to Chapter 5 for steps for logging in to the network.
2. Double-click the VINES Utilities icon to start the application. The Utilities Selector window appears.
3. Double-click the Set Access Rights icon in the Utilities Selector window. A directory window appears:
The directory window appears superimposed over the Macintosh access rights window.
If you do not have any VINES file volumes mounted on your desktop, an alert box appears.
Use the directory window to choose the object (file volume, folder, or file) for which you want to view access rights settings. Table 6-1 summarizes the command buttons in the directory window:
Click | To |
Info | Display the access rights settings for the selected folder or file. |
Volume Info | Display the access rights for the current file volume. |
 | Display the directory window for other VINES file volumes mounted on your desktop. This button appears dimmed if there are no other volumes mounted. |
Cancel | Quit the Set Access Rights application. The VINES Utilities window appears. |
Viewing Macintosh Access Rights
This section describes viewing Macintosh access rights settings for file volumes, folders, and files.
Because your system administrator sets access rights for the file volumes you use on the network, you cannot change these rights. You can, however, view what rights you are assigned.
To view your access rights for the current file volume, click Volume Info. A screen appears:
Example Viewing Access Rights to a File Volume
Duncan Fraser has See Folders, See Files, and Make Changes rights to the file volume, "Sales Files@Sal@WCTUS." Note that the file volume is owned by Michael Simmons@IS@WCTUS. Because Duncan does not own the volume, he cannot make any changes to the access rights he has to that volume. Nor can he see what access rights have been assigned to anyone else.
To view access rights for a folder:
1. Select a folder in the Directory window.
2. Click Info. Depending on ownership of the folder, you see one of two windows.
If you do not own the folder, you see a window similar to this:
Example Viewing a Folder You Do Not Own
In the above example, Duncan Fraser has no access rights to the folder, "Trip Reports." Because he does not own the folder, he cannot set or change access rights.
If you own the folder, you see a window similar to the one shown below:
Example Viewing a Folder You Own
Because Duncan Fraser owns the folder, he can set and change the access rights settings for that folder.
Using this window to set, review, and change Macintosh access rights is described in the section "Using the Macintosh Window" later in this chapter.
To view access rights for a file:
1. From the directory window, select a file.
2. Click Info. Depending on your access rights, you see a window similar to this:
Note that if you do not own the file, you see a similar window, but without the access rights option boxes.
Using this window to set, review, and change Macintosh access rights is described in the section "Using the Macintosh Window" later in this chapter.
When you start the Set Access Rights application, the Access Rights menu appears in the menu bar:
This menu lists the available commands for setting and managing access rights. Note that the menu includes Command key equivalents.
Table 6-2 describes the menu commands:
Choose | To |
Views | Display either the Macintosh view or the VINES view of access rights |
Open... | Display the Directory window to select another volume, folder, or file |
Close | Close the active window |
Save | Save any changes made to access rights settings or to the Extended List |
Revert to Saved | Discard any changes made since the last time you saved changes |
Preview | See how access rights in one view translate to the other view |
Add to List | Add an entry to the Extended List |
Edit List | Edit an entry in the Extended List |
Delete from List | Delete an entry from the Extended List |
Set New File Access Rights... | Set access rights for new files you create |
More detailed descriptions are provided in later sections in this chapter.
To get help at any time, choose Help from the Apple Menu, or type Cmd-H. The Help window appears:
The Help window is divided vertically into two panels. The panel on the left contains a list of topics. To read information about a particular topic, click that topic. The corresponding help information appears in the panel to the right.
To find out about setting access rights, click Set Access Rights in the left panel. Information appears in the right panel.
To return to the application, click the Close box in the upper left corner.
To quit the VINES Access Rights application, do one of the following:
Click Cancel from the directory window
Choose the Quit command from the File menu
Click the Close box in the Macintosh window
If you made any changes to access rights settings, a dialog box prompts you to either save or discard your changes:
Click Save to save your changes and quit the application
Click Discard to discard your changes and quit the application
Click Cancel to return to the application without saving changes
If you previously saved any changes just prior to quitting the application, the dialog box does not appear.
Use the Macintosh window to view and assign access rights for folders and files that you create and own.
The Macintosh window is divided into four panels:
The rest of this section describes these panels in detail, and describes how to set and change access rights.
Next to the folder icon is the name of the folder. To view the DOS short name, click the folder icon. Click the icon again to toggle between the DOS short name and the Macintosh name.
Underneath the folder name is the following information, as shown in Table 6-3:
Information | Description |
Location | The name of the current VINES file volume. |
You are | The StreetTalk name used to log on to the server containing the current file volume. In most cases, this is your StreetTalk user name, unless another name was used to log on to the server and mount the file volume on your desktop. |
Your rights are | The access rights currently assigned to you for the object (file volume, folder, or file). Note that if you are the owner, these rights match what is shown in the access rights panel. |
Saved from | The access rights system "view" last used to save access rights. |
The access rights panel identifies the Owner and Group, and displays the current access rights settings for the Primary List of user categories:
Owner
Group
Everyone
By default, the Owner is the StreetTalk name of the person who created the folder or file. For folders you create, your StreetTalk name appears in this field. Any files you create within the folder inherit the Owner of the parent folder. Only the Owner and authorized system administrators can make changes to access rights settings. Owners automatically receive all three access rights (See Folders, See Files, and Make Changes) when they create a folder.
The Group, by default, represents everyone in the Owner's StreetTalk group. Members in the Owner's group have no access rights until the Owner of the folder later grants them.
The third user category, Everyone, refers to any user who has access to the file volumes on the server. Members in this category have no access rights until the Owner grants them. As the Owner you can change access rights settings for the Everyone category.
Note: If you log on to the server as a guest, you have the access rights shown in the Everyone category.
Table 6-4 describes Macintosh access rights:
Use | To |
See Folders | See folders within the current folder |
See Files | See files and applications within the current folder and open and copy those files and applications |
Make Changes | Make changes to folders and files within the current folder |
Changing the Owner and Group
The current owner's StreetTalk name is automatically selected when you first open the Macintosh window. Your StreetTalk name appears here for every folder you create.
To change the Owner, use standard text editing to edit the current name. The new name must be a proper StreetTalk name (Item@Group@Organization).
Note: Once you give away ownership of your folder to another user, you give away your right to set and change access rights for that folder. Only the Owner and your system administrator can set and change access rights for a folder, file, or file volume.
To change the Group, use standard text editing to select and edit the current group name. The new name must be a proper StreetTalk name for a group (*@Group@Organization). The group name can also be a list of StreetTalk users (List@Group@Organization).
When you change the Owner or Group names, the StreetTalk service checks to see if the new names exist. If they do not exist in the StreetTalk database, an error message appears.
To undo your changes, choose the Revert to Saved command from the Access Rights menu.
To save your changes, choose the Save command from the Access Rights menu. When you choose the Save command, the change of ownership or group takes effect.
Setting Access Rights
Macintosh access rights specify a Primary List of three user categories:
Owner
Group
Everyone
Each user category can be assigned any of the following access rights:
See Files
See Folders
Make Changes
These access rights are not cumulative. In other words, granting Make Changes access to a folder does not mean you also grant See Folders and See Files access. Be aware that different combinations of rights do make a difference.
To set or change access rights, click the appropriate option box.
An "X" in the option box shows that a right is granted. An empty option box shows that a right is withheld. Clicking the option box toggles the "X" on and off.
The Extended List is an additional user category that you use to add other users, lists, groups, and organizations and assign them access rights. This list gives you a greater degree of control over who has access to your folders and files. The Extended List appears in both the Macintosh and VINES access rights windows.
You can add up to five StreetTalk entries to your Extended List.
The Extended List can include:
Those within your StreetTalk group to whom you want to grant different access rights
Those outside your group to whom you want to grant access rights different from those granted to the Everyone category
Lists of StreetTalk users
Other StreetTalk groups in your organization
Other StreetTalk organizations on your network
To set or change access rights for entries in the Extended List, click the appropriate option box.
An "X" in the option box shows that a right is granted. An empty option box shows that a right is withheld. Clicking the option box toggles the "X" on and off.
Adding Entries
To add up to five StreetTalk entries to the Extended List:
1. Choose the Add to List command from the Access Rights menu. The StreetTalk Directory Assistance window appears.
2. Enter characters in the Key Search text area or use the Search Editor window to select a name.
3. Click OK. The StreetTalk Directory Assistance window disappears and the name appears in the Extended List.
If the StreetTalk service cannot validate the name, an error message appears.
Repeat the procedure for each entry in the Extended List.
You can assign access rights to the StreetTalk entry at this time or wait until you add the rest of your entries.
Editing Entries
To edit StreetTalk entries in your Extended List:
1. Click the StreetTalk entry in the Extended List to select it.
2. Choose the Edit List command from the Access Rights menu. The StreetTalk Directory Assistance window appears, with the name displayed in the top panel.
3. Enter characters in the Key Search text area or use the Search Editor window to select another name.
4. Click OK when you finish. The StreetTalk Directory Assistance window disappears and the new name appears in the Extended List.
Deleting Entries
To delete StreetTalk entries from the Extended List:
1. Click the StreetTalk entry in the Extended List to select it.
2. Choose the Delete from List command from the Access Rights menu. The name is removed from the Extended List.
Note: If you delete an entry by mistake, choose Revert to Saved from the Access Rights menu. Any changes you made since the last time you saved are discarded.
Ordering Entries
When determining which access rights a user has for an object (volume, folder, or file), the application uses this order of precedence:
1. Owner
2. StreetTalk user names in the Extended List
3. Group
4. StreetTalk groups and lists in the Extended List
5. StreetTalk organizations in the Extended List
6. Everyone
Note that the order of precedence goes from the most restrictive (the Owner of the object) to the least restrictive (Everyone). The order in which entries appear in the Extended List is not important, unless a user appears in two entries.
Example If a User Appears in Two Entries
If Courtney Bryan is a member of two lists that appear in the Extended List, she has the access rights specified in the first entry, even though the second entry might grant fewer access rights.
To change the order of entries:
1. Position the pointer over an entry in the Extended List.
2. Click once to select the entry.
3. Press the option key and the mouse button together. The pointer turns into a hand:
4. Holding the mouse button down, move the selected entry. If you place an entry on top of a second entry and then release the mouse button, the entry appears before the second entry.
To move an entry to the top of the List, move the selection to the top entry and release the mouse button.
Using Wildcards in Lists
You can use a wildcard character (*) as a placeholder for an Item or for an Item and Group in a StreetTalk list, and use that list as an entry in the Extended List. You cannot, however, use a wildcard character as a placeholder for part of an Item, Group, or Organization.
Example Using Wildcards as Placeholders
You can use "*@Mkt@WCTUS" to put everyone in the Marketing group in the organization WCTUS as an entry in the Extended List. However, you cannot use "Bob*@Mkt@WCTUS" to put everyone named Bob in the Marketing group as an entry in the Extended List.
Below the access rights settings for the Everyone category are option boxes for maximum rights. Maximum rights are the governing access rights anyone in your Extended List can have. No matter what access rights you assign to the entries in your Extended List, those rights are governed by the rights you specify as maximum rights.
Example Using Maximum Rights
If you grant See Files and See Folders rights to a user in your Extended List, but specify only See Files rights as maximum rights, this user only has See Files rights to your folder.
Specifying maximum rights lets you temporarily deny or grant access to the entire Extended List.
You specify maximum rights the same way you do for others in your group and organization.
To set or change maximum access rights, click the appropriate option box.
An "X" in the option box shows that a right is granted. An empty option box shows that a right is withheld. Clicking the option box toggles the "X" on and off.
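The order of precedence, the wildcard rule, and the maximum rights cap described above can be combined into one resolver. The following Python sketch is an added example, not code from VINES or from this guide; it assumes that the first matching level decides, that list membership is supplied as a dictionary, and that maximum rights default to all three rights. The StreetTalk group for Duncan Fraser, the list names, and the extra users are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Flag, auto

class Right(Flag):                      # the three Macintosh access rights
    SEE_FOLDERS = auto()
    SEE_FILES = auto()
    MAKE_CHANGES = auto()
NONE, ALL = Right(0), Right.SEE_FOLDERS | Right.SEE_FILES | Right.MAKE_CHANGES

def parse_name(name):  # Item@Group@Organization; '*' only for Item, or Item and Group
    parts = name.split("@")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a StreetTalk name: {name!r}")
    item, group, org = parts
    partial = any("*" in p and p != "*" for p in parts)   # e.g. Bob*@Mkt@WCTUS
    if partial or org == "*" or (group == "*" and item != "*"):
        raise ValueError(f"wildcard not allowed here: {name!r}")
    return item, group, org

def kind(entry, lists):  # classify an entry for the precedence order
    item, group, _ = parse_name(entry)
    if "*" in (item, group):
        return "org" if group == "*" else "group"
    return "list" if entry in lists else "user"

def matches(entry, user, lists):  # exact name, wildcard, or member of a list
    patterns = lists.get(entry, [entry])        # a list expands to its members
    return any(all(a in ("*", b) for a, b in zip(parse_name(p), parse_name(user)))
               for p in patterns)

@dataclass
class FolderAcl:
    owner: str
    group: str
    owner_rights: Right = ALL           # owners receive all three rights
    group_rights: Right = NONE          # nothing until the Owner grants it
    everyone_rights: Right = NONE
    max_rights: Right = ALL             # assumed default; caps the Extended List only
    extended: list = field(default_factory=list)   # ordered (entry, rights) pairs

    def add_entry(self, entry, rights):
        parse_name(entry)               # reject malformed names and partial wildcards
        if len(self.extended) >= 5:
            raise ValueError("the Extended List holds at most five entries")
        self.extended.append((entry, rights))

    def _extended(self, user, lists, kinds):
        for entry, rights in self.extended:     # list order decides between equals
            if kind(entry, lists) in kinds and matches(entry, user, lists):
                return rights & self.max_rights
        return None

    def effective(self, user, lists):
        """Walk the six precedence levels; the first level that matches decides."""
        if user == self.owner:
            return self.owner_rights
        hit = self._extended(user, lists, {"user"})
        if hit is None and matches(self.group, user, lists):
            return self.group_rights
        for kinds in ({"group", "list"}, {"org"}):
            if hit is None:
                hit = self._extended(user, lists, kinds)
        return self.everyone_rights if hit is None else hit

def demo():  # constructed sample data; the list names are made up
    lists = {"Reviewers@Mkt@WCTUS": ["Courtney Bryan@Mkt@WCTUS"],
             "Editors@Mkt@WCTUS": ["Courtney Bryan@Mkt@WCTUS", "*@IS@WCTUS"]}
    acl = FolderAcl("Duncan Fraser@Sal@WCTUS", "*@Sal@WCTUS", group_rights=ALL,
                    max_rights=Right.SEE_FILES | Right.SEE_FOLDERS)
    acl.add_entry("Reviewers@Mkt@WCTUS", ALL)            # first of Courtney's two lists
    acl.add_entry("Editors@Mkt@WCTUS", Right.SEE_FILES)
    acl.add_entry("*@*@WCTUS", Right.SEE_FOLDERS)        # the whole organization
    return acl, lists
```

Under these assumptions, a user-name entry with no rights in the Extended List outranks the Group category, so it withholds access from one member of a group that otherwise has it.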
Below the Extended List in the Macintosh window are three option boxes:
Can't be moved, renamed, or deleted
To ensure that your folder cannot be moved, renamed, or deleted (even by you), enable the top option by clicking the option box. This is also referred to as locking a folder. Disable this option by clicking it again to toggle it off.
Make all currently enclosed folders and files like this one
Enable this option if you want the same access rights you set for the current folder to apply to all files and folders stored within the current folder.
New folders inherit the access rights of this one
The bottom option allows you to specify that any new folders or files you create inherit the access rights of the parent folder. This includes the Owner, Group, and Extended List entries.
Note that this is different from how access rights are usually assigned. If you create a folder, you (as the Owner) receive See Folders, See Files, and Make Changes access to that folder. Others in your StreetTalk group or on the network receive no access rights at all.
To give other users access, you need to use the Macintosh window (or use the Get Privileges command) to grant access rights for each folder you create.
Enabling this option provides a way to avoid having to explicitly grant access rights to other users on the network. This option specifies that each new folder inherit the Owner, Group, and Extended List, as well as the access rights assigned to those user categories.
Undo your changes at any time by choosing the Revert to Saved command from the Access Rights menu. This command changes the access rights settings back to those you had when you last saved.
To save your changes, choose the Save command from the Access Rights menu. Remember, once you save your changes, you can no longer undo them through the Revert to Saved command.
Use the VINES window to set VINES access rights for file volumes, folders and files.
To display the VINES window, open the Views submenu from the Access Rights menu:
Note that you display the VINES window by choosing the VINES command from the Views submenu. Likewise, you display the Macintosh window by choosing the Macintosh command.
The Macintosh window appears by default. You can display both the VINES and the Macintosh windows at the same time. Opening one window does not close the other window.
Using the VINES window is similar to the Macintosh window, except for the different access rights:
VINES Access Rights Definitions
The VINES access rights scheme specifies a Primary List of three user categories, Owner, Group, and Everyone; and an additional user category, the Extended List. As shown in Table 6-5, each user category can be assigned any of the following access rights:
Access Rights | For Volumes and Folders | For Files |
Control | Set access rights for that folder | Set access rights for that file |
Search | Search through a folder for folders and files | |
Execute | | Use the file as an application file (execute the file) |
Read | See all folder and file names within the current folder | Open the file for reading only |
Write | Create and rename folders and files contained in the current folder | Make changes to the file |
Delete | Delete folders and files within the current folder | |
Note that the Search and Delete access rights apply only to file volumes and folders, and the Execute access right applies only to files.
These access rights are not cumulative. In other words, granting Control access to a file only provides the right to change access rights settings. It does not provide the right to open, edit, or delete the file.
This section describes the differences and similarities between the VINES window and the Macintosh window:
The two windows look similar, except that the access rights schemes are different. Setting and changing access rights, and managing the Extended List are the same for each window. Changes made to access rights settings are automatically "mapped" to the other access rights scheme. Note also that any changes made to the Extended List in one window are automatically copied to the other window.
The Preview command lets you see how access rights set in the Macintosh window translate to VINES access rights in the VINES window. You can also see how these rights translate by making the other window active.
In both the Macintosh window and the VINES window, the Saved From: field displays which window was active the last time access rights settings were saved.
This is important because access rights combinations map differently, depending on which access rights scheme you use.
Example Using the Preview Command
If you use the Macintosh window to grant only See Files access to a user, then choose the Preview command, no access rights (such as Read) appear in the VINES window.
Conversely, if you use the VINES window to grant only Read access to a user, then choose the Preview command, no access rights (such as See Files or See Folders) appear.
Setting New File Access Rights
Use the Set New File Access Rights command to set access rights for new files you create. This command is only useful when the VINES window is active.
Note: If you are working in the Macintosh window and choose the Set New File Access Rights command, the following dialog box appears. The boxes are dimmed because this window is "read only":
If you are working in the VINES window, the following dialog box appears when you choose the Set New File Access Rights command:
You assign new file access rights the same way you assign access rights. You can assign the user categories (Owner, Group, Everyone, and the Extended List) any of the access rights.
Note that any changes you make to the maximum rights are reflected in the maximum rights settings shown in both the Macintosh and VINES windows.
The access rights settings you choose for your folders and files depend on how you and your colleagues agree to use the file volumes on your network.
Remember that your system administrator sets access rights for the file volumes on your network, and might set access rights for certain public folders. Any folder that you create, however, is automatically a private folder - only you (or your system administrator) can set access rights so that others can share information.