Chapter 4 - Managing StreetTalk File Security
Overview of Managing StreetTalk for Windows NT File Security
This chapter explains how to manage security for your StreetTalk for Windows NT file services.
You can protect file services on your StreetTalk for Windows NT server from unauthorized use in two ways:
- Restrict access to the Windows NT Server Console
- Configure Banyan security attributes and access rights
Restricting Access to the Server Console
Unless you implement console security, any user who has access to the Windows NT Server that hosts your StreetTalk file services can delete or change the files and directories. The following section explains how to prevent unauthorized access to the Windows NT console.
A Windows NT administrator who has local or remote access to the Windows NT system that hosts your StreetTalk file system can delete or change the files and directories in a StreetTalk file service.
To prevent unauthorized access to directories used by Banyan clients, lock the Windows NT console and configure NTFS security to grant access to the StreetTalk File directory only to the appropriate Windows NT and StreetTalk administrators.
To Lock the Windows NT Console
1. From the Windows NT Server, press CTRL-ALT-DELETE. The Windows NT Security dialog box appears.
2. Select Lock Workstation. The console is locked.
Configuring Banyan Security for StreetTalk File Services
You can restrict access to a StreetTalk file service by specifying security settings on two levels:
- Object level - Specify attributes for files and directories. An attribute is a property of an object, and globally determines the access of all users to the object.
- User level - Specify user access rights. User access rights affect the access of designated users only. Different user access rights apply to different users.
A Banyan user has access to an object if these security settings - the attributes and access rights - allow it, regardless of the Windows NT sharing and NTFS permissions configured for that object.
The Banyan user access rights to an object in the file service appear to operate independently of the NTFS security in effect for the corresponding directory on the server. This is because the StreetTalk File software runs under the Windows NT SYSTEM account, and inherits all of the access rights associated with this account, including the right to full access to all directories on the server.
Specifying Security Attributes for Files and Directories
Each file or directory has a set of security attributes associated with it. These attributes define special properties for that object, which determine whether users can view the object, alter it, delete it, and so forth (Table 4-1). For example, to prevent all users from modifying a file, you can define a read-only attribute for that file. Use attributes in conjunction with the Access Rights Lists (ARLs) to manage directories and files and to control access to them. Refer to "Specifying User Access Rights for Files and Directories" later in this chapter for information about how to specify ARLs for users.
Directory attributes are a subset of the file attributes. Attributes such as Read Only, Hidden, and System allow broad access or prevent access to directories and files.
StreetTalk for Windows NT does not support the VINES No Delete, No Rename, Sharing, MultiUser, Copy Protect, and Execute Only attributes.
You set security attributes using StreetTalk Explorer, or the SETATTR program, as explained in "Modifying Attribute Settings" later in this chapter.
Attribute | Directory | File | Definition |
Read Only | No (1) | Yes | Users can open the file for reading only. |
Hidden | Yes (2) | Yes | This attribute is set through special programming and is primarily used by programmers. The file name does not appear when a user issues the DOS DIR command. |
System | No | Yes | Equivalent to the Hidden attribute. The file name does not appear when a user issues the DOS DIR command. Often assigned to operating system files. |
Archive | Yes | Yes | Automatically set to indicate that a file or directory has been modified since the last backup. Set this attribute to select files or directories to back up. |
Notes: Yes = Attribute applies. No = Attribute does not apply.
(1) Although you can set the Read Only attribute for a directory, the file service does not enforce this attribute on directories.
(2) Be careful when copying the Hidden attribute from a directory to all the subdirectories and files in the directory. You cannot easily undo this change. You must know the names of each subdirectory or file to turn off the Hidden attribute.
Windows NT Compressed Attribute
Windows NT supports a new Compressed file attribute that automatically compresses a file or directory on an NTFS partition when set. StreetTalk File does not support displaying of this attribute when it is set on a StreetTalk object. Although you cannot view the attribute with a Banyan management tool, it is set properly, and the file service correctly enables compression for the object.
Determining the Status of an Attribute
When a directory or file is first created, all file and directory attributes except Archive are turned OFF. An attribute that is not set is OFF. The property defined by an attribute is not in effect if the attribute is OFF. SETATTR displays a minus sign ( - ) to indicate that an attribute is not set.
Setting an attribute for a file or directory restricts access to that object according to the definition of the attribute. An attribute that is set is ON and SETATTR displays its status as a plus sign ( + ).
Understanding the Relationship Between Attributes and ARLs
The attributes you set for an object always take precedence over the ARLs set for that object. That is, regardless of the specific access privileges that a user has, if an attribute specifically denies an access privilege, the user cannot access the object in that manner. For example, setting the Read Only attribute for a file prevents all users from writing to that file, even users to whom the file ARL specifically grants Write access.
Note: Although SETATTR displays Macintosh attributes for StreetTalk file services, these attributes have no meaning, because these services do not support Macintosh clients.
You modify the attribute settings using StreetTalk Explorer or SETATTR. SETATTR lets you set attributes from the command prompt or from menus. The sections that follow explain how to run SETATTR.
Note: To modify attribute settings, you must have Search, Read, and Write access to the parent directory of the object you want to modify. Membership on the Admin list is not necessary. Refer to "Specifying User Access Rights for Files and Directories" later in this chapter for information on specifying user access rights.
Managing Attributes Using StreetTalk Explorer
Use StreetTalk Explorer to edit the attribute settings for objects in a file service. You can also copy attributes from one object to other objects. Refer to "To Copy Attributes Using StreetTalk Explorer" later in this chapter for information about copying attributes to other objects.
After you select a file service to manage, if your workstation does not already have a drive mapped to the service, StreetTalk Explorer automatically maps an available drive.
Note: You cannot use StreetTalk Explorer to modify attributes on a local disk.
To Edit Attributes Using StreetTalk Explorer
1. In StreetTalk Explorer, open the Directories property sheet for the file service. A file service icon, labeled with the letter of the currently mapped drive, appears in the left pane of the property sheet. The right pane displays files and directories that reside in the root directory.
2. Select the object to manage (double-click a folder to display its contents).
3. Right-click the object, and select Properties from the Context menu to display the access control property sheets.
4. Select the File Attributes tab. The File Attributes property sheet displays the attributes for the selected item.
5. Do one of the following for each attribute:
- Select a checkbox to set, or turn on, an attribute.
- Clear a checkbox to disable, or turn off, an attribute.
6. Do one of the following:
- Click OK. StreetTalk Explorer saves any changes and closes the access control property sheets.
- Click Apply. StreetTalk Explorer saves any changes. Proceed to another configuration task or click OK to finish.
To Copy Attributes Using StreetTalk Explorer
1. In StreetTalk Explorer, open the Directories property sheet for the file service. A file service icon, labeled with the letter of the currently mapped drive, appears in the left pane of the property sheet. The right pane displays files and directories that reside in the root directory.
2. Select the object with the attributes you want to copy, right-click, and select Copy, File Attributes from the Context menu.
3. Select the object to which you want to copy the attributes, right-click, and select one of the following from the Context menu:
- Paste, File Attributes - To copy the attributes to the active object.
- Paste Recursive, File Attributes - To copy the attributes to a directory and recursively to all objects it contains.
The attributes are copied immediately.
Note: Pasting attributes recursively to a directory may take some time if the target directory contains many subdirectories and files.
4. Click OK to finish.
Managing Attributes Using SETATTR from the Command Line
The command line version of SETATTR lets you:
- View the status of attributes
- Modify the status of attributes
Viewing Attributes from the Command Line
When viewing the status of attributes, you can request the status of multiple files or directories. SETATTR displays only the status of those attributes that are ON.
Modifying Attributes from the Command Line
When modifying attribute settings, you can specify multiple attributes and multiple files and directories. All of the settings you specify are applied to all specified files and directories. Any changes you make are stored in the composite set of attributes.
If you modify the Sharing attribute for a directory, the new setting applies to all new and existing files in the specified directory, but not to subdirectories and the files they contain.
Use the following syntax to run SETATTR from the command prompt:
SETATTR [+ or -attribute] [DOS pathname(s)] [/SHOW] [/HELP]
where [+ or -attribute] indicates the status you want to apply to the attribute. You can turn either ON (+) or OFF (-). Specify the attribute to modify using the two-character abbreviation shown in Table 4-2.
[DOS pathname(s)] specifies the complete DOS path name for the objects you want to view or modify. If you do not specify a DOS pathname, the command applies to the current directory. To specify more than one DOS pathname, enter both pathnames separated by a space.
[/SHOW] indicates that you want to display the attributes currently set for the specified files and directories. Abbreviate this switch as follows: /S, /SH, or /SHO.
[/HELP] displays the syntax information for the command. If you make a syntax error in entering the command, the program displays this help information. Abbreviate this switch as follows: /H.
Attribute | Abbreviation |
Read Only | RO |
Hidden | HI |
System | SY |
Archive | AR |
Example: Setting the Read Only Attribute
Enter the following at the DOS command line to set the Read Only attribute for the file JANUARY.RPT in the current directory:
SETATTR +RO JANUARY.RPT
SETATTR confirms the change by displaying the following message:
+RO E:\STATUS\JANUARY.RPT
Example: Turning Off the Read Only Attribute
To turn off the Read Only attribute for the two files FEBRUARY.RPT and MARCH.RPT, enter:
SETATTR -RO FEBRUARY.RPT MARCH.RPT
SETATTR confirms the change by displaying the following message:
E:\STATUS\FEBRUARY.RPT
E:\STATUS\MARCH.RPT
Example: Displaying Attributes Set for a File
To display the attributes that are ON for the file JANUARY.RPT, enter:
SETATTR JANUARY.RPT /S
SETATTR displays the attributes set for the file as follows:
+RO +AR E:\STATUS\FEBRUARY.RPT
Example: Using /HELP
To display the syntax for the SETATTR command, enter:
SETATTR /H
Managing Attributes Using the SETATTR Menu
From the SETATTR menu, you can manage attributes for one object at a time. You can:
- View the current status of the object's attributes
- Change the path to display the attributes of another directory or file
- Edit or modify the status of attributes for the object
- Copy attributes from the object to another object
Note: You cannot copy file attributes to a directory.
The SETATTR menu displays all attributes for the target object. The SETATTR menu displays attributes for only one directory or file at a time. Entering multiple pathnames on the command line lets you view attributes for several objects in succession. The attributes of the first object specified appear first. Press F10 to view the attributes of remaining objects.
To Display Attribute Status from the SETATTR Menu
1. From the command prompt, enter:
SETATTR pathname(s)
where pathname(s) is the complete DOS path name for each directory or file whose attributes you want to view, edit, or copy. If you enter the command from a workstation that supports long filenames, you can specify pathnames that include long filenames.
The Set Attributes menu appears and displays the attributes for the first object specified.
2. Press F10 to view attributes for the next object specified.
To View a New Object from the Set Attributes Menu
1. From the Set Attributes menu, select Change Path. You are prompted to enter the path to a new directory or file.
2. Do one of the following:
- Enter the relative pathname for an object on the current drive or the full pathname for an object on any drive. The Set Attributes menu displays the attributes for the specified object.
- Press F5. The Select Pathname screen appears. Use the left and right arrow keys to locate and select the desired object and press ENTER. The Set Attributes menu displays the attributes for the specified object.
To Modify Attributes Using the SETATTR Menu
1. From the Set Attributes menu, select EDIT attributes. The cursor moves to the lower part of the screen and an attribute becomes highlighted.
2. Use the arrow keys to move the cursor and select the attribute you want to modify.
3. Press ENTER. The status of the selected attribute changes.
4. Press F10 to save changes. The new status becomes effective immediately.
5. Select a new object, or press F10 to exit.
To Copy Attributes Using the SETATTR Menu
1. From the Set Attributes menu, select COPY attributes.
2. You are prompted to enter the path to the directories or files to which you want to copy the attributes for the current object.
3. Do one of the following:
- To copy the attributes to all the subdirectories and files in a directory, press F2.
- To copy the attributes to all the files in the current directory, enter the wildcard:
*.*
Wildcards may be used for groups of files also. For example, to copy the attribute to all .doc files, enter:
*.doc
- To select the destination name from a list, press F5. The Select Destination screen appears. Use the left and right arrow keys to locate and select the desired object and press ENTER.
Note: You can copy attributes of files to other files and directories. If you copy from a file to a directory, you receive a warning message if any of the file attributes that do not apply to the directory are ON.
Managing Attributes on a Local Disk
The following restrictions apply when modifying attributes for files on a local disk.
- You cannot simultaneously set attributes on local and network file services.
- For local files, you obtain information about the DOS attributes of the files only.
Specifying User Access Rights for Files and Directories
This section explains how to specify user access rights for a StreetTalk file service.
Banyan ARLs let you specify the level of access that users have to files and directories in a StreetTalk file service. You can set ARLs for files and directories created on Windows NTFS file systems, or on FAT (File Allocation Table) file systems.
Every file or directory has an Access Rights List (ARL). ARLs specify access privileges for a file or directory based on a user's StreetTalk identity. The ARL in effect for a directory determines the access rights inherited by new subdirectories and files created in that directory. If the file service supports file-level ARLs, you can set file and directory access rights independently of one another.
Note: StreetTalk File does not support NTFS user security. A Banyan user's access to a StreetTalk file service depends on the Banyan access rights specified, not on the NTFS privileges for those users. By default, StreetTalk File, running as a service under the Windows NT SYSTEM account, has access to all files and directories on the server.
Each ARL consists of a set of entries called identifiers. Each identifier in the ARL is associated with a:
- Name - A StreetTalk name or template specifying who can use a directory or file.
- Set of access rights - Descriptors specifying the type of access named users have to a directory or file. These rights are discussed in detail later in this chapter.
Specifying users to whom an ARL applies is discussed in the next section. Specifying the type of access privileges is discussed later in this chapter.
You must independently specify each of the access rights you want to associate with a given entry; access rights are not cumulative. For example, having Control access to a file does not automatically provide you with Write access. Write access must be assigned separately. Users with Control access can assign additional access rights.
When you first create a StreetTalk file service, the ARLs for any subdirectories are the same as those at the root directory. The ARLs specified at the root of a file service govern:
- User access to all subdirectories and files
- ARLs inherited by new subdirectories and files
Depending on the ARL option specified for the file service, you may be able to modify the ARLs for some files and directories without affecting the ARLs of others. Refer to "Setting the ARL Option" later in this chapter for information about setting the ARL option for a file service.
The previous sections explain how to specify attributes for files and directories. Setting attributes provides one means of restricting access to objects in a StreetTalk file service. Attribute settings are used with access rights settings to provide complete security management for your StreetTalk file service.
The level of access permitted to a user through an ARL does not override the level of access defined by an attribute. That is, regardless of the access rights a user has for an object, the user cannot perform operations that the attribute settings for that object do not permit. For example, a user who has Write permission to a file cannot write to that file if the Read Only attribute for the file is set. A member of the AdminList for the file service can, however, modify file attributes as necessary to allow the appropriate level of user access.
Setting File Service Access Rights
Specifying access rights for a StreetTalk file service involves setting both:
- The ARL option for the file service
- The Banyan Access Rights Lists (ARL) for files and directories
Together, these two settings determine the Banyan Access Rights in effect for a file service and its subdirectories and files.
The ARL option lets you set the number of ARLs that can exist within a file service. Select one of the following three ARL options:
Single ARL - Puts a single ARL in effect for the entire file service. Under this setting, the ARL you create for the root directory applies to all files and directories in the file service. This is the recommended setting for file services mapped to a CD-ROM or other removable disk.
Directory-Level - Allows a unique ARL for each directory within a file service. By default, a file service uses this setting, and all directories in the service inherit their ARLs from the root directory.
File-Level - Allows a unique ARL for each file and directory within a file service.
You can modify the ARL option at any time. You modify the ARL option using StreetTalk Explorer. Refer to "Modifying the Banyan Access Rights List (ARL) Option" in Chapter 3 for instructions on how to modify the ARL option.
Each identifier in an ARL specifies two types of information:
- The StreetTalk user or group of users to whom the ARL applies
- The access rights to associate with that user or group of users
You specify StreetTalk users in an ARL by entering a StreetTalk name or wildcard. You specify access rights by selecting from among five access rights for the directory and four access rights for new files. The following section discusses specifying the users or groups that an ARL applies to. Refer to "Specifying Type of Access Permitted" later in this chapter for an explanation of each Banyan access right.
To specify the users to whom an ARL applies, you associate a StreetTalk name or template with an ARL identifier. Specifying names for ARL identifiers lets you set different levels of access to an object for different users. You can specify names for identifiers on each of two list types:
- Primary List - Automatically created for the ARL of every object
- Extended List - Optional list for specifying additional names
Using Wildcards in the Name of an Identifier
When specifying a name for an ARL identifier, you can use a wildcard character (*) as a placeholder for the StreetTalk:
- Item (for example, *@group@organization)
- Item@Group (for example, *@*@organization)
You cannot use a wildcard character as a placeholder for part of an item, group, or organization name. For example, you cannot specify the name B*@group@organization.
You also cannot specify an item name and then use a wildcard as a placeholder for the StreetTalk group name. For example, you cannot specify the name item@*@organization.
Example: Using Wildcards to Specify Names for an ARL Identifier
Enter "*@Mkt@WCTUS" to add everyone in the Mkt group in the organization WCTUS to the list. You cannot enter "Bob*@Mkt@WCTUS" to add all people named Bob in the group Mkt on the list. In addition, you cannot enter Bob Harris@*@WCTUS.
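The wildcard rules above, expressed as a validator for proposed ARL names. This is an added example, not Banyan code; the function names are hypothetical, and two points are assumptions the text does not state: a wildcard organization is accepted only in the World name *@*@*, and names compare without regard to case.

```python
# Added example (not Banyan code): checks ARL identifier names against the
# wildcard rules described above. All function names are hypothetical.

def parse_arl_name(name):
    """Split 'item@group@organization' and enforce the wildcard rules.

    Returns (item, group, organization); raises ValueError with the reason.
    """
    parts = [p.strip() for p in name.split("@")]
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected item@group@organization")
    item, group, org = parts
    # A wildcard must replace a whole part, never a fragment such as 'Bob*'.
    for label, part in zip(("item", "group", "organization"), parts):
        if "*" in part and part != "*":
            raise ValueError("wildcard cannot replace part of the %s name" % label)
    # 'item@*@organization' is not allowed.
    if group == "*" and item != "*":
        raise ValueError("item name cannot be followed by a wildcard group")
    # Assumption: a wildcard organization is valid only in the World name.
    if org == "*" and (item, group) != ("*", "*"):
        raise ValueError("wildcard organization is only valid as *@*@*")
    return item, group, org


def name_matches(pattern, user):
    """True if a fully qualified StreetTalk user name falls under an ARL name."""
    want = parse_arl_name(pattern)
    have = parse_arl_name(user)
    if "*" in have:
        raise ValueError("user name must not contain wildcards")
    # Assumption: StreetTalk names compare without regard to case.
    return all(w == "*" or w.casefold() == h.casefold()
               for w, h in zip(want, have))


def check_names(names):
    """Map each proposed ARL name to None (accepted) or the rejection reason."""
    result = {}
    for candidate in names:
        try:
            parse_arl_name(candidate)
            result[candidate] = None
        except ValueError as exc:
            result[candidate] = str(exc)
    return result


# Names taken from the text above, plus the World entry *@*@*.
PROPOSED = ["*@Mkt@WCTUS", "*@*@WCTUS", "*@*@*",
            "Bob*@Mkt@WCTUS", "Bob Harris@*@WCTUS"]

if __name__ == "__main__":
    for name, reason in check_names(PROPOSED).items():
        status = "ok" if reason is None else "rejected: " + reason
        print("%-22s %s" % (name, status))
    print(name_matches("*@Mkt@WCTUS", "Bob Harris@Mkt@WCTUS"))
```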
An ARL can consist of a default value, or a value that you specify. The only true default ARL is that of a root directory of a file service. Subdirectories contained in a file service inherit ARLs according to the ARL option specified and the ARL of the parent directory.
The default name for the Owner identifier is the StreetTalk name of the user who created the file service. The StreetTalk Administrator who created the service, or any member of the AdminList of the group in which the service is created can change this Owner entry.
By default, the Owner of a file service has all access rights to files and directories in the service, and has the right to set access rights for the service.
The default name for the Group identifier is the StreetTalk name of the group to which the Owner belongs. By default, users who belong to this StreetTalk group have no access rights.
The World identifier applies to all users on the Banyan network. By default, users who are not specified by names for other identifiers on the Primary or Extended lists have no access rights to the service.
Modifying Default ARL Settings
Specifying names and rights for the ARL of a file or directory lets you customize the access privileges granted to users, selectively allowing users to access a file or directory at the level appropriate to their role in your organization.
For example, to prevent a user from modifying a file, you can define an ARL for that file or its parent directory that specifies that users in a certain group have search and read access only.
When creating user directories within a file service, provide users with sufficient access to the root directory to allow them to view subdirectories. Users need Search and Read access to the root to properly view its subdirectories.
Depending on the file security required, you can provide users with additional access by:
- Changing the name of the Owner identifier for each user's directory to the StreetTalk name of that user
- Adding names for identifiers to the Extended List for their directory ARL, and assigning them the appropriate access rights
You modify ARLs using StreetTalk Explorer or the SETARL program, as explained in "Managing ARLs" later in this chapter.
Every directory and file in a StreetTalk file service has an ARL Primary List. The Primary List ARL contains the following identifiers:
- Owner
- Group
- World
ARL Owner Identifier
The ARL for every file and directory has to have an Owner. The Owner may be an individual or a file service, but cannot be a group, organization, or list. An Owner can transfer ownership to another user. If you delete the name of the Owner for the ARL, you receive an error message when you attempt to save the ARL.
By default, the Owner identifier for an object contains one of the names shown in Table 4-3.
Type of Object | Default Name |
New File Service (root directory) | Creator of the service |
VINES Files Service | VINES Files@servername@servers |
New Subdirectory | User who creates the directory |
New File | Determined by ARL for New Files for the directory |
Owner Rights
By default, the Owner of the root directory of a file service has all access rights to all files and directories in the service. Any user with Control access to a file service or one of its files or directories can change the Owner entry and the Group name, and can add names to and delete names from the Extended List.
You have Control access for a file service if:
- The Owner identifier for the file service contains your StreetTalk name
- You are a member of the AdminList of the group in which the file service is created
- The Group identifier contains the StreetTalk name of your group, and Control access is selected for that identifier
- The Extended List includes an identifier with your StreetTalk name or the StreetTalk name of your group, and Control access is selected for that identifier
Note: In some cases, a user may be denied Control access even though such access is specified by an ARL entry. If a StreetTalk name is associated with multiple entries in the ARL, StreetTalk File provides the access rights of only one of those entries. For more information about how multiple ARL entries for a user affect access rights, refer to "Determining Access Rights for Users Listed in Multiple ARL Entries" later in this chapter.
The Owner of a file service may define the ARLs for new subdirectories and files in such a way that subsequent Owners do not have all rights to those objects. However, Control access allows an Owner to modify ARLs as needed to administer security.
You can specify a new Owner for any directory for which you have Control access. You specify the StreetTalk name for an individual user or a file service. After a file service has been created, the Owner of new subdirectories and files is determined by the inheritance rules specified by the ARL option in effect.
Note: A StreetTalk user who is listed as the Owner of a file service in effect owns the ARLs for that service. However, owning the ARLs in a file service is not the same as having the rights to configure that file service. To configure a StreetTalk file service (by editing its property sheets in StreetTalk Explorer), you must be a member of both of the following AdminLists:
- The AdminList for the group in which the file service is created
- The AdminList of the server on which the file service is located
Refer to "Modifying the Properties of a StreetTalk File Service" in Chapter 3 for more information about managing StreetTalk file services.
ARL Group Identifier
By default, the Group identifier of an ARL is a wildcard name specifying the StreetTalk group in which the file service is created.
Users listed on the AdminList of the file service, and any other users with Control access, can modify the name for the Group identifier. You can delete the StreetTalk name, and enter the name of another StreetTalk group. To specify access rights that will apply to all StreetTalk groups on the network, edit the rights for the World identifier, rather than the Group identifier.
Group Rights
By default, the group identifier permits no access to the file service, with one exception. For a VINES Files service, users in the default group are permitted Search and Read access to the directory, and Execute and Read access for New Files.
ARL World Identifier
The World identifier always contains the name *@*@* and represents the access rights permitted to all users who are not otherwise named in the ARL. Users who have Control access can change the access rights for this entry, but cannot modify the entry itself.
World Rights
By default, users whose access is governed by the World entry have no access rights to the root directory, with one exception. For a VINES Files service, users are permitted Search and Read access to the directory, and Execute and Read access for New Files.
In addition to the Primary List, each ARL can also have an Extended List. The ARL Extended List contains the following identifiers:
- Maximum - A mandatory identifier that represents the Maximum Rights mask, specifying the maximum rights allowed to any other identifier on the Extended List. You can edit the rights for this identifier, but not the name.
- Extended1 through Extended5 - Five optional identifiers for which you can specify both access rights and the name of a StreetTalk user, list, group, or template.
Use the Extended List to specify exceptions to the access rights specified by the Primary List. For example, if you want to provide Control and Delete privileges for a particular user, but do not want to provide these privileges to all users or users named in the Group entry, add the user to the Extended List.
By default, the Extended List is empty. If you have Control access, you can enter up to five verifiable StreetTalk user, group, or list names to the Extended List.
For best performance, avoid entering items that contain nested StreetTalk lists.
Maximum Rights Mask
The access rights that you can assign to identifiers on the Extended List are governed by a master list known as the Maximum Rights mask. The Maximum Rights mask specifies the set of access rights that you can provide to the identifiers in the Extended List. Users on the Extended List cannot possess access rights that the Maximum Rights mask does not allow.
For example, the users designated in the Extended List may each have been granted Write access to a file. If Write access is not specified in the Maximum Rights mask, then none of those users will have Write access.
Use the Maximum Rights mask to temporarily grant or deny access to the entire Extended List. For example, if you want to temporarily deny access to a file to users on the Extended list for that file, change the maximum rights to no access. Later, change the rights back so that the access granted to the users in the list is restored.
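As an added example (not Banyan code), the model below shows how the Read Only attribute and the Maximum Rights mask limit what an ARL entry grants on a file, reading attributes from a line in the SETATTR /S output format shown earlier. The ARL, the mask and the sample output line are constructed, the function names are hypothetical, and the identifier that applies to a given user is taken as an input rather than resolved.

```python
# Added example (not Banyan code): why a right granted in an ARL may not be
# usable. Models two rules from this chapter for a FILE object:
#   1. Attributes take precedence over ARLs (Read Only blocks Write).
#   2. Extended List identifiers are capped by the Maximum Rights mask.
import re

ATTRIBUTES = ("RO", "HI", "SY", "AR")      # abbreviations from Table 4-2
PRIMARY = ("Owner", "Group", "World")      # Primary List identifiers


def parse_show_line(line):
    """Parse one line of 'SETATTR path /S' output.

    Returns (set of attributes that are ON, path). SETATTR lists only the
    attributes that are ON, each as '+XX', followed by the path.
    """
    on = set()
    rest = line.strip()
    while True:
        m = re.match(r"\+([A-Za-z]{2})\s+", rest)
        if not m or m.group(1).upper() not in ATTRIBUTES:
            break
        on.add(m.group(1).upper())
        rest = rest[m.end():]
    return on, rest


def effective_file_rights(identifier, granted, max_mask, attrs_on):
    """Rights one ARL identifier can actually use on a file, with reasons.

    identifier: 'Owner', 'Group', 'World' or 'Extended1'..'Extended5'
    granted:    rights selected for that identifier, e.g. {'Read', 'Write'}
    max_mask:   rights selected for the Maximum identifier
    attrs_on:   attributes that are ON for the file
    """
    effective = set(granted)   # rights are not cumulative: nothing is implied
    reasons = []
    if identifier not in PRIMARY:
        blocked = effective - set(max_mask)
        if blocked:
            reasons.append("Maximum Rights mask withholds: "
                           + ", ".join(sorted(blocked)))
        effective &= set(max_mask)
    if "RO" in attrs_on and "Write" in granted:
        effective.discard("Write")
        reasons.append("Read Only attribute is ON: Write denied")
    return effective, reasons


def report(show_line, arl, max_mask):
    """Return (path, {identifier: (sorted usable rights, reasons)})."""
    attrs_on, path = parse_show_line(show_line)
    rows = {}
    for identifier, granted in arl.items():
        rights, reasons = effective_file_rights(
            identifier, granted, max_mask, attrs_on)
        rows[identifier] = (sorted(rights), reasons)
    return path, rows


# Constructed sample data.
SHOW_LINE = r"+RO +AR E:\STATUS\JANUARY.RPT"
ARL = {
    "Owner": {"Control", "Read", "Write"},
    "Group": {"Read"},
    "World": set(),
    "Extended1": {"Control"},          # Control alone does not include Write
    "Extended2": {"Read", "Write"},
}
MAX_MASK = {"Control", "Read"}

if __name__ == "__main__":
    path, rows = report(SHOW_LINE, ARL, MAX_MASK)
    print(path)
    for identifier, (rights, reasons) in rows.items():
        print("%-10s %-22s %s" % (identifier, ",".join(rights) or "(none)",
                                  "; ".join(reasons)))
    # Temporary deny for the whole Extended List: empty the mask.
    print(report(SHOW_LINE, ARL, set())[1]["Extended2"])
```

Calling report again with the original mask restores the Extended List rights, which is the temporary grant-and-deny use of the mask described above.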
Specifying Type of Access Permitted
You specify the type of access that users have to an object by selecting access rights for each ARL identifier. The access rights that apply to files are different from those that apply to directories, with the rights for files being a subset of those for directories. For directories, you select two sets of access rights, and for files, only one. For a directory, one set of rights governs access to the directory itself, and another governs access to new files created in the directory. New subdirectories created in a directory automatically inherit both of these ARLs. Refer to "Inheritance Rules" later in this chapter for more information about how new objects inherit access rights from their parent directory.
Directory ARL - Specifies the rights for the directory itself and the rights that new subdirectories created in the directory will inherit.
New Files ARL - Specifies the rights that each new file created in that directory will inherit.
To specify unique ARLs for a directory, the ARL option for the file service must be set to Directory-Level (the default setting). To specify unique ARLs for a file, the ARL option for the file service must be set to File-Level.
Type of Access | Abbreviation in SETARL | Description |
Control | C | Lets a user change access rights for the directory, and edit names of the Owner and Group identifiers. Control access cannot be taken away from the Owner. |
Search | S | Lets a user search for all files and directories contained in the directory. Also gives users access to the attributes of the directory and the files and subdirectories it contains. You must have Search access for a directory to open files in that directory. |
Read | R | Lets a user view the names of all files and directories contained in the directory. |
Write | W | Lets a user create and change the attributes, and create and rename files and subdirectories within this directory. A user who does not also have Search access can copy files to the directory, but not access those files. |
Delete | D | Lets a user delete subdirectories and files from the directory. |
To use Read, Write, or Delete access, the user must also have Search access to the directory.
Type of Access | Abbreviation in SETARL | Description |
Control | C | Lets a user change access rights for the file, and edit the names of the Owner and Group identifiers. Having Control access does not automatically grant the user any other access rights over the file. |
Execute | E | If the file is an executable program, allows users to run the program. |
Read | R | Lets a user open the file for reading only. Typically, assign Read access if you want to share information with other users but prevent them from modifying the files. |
Write | W | Lets a user write to the file. |
To use Read, Write, or Execute access, the user must also have Search access to the directory containing the file.
Determining Access Rights for Users Specified in Multiple ARL Identifiers
When a user attempts to access a directory or file, StreetTalk File checks the ARL of the directory or file and grants the user the level of access allowed by an applicable ARL identifier. If an applicable identifier is found, the user is given access according to the rights specified for that identifier. In some cases, more than one identifier in the ARL may match a user's StreetTalk name. For example, the name may be included in the Group entry on the Primary List and as part of a StreetTalk list named on the Extended List. When multiple ARL identifiers apply to a user, StreetTalk File grants the user the access rights for only one ARL entry.
The order of entries in the ARL becomes important when a user's name is in two different StreetTalk lists, in two different groups, or in a group and a list.
Note: Users who are members of the AdminList for the group in which a file service is created always have Control access in addition to the rights specified by the ARL entries.
StreetTalk File uses the following rules to determine which of multiple identifiers to apply to a user attempting to use the file service.
Rule 1: Explicitly Matching a StreetTalk Name to an ARL Identifier
To determine which of multiple identifiers in an ARL to use in assigning access rights, StreetTalk File first compares the user's StreetTalk name to the Owner identifier and Extended List identifiers, searching for an explicit match for the user's StreetTalk name.
If a match is found, then the user is permitted the rights specified for that identifier. If more than one identifier explicitly specifies this user, the rights for the first matching identifier apply.
Rule 2: Matching a StreetTalk Name to a Group or List Identifier
If no explicit match for the user's StreetTalk name exists in either the Owner or Extended List identifier, StreetTalk File next attempts to match the group portion of the user's StreetTalk name to the Group identifier in the Primary List or to a group or list identifier on the Extended List.
If a match is found, then the user is permitted the rights specified for that identifier. If more than one identifier matches the StreetTalk group for this user, the rights for the first matching identifier apply.
Rule 3: Matching a StreetTalk Name to an Organization Identifier
If no match for the user's StreetTalk group exists among the group identifiers in either the Primary or Extended lists, StreetTalk File next attempts to match the organization portion of the user's StreetTalk name to an identifier on the Extended List.
If a match is found, then the user is permitted the rights specified for that identifier. If more than one identifier matches the StreetTalk organization for this user, the rights for the first matching identifier apply.
Rule 4: Matching a StreetTalk Name to the World Identifier
If StreetTalk File finds no match after attempting to match a StreetTalk name to explicit identifiers, group identifiers, and organization identifiers, the user is granted the rights specified for the World identifier on the Primary List.
The rights specified for any identifier on the Extended List are restricted to those rights permitted by the Maximum Rights mask.
Note: The StreetTalk file service displays and uses access rights for the VINES file system view. Other file system views are not supported for StreetTalk File.
Search Criteria | Identifiers Searched |
1. Explicitly match a user's StreetTalk name | 1. Owner 2. Extended List |
2. Match a user's StreetTalk group (*@Group@Organization) | 1. Group identifier on the Primary List 2. Groups or StreetTalk lists in the Extended List |
3. Match for user's StreetTalk organization (*@*@Organization) | Organizations or StreetTalk lists in the Extended List |
4. All users (*@*@*) | World identifier on the Primary List |
Example: Assigning the Appropriate ARL from Multiple Identifiers
A user's StreetTalk name, SalesRep@Sales@Corporation, is included in more than one identifier for an ARL, and each of these identifiers specifies a different set of access rights.
On the Primary List, the StreetTalk name is not listed explicitly, but the Group identifier *@Sales@Corporation specifies the user's StreetTalk group. According to the Group identifier, the user possesses the following access rights:
- For Directories: Search, Read, Write
- For New Files: Execute and Read
The user's StreetTalk name is also included on the Extended List. This identifier explicitly lists the StreetTalk name, SalesRep@Sales@Corporation. According to this Extended List identifier, the user possesses the following access rights:
- For Directories: Control, Search, Read, Write, and Delete
- For New Files: Control, Execute, Read, and Write
To determine the access rights for SalesRep@Sales@Corporation, StreetTalk File applies Rule 1 in comparing this StreetTalk name against each of the identifiers in the Primary and Extended Lists. Because the user's exact StreetTalk name appears on the Extended List, and in no other identifier, the ARL for this identifier is used to assign access rights.
Note: The rights for identifiers on the Extended List depend on the Maximum Rights mask. You cannot give more rights to an entry than the Maximum Rights mask allows.
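The four matching rules and the Maximum Rights mask, applied to the SalesRep example above, can be modeled in Python. This is an added example, not Banyan code: the `Entry`, `ARL` and `resolve` names, the Owner name, the World rights, and the way StreetTalk list membership is mapped onto Rules 2 and 3 are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

ALL_DIR_RIGHTS = frozenset("CSRWD")  # Control, Search, Read, Write, Delete

@dataclass(frozen=True)
class Entry:
    name: str            # StreetTalk name, template, or StreetTalk list name
    rights: frozenset    # directory rights, using the SETARL abbreviations

@dataclass(frozen=True)
class ARL:
    owner: Entry
    group: Entry                          # template of the form *@Group@Organization
    world: Entry                          # always *@*@*
    extended: tuple = ()                  # ordered, at most five entries
    maximum: frozenset = ALL_DIR_RIGHTS   # Maximum Rights mask

def resolve(user, arl, lists=None, admin_list=()):
    """Return (controlling identifier, effective rights) for a three-part name."""
    lists = lists or {}
    _item, group, org = user.split("@")
    group_tpl, org_tpl = f"*@{group}@{org}", f"*@*@{org}"

    def first_extended(matches):
        # The first matching Extended List entry controls; the mask caps its rights.
        for e in arl.extended:
            if matches(e):
                return f"Extended: {e.name}", e.rights & arl.maximum
        return None

    def listed(e, *patterns):
        # Assumption: a StreetTalk list matches if any pattern is one of its members.
        return any(p in lists.get(e.name, ()) for p in patterns)

    hit = None
    # Rule 1: explicit match on the Owner, then on the Extended List.
    if arl.owner.name == user:
        hit = ("Owner", arl.owner.rights)
    hit = hit or first_extended(lambda e: e.name == user)
    # Rule 2: the user's group, Primary List Group first, then Extended groups/lists.
    if hit is None and arl.group.name == group_tpl:
        hit = ("Group", arl.group.rights)
    hit = hit or first_extended(
        lambda e: e.name == group_tpl or listed(e, user, group_tpl))
    # Rule 3: the user's organization, Extended List only.
    hit = hit or first_extended(lambda e: e.name == org_tpl or listed(e, org_tpl))
    # Rule 4: everyone else gets the World rights.
    ident, rights = hit or ("World", arl.world.rights)
    # AdminList members always have Control in addition to the ARL rights.
    if user in admin_list:
        rights = rights | {"C"}
    return ident, frozenset(rights)

# The page's example ARL. The Owner name and the World rights are constructed.
SAMPLE_ARL = ARL(
    owner=Entry("Admin@Sales@Corporation", ALL_DIR_RIGHTS),
    group=Entry("*@Sales@Corporation", frozenset("SRW")),
    world=Entry("*@*@*", frozenset()),
    extended=(Entry("SalesRep@Sales@Corporation", ALL_DIR_RIGHTS),),
)

if __name__ == "__main__":
    rep = "SalesRep@Sales@Corporation"
    cases = [("full mask", SAMPLE_ARL),
             ("mask without Write", replace(SAMPLE_ARL, maximum=frozenset("CSRD"))),
             ("mask set to no access", replace(SAMPLE_ARL, maximum=frozenset()))]
    for label, arl in cases:
        ident, rights = resolve(rep, arl)
        print(f"{label:22} {ident:40} {''.join(sorted(rights)) or '(none)'}")
```

In this model, setting the mask to no access leaves SalesRep governed by the Extended List entry with no rights at all, while other members of *@Sales@Corporation keep the Group rights.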
Inheritance rules are the rules by which StreetTalk File determines what protection new directories and files have when they are created. The inheritance rules for a StreetTalk file service are governed by both the ARL Option specified for the service and by the following rules:
- New subdirectories inherit both the directory and new file ARLs of the parent directory.
- New files inherit access rights according to the parent directory's new file ARL.
- When a new file or directory is created, the names and access rights in both the Primary and Extended Lists are copied to the ARL of the new file or directory.
- New files are protected by the new file ARL of the parent folder. Depending on how the ARL is set up, the new file ARL may differ from the ARL of the parent folder.
- New folders inherit the exact same ARL that has been assigned to the parent folder. The Owner and Group are the same, no matter who creates the new folder.
Note: File system views do not apply to StreetTalk file services. The Macintosh view of the SETARL menu is not supported for StreetTalk for Windows NT.
You can copy the ARLs of an object to other objects. You copy ARLs to:
- Make the ARLs for an object match those of another
- Give all files in a directory the same ARLs
When you copy an ARL, all information associated with the ARL is copied, including StreetTalk names or templates specified in the Primary List and Extended List.
Note: You cannot copy a file ARL to a directory ARL.
Before copying an ARL, verify that the ARLs in the source directory specify the appropriate entries and access rights.
You can copy the following ARLs:
From | To |
File ARL | File ARL |
Directory ARL | Directory ARL |
Directory ARL | File ARL (copies the New File ARL of the directory to the file) |
Preserving ARLs When Copying Files
When copying files from a StreetTalk or VINES file service to a destination on a StreetTalk file service, you can also copy the ARLs of the source file or directory. To preserve the ARLs of the source object, the ARL option of the destination file service must be configured to support the appropriate number of ARLs. For example, to preserve the ARLs of a directory, the ARL option of the destination file service must be set to Directory-Level or File-Level. The ARLs of the source directory are not preserved if the ARL option for the destination service only allows a single ARL.
Refer to "Preserving ARLs When Copying Files" in Chapter 3 for information about using VCOPY to copy ARLs.
Using Banyan Management Tools to View and Change ARLs
This section explains how to view and modify ARLs, and contains the following topics:
- Managing ARLs using StreetTalk Explorer
- Managing ARLs using SETARL
- Managing ARLs using the Banyan Client for Windows 95/98
Managing ARLs Using StreetTalk Explorer
StreetTalk Explorer is the primary tool for viewing and editing the ARLs of a StreetTalk file service. This section explains how to use StreetTalk Explorer to:
- View the ARL Primary List and Extended List
- Specify the name of an ARL identifier
- Edit access rights for an identifier
- Copy and paste ARLs from one object to another
- Test user access to an object
When you select a file service to manage, StreetTalk Explorer temporarily maps a drive to the selected file service if this drive mapping does not already exist. After you close all property sheets for the file service, the temporary drive mapping is deleted.
Viewing the ARL Primary List and Extended List
As discussed earlier, each ARL consists of a Primary List and an Extended List. In StreetTalk Explorer, you can view and manage entries on either list, but you cannot view both lists simultaneously. The following procedure explains how to select the type of list to view.
To Select the List Type
1. In StreetTalk Explorer, open the Directories property sheet for the file service. A file service icon, labeled with the letter of the currently mapped drive, appears in the left pane of the property sheet. The right pane displays files and directories that reside in the root directory.
2. Select the object to manage (double-click a folder to display its contents).
3. Right-click the object, and select Properties from the Context menu to display the Access Rights List property sheet.
4. Display the appropriate list by selecting one of the following radio buttons in the List type section:
- Primary list
- Extended list
5. Edit the ARL or click OK to finish.
Specifying Names for an ARL Identifier Using StreetTalk Explorer
As discussed earlier, the two list types, Primary List and Extended List, each contain several identifiers. On the Primary List, the identifiers Owner, Group, and World are each associated with a StreetTalk name or template. On the Extended List there are five editable identifiers for specifying StreetTalk items to add to the list. A sixth identifier on the Extended List, Maximum, lets you specify the maximum rights permitted to any user specified on that list.
If you are a member of the AdminList for the StreetTalk Group, or have Control access for the file service, you can edit the names associated with an identifier. On the Primary List, you can replace the default names of the Owner and Group identifiers. On the Extended List, you can add StreetTalk names or templates for any of the five editable identifiers. You cannot edit the name of the World identifier, which always has the value *@*@*, nor the name of the first identifier on the Extended List (Maximum), which is not a StreetTalk name.
To Add or Edit the Name of an Identifier
1. In StreetTalk Explorer, open the Directories property sheet for the file service. A file service icon, labeled with the letter of the currently mapped drive, appears in the left pane of the property sheet. The right pane displays files and directories that reside in the root directory.
2. Select the object to manage (double-click a folder to display its contents).
3. Right-click the object, and select Properties from the Context menu to display the Access Rights List property sheet.
4. In the List type section, select the radio button for the type of list you want to view.
5. Double-click an item in the Identifier column. The Browse StreetTalk Name dialog box appears and displays the StreetTalk name currently configured for the selected identifier.
6. Enter the full StreetTalk name of a user or list, or the StreetTalk template for a group, and click OK.
7. Do one of the following:
- Click OK. StreetTalk Explorer saves any changes and closes the Access Rights List property sheet.
- Click Apply. StreetTalk Explorer saves any changes. Proceed to another configuration task or click OK to finish.
Specifying the Access Rights for an ARL Identifier
After you have placed the appropriate names on the ARL Primary and Extended lists, use StreetTalk Explorer to specify the type of access permitted for each identifier. You can specify the following types of access:
For directories: Control, Search, Read, Write, and Delete
For files: Control, Execute, Read, and Write
For specific information about the rights associated with each of these access types, refer to "Specifying Type of Access Permitted" earlier in this chapter.
To Edit Access Rights for an Identifier
1. In StreetTalk Explorer, open the Directories property sheet for the file service. A file service icon, labeled with the letter of the currently mapped drive, appears in the left pane of the property sheet. The right pane displays files and directories that reside in the root directory.
2. Select the object to manage (double-click a folder to display its contents).
3. Right-click the object, and select Properties from the Context menu to display the Access Rights List property sheet.
4. In the List type section, select the radio button for the type of list you want to view.
5. Select the identifier for which you want to specify access rights. The current rights for that identifier appear. For directories, two sets of rights display: New file and Directory. For files, only File rights display.
Copying ARLs Using StreetTalk Explorer
From the Directories property sheet for a file service, you can copy the ARLs of an object to other objects within the same file service. You cannot copy ARLs from an object in one file service to an object in another file service.
To Copy and Paste ARLs Using StreetTalk Explorer
1. In StreetTalk Explorer, open the Directories property sheet for the file service. A file service icon, labeled with the letter of the currently mapped drive, appears in the left pane of the property sheet. The right pane displays files and directories that reside in the root directory.
2. Select the object with the ARLs you want to copy, right-click, and select Copy, ARL from the Context menu.
3. Select the object to which you want to copy the ARL, right-click, and select one of the following from the Context menu:
- Paste, ARL - To copy the ARL to the active object.
- Paste Recursive, ARL - To copy the ARL to a directory and recursively to all objects it contains.
Note: You cannot copy a file ARL to a directory ARL.
The ARLs are copied immediately. Pasting an ARL recursively to a directory may take some time if the target directory contains many subdirectories and files.
4. Click OK to finish.
Setting a Consistent File ARL Using StreetTalk Explorer
The ARL settings on files in deeply nested directories can become complex, and you may be tempted to reset them to simplify them and ensure greater consistency. You cannot reset these ARLs by changing the ARL option to Single, and then back to File-Level. To reset the ARLs on all files in a file service, set the ARL option to File-Level, and copy the desired ARL recursively to the root directory.
Testing a User's Access to a File or Directory Using StreetTalk Explorer
Use StreetTalk Explorer to test a user's access to an object. Testing access assists you in troubleshooting access problems.
When you test a user's access, StreetTalk Explorer displays all ARL identifiers that apply to the tested user, and the access rights permitted to the user by the controlling identifier.
Note: StreetTalk Explorer indicates Control access for an object only if such access is specifically permitted by the controlling identifier. Members of the AdminList always retain Control access, even if the access test does not indicate that the user has this right.
For more information about how StreetTalk File determines access to an object for users to whom multiple identifiers apply, refer to "Determining Access Rights for Users Specified in Multiple ARL Identifiers" earlier in this chapter.
To Test a User's Access Using StreetTalk Explorer
1. In StreetTalk Explorer, open the Directories property sheet for the file service. A file service icon, labeled with the letter of the currently mapped drive, appears in the left pane of the property sheet. The right pane displays files and directories that reside in the root directory.
2. Select the object to manage. (Double-click a folder to display its contents.)
3. Right-click the object, and select Properties from the Context menu to display the access control property sheets.
4. Select the Test User Access property sheet.
5. Enter the StreetTalk name or nickname of the user to test, or click Browse to select a user from the StreetTalk database.
6. Click Test. The Status window displays the ARL identifier that governs the user's access. The access rights specified for the applicable identifier appear below the Status window.
SETARL is a command-line program for managing the ARLs of a StreetTalk file service. This section explains how to perform the following tasks using SETARL:
- Modify the name of an ARL identifier
- Modify access privileges for an ARL identifier
- View ARLs for other directories and files
- Copy ARLs from one object to another
- Test user access to an object
New subdirectories created in the root directory of a file service inherit the ARL for the directory and the ARL for new files. New files inherit the rights granted in the ARL for new files.
Preparing to Use SETARL
When viewing or modifying an ARL, do the following:
- Verify that the ARL displayed is the one you want. Check the Volume and Path fields for the name of the file service and the correct name of the file or directory.
- Verify that the Current View field on the left side of the screen indicates that you are viewing the VINES view. StreetTalk File does not support the Macintosh view.
Table 4-7 lists the editing keys available in SETARL for modifying ARLs.
Key | Function |
F2 | Allows you to choose StreetTalk names from a list when modifying an entry. You can select one name at a time. |
F4 | Previews the effects of edits on another file system view of the access rights. File system views do not apply to StreetTalk File. |
F6 | Moves an entry in the Extended List down one line. |
F8 | Tests the ARL you are editing against a StreetTalk name. Only the view you are editing is tested. To test against all views, exit Edit mode and select the Test Access command. |
F10 | Saves edits and exits to the Set Access Rights menu. |
TAB | Moves cursor from left to right among the three columns (the list of names and the two columns of access rights). |
ENTER | Moves the cursor from the end of one line to the beginning of the next (within the column, list of names or set of access rights). |
SPACE | Moves the cursor from one access right to the next, without changing the setting. |
Arrow keys | Move the cursor up or down one line, or left or right one space. Within the access rights columns, move the cursor from one access right to the next without changing the setting. |
ESC | Exits the Edit screen without saving changes. |
To Modify the Name of an ARL Identifier
1. At the command prompt, enter:
SETARL pathname
where pathname is the complete DOS pathname of the directory or file for which you want to manage the ARL. If you omit the pathname, the path defaults to the current directory.
The Set Access Rights menu appears.
2. Select EDIT. The Edit ARL screen appears and the cursor moves to the Owner entry.
3. Use the arrow keys to position the cursor at the entry to edit, and do the following:
- To edit the StreetTalk name of the Owner entry, enter a three-part StreetTalk name, or press F2 to select a user name. Press F10 to insert the name of the selected user.
- To edit the StreetTalk name of the Group entry, enter a StreetTalk name in the format *@Group@Organization, or enter anygroup to allow the same level of access to all groups on the network.
- To edit an entry on the Extended List, press PAGEDOWN to view the Extended List, and enter a three-part StreetTalk name, or press F2 to select a user name. For more information about how to use the Extended List, refer to "The ARL Extended List" earlier in this chapter.
4. Do one of the following:
- Press F10 to save changes to the entries and exit to the Set Access Rights menu.
or
- Continue your editing by modifying access rights as described in "To Modify the Access Rights for an Identifier," which follows.
To Modify the Access Rights for an Identifier
1. From the Edit ARL screen, position the cursor at the appropriate entry, and press TAB to move the cursor to the first access right field.
2. To set the access rights for that entry, do the following:
- To grant an access right, type a plus sign (+).
- To deny an access right, type a minus sign (-).
After you type a plus or minus sign, the cursor automatically moves to the field for the next access right.
3. Press F10 to save your changes.
To Copy an ARL to Another Destination Using SETARL
1. At the command prompt, enter:
SETARL pathname
where pathname is the complete DOS pathname of the directory or file from which you want to copy an ARL. If you omit the pathname, the path defaults to the current directory.
The Set Access Rights menu appears.
2. Select Copy ARL to Target. You are prompted to enter the directory or file to which you want to copy the current ARL.
3. Do one of the following:
- Enter a path name to another directory or file. Go to step 5.
or
- Press F5 to select a path name from a directory listing. The Select Destination screen appears. Continue with step 4.
4. Do one of the following:
- Use the arrow keys to highlight the directory or file to which you want to copy the ARL, and press ENTER to select it. You can select more than one destination directory or file. An asterisk appears next to the path name. Pressing ENTER a second time deselects a destination directory or file.
- Press F2 to select all subdirectories and files in a directory.
Note: If you are copying ARLs from a file, directory names do not appear among the list of destinations to which you can copy the ARL. You cannot copy file ARLs to a directory.
5. Press F10 to begin copying the ARLs. Each of the selected files and directories is displayed as the ARL is copied. After the ARLs have been copied, the Set Access Rights menu appears and displays the number of ARLs copied.
To Change the ARL of all Files in a Directory
1. Edit the New File ARL of the directory.
2. Copy it to all files in the directory.
Copying ARLs from Other Sources With SETARL
If you know that the ARL of another directory or file is appropriate for the current directory or file, you can use SETARL to copy the ARL of that directory to the current directory.
To Copy the ARL of Another Directory or File Using SETARL
1. At the command prompt, enter:
SETARL pathname
where pathname is the complete DOS path name of the directory or file from which you want to copy an ARL. If you omit the pathname, the path defaults to the current directory.
The Set Access Rights menu appears.
2. Select Copy ARL from source. You are prompted to enter the directory or file from which you want to copy the ARL.
3. Do one of the following:
- Enter a path name to another directory or file. Go to step 5.
or
- Press F5 to select a path name from a directory listing. The Select Destination screen appears. Continue with step 4.
4. Use the arrow keys to highlight the directory or file from which you want to copy the ARL, and press ENTER to select it.
5. The ARL is copied to the current file or directory. The Set Access Rights menu appears and reports that the ARL was copied.
Note: If you are copying ARLs to a directory, file names do not appear as sources from which you can copy ARLs. You cannot copy file ARLs to a directory.
Changing the Current Path to View a Different ARL
While viewing the ARLs for a file or directory, you can change the path to view the ARLs for a different object.
To View the ARLs of a Different File or Directory
1. From the Set Access Rights menu, select Change Path. You are prompted to enter the path to another file or directory.
2. Do one of the following:
- Enter a pathname. Go to step 4.
or
- Press F5 to select a file or directory from a directory listing. The Select Path screen appears. Continue with step 3.
3. Use the arrow keys to highlight the directory or file to which you want to copy the ARL, and press ENTER.
4. The Set Access Rights menu appears, displaying the ARL of the directory or file you selected.
Testing a User's Access to a File or Directory Using SETARL
Use SETARL to test a user's access to an object. Testing access assists you in troubleshooting access problems.
When you test a user's access, SETARL displays the ARL identifier (Applicable entry) that controls access, and access rights permitted to the user by the controlling identifier.
Note: SETARL indicates Control access for an object only if such access is specifically permitted by the controlling identifier. Members of the AdminList always retain Control access, even if the access test does not indicate that the user has this right.
For more information about how StreetTalk File determines access to an object for users to whom multiple identifiers apply, refer to "Determining Access Rights for Users Specified in Multiple ARL Identifiers" earlier in this chapter.
To Test a User's Access Rights Using SETARL
1. From the Set Access Rights menu, select Test Access. The Test Access menu appears.
2. Do one of the following:
- Enter the StreetTalk name of the user to test. If you enter an invalid StreetTalk name, you are prompted to try again.
or
- Press F2 to select a name from a list. Press F10 to test rights for the selected user.
The access rights permitted to the specified user appear, along with the applicable ARL entry that determines those access rights.
Note: The Access Rights Lists for Macintosh and UNIX rights do not apply to StreetTalk File.
3. If you are testing the ARL of a directory, press F4 to toggle between the ARL of the directory and the ARL for new files in the directory.
4. Press ESC to exit the Test Access menu.
To Test a User's Access from the Edit ARL Screen
1. From the Edit ARL screen, press F8.
2. When prompted, enter a StreetTalk name, or press F2 to select a name. Press F10 to test rights for the selected user.
The access rights permitted to the specified user appear, along with the applicable ARL entry that determines those access rights.
3. Press ESC to clear the test results from the screen, or continue editing with the results displayed. The test results change as you edit the applicable entry of the user tested.
Managing ARLs Using the Banyan Client for Windows
You can perform a limited range of ARL management tasks using the Windows Explorer on a Banyan Client for Windows 95/98. For any object on a Banyan file service, you can edit identifier names and access rights. In addition, for directory ARLs, you can recursively copy the ARL to all directories and files beneath the directory.
To Edit ARLs from the Windows 95/98 Explorer
1. Double-click the Network Neighborhood or My Computer icon, and locate the file or directory for which you want to set access rights.
2. Right-click the file or directory, and select Properties from the Context menu. The property sheets for the item appear and display the following tabs:
- Primary ARL
- Extended ARL
- Primary ARL New Files
- Extended ARL New Files
3. Click the tab for the type of ARL you want to set.
4. Edit the entries and access rights for the ARLs, as follows:
- Enter a StreetTalk name for the Owner, Group, or Extended List entry.
- Select the appropriate checkbox to provide access rights for the entry.
5. Do one of the following:
- Click Apply to save changes and continue editing ARLs.
- Click OK to finish and save changes.
Optimizing Access Rights Lists
The design of your ARLs can affect your network performance. This is because the file service verifies the object names on an ARL directly with StreetTalk. This means that for every StreetTalk name on the ARL, the file service issues a separate request to the StreetTalk service that maintains the group where the name belongs. One example of a potential problem occurs if a StreetTalk service maintaining a given user or list name on an ARL happens to be located across a WAN from the file service. Then, every time the file service scans the ARL and comes across that user or list name, the file service must call a StreetTalk service across the wide area link - a very slow process! Furthermore, even if the WAN link becomes unavailable, the file service continues its attempts to contact the StreetTalk service until a timeout occurs.
Example: Placing List Names on Extended Lists
The access rights list for the file service FS-Data@Mkt-Bos@WCTUS has an Extended List that contains the following two individual user names, and one list name:
- Lisa Perkins@Mkt-Bos@WCTUS
- Phil Lakey@Mkt-Bos@WCTUS
- SalesList@Mkt-Bos@WCTUS
All the members of SalesList@Mkt-BOS@WCTUS belong to the group Mkt-Bos@WCTUS with the exception of Jeri Feingold@Mkt-Chi@WCTUS.
If the user Phil Lakey accesses a directory with this ARL, the file service first looks up Lisa and then Phil, based on the order of the entries in the ARL. Since both Lisa and Phil are "local" to the server, the requests to the StreetTalk service to verify their names do not take much time. Phil will not experience a performance problem.
On the other hand, when Candice Moakley@Mkt-Bos@WCTUS attempts to access the same directory, she experiences delays in access. Candice is a member of the SalesList, and she is a local user, so the look-up process should go quickly. However, Candice's user name appears on the list after that of Jeri Feingold in Chicago. The file service now must:
1. Look up Lisa
2. Look up Phil
3. Look up the SalesList
4. Look up Jeri in Chicago across a wide-area link
5. Look up Candice.
In this scenario, Candice consistently experiences delays in performance, even though she is located in the Boston office.
Problems can even arise if there are simply too many user or list names on the ARL from different servers, or if there are nested lists in the extended list of the ARL.
Preventing ARL Performance Problems
In order to prevent problems, try to follow these suggestions whenever possible:
- Keep ARLs as simple as possible.
- Try to limit lists on ARLs. If you do use lists, make sure the lists do not contain other lists, or users on remote systems.
- On the extended list, try to use individual user names on the same server as the file service. If you must refer to users on other servers, try to make sure those users are accessible via LANs and not WANs where possible.
- Wherever possible, use wildcard patterns instead of lists to refer to multiple users. Wildcard patterns on ARLs do not generate the network overhead that StreetTalk lists and users do. This is because the file service does not need to perform StreetTalk lookup services on wildcard patterns.
- If you have users on remote networks who need to access the file service, create entries for those users that invoke wildcards. For example, if Mack Forchett@Sales-Tor@WCTCA must access a Chicago-based file service, enter his name in a list in the extended list as *Mack Forchett@Sales-Tor@WCTCA.
It is not possible to place a partial template as a specific entry in the Extended List. Instead, create a StreetTalk list as an entry in the extended list. In this StreetTalk list, place the partial templates for the individual users who need to access the file service.
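The SalesList scenario and the wildcard suggestion above can be checked with a small model of the scan order. This is an added example, not StreetTalk code: the `LOCAL_GROUPS` set, the member order inside SalesList, and the use of `fnmatch` for pattern matching are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Simplified model of the ARL scan described above; not StreetTalk code.
# LOCAL_GROUPS and the member order inside SalesList are constructed from
# the page's scenario (the page only says Candice follows Jeri).
LOCAL_GROUPS = {"Mkt-Bos@WCTUS"}  # groups whose StreetTalk service is on the LAN

EXTENDED_LIST = [
    "Lisa Perkins@Mkt-Bos@WCTUS",
    "Phil Lakey@Mkt-Bos@WCTUS",
    "SalesList@Mkt-Bos@WCTUS",
]
LISTS = {
    "SalesList@Mkt-Bos@WCTUS": [
        "Jeri Feingold@Mkt-Chi@WCTUS",
        "Candice Moakley@Mkt-Bos@WCTUS",
    ],
}

def scan(entries, user, lists, trace=None):
    """Walk entries in order; return (matched, trace of (name, link) lookups)."""
    trace = [] if trace is None else trace
    for entry in entries:
        if "*" in entry:  # wildcard pattern: compared locally, no lookup issued
            if fnmatchcase(user, entry):
                return True, trace
            continue
        group = entry.split("@", 1)[1]
        trace.append((entry, "LAN" if group in LOCAL_GROUPS else "WAN"))
        if entry == user:
            return True, trace
        if entry in lists and scan(lists[entry], user, lists, trace)[0]:
            return True, trace
    return False, trace

def wan_lookups(entries, user, lists):
    """Names that force a wide-area lookup before the scan for `user` ends."""
    return [name for name, link in scan(entries, user, lists)[1] if link == "WAN"]

def with_wildcards(lists):
    """Rewrite remote list members as patterns (page's *Mack Forchett form)."""
    return {
        name: [m if m.split("@", 1)[1] in LOCAL_GROUPS else "*" + m for m in members]
        for name, members in lists.items()
    }
```

Running `wan_lookups` for each user who must reach a file service shows which ARL entries put a WAN request in front of a local user, before and after applying `with_wildcards`.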
Location of ARL Data on the Windows NT Server
StreetTalk File uses two files to store the ARL information for Windows NT files and directories contained in StreetTalk file services. This information is stored separately from the files and directories themselves, and is directly linked to a Windows NT file or directory, not to the name of any StreetTalk file service.
If you install the StreetTalk File software in the default location, ARL information is stored in the following two files:
C:\Program Files\Banyan\File\Data\Arls
C:\Program Files\Banyan\File\Data\Files.idx
Because of the direct association between a Windows NT object and the Banyan ARL, each object can have only one ARL. In other words, if you include a Windows NT directory as part of multiple StreetTalk file services, you cannot specify one set of access rights for the directory in File Service A and another set for File Service B. The ARLs are the same for both file services. Changing the ARL for the directory in one file service would also change it for any others. It is recommended that you include a Windows NT directory in only one StreetTalk file service.
ARL information for a Windows NT object is not deleted when deleting a file service or share point that included that object. If you later include the object as part of a new StreetTalk file service, the object retains the ARL that was specified in the deleted service.
Every 24 hours, at 12:20 a.m., StreetTalk File checks the accuracy of the objects and Windows NT paths in the ARL database (FILES.IDX). During ARL cleanup, each record in the ARL database is checked to verify that the object referred to exists. StreetTalk File deletes the record and ARL entries for objects that no longer exist, or for which the path is no longer valid.
You cannot configure this process to occur at another time.
StreetTalk File includes a utility, DumpARL, that reports the ARLs associated with all StreetTalk file services on the Windows NT Server. By running DumpARL you obtain the information you need to verify the ARL settings for a file service. After creating or modifying file services, it is recommended that you generate a list of the current ARL settings. Use DumpARL to assist you in verifying and restoring ARLs.
DumpARL uses the following syntax:
DumpARL [PATH] [>filename] [ | MORE]
To Generate an ARL Report
1. From the DOS prompt of the Windows NT Server, make the StreetTalk File directory the active directory.
For example, enter:
cd c:\Program Files\Banyan\File
2. Run DumpARL and redirect the output to a file. For example, enter:
DumpARL > c:\ARL2.txt
3. Reset the ARLs as necessary.
Example: Running DumpARL for Two StreetTalk File Services
You must run DumpARL from the directory containing your StreetTalk File software.
c:\stfile> dumparl
ARL Dump
--------------------------------------------------------------
Path Offset
c:\DIRECTORY1 #1
c:\DIRECTORY2 #2
---------------------------------------------------------------
Off : #1
Cnt : 1
Owner: User1@Group@Organization CSRWD
CERW
Group: *@Group@Organization -SR-- -ER-
World: *@*@* -SR-- -ER-
Ext : AdminList@Group@Organization CSRWD
CERW
-------------------------------------------------------
Off : #2
Cnt : 1
Owner: User1@Group@Organization CSRWD
CERW
Group: *@Group@Organization -SR-- -ERW
World: *@*@* -SR-- -ER-
Ext : AdminList@Group@Organization CSRWD
CERW
---------------------------------------------------------------
Reading the DumpARL Report
The report that DumpARL generates provides the following information:
Path - Path names for Windows NT directories being used as StreetTalk file services.
Offset - A number indicating a unique ARL. For example, if the directory ARLs for two file services are identical, but the ARLs for new files in the second file service provide the Group with Write access, the two file services will have different offset numbers. The number of offsets indicates how many different ARLs exist for all configured file services (Table 4-8).
Cnt - Number of directories with a given offset.
Owner - StreetTalk name of the user with ownership rights for file services with the given offset.
Group - StreetTalk group for which additional access rights for file services with the given offset have been set.
World - World (*@*@*) rights for file services with the given offset.
Ext - Extended List rights for file services with the given offset.
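To verify ARL settings from a saved report, the fields listed above can be parsed and two offsets compared. The following is an added example, not part of StreetTalk File: it assumes the report layout exactly as printed on this page, including rights columns that wrap onto their own line, and the function names are hypothetical.

```python
import re

# DumpARL report copied from this page's example; separators shortened, last one dropped.
REPORT = r"""ARL Dump
--------
Path Offset
c:\DIRECTORY1 #1
c:\DIRECTORY2 #2
--------
Off : #1
Cnt : 1
Owner: User1@Group@Organization CSRWD
CERW
Group: *@Group@Organization -SR-- -ER-
World: *@*@* -SR-- -ER-
Ext : AdminList@Group@Organization CSRWD
CERW
--------
Off : #2
Cnt : 1
Owner: User1@Group@Organization CSRWD
CERW
Group: *@Group@Organization -SR-- -ERW
World: *@*@* -SR-- -ER-
Ext : AdminList@Group@Organization CSRWD
CERW
"""
MASK = re.compile(r"[CSERWD-]{4,5}$")  # one rights column, e.g. CSRWD or -ER-
FIELD = re.compile(r"(Off|Owner|Group|World|Ext)\s*:\s*(.+?)((?:\s+[CSERWD-]{4,5})*)$")

def parse_dumparl(text):
    """Return ({path: offset}, {offset: {label: [{'name', 'rights'}, ...]}})."""
    paths, arls, cur, last = {}, {}, None, None
    for line in map(str.strip, text.splitlines()):
        m, words = FIELD.match(line), line.split()
        if m and m.group(1) == "Off":
            cur, last = arls.setdefault(m.group(2), {}), None
        elif m and cur is not None:
            last = {"name": m.group(2), "rights": m.group(3).split()}
            cur.setdefault(m.group(1), []).append(last)
        elif last is not None and words and all(map(MASK.match, words)):
            last["rights"] += words  # rights column wrapped onto its own line
        elif cur is None and re.match(r".+\s#\d+$", line):
            paths[" ".join(words[:-1])] = words[-1]
    return paths, arls

def differing_labels(arls, a, b):
    """Labels whose entries differ between offsets a and b."""
    return sorted(k for k in arls[a].keys() | arls[b].keys() if arls[a].get(k) != arls[b].get(k))
```

For the report on this page, comparing offsets #1 and #2 isolates the Group entry, whose second rights column is `-ER-` in one ARL and `-ERW` in the other.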
File Service 1 C:\directory1
File Service 2 C:\directory2