LAN Manager provides two ready-made user accounts on each server:
• Guest is a generic account for guests.
• Admin is a generic account for administrators.
Managing User-Level
8
Security
8-5
You should assign passwords for each of these accounts when you install a user-level server. You can later delete these accounts if you want, or change their names. If you change the name of the guest account, you must also change the guestacct= entry in the LANMAN.INI file.
Groups
For ease in dealing with large numbers of users, you can define groups of users and assign them groupnames. Then, when you need to make a change that affects the users in a group, you avoid having to exhaustively list all of the group's members by user name.
A group cannot contain other group names. For example, jackst and jennyt can be members of the group modem-users, but modem-users cannot in turn be a member of another group.
NOTE: Beware the similarity of the tenns group and LAN group. A group is a collection of usernames, whereas a LAN group is a collection of computernames.
When LAN Manager displays a groupname, it prints an asterisk at the beginning of the name. This asterisk is not part of the name; it simply indicates that this is a groupname rather than a username. For example, when you type NET GROUP at the OS/2 prompt, LAN Manager shows you all the groups on the server:
User Groups for \\MIS
*USERS *MODEM-USERS *WORD-USERS
includes every user who has an account on the server except users who have guest privilege. See the next section for a discussion of the guest privilege.
You cannot delete or change the automatic membership of the users group.
A user can be a member of any number of groups.
Privileges
Every user's account has an assigned privilege level. The privilege level determines what kinds of actions that user can take on this server.
The three privilege levels are listed in Table 8-1.
T bl 8
a
e -1.u
ser A ccount nVlege L eves Privilege Level Pu~User Can Eenonn alllocal area network tasks except those specifically reserved for administrators. The user privilege level is the one you will assign to most users.
Guest Same as user privile~e, exc~at users are not members of the users group. ThlS lets a °nistrators control a guest's use of the local area network.
Admin Can create accounts, assign permissions for resources, manage device queues, and grant privileges to other users.
Any user to whom you grant this privilege level should have the same qualifications and knowledge as the administrator, since that person will have full access to every part of this server. The admin privilege overrides all other pennissions and privileges, so assign it with discretion.
Privilege is an attribute of user accounts, rather than of specific resources. The next section explains resource permissions.
Managing User-Level
8
Security
8-7
Permissions
You can define who can and cannot use each resource on a user-level-security server, and what each user can do with each resource. This is known as defining user permissions for that resource. You can assign a different set of pennissions to each user of a resource.
Setting Access Permissions
The most basic permission you can give a user is permission to access a resource.
You do this by dividing users into two categories: those who can access the
resource and those who cannot. Groups are very useful here, especially the default group users which includes all user accounts except those with guest privilege. If you do not give access permission to a user, either individually or as part of a group, that user cannot access the resource.
As a special case, you can give users the ability to set their own permissions on selected resources. For example, you might set up a home directory for a user on your server, then give the user the ability to set permissions on anything within that directory. The user can then control who else can read, write, or modify files in that directory. See the discussion of the P permission in the "Disk Resource Permission" section later in this chapter.
How LAN Manager Determines Access
LAN Manager evaluates a request for access to a resource in this order:
1. Does the user have admin privilege? If so, grant the request. The admin privilege overrides all permissions.
2. Does this user have specific permissions for this resource? If so, use those permissions to determine access. User permissions override group
permissions.
access. For example, if the user belongs to two groups, one with read permission and one with write permission, the user has both read and write permission.
4. If the user fails all of these tests, deny access to the resource.
Setting Other Permissions
After you define who can use a resource, you must decide how each user can use the resource. There are different types of permissions for different types of resources.
The following sections describe the permissions for each type of resource as shown in Table 8-2 in detail:
Table 8-2. Resource Permissions
Resource Type Permission
Communication Device Queue y Yes (RWC)
N No
IPC y Yes (RWC)
N No
Managing User-Level Security
Disk Resource Permissions
8
8-9
A disk resource is a disk drive, a directory, or a file. The pennissions for a disk resource are as follows:
• Create (C) pennission allows a user to create flies and directories within the shared disk resource. The C permission does not grant read or write access to existing flies. After creating a flie, a user can read or write to that file only until closing it.
• Delete (D) pennission allows a user to delete flies and directories within the disk resource (but not to delete the disk resource itself).
• Read (R) pennission allows a user to read or open flies and to change directories.
• Write (W) pennission allows a user to write to a file.
• Execute (X) pennission allows a user to open a file for execution.
NOTE: If you assign R permission, you do not need to assign X permission. If you assign X permission without R pennission, LAN Manager netstations can execute the flie but not read it, while DOS netstations cannot read or execute the file.
• Change Attributes (A) pennission allows a user to change physical file attributes. OS/2 provides four physical flie attributes:
• R (Read only).
• H (Hidden).
• S (System).
• A (Change Attributes).
also the OS/2 R attribute, the user cannot write to the file.
• Change Permissions (P) permission allows a user to change the LAN Manager pennissions for the resource. See the "Changing Pennissions as a Non-Administrative User" section later in this chapter.
• Yes (Y) permission is a convenient abbreviation for the RWCDA group of permissions.
• No (N or none) permission prevents a user from doing anything. For disk resources, the N permission is sometimes indicated by a colon with nothing after it; you don't actually see the letter "N". When you assign this permission, you cannot assign any other pennissions. Use this permission to exclude individual users from access despite whatever groups to which those
individuals might belong. For example, if you give read and write pennissions to the users group, you can exclude a specific user in the users group by assigning that user the N permission.
The N permission should not be assigned to groups. When evaluating group permissions, LAN Manager considers the union of all applicable group permissions. For example, if you give RWC permission on a directory to the users group, but N permission to the modem-users group, members of modem-users could still use the directory if they were also members of users. You gain nothing by assigning N permission to groups.
The LAN Manager screen provides convenient groupings of these permissions, so that you can easily assign common permission combinations. Thus, you can find RW (read and write) or RWCDA (read, write, create, delete, and change attributes) permissions, for example, in the Edit File Permissions dialog box.
Managing User-Level Security
8
8-11
Spooled Printer Queue Permissions
A spooled printer queue is a resource that accepts spooled requests. A spooled request is a collection of data, such as a file, that you send to a queue. You have no further interaction with the queue. Spooled printer queues are commonly associated with LPT ports on servers.
Yes (Y) permission allows a user to use a particular spooled printer queue; No (N) pennission prevents a user from using the printer queue.
Communication Device Queue Permissions
A communication device queue is a resource that accepts non-spooled requests. A non-spooled request is an active process that requires interaction (input/output) with the resource. Users would need to use a communication device queue to connect to a modem, for instance. Communication device queues are commonly associated with COM ports on servers.
Yes (Y) permission allows a user to use a particular communication device queue;
No (N) permission prevents a user from using the queue.
IPC Resource Permissions
An IPC (interprocess communication) resource is a mailslot or named pipe.
Yes (Y) permission allows a user to use the IPC resource; No (N) permission prevents a user from using the resource.