How does an Inherited Rights Filter (IRF) work in NDS?

  • 7007292
  • 02-Dec-2010
  • 26-Apr-2012

Environment

Novell Directory Services
Information from KB 2913794
Novell eDirectory 8.8 for All Platforms

Situation

How does an Inherited Rights Filter (IRF) work in NDS?

Resolution

When an IRF is set, the rights left unchecked in the filter are blocked. This means those inherited rights no longer flow down from higher levels in the tree.

WARNING: If all rights are filtered, only objects with an explicit assignment to the filtered object will be able to see the object in the tree, because the ability to Browse the object is filtered. This CAN affect the admin object with all rights.

It is possible that a user could create a container, give himself explicit rights to the container and then hide the container so no one knows it exists.

When the IRF is set with a management tool, it places a value in the ACL attribute called Inheritance Mask. Details on an IRF can be seen with DSBROWSE on a server holding a replica of the partition where the IRF exists.

Note: The possibility of blocking admin's rights only applies to NDS rights. Under file system rights you cannot block the Supervisor right with an inherited rights filter.

Additional Information

To set an IRF, you must assign the desired attribute at some (higher) level in the directory tree as an inheritable right, then block the desired actions at a lower point in the directory tree.

For example, to disallow users from viewing the "Phone Number" attribute at an organizational unit:
1.  Explicitly assign "Phone Number" to [Public] at the organization.
2.  At the organizational unit, add an IRF for "Phone Number".

If "All Attribute Rights" are assigned, only "All Attribute Rights" may be blocked. If "All Attribute Rights" is assigned to a user and an IRF for "Phone Number" is later assigned, "Phone Number" WILL NOT be blocked.
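The following is an added example, not code from the KB article or from Novell/eDirectory: a simplified Python model of the rules described above (inherited rights flow down, an IRF masks them, explicit assignments on an object are not filtered, and an IRF on a single attribute does not block rights granted through "All Attribute Rights"). The tree (O=acme, OU=eng, OU=secret), the trustees (admin.acme, hr.acme, bob.eng) and the right names are constructed sample data; the real ACL storage format (the Inheritance Mask value) is not modelled.

```python
"""Simplified model of how an NDS/eDirectory Inherited Rights Filter (IRF)
shapes effective rights. Constructed for illustration of the rules in the
KB text; it is not eDirectory's own code or its ACL storage format."""
from dataclasses import dataclass, field
from typing import Optional

ENTRY = "[Entry Rights]"
ALL_ATTR = "[All Attribute Rights]"


@dataclass
class ACLEntry:
    trustee: str            # e.g. "admin.acme" or "[Public]"
    protected: str          # ENTRY, ALL_ATTR or one attribute name
    rights: frozenset       # e.g. frozenset({"Read", "Compare"})
    inheritable: bool = True


@dataclass
class DirObject:
    name: str
    parent: Optional["DirObject"] = None
    acl: list = field(default_factory=list)
    # IRF: protected name -> rights still allowed to flow down from above.
    # No key means no filter; an empty set is the "all rights filtered"
    # case the KB warns about, which can lock out admin too.
    irf: dict = field(default_factory=dict)

    def child(self, name):
        return DirObject(name, parent=self)

    def grant(self, trustee, protected, rights, inheritable=True):
        self.acl.append(ACLEntry(trustee, protected, frozenset(rights), inheritable))
        return self

    def set_irf(self, protected, allowed):
        self.irf[protected] = frozenset(allowed)
        return self


def _chain(obj):
    """Objects from the tree root down to obj."""
    nodes = []
    while obj is not None:
        nodes.append(obj)
        obj = obj.parent
    return nodes[::-1]


def _rights_under_key(obj, trustee, key):
    """Rights for one protected key, walking root -> obj. Inherited rights
    pass through each object's IRF; an explicit assignment on an object is
    never filtered by that object's own IRF."""
    flowing = frozenset()                     # rights arriving from above
    effective = frozenset()
    for node in _chain(obj):
        if key in node.irf:                   # IRF blocks unchecked rights
            flowing &= node.irf[key]
        explicit = [e for e in node.acl if e.trustee == trustee and e.protected == key]
        effective = flowing.union(*(e.rights for e in explicit))
        flowing = flowing.union(*(e.rights for e in explicit if e.inheritable))
    return effective


def effective_rights(obj, trustee, protected):
    """Effective rights of trustee on obj for the entry or one attribute."""
    rights = _rights_under_key(obj, trustee, protected)
    if protected not in (ENTRY, ALL_ATTR):
        # Rights granted through "All Attribute Rights" flow under their own
        # key, so an IRF on a single attribute does not block them (KB caveat).
        rights |= _rights_under_key(obj, trustee, ALL_ATTR)
    return rights


def can_see(obj, trustee):
    """Browse is the entry right that lets a trustee see an object."""
    return "Browse" in effective_rights(obj, trustee, ENTRY)


def build_demo_tree():
    """Constructed sample tree: O=acme > OU=eng > OU=secret (names assumed)."""
    acme = DirObject("acme")
    acme.grant("admin.acme", ENTRY, {"Supervisor", "Browse", "Create", "Delete", "Rename"})
    acme.grant("[Public]", ENTRY, {"Browse"})
    acme.grant("[Public]", "Phone Number", {"Read", "Compare"})     # KB step 1
    acme.grant("hr.acme", ALL_ATTR, {"Read", "Compare"})
    eng = acme.child("eng").set_irf("Phone Number", set())           # KB step 2
    # A user creates a container, grants himself explicit rights, then
    # filters every inherited entry right: nobody else, admin included, sees it.
    secret = eng.child("secret").set_irf(ENTRY, set())
    secret.grant("bob.eng", ENTRY, {"Supervisor", "Browse"})
    return {"acme": acme, "eng": eng, "secret": secret}


if __name__ == "__main__":
    t = build_demo_tree()
    print("[Public] on Phone Number in eng:", set(effective_rights(t["eng"], "[Public]", "Phone Number")))
    print("hr.acme (All Attribute Rights) in eng:", set(effective_rights(t["eng"], "hr.acme", "Phone Number")))
    print("admin.acme sees secret:", can_see(t["secret"], "admin.acme"))
    print("bob.eng sees secret:", can_see(t["secret"], "bob.eng"))
```

Running the model reproduces the article's three points: [Public] loses "Phone Number" below the IRF, hr.acme keeps it because its rights arrive via "All Attribute Rights", and admin.acme cannot see the "secret" container until it receives an explicit assignment there. A defender auditing a tree would therefore look for Inheritance Mask values that filter [Entry Rights] entirely and check which trustees hold explicit assignments on those objects.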
Formerly known as TID# 10050172