Information from KB 2913794
Novell eDirectory 8.8 for All Platforms
WARNING: If all rights are filtered, only objects with an explicit assignment to the filtered object will be able to see the object in the tree, because the ability to Browse the object is filtered. This CAN affect the admin object with all rights.
It is possible that a user could create a container, give himself explicit rights to the container and then hide the container so no one knows it exists.
When the IRF is set with a management tool, it places a value in the ACL attribute called Inheritance Mask. Details on an IRF can be seen with DSBROWSE on a server holding a replica of the partition where the IRF exists.
Note: The possibility of blocking admin's rights only apply to NDS rights. Under file system rights you cannot block the supervisor rights with an inherited rights filter.
For example- to disallow users from viewing the "Phone Number" attribute at an organizational unit:
If "All Attribute Rights" are assigned, only "All Attribute Rights" may blocked. If "All Attribute Rights" is assigned to a user and an IRF for "Phone Number" is later assigned, "Phone Number"WILL NOT be blocked.
Formerly known as TID# 10050172