Access control in NDS is very powerful and flexible, and it can also be very easy to implement.
You can use the default security provided during the installation of the Directory tree and then add additional security as needed.
You can further control access to objects within the tree in various ways, as explained in the following list:
Grant trustee assignments to objects for other objects and their properties.
Rights can be granted at a container level. This allows you to exploit the hierarchical structure of the Directory tree.
By granting rights at the container, those rights are automatically available for every object in that container unless masked by an Inherited Rights Filter (see "Object and property rights" for details).
Create Group objects to give groups of users limited or unlimited access to particular objects or their properties in the Directory tree.
The Inherited Rights Filter is a list of rights that can be assigned for any object. It controls the rights that a trustee can inherit from parent container objects.
Use the Security Equal To property to give a user access to the same information or rights that another user has access to.
When a user is added to the membership list of a Group object or the occupant list of an Organizational Role object, the Group or Organizational Role is listed in that user's Security Equal To list.
By using a security equivalency, you avoid having to review the whole Directory tree structure and determine which rights need to be assigned to which directories, files, and objects.
If an object in a User object's Security Equal To list is deleted from the Directory tree, the user no longer has the rights granted through that object.
User objects that manage other User objects should be granted the Write right to the Security Equal To property. This allows User object managers to make users security equivalent to other users that they manage.
User object managers also need the Write right to the ACL property of the objects so that they can add to a User object's Security Equal To property.
Every object inherits rights from the container objects that are part of its Distinguished Name. This means that you can make a container a trustee, and objects in or below that container receive the trustee assignment as if you had individually granted it to each of them.
Every object in a container object has the rights that are granted to that container through the Security Equal To property. However, container objects are not listed in a User object's Security Equal To list.
The Security Equal To property is not transitive; that is, if Tom is security equivalent to Jill, and Jill is security equivalent to Bob, Tom is not security equivalent to Bob through Jill. The Security Equal To property grants Tom only those rights that Jill is explicitly granted.
In networks containing confidential data, take care that you don't inadvertently give a user access to restricted information.
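To make the inheritance, Inherited Rights Filter and Security Equal To rules above concrete, here is a small added Python model (an illustration for this page, not Novell's code or NDS's actual algorithm). It assumes a simplified calculation in which rights from every source are combined as a union, each object's IRF is the set of rights allowed to flow down from its parent, and security equivalence is one hop only; the tree, right names and assignments are constructed sample data.

```python
# Simplified model of the NDS rules above (added illustration, not Novell code).
# Assumptions: rights are strings; an object's IRF is the set of rights allowed to flow
# down from its parent (default: all); sources combine as a union; DNs are leaf-first.
ALL_RIGHTS = frozenset({"Supervisor", "Browse", "Create", "Delete", "Rename"})

def containers_of(dn):
    """Containers making up an object's Distinguished Name, root-most first."""
    parts = dn.split(".")
    return [".".join(parts[i:]) for i in range(len(parts) - 1, 0, -1)]

def trustee_rights(acl, irf, trustee, target):
    """Rights one trustee holds on target: walk root -> target, masking with each IRF."""
    rights = set()
    for node in containers_of(target) + [target]:
        rights &= irf.get(node, ALL_RIGHTS)               # IRF filters inherited rights
        rights |= acl.get(node, {}).get(trustee, set())   # explicit assignment here
    return rights

def effective_rights(acl, irf, equal_to, user, target):
    """Union over the user, its one-hop Security Equal To list, and its DN containers."""
    principals = {user} | equal_to.get(user, set()) | set(containers_of(user))
    return set().union(*(trustee_rights(acl, irf, p, target) for p in principals))

# Constructed sample: one group, two containers, three users.
ACL = {
    "hr.acme": {"managers.acme": {"Browse", "Rename"},  # group as trustee of a container
                "sales.acme": {"Browse"}},              # container as trustee
    "payroll.hr.acme": {"bob.hr.acme": {"Supervisor"}},
}
IRF = {"payroll.hr.acme": {"Browse", "Supervisor"}}     # blocks Rename inherited from hr.acme
EQUAL_TO = {
    "jill.sales.acme": {"managers.acme"},    # group membership -> Security Equal To
    "tom.sales.acme": {"jill.sales.acme"},   # equivalent to Jill, not to Jill's group
}

def report(user, targets=("hr.acme", "payroll.hr.acme")):
    """Effective rights of a user on each target, for reviewing who can reach what."""
    return {t: effective_rights(ACL, IRF, EQUAL_TO, user, t) for t in targets}

if __name__ == "__main__":
    for u in ("jill.sales.acme", "tom.sales.acme", "bob.hr.acme"):
        print(u, report(u))
```

Running the report for each user shows Jill losing Rename on payroll.hr.acme to the IRF, and Tom holding only the Browse right that his container sales.acme was granted, since his equivalence to Jill does not reach Jill's group.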