NTFS failiõiguste seadistamine Windows 7 operatsioonisüsteemis: Difference between revisions

From ICO wiki
Jump to navigationJump to search
No edit summary
No edit summary
Line 17: Line 17:
Näiteks Kui kasutaja on kahes grupis korraga milles 1. ta tohib faili avada ja 2. ei tohi, siis tegelikkuses ta faili avada ei saa.
Näiteks Kui kasutaja on kahes grupis korraga milles 1. ta tohib faili avada ja 2. ei tohi, siis tegelikkuses ta faili avada ei saa.


Spetsiaalõigused
There are 14 default special permissions, shown in Table3-2. The table also shows how these default special permissions correlate to the standard permissions discussed earlier.
There are 14 default special permissions, shown in Table3-2. The table also shows how these default special permissions correlate to the standard permissions discussed earlier.
On olemas 14 vaikimisi tulevat spetsiaalõigust
Traverse Folder/Execute File
Traverse Folder/Execute File


Line 69: Line 71:


     Allows you to take ownership of a file or folder, which inherently allows the ability to change permissions on an object. This is granted to administrator-level users by default.
     Allows you to take ownership of a file or folder, which inherently allows the ability to change permissions on an object. This is granted to administrator-level users by default.
<table border="1" cellspacing="0" width="100%"> <caption> <h5 class="docTableTitle">Table 3-2. Windows Server 2008 special  permissions</h5></caption> <colgroup span="7"> <col> <col> <col> <col> <col> <col> <col></colgroup> <thead> <tr> <th class="docTableCell thead" style="text-align: left;" scope="col" align="left" valign="bottom">Special permission</th> <th class="docTableCell thead" style="text-align: left;" scope="col" align="left" valign="bottom">R</th> <th class="docTableCell thead" style="text-align: left;" scope="col" align="left" valign="bottom">W</th> <th class="docTableCell thead" style="text-align: left;" scope="col" align="left" valign="bottom">RX</th> <th class="docTableCell thead" style="text-align: left;" scope="col" align="left" valign="bottom">L</th> <th class="docTableCell thead" style="text-align: left;" scope="col" align="left" valign="bottom">M</th> <th class="docTableCell thead" style="text-align: left;" scope="col" align="left" valign="bottom">FC</th></tr></thead> <tbody> <tr> <td class="docTableCell" align="left" valign="top">Traverse Folder/Execute File</td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td></tr> <tr> <td class="docTableCell" align="left" valign="top">List Folder/Read Data</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td></tr> <tr> <td class="docTableCell" align="left" valign="top">Read Attributes</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td></tr> <tr> <td class="docTableCell" align="left" valign="top">Read Extended Attributes</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td></tr> <tr> <td class="docTableCell" align="left" valign="top">Create Files/Write Data</td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td></tr> <tr> <td class="docTableCell" align="left" valign="top">Create Folders/Append Data</td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td></tr> <tr> <td class="docTableCell" align="left" valign="top">Write Attributes</td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td></tr> <tr> <td class="docTableCell" align="left" valign="top">Write Extended Attributes</td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td></tr> <tr> <td class="docTableCell" align="left" valign="top">Delete Subfolders and Files</td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td></tr> <tr> <td class="docTableCell" align="left" valign="top">Delete</td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td></tr> <tr> <td class="docTableCell" align="left" valign="top">Read Permissions</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td></tr> <tr> <td class="docTableCell" align="left" valign="top">Change Permissions</td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td></tr> <tr> <td class="docTableCell" align="left" valign="top">Take Ownership</td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td style="" class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell"><br></td> <td class="docTableCell" align="left" valign="top">X</td></tr> <tr> <td class="docTableCell" align="left" valign="top">Full Control</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td> <td class="docTableCell" align="left" valign="top">X</td></tr></tbody></table>


Vaatleme näitena kahte faili millest üks on salajane fail bosside kaustas ning üks avalik, üldises kaustas.
Vaatleme näitena kahte faili millest üks on salajane fail bosside kaustas ning üks avalik, üldises kaustas.

Revision as of 22:15, 14 October 2010

Sel teemal kirjutas Kristjan Vask - pooleli-

NTFS failisüsteemis on kasutajatele võimalik määrata erineva tasemega failiõigusi.

Iga kord kui failiõigustega tegeletakse tasub alati meeles pidada järgnevaid põhipunkte:

-Lugemisõigus on ainukene õigus mis on tarvis skriptide jooksutamiseks. Jooksutamisõigust pole tarvis eraldi sätestada.

-Lugemisõigus on tarvilik otseteede kasutamiseks.

-Kasutajale faili kirjutamisõiguste andmine aga kustutamisõiguste keelamine ei takista teda faili sisu tühjaks kustutamast.

-Kui kasutajal on "täielik kontroll (full control)" kausta üle, siis kasutaja saab kustutada seal olevaid faile olenemata keelamisõigustest seal sees olevate failide suhtes.

-Keelamisõigused on alati eespool lubamisõigustest. Näiteks Kui kasutaja on kahes grupis korraga milles 1. ta tohib faili avada ja 2. ei tohi, siis tegelikkuses ta faili avada ei saa.

Spetsiaalõigused There are 14 default special permissions, shown in Table3-2. The table also shows how these default special permissions correlate to the standard permissions discussed earlier. On olemas 14 vaikimisi tulevat spetsiaalõigust Traverse Folder/Execute File 

   Traverse Folder allows you to access a folder nested within a tree even if parent folders in that tree deny a user access to the contents of those folders. Execute File allows you to run a program.

List Folder/Read Data 

   List Folder allows you to see file and folder names within a folder. Read Data allows you to open and view a file.

Read Attributes 

   Allows you to view basic attributes of an object (read-only, system, archive, and hidden).

Read Extended Attributes 

   Allows you to view the extended attributes of an object—for example, summary, author, title, and so on for a Word document. These attributes will vary from program to program.

Create Files/Write Data 

   Create Files allows you to create new objects within a folder; Write Data allows you to overwrite an existing file (this does not allow you to add data to existing objects in the folder).

Create Folders/Append Data 

   Create Folders allows you to nest folders. Append Data allows you to add data to an existing file, but not delete data within that file (a function based on file size), or delete the file itself.

Write Attributes 

   Allows you to change the basic attributes of a file.

Write Extended Attributes 

   Allows you to change the extended attributes of a file.

Delete Subfolders and Files 

   Allows you to delete the contents of a folder regardless of whether any individual file or folder within the folder in question explicitly grants or denies the Delete permission.

Delete 

   Allows you to delete a single file or folder, but not other files or folders within it.

Read Permissions 

   Allows you to view NTFS permissions on an object, but not to change them.

Change Permissions 

   Allows you to both view and change NTFS permissions on an object.

Take Ownership 

   Allows you to take ownership of a file or folder, which inherently allows the ability to change permissions on an object. This is granted to administrator-level users by default.
<colgroup span="7"> <col> <col> <col> <col> <col> <col> <col></colgroup> <thead> </thead> <tbody> </tbody>
Table 3-2. Windows Server 2008 special permissions
Special permission R W RX L M FC
Traverse Folder/Execute File

X X X X
List Folder/Read Data X
X X X X
Read Attributes X
X X X X
Read Extended Attributes X
X X X X
Create Files/Write Data
X

X X
Create Folders/Append Data
X

X X
Write Attributes
X

X X
Write Extended Attributes
X

X X
Delete Subfolders and Files




X
Delete



X X
Read Permissions X
X X X X
Change Permissions




X
Take Ownership




X
Full Control X X X X X X

Vaatleme näitena kahte faili millest üks on salajane fail bosside kaustas ning üks avalik, üldises kaustas. Meil on 2 kasutajategruppi: töötajad ning bossid. Töötajatel on õigused ainult kausta sisu nägemiseks ning sealt failide lugemiseks. Muutmisõigust neil pole. Igaks juhuks on kasutajatel õigused antud salajasse folderisse minemiseks kui neile on antud otselink, siis nad saavad lingitud faili avada ja lugeda. Ise nad folderisse ringi vaatama ehl kausta sisu uudistama ei pääse. Bossid saavad teha kõike.


Bossidele kõikide õiguste andmiseks ning asja lihtsustamiseks oleme eemaldanud esialgu kõikide teiste kasutajate õigused 1. taseme kaustast "paberid" ning jätnud vaid bossid. Selle jaoks oleme tühistanud õiguste pärimise siin ning jätnud vaid bossid. Õiguste pärimise eemaldamist tasub rakendada alati kohe alguses igal pool kui on soov et 1 kasutajagrupp oleks täpselt piiritletud kasutajaõigustega, et vältida hilisemaid segadusi :

Järgmiseks hakkame jagama õigusi töötajatele.Õigusi saab kõige paremini muuta: kausta properties->security tab->advanced->edit juurest. Antud juhul anname töötajatele õigused kausta sisu nägemiseks ning sealt failide lugemiseks, samuti igaks juhuks failiatribuutide lugemiseks kuna võib juhtuda et nad ei tea mis tüübi fail see on.

Salajaste paberite kohta kausta tasandil ei anna me töötajatele ühetgi õigust sinna sisse uurima minna. Õigusi saab mugavalt kontrollida ka tabi Effective permissions alt, mis näitab hetkel aktiivseid õiguste seadeid.

Kuna salajaste paberite kaustas on 1 fail mida me aegajalt tahame töötajatega jagada siis tuleb see fail seadistada eraldi ka töötajatele kättesaadavaks. Samas peame silmas, et sinna faili juurde pääsevad nad ainult otselingiga või siis kui nad teavad selle faili nime. Loomulikult on reaalses elus võimalik ka vastav fail salasõnaga kaitsta et vältida proovimismeetodil ligipääsemist suvaliste kasutajate poolt kes juhtuvad failinime ära arvama.

Kui kasutaja üritab niisama salajasse folderisse luurama minna siis saab ta sellise teate:

Samas on kasutajal võimalik lugeda faili kui ta teab et see seal on, trükkides sisse failiaadressi:

Kokkuvõtteks tasub ka meeles pidada, et ei pea logima erinevate kasutajate vahel asja töötamiseks ringi. Kõike saab kontrollida "effective permissions" tabi alt kus näidatakse faili või kausta kohta kenasti ära mis õigused parasjagu aktiivsed on. Samuti võiks ära mainida et on võimalik määrata õigusi läbi mitme tasandi:


Allikad: http://technet.microsoft.com/en-us/library/bb727008.aspx http://support.microsoft.com/kb/308419 http://computingtech.blogspot.com/2008/05/windows-server-2008-ntfs-file-and.html

Retrieved from "https://wiki.itcollege.ee/index.php?title=NTFS_failiõiguste_seadistamine_Windows_7_operatsioonisüsteemis&oldid=14422"