group(8dce) — Maintenance
NAME
group — A dcecp object that manages a group in the DCE Security Service
SYNOPSIS
group add group_name_list member member_name_list
group catalog [cell_name] [simplename ]
group create group_name_list {attribute extended_rgy_attr_list | attribute value }
group delete group_name_list
group help [operation | verbose ]
group list group_name_list [simplename ]
group modify group_name_list {add extended_rgy_attr_list | remove extended_rgy_attr_list | types | change extended_rgy_attr_list | attribute value }
group operations
group remove group_name_list member member_name_list
group rename group_name to new_group_name
group show group_name_list [all | xattrs ]
ARGUMENTS
cell_nameThe name of a cell to contact when processing the catalog operation. The name must be a fully qualified cell name, such as /.: or /.../cell_name.
group_name
The name of a group to act on. See group_name_list for the name format.
group_name_list
A list of one or more names of groups to act on. Supply the names as either of the following:
•Fully qualified names in the form /.../cell_name/group_name or /.:/group_name.
•Cell-relative names in the form group_name. These names refer to a group in the cell identified in the _s(sec) convenience variable, or if the _s(sec) convenience variable is not set, in the local host’s default cell.
Do not mix fully qualified names and cell-relative names in a list. In addition, do not use the names of registry database objects that contain group information; in other words, do not use names that begin with /.:/sec/group/.
operationThe name of the group operation for which to display help information.
DESCRIPTION
The group object represents registry groups. Unless otherwise noted, all of the operations of this object take the names of the groups to act on as the argument. They must be group names, not the names of the database objects that contain registry information about groups (that is, the names must not begin with /.:/sec/group/).
When this command executes, it attempts to bind to the registry server identified in the _s(sec) variable. If that server cannot process the request or if the _s(sec) variable is not set, the command binds to either an available slave server or the master registry server, depending on the operation. Upon completion the command sets the _b(sec) convenience variable to the name of the registry server to which it bound.
Attributes
alias {yes | no}
Used with the create and modify operations, the value of this attribute is either yes or no. Although each group can have only one primary name, it can have one or more alias names. All aliases refer to the same group, and therefore, carry the same Universal Unique Identifier (UUID) and group identifier (GID). While aliases refer to the same group, they are separate entries in the registry database. Therefore, the name supplied to the group command can refer to the group’s primary name or alias name. The value of this attribute determines whether the name is a primary name (alias no) or an alias name (alias yes). The default is no.
gid integerUsed with the create operation to specify the Group Identifier. If this attribute is not present, then an identifier is assigned to the group automatically.
uuid hexadecimal number
Used with the create operation to adopt an orphaned UUID. Normally the UUID for a new group is generated by the registry. In cases where data exists tagged with the UUID of a group that has been deleted from the registry, this attribute can be used with the create operation to specify the old UUID for a new group. The UUID specified must be an orphan, that is, a UUID for which no name exists in the registry. An error occurs if you specify a name that is already defined in the registry. If this attribute is not present, a UUID is assigned to the group automatically.
fullname string
Used with the create and modify operations to specify the full name of the group to be added to the registry. The value is a string with spaces enclosed in quotation marks or braces. The fullname attribute defaults to a null string (that is, blank).
inprojlist {yes | no}
Used with the create and modify operations to include the group in the principal’s project list. The value for this option is either yes or no. If it is no, then members of this group do not acquire the access rights of this group. The default is yes.
See the OSF DCE Administration Guide for more information about group attributes.
Errors
A representative list of errors that might be returned is not shown here. Refer to the OSF DCE Problem Determination Guide for complete descriptions of all error messages.
Operations
group add
Adds members to a security group. The syntax is as follows:
group add group_name_list member member_name_list
Options
member member_name_list
A list of one or more names of principals to be added to each group in the argument.
The add operation adds members to groups identified by group_name_list. The required member_name_list is a list of principal names to be added. The member_name_list can contain both local and fully qualified names. Use fully qualified names to add principals from foreign cells as members. If you are adding principals from a foreign cell, the Security Server (secd ) must be running in the foreign cell.
If the principals named in group_name_list do not exist, the command returns an error. This operation returns an empty string on success.
Privileges Required
You must have r (read) and M (Member_list) permissions on the target group and r (read) and g (groups) permissions on the principal being added.
Examples
dcecp> principal create chopin
dcecp>
dcecp> group add users -member chopin
dcecp>
group catalog
Returns a list of the names of all groups in the registry. The syntax is as follows:
group catalog [cell_name] [simplename ]
Options
simplename
Returns a list of group names in the registry without prepending the cell name.
The catalog operation returns a list of the names of all groups in the local registry database. Use the cell_name argument to return a list of groups in another cell’s registry. By default, fully qualified names are returned in the form cell_name/group_name. Use the simplename option to return the names without the cell name in the form group_name.
Privileges Required
You must have r (read) permission to the /.:/sec/group directory.
Examples
dcecp> group cat
/.../my_cell.goodcompany.com/nogroup
/.../my_cell.goodcompany.com/system
/.../my_cell.goodcompany.com/daemon
/.../my_cell.goodcompany.com/uucp
/.../my_cell.goodcompany.com/bin
/.../my_cell.goodcompany.com/kmem
/.../my_cell.goodcompany.com/mail
/.../my_cell.goodcompany.com/tty
/.../my_cell.goodcompany.com/none
/.../my_cell.goodcompany.com/tcb
/.../my_cell.goodcompany.com/acct-admin
/.../my_cell.goodcompany.com/subsys/dce/sec-admin
/.../my_cell.goodcompany.com/subsys/dce/cds-admin
/.../my_cell.goodcompany.com/subsys/dce/dts-admin
/.../my_cell.goodcompany.com/subsys/dce/cds-server
/.../my_cell.goodcompany.com/subsys/dce/dts-servers
/.../my_cell.goodcompany.com/users
dcecp>
dcecp> group cat -simplename
nogroup
system
daemon
uucp
bin
kmem
mail
tty
none
tcb
acct-admin
subsys/dce/sec-admin
subsys/dce/cds-admin
subsys/dce/dts-admin
subsys/dce/cds-server
subsys/dce/dts-servers
subsys/dce/audit-admin
subsys/dce/dced-admin
dcecp>
group create
Creates a new group in the registry database. The syntax is as follows:
group create group_name_list {attribute extended_rgy_attr_list | -attribute value}
Options
-attribute value
As an alternative to using the attribute option with an attribute list, you can change individual attribute options by prepending a - (hyphen) to any attributes listed in Attributes in this reference page. You cannot use this option to specify ERAs; it is only for the standard attributes described in Attributes.
attribute extended_rgy_attr_list
Allows you to specify attributes, including ERAs, by using an attribute list rather than using the -attribute value option. The format of an attribute list is as follows:
{{extended_rgy_attr_list value}...{extended_rgy_attr_list value}}
See the OSF DCE Administration Guide for more information on ERAs.
The create operation creates a new group in the registry database. The argument is a list of names of groups to be created. Options are used to specify the attributes of the newly created group. All options are applied to all groups in the argument. This operation returns an empty string on success.
Privileges Required
You must have i (insert) permission to the directory in which the group is to be created.
Examples
dcecp> group create users4 -attribute {fullname "temporary users"}
dcecp>
group delete
Deletes groups from the registry. The syntax is as follows:
group delete group_name_list
The delete operation deletes groups from the registry. When a group is deleted, any accounts associated with the group are deleted as well. The argument is a list of names of groups to be deleted. If a named group does not exist, an error is generated. This operation returns an empty string on success.
This operation also deletes any accounts associated with groups that are deleted. To preserve accounts, add the desired principals to a different group by using the group add -member command. Modify the principals’ accounts to point to the new group by using the account modify command. Then you can delete the group by using the group delete command.
Privileges Required
You must have d (delete ) permission to the directory in which the target group exists. You must have r (read) and D (Delete_object) permission on the group to be deleted.
Examples
dcecp> group delete users4
dcecp>
group help
Returns help information about the group object and its operations. The syntax is as follows:
group help [operation | verbose ]
Options
verboseDisplays information about the group object.
Used without an argument or option, the group help command returns brief information about each group operation. The optional operation argument is the name of an operation about which you want detailed information. Alternatively, you can use the verbose option for more detailed information about the group object itself.
Privileges Required
No special privileges are needed to use the group help command.
Examples
dcecp> group help add Adds a member to the named group.
catalog Returns a list of all the names of groups in the registry.
create Creates a group.
delete Deletes a group.
list Returns all of the members of a group.
modify Changes the information about a group.
remove Removes a specified member from the named group.
rename Renames the specified group.
show Returns the attributes of a group.
help Prints a summary of command-line options.
operations Returns a list of the valid operations for this command.
dcecp>
group list
Returns a list of the names of all members of a group. The syntax is as follows:
group list group_name_list [simplename ]
Options
simplename
Returns the list of group names in the registry without prepending the cell name.
The list operation returns a list of the names of all members of a group. The argument is a list of names of groups to be operated on. If more than one group is listed, the names are concatenated on output. By default, fully qualified names are returned in the form cellname/membername. Use the simplename option to return them without prepending the cell name to the member name. The members of each group are listed in lexical order.
Privileges Required
You must have r (read) permission to the /.:/sec/group directory.
Examples
dcecp> group list none
/.../my_cell.goodcompany.com/dce-ptgt
/.../my_cell.goodcompany.com/dce-rgy
/.../my_cell.goodcompany.com/krbtgt/my_cell.goodcompany.com
/.../my_cell.goodcompany.com/cell_admin
/.../my_cell.goodcompany.com/hosts/pmin17/self
dcecp>
group modify
Changes attributes of groups. The syntax is as follows:
group modify group_name_list
{add extended_rgy_attr_list | remove extended_rgy_attr_list [types ] |
change extended_rgy_attr_list | -attribute value}
Options
-attribute value
As an alternative to using options with an attribute list, you can change individual attribute options by prepending a - (hyphen) to any attributes listed in the Attributes section of this reference page. You cannot use this option to specify ERAs; it is only for standard group attributes described in Attributes.
add extended_rgy_attr_list
Allows you to modify attributes, including ERAs, by using an attribute list rather than using individual attribute options. The format of an attribute list is as follows:
{{extended_rgy_attr_list value}...{extended_rgy_attr_list value}}
change extended_rgy_attr_list
Allows you to modify attributes, including ERAs, by using an attribute list rather than using individual attribute options. See the add option for the attribute list format.
remove extended_rgy_attr_list
Allows you to modify attributes, including ERAs, by using an attribute list rather than using individual attribute options such as alias , inprojlist , and so on. See the add option for the attribute list format.
Without the types option, remove deletes individual attribute instances attached to the group. In this case, extended_rgy_attr_list is a list of attribute-value pairs. With the types option, remove deletes attribute types (and all instances of that type) attached to the group. In this case, extended_rgy_attr_list is a list of attribute types.
typesUsed with the remove option to remove attribute types (and all instances of that type) attached to the group.
See the OSF DCE Administration Guide for more information about ERAs.
The modify operation changes attributes of groups. The argument is a list of names of groups to be operated on. All modifications are applied to all groups named in the argument. Groups are modified in the order they are listed, and all modifications to an individual group are atomic. Modifications to multiple groups are not atomic. A failure for any one group in a list generates an and aborts the rest of the operation. This operation returns an empty string on success.
The change option can be used to modify the value of any standard attribute except for gid and uuid .
Privileges Required
You must have r (read) permission to the group to be modified and f (full_name) permission to modify the group’s full name and/or m (mgmt_info) permission to modify the group’s management information.
Examples
dcecp> group modify users3 -change {fullname "General Nursing Staff"}
dcecp>
dcecp> group show users3
{alias no}
{gid 5212}
{uuid 0000145c-9363-21cd-a601-0000c08adf56}
{inprojlist no}
{fullname {General Nursing Staff}}
dcecp>
dcecp> group modify users3 -add {test_era 101}
dcecp>
dcecp>group show users3 -all
{alias no}
{gid 5212}
{uuid 0000145c-9363-21cd-a601-0000c08adf56}
{inprojlist no}
{fullname {General Nursing Staff}
{test_era 101}}
dcecp>
group operations
Returns a list of the operations supported by the group object. The syntax is as follows:
group operations
The list of available operations is in alphabetical order except for help and operations, which are listed last.
Privileges Required
No special privileges are needed to use the group operations command.
Examples
dcecp> group operations
add catalog create delete list modify remove rename show
> help operations
dcecp>
group remove
Removes a member from a group. The syntax is as follows:
group remove group_name_list member member_name_list
Options
member member_name_list
A list of one or more names of principals to be removed from each group in the argument.
The remove operation removes members from the groups identified by group_name_list. The required member_name_list is a list of principals to remove from the groups named in group_name_list. The member_name_list can contain both local and fully qualified names. Use fully qualified names to remove principals in foreign cells from the group.
When a member is removed from a group, any accounts associated with that principal and group are deleted. Remember that accounts are associated with a principal, a group, and an organization; therefore, any accounts whose principal name and group name match those given to this command are removed, but accounts for which only one name matches are untouched. This operation returns an empty string on success.
Privileges Required
You must have r (read) and M (Member_list) permissions on the target groups and r (read) permission on the member to be removed.
Examples
dcecp> group remove users -member chopin
dcecp>
group rename
This operation changes the name of a specified group. The syntax is as follows:
group rename group_name to new_group_name
Options
to new_group_name
Specifies the new name of the group.
See Arguments for a description of group names.
The rename operation changes the name of a specified group. The argument is a single name of a group to be renamed. The operation takes a required to option with the value of the new name. The value may not be a list. This operation returns an empty string on success.
Privileges Required
You must have r (read) and n (name ) permissions to the specified groups.
Examples
dcecp> group rename users4 -to users_temporary
dcecp>
group show
Returns registry information for the specified groups. The syntax is as follows:
group show group_name_list [all | xattrs ]
Options
xattrsReturns ERAs instead of the default attributes.
allReturns ERAs in addition to the default attributes.
The show operation returns an attribute list for the specified groups. The argument is a list of names of groups to be operated on. If more than one group is given, the attributes are concatenated. Use the xattrs option to return ERAs instead of the standard attributes. Use all to return both types of attributes.
Privileges Required
You must have r (read) permission to the specified groups.
Examples
dcecp> group show users_temporary
{alias no}
{gid 5211}
{uuid 0000145b-9362-21cd-a601-0000c08adf56}
{inprojlist no}
{fullname {temporary users}}
dcecp>
Related Information
Commands: dcecp(8dce), account(8dce), organization(8dce), principal(8dce), registry(8dce), xattrshcema(8dce).