⇒ group(8dce) — DCE 3.1

group(8dce)  —  Maintenance

NAME

group  — A dcecp object that manages a group in the DCE Security Service

SYNOPSIS

group add group_name_list -member member_name_list

group catalog [cell_name] [-simplename]

group create group_name_list {-attribute extended_rgy_attr_list | -attribute value}

group delete group_name_list

group help [operation | -verbose]

group list group_name_list [-simplename]

group modify group_name_list {-add extended_rgy_attr_list | -remove extended_rgy_attr_list [-types] | -change extended_rgy_attr_list | -attribute value}

group operations

group remove group_name_list -member member_name_list

group rename group_name -to new_group_name

group show group_name_list [-all | -xattrs]

ARGUMENTS

cell_name
The name of a cell to contact when processing the catalog operation. The name must be a fully qualified cell name, such as /.: or /.../cell_name.

group_name
The name of a group to act on. See group_name_list for the name format. 

group_name_list
A list of one or more names of groups to act on.  Supply the names as either of the following:

   • Fully qualified names in the form /.../cell_name/group_name or /.:/group_name.

   • Cell-relative names in the form group_name. These names refer to a group in the cell identified in the _s(sec) convenience variable, or if the _s(sec) convenience variable is not set, in the local host’s default cell.

Do not mix fully qualified names and cell-relative names in a list.  In addition, do not use the names of registry database objects that contain group information; in other words, do not use names that begin with /.:/sec/group/. 

operation
The name of the group operation for which to display help information.

DESCRIPTION

The group  object represents registry groups.  Unless otherwise noted, all of the operations of this object take the names of the groups to act on as the argument. They must be group names, not the names of the database objects that contain registry information about groups (that is, the names must not begin with /.:/sec/group/). 

When this command executes, it attempts to bind to the registry server identified in the _s(sec) variable.  If that server cannot process the request or if the _s(sec) variable is not set, the command binds to either an available slave server or the master registry server, depending on the operation.  Upon completion the command sets the _b(sec) convenience variable to the name of the registry server to which it bound. 

Attributes

alias {yes | no}
Used with the create  and modify operations, the value of this attribute is either yes or no.  Although each group can have only one primary name, it can have one or more alias names.  All aliases refer to the same group, and therefore, carry the same Universal Unique Identifier (UUID) and group identifier (GID).  While aliases refer to the same group, they are separate entries in the registry database.  Therefore, the name supplied to the group command can refer to the group’s primary name or alias name.  The value of this attribute determines whether the name is a primary name (alias no) or an alias name (alias yes).  The default is no. 

gid integer
Used with the create operation to specify the Group Identifier. If this attribute is not present, then an identifier is assigned to the group automatically.

uuid hexadecimal number
Used with the create  operation to adopt an orphaned UUID. Normally the UUID for a new group is generated by the registry.  In cases where data exists tagged with the UUID of a group that has been deleted from the registry, this attribute can be used with the create  operation to specify the old UUID for a new group.  The UUID specified must be an orphan, that is, a UUID for which no name exists in the registry.  An error occurs if you specify a name that is already defined in the registry.  If this attribute is not present, a UUID is assigned to the group automatically. 

fullname string
Used with the create  and modify operations to specify the full name of the group to be added to the registry.  The value is a string with spaces enclosed in quotation marks or braces.  The fullname attribute defaults to a null string (that is, blank). 

inprojlist {yes | no}
Used with the create  and modify operations to include the group in the principal’s project list.  The value for this option is either yes or no.  If it is no, then members of this group do not acquire the access rights of this group. The default is yes. 

See the OSF DCE Administration Guide for more information about group attributes. 

Errors

A representative list of errors that might be returned is not shown here.  Refer to the OSF DCE Problem Determination Guide for complete descriptions of all error messages. 

Operations

group add

Adds members to a security group.  The syntax is as follows:

group add group_name_list -member member_name_list

Options

-member member_name_list
A list of one or more names of principals to be added to each group in the argument.

The add operation adds members to groups identified by group_name_list. The required member_name_list is a list of principal names to be added. The member_name_list can contain both local and fully qualified names. Use fully qualified names to add principals from foreign cells as members. If you are adding principals from a foreign cell, the Security Server (secd) must be running in the foreign cell.

If the principals named in member_name_list do not exist, the command returns an error. This operation returns an empty string on success.

Privileges Required

You must have r (read) and M (Member_list) permissions on the target group and r (read) and g (groups) permissions on the principal being added. 

Examples

dcecp> principal create chopin
dcecp>
dcecp> group add users -member chopin
dcecp>

group catalog

Returns a list of the names of all groups in the registry.  The syntax is as follows:

group catalog [cell_name] [-simplename]

Options

-simplename
Returns a list of group names in the registry without prepending the cell name.

The catalog operation returns a list of the names of all groups in the local registry database. Use the cell_name argument to return a list of groups in another cell’s registry. By default, fully qualified names are returned in the form cell_name/group_name. Use the -simplename option to return the names without the cell name in the form group_name.

Privileges Required

You must have r (read) permission to the /.:/sec/group directory. 

Examples

dcecp> group cat
/.../my_cell.goodcompany.com/nogroup
/.../my_cell.goodcompany.com/system
/.../my_cell.goodcompany.com/daemon
/.../my_cell.goodcompany.com/uucp
/.../my_cell.goodcompany.com/bin
/.../my_cell.goodcompany.com/kmem
/.../my_cell.goodcompany.com/mail
/.../my_cell.goodcompany.com/tty
/.../my_cell.goodcompany.com/none
/.../my_cell.goodcompany.com/tcb
/.../my_cell.goodcompany.com/acct-admin
/.../my_cell.goodcompany.com/subsys/dce/sec-admin
/.../my_cell.goodcompany.com/subsys/dce/cds-admin
/.../my_cell.goodcompany.com/subsys/dce/dts-admin
/.../my_cell.goodcompany.com/subsys/dce/cds-server
/.../my_cell.goodcompany.com/subsys/dce/dts-servers
/.../my_cell.goodcompany.com/users
dcecp>
dcecp> group cat -simplename
nogroup
system
daemon
uucp
bin
kmem
mail
tty
none
tcb
acct-admin
subsys/dce/sec-admin
subsys/dce/cds-admin
subsys/dce/dts-admin
subsys/dce/cds-server
subsys/dce/dts-servers
subsys/dce/audit-admin
subsys/dce/dced-admin
dcecp>

group create

Creates a new group in the registry database.  The syntax is as follows:

group create group_name_list {-attribute extended_rgy_attr_list | -attribute value}

Options

-attribute value
As an alternative to using the -attribute option with an attribute list, you can change individual attribute options by prepending a - (hyphen) to any attributes listed in Attributes in this reference page. You cannot use this option to specify ERAs; it is only for the standard attributes described in Attributes.

-attribute extended_rgy_attr_list
Allows you to specify attributes, including ERAs, by using an attribute list rather than using the -attribute value option. The format of an attribute list is as follows:

{{extended_rgy_attr_list value}...{extended_rgy_attr_list value}}

See the OSF DCE Administration Guide for more information on ERAs. 

The create  operation creates a new group in the registry database.  The argument is a list of names of groups to be created.  Options are used to specify the attributes of the newly created group.  All options are applied to all groups in the argument. This operation returns an empty string on success. 

Privileges Required

You must have i (insert) permission to the directory in which the group is to be created. 

Examples

dcecp> group create users4 -attribute {fullname "temporary users"}
dcecp> 

group delete

Deletes groups from the registry.  The syntax is as follows:

group delete group_name_list

The delete  operation deletes groups from the registry.  When a group is deleted, any accounts associated with the group are deleted as well.  The argument is a list of names of groups to be deleted.  If a named group does not exist, an error is generated.  This operation returns an empty string on success. 

This operation also deletes any accounts associated with groups that are deleted. To preserve accounts, add the desired principals to a different group by using the group add -member command. Modify the principals’ accounts to point to the new group by using the account modify command. Then you can delete the group by using the group delete command.

Privileges Required

You must have d (delete) permission to the directory in which the target group exists. You must have r (read) and D (Delete_object) permission on the group to be deleted.

Examples

dcecp> group delete users4
dcecp> 
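
The account-preserving sequence described under group delete, written as a dcecp (Tcl) procedure. This is an added example, not part of the OSF reference page; the account show, account catalog -simplename and account modify -group calls are assumed from account(8dce), the procedure names are hypothetical, and all names are cell-relative.

```tcl
# Added example, not from the OSF reference page. Names are cell-relative.
# Assumed from account(8dce): "account show" returns an attribute list with a
# {group <name>} entry, "account catalog" accepts -simplename, and
# "account modify" accepts -group.

# Return the group that a principal's account is bound to.
# Errors from "account show" propagate, so a permission failure is never
# mistaken for "no account".
proc acct_group {principal} {
    foreach attr [account show $principal] {
        if {[string compare [lindex $attr 0] group] == 0} {
            return [lindex $attr 1]
        }
    }
    error "no group attribute returned for account $principal"
}

# List the members of $old whose account is bound to $old. Only these
# accounts are deleted along with the group; plain membership is not at risk.
proc bound_accounts {old} {
    set with_acct [account catalog -simplename]
    set bound {}
    foreach p [group list $old -simplename] {
        if {[lsearch -exact $with_acct $p] >= 0 &&
            [string compare [acct_group $p] $old] == 0} {
            lappend bound $p
        }
    }
    return $bound
}

# Move every account bound to $old over to $new, then delete $old.
proc retire_group {old new} {
    set already [group list $new -simplename]
    set moved [bound_accounts $old]
    foreach p $moved {
        # Step 1: the principal must be a member of the new group first.
        if {[lsearch -exact $already $p] < 0} {
            group add $new -member $p
        }
        # Step 2: repoint the account at the new group.
        account modify $p -group $new
    }
    # Step 3: re-check before the destructive call, because group delete
    # removes any account still bound to $old.
    set left [bound_accounts $old]
    if {[llength $left] > 0} {
        error "accounts still bound to $old: $left"
    }
    group delete $old
    return $moved
}
# Usage: retire_group users4 users_temporary
```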

group help

Returns help information about the group  object and its operations.  The syntax is as follows:

group help [operation | -verbose]

Options

-verbose
Displays information about the group object.

Used without an argument or option, the group help command returns brief information about each group operation. The optional operation argument is the name of an operation about which you want detailed information. Alternatively, you can use the -verbose option for more detailed information about the group object itself.

Privileges Required

No special privileges are needed to use the group help command. 

Examples

dcecp> group help
add                 Adds a member to the named group.
catalog             Returns a list of all the names of groups in the registry.
create              Creates a group.
delete              Deletes a group.
list                Returns all of the members of a group.
modify              Changes the information about a group.
remove              Removes a specified member from the named group.
rename              Renames the specified group.
show                Returns the attributes of a group.
help                Prints a summary of command-line options.
operations          Returns a list of the valid operations for this command.
dcecp>

group list

Returns a list of the names of all members of a group.  The syntax is as follows:

group list group_name_list [-simplename]

Options

-simplename
Returns the list of group names in the registry without prepending the cell name.

The list operation returns a list of the names of all members of a group. The argument is a list of names of groups to be operated on. If more than one group is listed, the names are concatenated on output. By default, fully qualified names are returned in the form cellname/membername. Use the -simplename option to return them without prepending the cell name to the member name. The members of each group are listed in lexical order.

Privileges Required

You must have r (read) permission to the /.:/sec/group directory. 

Examples

dcecp> group list none
/.../my_cell.goodcompany.com/dce-ptgt
/.../my_cell.goodcompany.com/dce-rgy
/.../my_cell.goodcompany.com/krbtgt/my_cell.goodcompany.com
/.../my_cell.goodcompany.com/cell_admin
/.../my_cell.goodcompany.com/hosts/pmin17/self
dcecp> 

group modify

Changes attributes of groups.  The syntax is as follows:

group modify group_name_list
{-add extended_rgy_attr_list | -remove extended_rgy_attr_list [-types] |
-change extended_rgy_attr_list | -attribute value}

Options

-attribute value
As an alternative to using options with an attribute list, you can change individual attribute options by prepending a - (hyphen) to any attributes listed in the Attributes section of this reference page.  You cannot use this option to specify ERAs; it is only for standard group attributes described in Attributes. 

-add extended_rgy_attr_list
Allows you to modify attributes, including ERAs, by using an attribute list rather than using individual attribute options. The format of an attribute list is as follows:

{{extended_rgy_attr_list value}...{extended_rgy_attr_list value}}

-change extended_rgy_attr_list
Allows you to modify attributes, including ERAs, by using an attribute list rather than using individual attribute options. See the -add option for the attribute list format.

-remove extended_rgy_attr_list
Allows you to modify attributes, including ERAs, by using an attribute list rather than using individual attribute options such as alias, inprojlist, and so on. See the -add option for the attribute list format.

Without the -types option, -remove deletes individual attribute instances attached to the group. In this case, extended_rgy_attr_list is a list of attribute-value pairs. With the -types option, -remove deletes attribute types (and all instances of that type) attached to the group. In this case, extended_rgy_attr_list is a list of attribute types.

-types
Used with the -remove option to remove attribute types (and all instances of that type) attached to the group.

See the OSF DCE Administration Guide for more information about ERAs. 

The modify operation changes attributes of groups. The argument is a list of names of groups to be operated on. All modifications are applied to all groups named in the argument. Groups are modified in the order they are listed, and all modifications to an individual group are atomic. Modifications to multiple groups are not atomic. A failure for any one group in a list generates an error and aborts the rest of the operation. This operation returns an empty string on success.

The -change option can be used to modify the value of any standard attribute except for gid and uuid.

Privileges Required

You must have r (read) permission to the group to be modified and f (full_name) permission to modify the group’s full name and/or m (mgmt_info) permission to modify the group’s management information. 

Examples

dcecp> group modify users3 -change {fullname "General Nursing Staff"}
dcecp>
dcecp> group show users3
{alias no}
{gid 5212}
{uuid 0000145c-9363-21cd-a601-0000c08adf56}
{inprojlist no}
{fullname {General Nursing Staff}}
dcecp>
dcecp> group modify users3 -add {test_era 101}
dcecp>
dcecp> group show users3 -all
{alias no}
{gid 5212}
{uuid 0000145c-9363-21cd-a601-0000c08adf56}
{inprojlist no}
{fullname {General Nursing Staff}}
{test_era 101}
dcecp>

group operations

Returns a list of the operations supported by the group object.  The syntax is as follows:

group operations

The list of available operations is in alphabetical order except for help  and operations, which are listed last. 

Privileges Required

No special privileges are needed to use the group operations  command. 

Examples

dcecp> group operations
add catalog create delete list modify remove rename show
> help operations
dcecp>

group remove

Removes a member from a group.  The syntax is as follows:

group remove group_name_list -member member_name_list

Options

-member member_name_list
A list of one or more names of principals to be removed from each group in the argument.

The remove operation removes members from the groups identified by group_name_list.  The required member_name_list is a list of principals to remove from the groups named in group_name_list. The member_name_list can contain both local and fully qualified names.  Use fully qualified names to remove principals in foreign cells from the group. 

When a member is removed from a group, any accounts associated with that principal and group are deleted.  Remember that accounts are associated with a principal, a group, and an organization; therefore, any accounts whose principal name and group name match those given to this command are removed, but accounts for which only one name matches are untouched.  This operation returns an empty string on success. 

Privileges Required

You must have r (read) and M (Member_list) permissions on the target groups and r (read) permission on the member to be removed. 

Examples

dcecp> group remove users -member chopin
dcecp>

group rename

This operation changes the name of a specified group.  The syntax is as follows:

group rename group_name -to new_group_name

Options

-to new_group_name
Specifies the new name of the group.

See Arguments for a description of group names.

The rename operation changes the name of a specified group. The argument is a single name of a group to be renamed. The operation takes a required -to option with the value of the new name. The value may not be a list. This operation returns an empty string on success.

Privileges Required

You must have r (read) and n (name) permissions to the specified groups.

Examples

dcecp> group rename users4 -to users_temporary
dcecp> 

group show

Returns registry information for the specified groups.  The syntax is as follows:

group show group_name_list [-all | -xattrs]

Options

-xattrs
Returns ERAs instead of the default attributes.

-all
Returns ERAs in addition to the default attributes.

The show operation returns an attribute list for the specified groups. The argument is a list of names of groups to be operated on. If more than one group is given, the attributes are concatenated. Use the -xattrs option to return ERAs instead of the standard attributes. Use -all to return both types of attributes.

Privileges Required

You must have r (read) permission to the specified groups. 

Examples

dcecp> group show users_temporary
{alias no}
{gid 5211}
{uuid 0000145b-9362-21cd-a601-0000c08adf56}
{inprojlist no}
{fullname {temporary users}}
dcecp>  

Related Information

Commands: dcecp(8dce), account(8dce), organization(8dce), principal(8dce), registry(8dce), xattrschema(8dce).

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026