organization(1m)organization(1m)NAME
organization - A dcecp object that manages an organization in the DCE
Security Service
SYNOPSIS
organization add organization_name_list -member member_name_list
organization catalog [cell_name] [-simplename]
organization create organization_name_list {-attribute
extended_rgy_attr_list | -attribute value}
organization delete organization_name_list
organization help [operation | -verbose]
organization list organization_name_list [-simplename]
organization modify organization_name_list {-add extended_rgy_attr_list
| -remove extended_rgy_attr_list [-types] | -change
extended_rgy_attr_list | -attribute value}
organization operations
organization remove organization_name_list -member member_name_list
organization rename organization_name -to new_organization_name
organization show organization_name_list [-all | [-policies] [-xattrs]]
ARGUMENTS
The name of a cell to contact when processing the catalog operation.
The name must be a fully qualified cell name, such as /.: or
/.../cell_name The name of the organization operation for which to dis‐
play help information. The name of a single organization to act on.
See organization_name_list for the name format. A list of one or more
names of organizations to act on. Supply the names as follows: Fully
qualified names in the form: /.../cell_name/organization_name,
/.:/organization_name, or organization_name@cell_name. Cell-relative
names in the form organization_name. These names refer to an organiza‐
tion in the cell identified in the _s(sec) convenience variable, or if
the _s(sec) convenience variable is not set, in the local host's
default cell.
Do not mix fully qualified names and cell-relative names in a list. In
addition, do not use the names of registry database objects that con‐
tain organization information; in other words, do not use names that
begin with /.:/sec/org/.
DESCRIPTION
The organization object represents registry organizations. Unless oth‐
erwise noted, all organization operations take the names of the organi‐
zations to act on as an argument.
When this command executes, it attempts to bind to the registry server
identified in the _s(sec) variable. If that server cannot process the
request or if the _s(sec) variable is not set, the command binds to
either an available slave server or the master registry server, depend‐
ing on the operation. Upon completion the command sets the _b(sec)
convenience variable to the name of the registry server to which it
bound.
ATTRIBUTES
The organization object supports two kinds of attributes: organization
and policy. Organization attributes consist of the organization's
name, Universal Unique Identifier (UUID), and organization identifier.
Organization attributes may or may not have default values. They
assume a default value or a value set by administrators. Policy
attributes regulate such things as account and password lifetimes for
all accounts associated with a particular organization. If you do not
set these attributes, they default to the value set for the registry as
a whole with the registry modify command. Note that if a policy
attribute value set for the registry as a whole is stricter than the
value you set for an organization, the registry wide value is used.
Organization Attributes
Used with the create operation to specify the organization identifier
for the organization. If this attribute is not set when an organiza‐
tion is created, an organization identifier is assigned automatically.
Do not specify the -orgid attribute when creating two or more organiza‐
tions with the same command. If you do, the second create operation
will fail, since the organization identifier is already in use after
the first is created. However, the alias and orgid attributes can be
specified to create several aliases for an existing organization with
one command.
Used with the create operation to specify the organization's UUID, a
unique internal identifier. Use the UUID attribute only to adopt an
orphaned UUID. Normally the UUID for a new organization is generated
by the registry. In cases where data exists tagged with a UUID of an
organization that has been deleted from the registry, use the create
operation to specify the old UUID for a new organization. The UUID
specified must be an orphan, that is, a UUID for which no name exists
in the registry. An error occurs if you specify a UUID that is already
defined in the registry. Used with the create and modify operations to
specify the organization's full name, a name used for information pur‐
poses only. The full name typically describes or expands a primary
name to allow easy recognition by users. For example, an organization
could have a primary name of abc and a full name of Advanced Binary
Corporation. The value is a string. If it contains spaces, it is dis‐
played in quotation marks, on entry, must be enclosed in quotation
marks or braces. The fullname attribute defaults to the null string
(that is, blank). Indicates whether the organization object is
reserved or not. The default is no. This attribute may not be set or
modified by the user.
Policy Attributes
Since organization policy attributes do not exist on an organization
unless explicitly defined, they have no default values. The organiza‐
tion policy attributes are as follows: Defines the lifespan of
accounts. Specify the time by using the Distributed Time Service (DTS)
relative time format ([-]dd-hh:mm:ss) or the string unlimited. Defines
whether passwords can consist entirely of alphanumeric characters. Its
value is either yes or no. Defines a date on which a password expires.
Specify the date by using an ISO-compliant time format such as CC-MM-
DD-hh:mm:ss or the string none, which specifies that the password not
expire. Defines the lifespan of passwords. Specify the time by using
the DTS-relative time format ([-]DD-hh:mm:ss) or the string unlimited.
Defines the minimum number of characters in a password. Its value is a
positive integer or the integer 0, which means there is no minimum
length. Defines whether or not passwords can consist entirely of spa‐
ces. Its value is either yes or no.
See the OSF DCE Administration Guide for more information about organi‐
zation and policy attributes.
OPERATIONS
organization add
Adds members to a security organization. The syntax is as follows:
organization add organization_name_list -member member_name_list
Options Specifies a list of one or more names of principals to be added
to each organization in the argument.
The add operation adds members to an organization. The argument is a
list of names of organizations to be added to. The member_name_list
argument of the required -member option is a list of names of princi‐
pals to be added to each organization in the argument. If the princi‐
pals do not exist, the command returns an error. This operation
returns an empty string on success.
Privileges Required
You must have r (read) and M (Member_list) permissions on the target
organization and r (read) permission on the principal being added.
Examples
dcecp> organization add managers -member W_White dcecp>
organization catalog
Returns a list of the names of all organizations in the registry. The
syntax is as follows: organization catalog [cell_name] [-simplename]
Options Returns a list of organization names in the registry without
prepending the cell name.
The catalog operation returns a list of the names of all organizations
in the local registry in lexical order. Use the cell_name argument to
return a list of organizations in another cell's registry. By default,
fully qualified names are returned in the form cellname/organiza‐
tion_name. Use the -simplename option to return them in the form
organization_name.
Privileges Required
You must have r (read) permission to the /.:/sec/org directory.
Examples
dcecp> organization catalog /.../my_cell.goodcompany.com/none
/.../my_cell.goodcompany.com/users /.../my_cell.goodcompany.com/man‐
agers dcecp>
dcecp> organization catalog -simplename none users managers dcecp>
organization create
Creates a new organization in the registry database. The syntax is as
follows: organization create organization_name_list {-attribute
extended_rgy_attr_list | -attribute value}
Options As an alternative to using the -attribute option with an
attribute list, you can specify individual attribute options by
prepending a hyphen (-) to any attributes listed in the ATTRIBUTES sec‐
tion of this reference page. You cannot use this format to specify
ERAs; it is only for the standard attributes described in ATTRIBUTES.
Allows you to specify attributes, including ERAs, by using an attribute
list rather than individual attribute options. The format of an
attribute list is as follows: {{extended_rgy_attr_list
value}...{extended_rgy_attr_list value}}
See the OSF DCE Administration Guide for more information on ERAs.
The create operation creates a new organization. The argument is a
list of names of organizations to be created. Options specify the
attributes of the newly created organization. All options are applied
to all organizations in the argument list. This operation returns an
empty string on success.
Privileges Required
You must have i (insert) permission to the directory in which the orga‐
nization is to be created.
Examples
dcecp> organization create temps -fullname "Temporary Employees" dcecp>
dcecp> organization create temps -attribute {fullname "Temporary
Employees"} dcecp>
dcecp> organization create temps@gumby_cell dcecp>
organization delete
Deletes organizations from the registry. The syntax is as follows:
organization delete organization_name_list
The delete operation deletes organizations from the registry. The
argument is a list of names of organizations to be deleted. If a named
organization does not exist, an error is generated. This operation
returns an empty string on success.
This operation also deletes any accounts associated with organizations
that are deleted. To preserve accounts, add desired principals to a
different organization by using the organization add -member command.
Modify the principals' accounts to point to the new organization by
using the account modify command. Then you can delete the organization
by using the organization delete command.
Privileges Required
You must have d (delete) permission to the directory in which the tar‐
get organization exists. You must have r (read) and D (Delete_object)
permissions on the organization to be deleted.
Examples
dcecp> organization delete temps dcecp>
organization help
Returns help information about the organization object and its opera‐
tions. The syntax is as follows: organization help [operation | -ver‐
bose]
Options Displays information about the organization object.
Used without an argument or option, the organization help command
returns brief information about each organization operation. The
optional operation argument is the name of an operation about which you
want detailed information. Alternatively, you can use the -verbose
option for more detailed information about the organization object
itself.
Privileges Required
No special privileges are needed to use the organization help command.
Examples
dcecp> organization help add Adds a member to the named
organization. catalog Returns a list of all the names of
organizations. create Creates an organization in the reg‐
istry. delete Deletes an organization from the registry.
list Returns a list of all the members of an organiza‐
tion. modify Changes the information about an organiza‐
tion. remove Removes a member from the named organiza‐
tion. rename Renames the specified organization. show
Returns the attributes of an organization. help Prints
a summary of command-line options. operations Returns a list
of the valid operations for this command. dcecp>
organization list
Returns a list of the names of all members of an organization. The
syntax is as follows: organization list organization_name_list [-sim‐
plename]
Options Returns a list of member names in the organization without
prepending the cell name.
The list operation returns a list of the names of all members of an
organization. The argument is a list of names of organizations. By
default, fully qualified names are returned in the form cellname/mem‐
ber_name. If the -simplename option is given, the cell name is not
prepended to the member names. Names are returned in lexical order.
Privileges Required
You must have r (read) permission to the organization.
Examples
dcecp> organization list managers /.../my_cell.goodcompany.com/W_Ward
/.../my_cell.goodcompany.com/L_Jones /.../my_cell.goodcom‐
pany.com/S_Preska /.../my_cell.goodcompany.com/S_Rohrer
/.../my_cell.goodcompany.com/J_Wanders dcecp>
dcecp> organization list {managers users} /.../my_cell.goodcom‐
pany.com/W_Ward /.../my_cell.goodcompany.com/L_Jones /.../my_cell.good‐
company.com/S_Preska /.../my_cell.goodcompany.com/S_Rohrer
/.../my_cell.goodcompany.com/J_Wanders /.../my_cell.goodcom‐
pany.com/W_Ross /.../my_cell.goodcompany.com/J_Severance
/.../my_cell.goodcompany.com/J_Hunter /.../my_cell.goodcom‐
pany.com/B_Carr /.../my_cell.goodcompany.com/E_Vliet /.../my_cell.good‐
company.com/J_Egan /.../my_cell.goodcompany.com/F_Willis dcecp>
organization modify
Changes attributes and policies of organizations. The syntax is as
follows: organization modify organization_name_list {-add
extended_rgy_attr_list | -remove extended_rgy_attr_list [-types] |
-change extended_rgy_attr_list | -attribute value}
Options As an alternative to using the -add, -change, or -remove
options with attribute lists, you can specify individual attribute
options by prepending a hyphen (-) to any attributes listed in the
ATTRIBUTES section of this reference page. You cannot use this format
to specify ERAs; it is only for the standard attributes described in
ATTRIBUTES. Allows you to modify attributes, including ERAs, by using
an attribute list rather than individual attribute options. The format
of an attribute list is as follows: {{extended_rgy_attr_list
value}...{extended_rgy_attr_list value}}
Allows you to modify attributes, including ERAs, by using an attribute
list rather than individual attribute options. See the -add option for
the attribute list format. Allows you to modify attributes, including
ERAs, by using an attribute list rather than individual attribute
options. See the -add option for the attribute list format.
Without the -types option, -remove deletes individual attribute
instances attached to the group. In this case, extended_rgy_attr_list
is a list of attribute-value pairs. With the -types option, -remove
deletes attribute types (and all instances of that type) attached to
the group. In this case, extended_rgy_attr_list is a list of attribute
types. Used with the -remove option to remove attribute types (and all
instances of that type) attached to the group. See the OSF DCE Admin‐
istration Guide for more information about ERAs.
The modify operation changes attributes and policies of organizations.
(To change registrywide policies, use the registry command.)
The argument is a list of names of organizations to be operated on.
All modifications are applied to all organizations named in the argu‐
ment. Organizations are modified in the order they are listed and all
modifications to an individual organization are atomic. Modifications
to multiple organizations are not atomic. A failure for any one orga‐
nization generates an error and cancels the rest of the operation.
This operation returns an empty string on success.
The -change option can modify the value of any standard attribute
except for orgid and uuid.
Privileges Required
You must have r (read) permission on the organization to be modified
and f (full_name) permission to change the organization's fullname
and/or m (mgmt_info) permission to change the organization's managment
information.
Examples
dcecp> organization modify temps -acctlife 180-00:00:00 \ > -pwdalpha
yes -pwdlife 30-00:00:00 \ > -pwdexpdate 1995-12-31-23:59:59 -pwdspaces
yes dcecp>
dcecp> organization modify temps -add {test_era 101} dcecp>
dcecp> organization show temps -all {name temps} {fullname {}} {orgid
12} {uuid 0000000c-03d5-21cf-9802-08000985b5a6} {reserved no} {test_era
101} {acctlife +180-00:00:00.000I-----} {pwdalpha yes} {pwdexpdate
1995-12-31-23:59:59.000+00:00I-----} {pwdlife +30-00:00:00.000I-----}
{pwdminlen 0} {pwdspaces yes} dcecp>
organization operations
Returns a list of the operations supported by the organization object.
The syntax is as follows: organization operations
The list of available operations is in alphabetical order except for
help and operations, which are listed last.
Privileges Required
No special privileges are needed to use the organization operations
command.
Examples
dcecp> organization operations add catalog create delete list modify
remove rename show help operations dcecp>
organization remove
Removes a member from an organization. The syntax is as follows: orga‐
nization remove organization_name_list -member member_name_list
Options Specifies a list of one or more names of principals to be
removed from each organization in the argument.
The remove operation removes members from an organization. The argu‐
ment is a list of names of organizations from which to remove members.
The value of the required -member option is a list of names of princi‐
pals to remove from the organizations listed in the argument. When a
member is removed from an organization, any accounts associated with
that principal and group are deleted. Remember that accounts are asso‐
ciated with a principal, a group, and an organization; therefore, any
accounts whose principal name and organization name match those given
to this command are removed, but accounts for which only one name
matches are untouched. This operation returns an empty string on suc‐
cess.
Privileges Required
You must have r (read) and M (Member_list) permissions on the target
organizations and r (read) permission on the member to be removed.
Examples
dcecp> organization remove managers -member J_Wanders dcecp>
organization rename
This operation changes the name of a specified organization. The syn‐
tax is as follows: organization rename organization_name -to new_orga‐
nization_name
Options Specifies the new name of the organization.
See ARGUMENTS for a description of organization names.
The rename operation changes the name of a specified organization. The
argument is a single name of an organization to be renamed. The
required -to option specifies the new name, which cannot be a list.
This operation returns an empty string on success.
Privileges Required
You must have r (read) and n (name) permission to the specified organi‐
zations.
Examples
dcecp> organization list rigel /.../my_cell.goodcompany.com/H_Lewis
/.../my_cell.goodcompany.com/R_Mathews /.../my_cell.goodcom‐
pany.com/K_Doe /.../my_cell.goodcompany.com/W_Ross /.../my_cell.good‐
company.com/W_Williams /.../my_cell.goodcompany.com/D_White dcecp>
dcecp> organization rename rigel -to sirus dcecp>
dcecp> organization list rigel Error: Registry object not found dcecp>
dcecp> organization list sirus /.../my_cell.goodcompany.com/H_Lewis
/.../my_cell.goodcompany.com/R_Mathews /.../my_cell.goodcom‐
pany.com/K_Doe /.../my_cell.goodcompany.com/W_Ross /.../my_cell.good‐
company.com/W_Williams /.../my_cell.goodcompany.com/D_White dcecp>
organization show
Returns registry information for the specified organizations. The syn‐
tax is as follows: organization show organization_name_list [-all |
[-policies] [-xattrs]]
Options Returns only the polices of the organization, with no other
attributes. Returns only the ERAs of the organization, with no other
attributes. Return the attributes followed by the policies and ERAs.
The show operation returns an attribute list describing the specified
organizations. The argument is a list of names of organizations to be
operated on. If more than one organization is given, the attributes
are concatenated together.
Attributes are returned in the following order: fullname, orgid, uuid.
Policies are returned in the following order: acctlife, pwdalpha, pwd‐
expdate, pwdlife, pwdminlen, and pwdspaces. If the organization does
not have any policies, then nopolicy is returned.
The policy set for an organization and the policy set for the registry
as a whole may differ. If this is the case, show displays both poli‐
cies and tags the registry policy with the label ``effective.'' The
actual policy in effect is the stricter of the two displayed policies,
regardless of the effective label.
Privileges Required
You must have r (read) permission on the specified organizations.
Examples
dcecp> organization show temps {name temps} {fullname {Temporary
Employees}} {orgid 103} {uuid 00000067-9402-21cd-a602-0000c08adf56}
{reserved no} dcecp>
dcecp> organization show temps -policies {acctlife
+180-00:00:00.000I-----} {pwdalpha yes} {pwdexpdate
1995-12-31-23:59:59.000+00:00I-----} {pwdlife +30-00:00:00.000I-----}
{pwdminlen 0} {pwdspaces yes} dcecp>
dcecp> organization show planets -policies {acctlife 30 days} {pwdalpha
no} {pwdexpdate none} {pwdlife 4 effective 5 days} {pwdminlen 6}
{pwdspaces no} dcecp>
dcecp> organization show temps -all {name temps} {fullname {Temporary
Employees}} {orgid 103} {uuid 00000067-9402-21cd-a602-0000c08adf56}
{reserved no} {acctlife +180-00:00:00.000I-----} {pwdalpha yes} {pwdex‐
pdate 1995-12-31-23:59:59.000+00:00I-----} {pwdlife
+30-00:00:00.000I-----} {pwdminlen 0} {pwdspaces yes} dcecp>
RELATED INFORMATION
Commands: dcecp(1m), dcecp_account(1m), dcecp_group(1m), dcecp_princi‐
pal(1m), dcecp_registry(1m), dcecp_xattrschema(1m).
organization(1m)
