group(1m)group(1m)NAMEgroup - A dcecp object that manages a group in the DCE Security Service
SYNOPSISgroup add group_name_list -member member_name_list
group catalog [cell_name] [-simplename]
group create group_name_list {-attribute extended_rgy_attr_list |
-attribute value}
group delete group_name_list
group help [operation | -verbose]
group list group_name_list [-simplename]
group modify group_name_list {-add extended_rgy_attr_list | -remove
extended_rgy_attr_list [-types] | -change extended_rgy_attr_list |
-attribute value}
group operations
group remove group_name_list -member member_name_list
group rename group_name -to new_group_name
group show group_name_list [-all | -xattrs]
ARGUMENTS
The name of a cell to contact when processing the catalog operation.
The name must be a fully qualified cell name, such as /.: or
/.../cell_name. The name of a single group to act on. See
group_name_list for the name format. A list of one or more names of
groups to act on. Supply the names as follows: Fully qualified names
in the form /.../cell_name/group_name, /.:/group_name, or
group_name@cell_name. Cell-relative names in the form group_name.
These names refer to a group in the cell identified in the _s(sec) con‐
venience variable, or if the _s(sec) convenience variable is not set,
in the local host's default cell.
Do not mix fully qualified names and cell-relative names in a list. In
addition, do not use the names of registry database objects that con‐
tain group information; in other words, do not use names that begin
with /.:/sec/group/. The name of the group operation for which to dis‐
play help information.
DESCRIPTION
The group object represents registry groups. Unless otherwise noted,
all of the operations of this object take the names of the groups to
act on as the argument. They must be group names, not the names of the
database objects that contain registry information about groups (that
is, the names must not begin with /.:/sec/group/).
When this command executes, it attempts to bind to the registry server
identified in the _s(sec) variable. If that server cannot process the
request or if the _s(sec) variable is not set, the command binds to
either an available slave server or the master registry server, depend‐
ing on the operation. Upon completion the command sets the _b(sec)
convenience variable to the name of the registry server to which it
bound.
ATTRIBUTES
Used with the create and modify operations, the value of this attribute
is either yes or no. Although each group can have only one primary
name, it can have multiple alias names. All aliases refer to the same
group, and therefore, carry the same Universal Unique Identifier (UUID)
and group identifier (GID). While aliases refer to the same group,
they are separate entries in the registry database. Therefore, the
name supplied to the group command can refer to the group's primary
name or alias name. The value of this attribute determines whether the
name is a primary name (alias no) or an alias name (alias yes). The
default is no. Used with the create operation to specify the Group
Identifier. If this attribute is not present, then an identifier is
assigned to the group automatically. Used with the create operation to
"adopt" an orphaned UUID. Normally the UUID for a new group is gener‐
ated by the registry. In cases where data exists tagged with the UUID
of a group that has been deleted from the registry, this attribute can
be used with the create operation to specify the old UUID for a new
group. The UUID specified must be an orphan, that is, a UUID for which
no name exists in the registry. An error occurs if you specify a UUID
that is already defined in the registry. If this attribute is not
present, a UUID is assigned to the group automatically. Used with the
create and modify operations to specify the full name of the group to
be added to the registry. The value is a string with spaces enclosed
in quotation marks or braces. The fullname attribute defaults to a
null string (that is, blank). Used with the create and modify opera‐
tions to include the group in the principal's project list. The value
for this option is either yes or no. If it is no, then members of this
group do not acquire the access rights of this group. The default is
yes. Indicates whether the group object is reserved or not. The
default is no. This attribute may not be set or modified by the user.
See the OSF DCE Administration Guide for more information about group
attributes.
OPERATIONSgroup add
Adds members to a security group. The syntax is as follows: group add
group_name_list -member member_name_list
Options A list of one or more names of principals to be added to each
group in the argument.
The add operation adds members to groups identified by group_name_list.
The required member_name_list is a list of principal names to be added.
If the principals named in group_name_list do not exist, the command
returns an error. This operation returns an empty string on success.
Privileges Required
You must have r (read) and M (Member_list) permissions on the target
group and r (read) and g (groups) permissions on the principal being
added.
Examples
dcecp> group add users -member chopin dcecp>
group catalog
Returns a list of the names of all groups in the registry. The syntax
is as follows: group catalog [cell_name] [-simplename]
Options Returns a list of group names in the registry without prepend‐
ing the cell name.
The catalog operation returns a list of the names of all groups in the
local registry database. Use the cell_name argument to return a list of
groups in another cell's registry. By default, fully qualified names
are returned in the form cell_name/group_name. Use the -simplename
option to return the names without the cell name in the form
group_name.
Privileges Required
You must have r (read) permission to the /.:/sec/group directory.
Examples
dcecp> group cat /.../my_cell.goodcompany.com/nogroup
/.../my_cell.goodcompany.com/system /.../my_cell.goodcompany.com/daemon
/.../my_cell.goodcompany.com/uucp /.../my_cell.goodcompany.com/bin
/.../my_cell.goodcompany.com/kmem /.../my_cell.goodcompany.com/mail
/.../my_cell.goodcompany.com/tty /.../my_cell.goodcompany.com/none
/.../my_cell.goodcompany.com/tcb /.../my_cell.goodcompany.com/acct-
admin /.../my_cell.goodcompany.com/subsys/dce/sec-admin
/.../my_cell.goodcompany.com/subsys/dce/cds-admin /.../my_cell.goodcom‐
pany.com/subsys/dce/dts-admin /.../my_cell.goodcompany.com/sub‐
sys/dce/cds-server /.../my_cell.goodcompany.com/subsys/dce/dts-servers
/.../my_cell.goodcompany.com/users dcecp>
dcecp> group cat -simplename nogroup system daemon uucp bin kmem mail
tty none tcb acct-admin subsys/dce/sec-admin subsys/dce/cds-admin sub‐
sys/dce/dts-admin subsys/dce/cds-server subsys/dce/dts-servers sub‐
sys/dce/audit-admin subsys/dce/dced-admin dcecp>
group create
Creates a new group in the registry database. The syntax is as fol‐
lows: group create group_name_list {-attribute extended_rgy_attr_list |
-attribute value}
Options As an alternative to using the -attribute option with an
attribute list, you can specify individual attribute options by
prepending a hyphen (-) to any attributes listed in the ATTRIBUTES sec‐
tion of this reference page. You cannot use this format to specify
ERAs; it is only for the standard attributes described in ATTRIBUTES.
Allows you to specify attributes, including ERAs, by using an attribute
list rather than individual attribute options. The format of an
attribute list is as follows: {{extended_rgy_attr_list
value}...{extended_rgy_attr_list value}}
See the OSF DCE Administration Guide for more information on ERAs.
The create operation creates a new group in the registry database. The
argument is a list of names of groups to be created. Options are used
to specify the attributes of the newly created group. All options are
applied to all groups in the argument. This operation returns an empty
string on success.
Privileges Required
You must have i (insert) permission to the directory in which the group
is to be created.
Examples
dcecp> group create users4 -attribute {fullname "temporary users"}
dcecp>
dcecp> group create jimbo@gumby_cell dcecp>
group delete
Deletes groups from the registry. The syntax is as follows: group
delete group_name_list
The delete operation deletes groups from the registry. When a group is
deleted, any accounts associated with the group are deleted as well.
The argument is a list of names of groups to be deleted. If a named
group does not exist, an error is generated. This operation returns an
empty string on success.
This operation also deletes any accounts associated with groups that
are deleted. To preserve accounts, add the desired principals to a
different group by using the group add -member command. Modify the
principals' accounts to point to the new group by using the account
modify command. Then you can delete the group by using the group
delete command.
Privileges Required
You must have d (delete) permission to the directory in which the tar‐
get group exists. You must have r (read) and D (Delete_object) permis‐
sion on the group to be deleted.
Examples
dcecp> group delete users4 dcecp>
group help
Returns help information about the group object and its operations.
The syntax is as follows: group help [operation | -verbose]
Options Displays information about the group object.
Used without an argument or option, the group help command returns
brief information about each group operation. The optional operation
argument is the name of an operation about which you want detailed
information. Alternatively, you can use the -verbose option for more
detailed information about the group object itself.
Privileges Required
No special privileges are needed to use the group help command.
Examples
dcecp> group help add Adds a member to the named group.
catalog Returns a list of all the names of groups in the
registry. create Creates a group. delete
Deletes a group. list Returns all of the members of a
group. modify Changes the information about a group.
remove Removes a specified member from the named group.
rename Renames the specified group. show
Returns the attributes of a group. help Prints a sum‐
mary of command-line options. operations Returns a list of
the valid operations for this command. dcecp>
group list
Returns a list of the names of all members of a group. The syntax is
as follows: group list group_name_list [-simplename]
Options Returns the list of group names in the registry without
prepending the cell name.
The list operation returns a list of the names of all members of a
group. The argument is a list of names of groups to be operated on.
If more than one group is listed, the names are concatenated on output.
By default, fully qualified names are returned in the form cell‐
name/membername. Use the -simplename option to return them without
prepending the cell name to the member name. The members of each group
are listed in lexical order.
Privileges Required
You must have r (read) permission to the /.:/sec/group directory.
Examples
dcecp> group list none /.../my_cell.goodcompany.com/dce-ptgt
/.../my_cell.goodcompany.com/dce-rgy /.../my_cell.goodcom‐
pany.com/krbtgt/my_cell.goodcompany.com /.../my_cell.goodcom‐
pany.com/cell_admin /.../my_cell.goodcompany.com/hosts/pmin17/self
dcecp>
group modify
Changes attributes of groups. The syntax is as follows: group modify
group_name_list {-add extended_rgy_attr_list | -remove
extended_rgy_attr_list [-types] | -change extended_rgy_attr_list |
-attribute value}
Options As an alternative to using the -add, -change, or -remove
options with attribute lists, you can specify individual attribute
options by prepending a hyphen (-) to any attributes listed in the
ATTRIBUTES section of this reference page. You cannot use this format
to specify ERAs; it is only for the standard attributes described in
ATTRIBUTES. Allows you to modify attributes, including ERAs, by using
an attribute list rather than individual attribute options. The format
of an attribute list is as follows: {{extended_rgy_attr_list
value}...{extended_rgy_attr_list value}}
Allows you to modify attributes, including ERAs, by using an attribute
list rather than individual attribute options. See the -add option for
the attribute list format. Allows you to modify attributes, including
ERAs, by using an attribute list rather than individual attribute
options. See the -add option for the attribute list format.
Without the -types option, -remove deletes individual attribute
instances attached to the group. In this case, extended_rgy_attr_list
is a list of attribute-value pairs. With the -types option, -remove
deletes attribute types (and all instances of that type) attached to
the group. In this case, extended_rgy_attr_list is a list of attribute
types. Used with the -remove option to remove attribute types (and all
instances of that type) attached to the group. See the OSF DCE Admin‐
istration Guide for more information about ERAs.
The modify operation changes attributes of groups. The argument is a
list of names of groups to be operated on. All modifications are
applied to all groups named in the argument. Groups are modified in
the order they are listed, and all modifications to an individual group
are atomic. Modifications to multiple groups are not atomic. A fail‐
ure for any one group in a list generates an error and cancels the rest
of the operation. This operation returns an empty string on success.
The -change option can modify the value of any standard attribute
except for gid and uuid.
Privileges Required
You must have r (read) permission to the group to be modified and f
(full_name) permission to modify the group's full name and/or m
(mgmt_info) permission to modify the group's management information.
Examples
dcecp> group modify users3 -change {fullname "General Nursing Staff"}
dcecp>
dcecp> group show users3 {name users3} {fullname {General Nursing
Staff}} {gid 5212} {uuid 0000145c-9363-21cd-a601-0000c08adf56} {alias
no} {reserved no} {inprojlist no} dcecp>
dcecp> group modify users3 -add {test_era 101} dcecp>
dcecp> group show users3 -all {name users3} {fullname {General Nursing
Staff}} {gid 5212} {uuid 0000145c-9363-21cd-a601-0000c08adf56} {alias
no} {reserved no} {inprojlist no} {test_era 101} dcecp>
group operations
Returns a list of the operations supported by the group object. The
syntax is as follows: group operations
The list of available operations is in alphabetical order except for
help and operations, which are listed last.
Privileges Required
No special privileges are needed to use the group operations command.
Examples
dcecp> group operations add catalog create delete list modify remove
rename show help operations dcecp>
group remove
Removes a member from a group. The syntax is as follows: group remove
group_name_list -member member_name_list
Options A list of one or more names of principals to be removed from
each group in the argument.
The remove operation removes members from the groups identified by
group_name_list. The required member_name_list is a list of principals
to remove from the groups named in group_name_list.
When a member is removed from a group, any accounts associated with
that principal and group are deleted. Remember that accounts are asso‐
ciated with a principal, a group, and an organization; therefore, any
accounts whose principal name and group name match those given to this
command are removed, but accounts for which only one name matches are
untouched. This operation returns an empty string on success.
Privileges Required
You must have r (read) and M (Member_list) permissions on the target
groups and r (read) permission on the member to be removed.
Examples
dcecp> group remove users -member chopin dcecp>
group rename
This operation changes the name of a specified group. The syntax is as
follows: group rename group_name -to new_group_name
Options Specifies the new name of the group.
See ARGUMENTS for a description of group names.
The rename operation changes the name of a specified group. The argu‐
ment is a single name of a group to be renamed. The operation takes a
required -to option with the value of the new name. The value may not
be a list. This operation returns an empty string on success.
Privileges Required
You must have r (read) and n (name) permissions to the specified
groups.
Examples
dcecp> group rename users4 -to users_temporary dcecp>
group show
Returns registry information for the specified groups. The syntax is
as follows: group show group_name_list [-all | -xattrs]
Options Returns ERAs instead of the default attributes. Returns ERAs
in addition to the default attributes.
The show operation returns an attribute list for the specified groups.
The argument is a list of names of groups to be operated on. If more
than one group is given, the attributes are concatenated. Use the
-xattrs option to return ERAs instead of the standard attributes. Use
-all to return both types of attributes.
Privileges Required
You must have r (read) permission to the specified groups.
Examples
dcecp> group show users_temporary {name users_temporary} {fullname
{temporary users}} {gid 5211} {uuid 0000145b-9362-21cd-
a601-0000c08adf56} {alias no} {reserved no} {inprojlist no} dcecp>
RELATED INFORMATION
Commands: dcecp(1m), dcecp_account(1m), dcecp_organization(1m),
dcecp_principal(1m), dcecp_registry(1m), dcecp_xattrschema(1m).
group(1m)
