organization - A dcecp object that manages an organization in the DCE Security Service
organization add organization_name_list -member member_name_list
organization catalog [-simplename]
organization create organization_name_list
{-attribute attribute_list | attribute options}
organization delete organization_name_list
organization help [operation | -verbose]
organization list organization_name_list [-simplename]
organization modify organization_name_list
{[-change attribute_list | attribute options]
[-add extended_registry_attribute_list]
[-remove extended_registry_attribute_list] [-types]}
organization operations
organization remove organization_name_list -member member_name_list
organization rename organization_name -to new_organization_name
organization show organization_name_list [[-policies] | [-all] | [-xattrs]]
The organization object represents registry organizations. Organizations are collections of principal names. Unless otherwise stated, all of the operations of this object take one argument which is the name of the organization to act on. It must be an organization name, not the name of the registry database object that contains the registry information about the organization (that is, it should not begin with /.:/sec/org/).
After this command executes, the _b(sec) convenience variable is set to the name of the server that was bound to for the command. The value of the variable _s(sec) before the command is treated as a hint; the server specified will be contacted if it can service the request. A case where it can't service the request is if a read-only registry was bound to, and the next command is a create command. In this case, the master registry will be bound to automatically and the _b(sec) variable updated appropriately. The value of the variable is the name of the registry bound to in one of the formats specified as valid for the argument to the registry object.
/.../cellname/organization_name
Alternatively, they can all be cell-relative organization names as in:
organization_name
Cell-relative names refer to an organization in the cell named in the _s(sec) convenience variable or in the default cell of the local host if the _s(sec) convenience variable is not set.
Do not mix fully-qualified names and cell-relative names in a list. Also, don't accidentally use names of registry database objects that contain registry information about organizations (organization names must not begin with /.:/sec/org/).
The organization object supports two kinds of attributes. Organization attributes may or may not have default values. They assume a default value or a value set by administrators. Policy attributes regulate such things as account and password lifetimes for all accounts associated with a particular organization. Policy attributes have registrywide default values. Policy attributes always assume the most restrictive value whether it is the registrywide default value or a value set by administrators.
The organization attributes are:
The policy attributes are:
See the Transarc DCE Administration Guide for more information about attributes.
Adds members to a security organization. The syntax is:
organization add organization_name_list -member member_name_list
Option
The organization add operation adds members to an organization. The argument is a list of names of organizations to which members are to be added. The value of the required -member option is a list of names of principals to be added to each organization in the argument. The principals must exist or the command will return an error. Returns an empty string on success.
Privilege Required
You must have rM permission on the target organization and rg permissions on the principal being added.
Examples
dcecp> organization add managers -member W_Ward
dcecp>
Returns a list of the names of all organizations in the registry. The syntax is:
organization catalog [-simplename]
Option
The organization catalog operation returns a list of the names of all organizations in the registry database. By default, fully qualified names are returned in the form cellname/organization_name. If the -simplename option is given, then the cellname is not prepended to the front of the organization names. Names are returned in lexical order.
Privilege Required
You must have r permission to /.:/sec/org and any subdirectories.
Examples
dcecp> organization catalog
/.../my_cell.goodcompany.com/none
/.../my_cell.goodcompany.com/users
/.../my_cell.goodcompany.com/managers
dcecp>
dcecp> organization catalog -simplename
none
users
managers
dcecp>
Creates a new organization in the registry database. The syntax is:
organization create organization_name_list {-attribute attribute_list | attribute options}
Options
-attribute {{orgid value} {uuid hex number} \
{acctlife value} {pwdalpha string}}
The -attribute option is intended for use in scripts when you can paste in lengthy attribute lists output by previous commands. The individual attribute options might be easier to use for interactive commands.
The alternative attribute options are:
The create operation creates a new organization. The argument is a list of names of organizations to be created. Returns an empty string on success. Options are used to specify the attributes of the newly created organization. All options are applied to all organizations in the argument list.
Do not use the -orgid option when creating two or more organizations with the same command. The second create operation will fail because the orgid is already in use after the first organization is created.
The create operation supports both attribute lists (with a -attribute option) and attribute options named after each attribute and policy. If an orgid is not entered, then one will be assigned to the organization automatically. A UUID should only be specified to "adopt" an orphaned UUID. Normally the UUID for a new organization is generated by the registry. In cases where data exists tagged with a UUID of an organization that has been deleted from the registry, it can be entered on the create command line to specify the old UUID for a new organization. The UUID specified must be an orphan, i.e., a UUID for which no name exists in the registry. An error occurs if you specify a name that is already defined in the registry. The orgid attribute may not be specified if the uuid is, but the fullname attribute may be.
Privilege Required
You must have i permission to the directory in which the organization is to be created.
Examples
dcecp> organization create temps -fullname "Temporary Employees"
dcecp>
dcecp> organization create temps -attribute {fullname "Temporary Employees"}
dcecp>
dcecp> org create dce -fullname {Dist Comp Env} -orgid 101
dcecp>
dcecp> org create dce -fullname {Dist Comp Env} \
> -uuid c2aac790-dc6c-11cc-a6f8-080009251352
dcecp>
Deletes organizations from the registry. The syntax is:
organization delete organization_name_list
The organization delete operation deletes organizations from the registry. The argument is a list of names of organizations to be deleted. If a named organization does not exist an error is generated. Returns an empty string on success.
This operation also deletes any accounts associated with organizations that are deleted. To preserve accounts, add desired principals to a different organization using the organization add -member command. Modify the principals' accounts to point to the new organization using the account modify command. Now you can delete the organization using the organization delete command.
Privilege Required
You must have d permission to the directory in which the target organization exists. You must have rD permission on the organization to be deleted.
Examples
dcecp> organization delete temps
dcecp>
Returns help information about the organization object and its operations. The syntax is:
organization help [operation | -verbose]
Option
Used without an argument or option, the organization help command returns brief information about each organization operation. The optional operation argument is the name of an operation (add, catalog, create, delete, list, modify, remove, rename, or show) about which you want detailed information. Alternatively, you can use the -verbose option for more detailed information about the organization object itself.
Privilege Required
No special privileges are needed to use the organization help command.
Examples
dcecp> organization help
add         Adds a member to the named organization.
catalog     Returns a list of all the names of organizations.
create      Creates an organization in the registry.
delete      Deletes a organization from the registry.
list        Returns a list of all of the members of an organization.
modify      Changes the information about an organization.
rename      Renames the specified organization.
remove      Removes a member from the named organization.
show        Returns the attributes of an organization.
help        Print summary of command-line options and abort.
operations  Returns the valid operations for command.
dcecp>
Returns a list of the names of all members of an organization. The syntax is:
organization list organization_name_list [-simplename]
Option
The organization list operation returns a list of the names of all members of an organization. The list operation takes no arguments. By default, fully qualified names are returned in the form cellname/organizationname. If the -simplename option is given, then the cellname is not prepended to the front of the organization names. Names are returned in lexical order.
Privilege Required
You must have r permission to the organization.
Examples
dcecp> organization list managers
/.../my_cell.goodcompany.com/W_Ward
/.../my_cell.goodcompany.com/L_Jones
/.../my_cell.goodcompany.com/S_Preska
/.../my_cell.goodcompany.com/S_Rohrer
/.../my_cell.goodcompany.com/J_Wanders
/.../my_cell.goodcompany.com/K_Parsons
dcecp>
dcecp> organization list {managers users}
/.../my_cell.goodcompany.com/W_Ward
/.../my_cell.goodcompany.com/L_Jones
/.../my_cell.goodcompany.com/S_Preska
/.../my_cell.goodcompany.com/S_Rohrer
/.../my_cell.goodcompany.com/J_Wanders
/.../my_cell.goodcompany.com/W_Rosenberry
/.../my_cell.goodcompany.com/J_Severance
/.../my_cell.goodcompany.com/J_Hunter
/.../my_cell.goodcompany.com/B_Carr
/.../my_cell.goodcompany.com/E_Vliet
/.../my_cell.goodcompany.com/J_Egan
/.../my_cell.goodcompany.com/F_Willison
dcecp>
Changes attributes and policies of organizations. The syntax is:
organization modify organization_name_list
{[-change attribute_list | attribute options]
[-add extended_registry_attribute_list]
[-remove extended_registry_attribute_list] [-types]}
Options
-change {{fullname string} {acctlife relative_time} {pwdalpha string}
{pwdexpdate date}}
The -change option is intended for use in scripts when you can paste in lengthy attribute lists output by previous commands. The alternative attribute options might be easier to use for interactive commands.
Alternative attribute options you can modify are:
The organization modify operation changes attributes and policies of organizations. (To change registry-wide policies, use the registry command.)
The argument is a list of names of organizations to be operated on. All modifications are applied to all organizations named in the argument. Organizations are modified in the order they are listed and all modifications to an individual organization are atomic. Modifications to multiple organizations are not atomic. A failure for any one organization in a list causes an error to be generated and the rest of the operation to be aborted. Returns an empty string on success.
The -change option can be used to modify the value of any one of the attributes except for orgid and uuid or any extended registry attribute. The value of the -change option is an attribute list describing the new values for the specified attributes. Alternatively, you can use attribute options of the form -acctlife {relative_time | unlimited}.
Privilege Required
The permissions required depend on exactly what you are modifying. For more detailed information about permissions for registry objects, see the chapter named "Accessing Registry Objects" in the Transarc DCE Administration Guide--Core Components.
Examples
dcecp> organization modify temps -acctlife 180-00:00:00 \
> -pwdlife 30-00:00:00 -pwdexpdate 1995-12-31-23:59:59
dcecp>
Returns a list of the operations supported by the organization object. The syntax is:
organization operations
The operations operation takes no arguments, and returns a list of the available operations for the organization object. The order of the elements is alphabetical with the exception that help and operations are listed last.
Privilege Required
No special privileges are needed to use the organization operations command.
Examples
dcecp> organization operations
add catalog create delete list modify rename remove show help operations
dcecp>
Removes a member from an organization. The syntax is:
organization remove organization_name_list -member member_name_list
Option
The organization remove operation removes a member from an organization. The argument is a list of names of organizations to have members removed from. The value of the required -member option is a list of names of principals which will be removed from the organizations listed in the argument. Returns an empty string on success.
This operation also deletes accounts associated with the principals being removed. To preserve any accounts, first add desired principals to a different organization using the organization add -member command. Modify the principals' accounts to point to the new organization using the account modify command. Now you can remove the members from the organization using the organization remove command.
Privilege Required
You must have rM permission on the target organizations and r permission on the member to be removed.
Examples
dcecp> organization remove managers -member J_Wanders
dcecp>
dcecp> organization add rigel -member W_Rosenberry
dcecp> account modify W_Rosenberry -organization rigel
dcecp> account show W_Rosenberry
{acctvalid yes}
{client yes}
{created /.../my_cell.goodcompany.com/cell_admin 1994-06-30-12:39:48.000+00:00I-----}
{description {}}
{dupkey no}
{expdate none}
{forwardabletkt yes}
{goodsince 1994-06-30-12:39:48.000+00:00I-----}
{group users}
{home /}
{lastchange /.../my_cell.goodcompany.com/cell_admin 1994-06-30-12:39:48.000+00:00I-----}
{organization rigel}
{postdatedtkt no}
{proxiabletkt no}
{pwdvalid yes}
{renewabletkt yes}
{server yes}
{shell {}}
{stdtgtauth yes}
dcecp> organization remove gemini -member W_Rosenberry
dcecp>
This operation changes the name of a specified organization. The syntax is:
organization rename organization_name -to new_organization_name
Option
The organization rename operation changes the name of a specified organization. The argument is a single name of an organization to be renamed. Takes a required -to option with a value of the new name. The value may not be a list. Returns an empty string on success.
Privilege Required
You must have rf permission to the specified organizations.
Examples
dcecp> organization list rigel
/.../my_cell.goodcompany.com/H_Lichtin
/.../my_cell.goodcompany.com/R_Mathews
/.../my_cell.goodcompany.com/S_Teto
/.../my_cell.goodcompany.com/J_Shirley
/.../my_cell.goodcompany.com/K_Digan
/.../my_cell.goodcompany.com/W_Rosenberry
/.../my_cell.goodcompany.com/W_Williams
/.../my_cell.goodcompany.com/D_Weir
/.../my_cell.goodcompany.com/L_Zahn
/.../my_cell.goodcompany.com/P_Neilson
dcecp> organization rename rigel -to sirus
dcecp> organization list rigel
Error: Registry object not found
dcecp> organization list sirus
/.../my_cell.goodcompany.com/H_Lichtin
/.../my_cell.goodcompany.com/R_Mathews
/.../my_cell.goodcompany.com/S_Teto
/.../my_cell.goodcompany.com/J_Shirley
/.../my_cell.goodcompany.com/K_Digan
/.../my_cell.goodcompany.com/W_Rosenberry
/.../my_cell.goodcompany.com/W_Williams
/.../my_cell.goodcompany.com/D_Weir
/.../my_cell.goodcompany.com/L_Zahn
/.../my_cell.goodcompany.com/P_Neilson
dcecp>
Shows registry information for the specified organizations. The syntax is:
organization show organization_name_list [[-policies] | [-all] | [-xattrs]]
Options
The organization show operation returns an attribute list describing the specified organizations. The argument is a list of names of organizations to be operated on. If more than one organization is given, then the attributes are concatenated together.
Attributes are returned in the following order: fullname, orgid, uuid. Policies are returned in the following order: acctlife, pwdalpha, pwdexpdate, pwdlife, pwdminlen, and pwdspaces. If the organization does not have any policies, then nopolicies is returned.
The policies that are actually in effect can be different from the organization policies due to conflicts with registry wide policies. If this is the case, the show command will alter the attribute structure on output to include an effective tag and the effective value, much in the same way that ACLs handle masks. For example:
dcecp> org show foo -policies
{acctlife 30 days}
{pwdalpha no}
{pwdexpdate none}
{pwdlife unlimited effective 5 days}
{pwdminlen 6}
{pwdspaces no}
dcecp>
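A script that audits password and account policy has to read the value after the effective tag, not the organization's own value. The following is an added example, not part of the original reference page: the procedure name effective_policies is hypothetical, the sample list repeats the org show foo -policies output above, and the nopolicies handling assumes that word is returned on its own.

```tcl
# Added example: reduce "organization show <org> -policies" output to the
# value that is actually enforced for each policy.
# Returns a list of {policy enforced_value overridden} entries; overridden
# is 1 when a registry-wide policy replaced the organization's own value.
proc effective_policies {attrs} {
    set result {}
    foreach attr $attrs {
        set name [lindex $attr 0]
        # Assumption: an organization without policies yields the single
        # word "nopolicies", which carries no value to report.
        if {[string compare $name nopolicies] == 0} {
            continue
        }
        # Search for the "effective" tag among the words after the name.
        set tag [lsearch -exact [lrange $attr 1 end] effective]
        if {$tag >= 0} {
            # Everything after the tag is the enforced value.
            set value [lrange $attr [expr {$tag + 2}] end]
            set overridden 1
        } else {
            set value [lrange $attr 1 end]
            set overridden 0
        }
        lappend result [list $name $value $overridden]
    }
    return $result
}

# Sample input: the "org show foo -policies" output shown above.
set sample {
    {acctlife 30 days}
    {pwdalpha no}
    {pwdexpdate none}
    {pwdlife unlimited effective 5 days}
    {pwdminlen 6}
    {pwdspaces no}
}

# Inside dcecp, replace $sample with [organization show foo -policies].
foreach p [effective_policies $sample] {
    set line "[lindex $p 0]: [lindex $p 1]"
    if {[lindex $p 2]} {
        append line "  (registry-wide policy in effect)"
    }
    puts $line
}
```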
Privilege Required
You must have r permission to the specified organizations.
Examples
dcecp> organization show temps
{fullname {Temporary Employees}}
{orgid 103}
{uuid 00000067-9402-21cd-a602-0000c08adf56}
dcecp>
dcecp> organization show temps -policies
{acctlife +180-00:00:00.000I-----}
{pwdalpha yes}
{pwdexpdate 1995-12-31-23:59:59.000+00:00I-----}
{pwdlife +30-00:00:00.000I-----}
{pwdminlen 0}
{pwdspaces yes}
dcecp>
dcecp> organization show temps -all
{fullname {Temporary Employees}}
{orgid 103}
{uuid 00000067-9402-21cd-a602-0000c08adf56}
{acctlife +180-00:00:00.000I-----}
{pwdalpha yes}
{pwdexpdate 1995-12-31-23:59:59.000+00:00I-----}
{pwdlife +30-00:00:00.000I-----}
{pwdminlen 0}
{pwdspaces yes}
dcecp>
Commands: account(8dce), dcecp(8dce), group(8dce), principal(8dce), registry(8dce), rgy_edit(8sec)