Using edrgy to Add and Maintain Groups and Organizations

Groups and organizations make up the second and third parts, respectively, of the subject identifier that identifies accounts. A group or organization must be in place before it can be used in a subject identifier.

2.7.1 Group Passwords in the SysV Environment

Each group can have a password. The password is relevant in a SysV environment only.

In the SysVenvironment, if a group has been assigned a password, a user who is not a member of the group can acquire its privileges by invoking the newgrp command and entering that password. Many sites opt not to assign passwords to groups. Note that you can also assign passwords to organizations, but the acquisition of privileges does not apply to organization passwords.

2.7.2 Project Lists

As in the BSD environment, the registry allows a person to be associated with not just one group, but a set of groups, called a project list. The project list consists of all the groups in which the person named in the account is a member. The person has the access rights that accrue from membership in every group in the project list. For example, if group A can access file X and group B can access file Y, then persons with groups A and B on their project list can access files X and Y, regardless of which account they log in on.

Access Rights and Aliases

Persons accrue project list access rights only from the groups associated with the name or alias that they log in with. They do not accrue rights from all their names and aliases.

For example, assume a person named gustav is a member of groups A and B. Under the alias gus, gustav is also a member of groups C and D. When the person gustav logs in, he accrues access rights from groups A and B only. He accrues access rights from groups C and D only when he logs in with the alias gus.

Prohibiting Inclusion on Project Lists

When you add groups, using the edrgy command, you can set a project list inclusion property that controls whether individual groups will be included in project lists. (Project lists do not apply to organizations.) You may decide to prohibit some groups from inclusion on the list. In Domain/OS, for example, the reserved group locksmith, which has access rights similar to root, is prohibited from inclusion on any project lists. Or, for example, if you are auditing access to certain files, you may want to prohibit the groups with access to those files from project lists in order to force a login with the audited accounts before users can access the files.

NOTE: To use project lists in Domain/OS, you must set the PROJLIST environment variable to true. (By default, PROJLIST is set to true automatically if your SYSTYPE is bsd4.3. See Using Your Aegis Environment, Using Your BSD Environment, or Using Your SysV Environment for more information about environment variables.)

Creating and Maintaining Accounts 2-11

2.7.3 Adding Groups and Organizations

Use the edrgy command to add groups and organizations. Either invoke the command in the appropriate domain (edrgy -g for groups or edrgy -0 for organizations) or, if the command has been invoked, change to the appropriate domain (by entering do group for groups or do org for organizations). Once the group or organization is added, you can again use the edrgy command to add members as described in Section 2.9.

2.7.4 Example - Adding a Group

The following example shows edrgy used to add a group named symphonists. The example assumes you are in the group domain.

edrgy=> add

add group=> Enter name: symphonists Enter UNIX number: 3332

Enter ~ull name in quote'Sl Full name and password Enter new password: . J t - - - - are skipped with <return>

Include group on PROJLIST [yin]? (y) y

- , <Return> allows ownership to Enter owner [po g. 0]: (%. rgy_admin.%) -.J default to %.rgy.admln. % edrgy=>

2.7.5 Example - Adding an Organization

The following example is a continuation of the previous example. It first changes the domain to organization and then adds the organization named classic.

edrgy=> do org

J

Domain changed to: org ~---Domain changed to organization edrgy=> add

add org=> Enter name: classic Password Is skipped

Enter UNIX number: 3333 with a <return>

Enter full name in quotes: "classic composers"

I

Enter new passwor~t---~·

Enter owner [p.g.o]: (%.rgy_admin.%):J...----<Return> allows ownership to default

edrgy=> to %.rgy.admln. %

2.7.6 Changing Groups

You can change any of the information entered when a group or organization was created (primary name, full name, UNIX ID, and owner). In addition, for groups you can change whether or not the group can appear in project lists, and for organizations you can change policy. (See Chapter 3 for details on setting and changing organization policy.)

The following example shows the use of the edrgy change command to change the project list inclusion property from y (will appear in project lists) to n (will not appear in project lists). The example assumes you are in the group domain.

edrgy=> change

change group=> Enter name: symphonlsts

J---

Enter new UNIX number: (78) <Return> leaves the

Infor-Enter new name: (symphonists) }

Enter new full name in quotes: (classic composers) matlon unchanged (as Enter new owner [p.g.o]: (%.rgy_admin.%) shown In parentheses) Enter new password:

Include group on PROJLIST [yin]? (y) n

J ...

edrgy=> the change command from y to n

2.7.7 Deleting Groups and Organizations

If you delete a group or organization, you will also automatically delete any accounts that use the group or organization. For example, if you delete the group symphonists, you will also automatically delete the accounts composers.symphonists. baroque and

musicians. symphonists. classic. The following example shows the edrgy command used to delete the group symphonists and then the organization classic.

edrgy=> do group ~ Domain changed to group Domain changed to: group1

---edrgy=> delete symphonlsts

Warning: any accounts for this group (%.symphonists.%) will also be deleted.

Please confirm delete of primary name "symphonists" [yin]: (n) ~"" _ _ _

"'I

edrgy=> do org

Domain changed to: o r g l . - -Domain cha':1ged Entering a y edrgy=> delete classic ~ to organization confirms the

deletion Warning: any accounts for this org (%.%.classic) will also be de-

I

leted.

Please confirm delete of primary name "classic" [Yin]: (n)

!J....---'

edrgy=>