Creating a New User

Each user in a DCE environment is a person with a unique identity (principal name). Each principal is a member of at least one security group and organization and has an account in the DCE Security Service registry database. Although it's not required, each principal can also have a directory in CDS.

When you create a user with the user task object, you perform several lower-level operations:

1. The user create operation creates a new principal name and adds the principal to a security group and organization. If the security group or organization does not exist when you invoke the operation, you can force their creation using the -force option. The principal attributes assume default values, but you can specify other attributes if necessary. All of the attributes are listed in the user task object reference page.

Typically, a security group's name is included in ACLs (access control lists) that regulate user access to various server and data objects in the DCE environment. A security organization maintains policies that are applied to all the principals that are members of that organization. Policies control things like the lifespan of accounts, whether or when account passwords expire, or whether passwords can contain non-alphanumeric characters. You can read more about administering principals, groups, and organizations in the topic entitled Creating and Maintaining Principals, Groups, and Organizations.

2. The user create operation creates an account for the principal and creates the user's password. The account attributes assume default values but you can specify other attributes if necessary. All of the attributes are listed in the user task object reference page.

A principal's account contains information about the principal such as group and organization names, account creation and expiration information, and information about tickets (which identify principals to resources in a DCE environment). You can read more about administering accounts in the topic entitled Creating and Maintaining Accounts.

3. Finally, the user create operation adds a directory called /.:/users/principalname to CDS. This directory can store user-specific application location information. The operation also adds an ACL entry to the default ACL which gives the user rwtci permissions on the directory. These permissions allow users to insert objects and links, but they cannot delete the directory or administer replication on the directory. Furthermore, users cannot create additional directories unless you give them w (write) access to the clearinghouse. You can read more about the purpose and use of CDS directories in the OSF DCE Administration Guide - Core Components, Managing CDS Directories. You can read more about ACLs and CDS directories in the OSF DCE Administration Guide - Core Components, Controlling Access to CDS Names.

You generally need numerous permissions to create new users in your DCE cell, so you should log into the cell administrator's account (or a similar privileged account). The user reference page lists the required permissions.

To create a new user in a DCE cell, invoke a user create operation. The following example creates a principal name P_Pestana and an account with the same name. The create operation requires your password to prevent someone else from using an unattended session to create an unauthorized account. You must also provide the -password option to specify a password for the user. The required -group and -organization options add principal P_Pestana to the named group and organization. The optional -fullname option creates a fullname to help other human users recognize the principal.

dcecp> user create P_Pestana -fullname {Patricia Pestana} -mypwd mxyzptlk \
> -password change.me -group users -organization managers
dcecp>

You can create multiple users by specifying a list of user names as an argument to the user create operation. This method has some limitations, however: all created users will have the same initial password, group name, and organization name, and you cannot specify the uid attribute, since it is unique for each user. The following example creates several users with the password change.me, the group name users, and the organization name staff:

dcecp> user create {R_Lee B_Joy N_Lynn D_Dee} -mypwd mxyzptlk \
> -password change.me -group users -organization staff
dcecp>
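When each user needs its own uid and fullname, the list form above does not apply; the following added example (not from the OSF DCE documentation) is a dcecp script that creates the users one at a time instead. It assumes dcecp's Tcl constructs (foreach, lindex, catch, the env array) are available, that user create accepts a -uid option, and that the principal names, uids and the DCE_ADMIN_PWD variable are constructed sample values.

```tcl
# Added example, not part of the DCE documentation: create several users
# one at a time so each gets its own uid and fullname.

# Administrator's own password (needed for -mypwd) is read once from an
# environment variable so it is not written into the script itself.
# Assumption: Tcl's env array is available inside dcecp.
set mypwd $env(DCE_ADMIN_PWD)

# Constructed sample batch: principal name, full name, uid.
set new_users {
    {R_Lee  "Robert Lee"   5001}
    {B_Joy  "Barbara Joy"  5002}
    {N_Lynn "Nora Lynn"    5003}
}

foreach entry $new_users {
    set name [lindex $entry 0]
    set full [lindex $entry 1]
    set uid  [lindex $entry 2]

    # Every user starts with the same placeholder password, which the
    # user must change on first login. -group and -organization are
    # required by user create; -uid is assumed to set the uid attribute.
    if {[catch {
        user create $name -fullname $full -uid $uid -mypwd $mypwd \
            -password change.me -group users -organization staff
    } err]} {
        puts stderr "user create $name failed: $err"
        continue
    }

    # Show what the registry actually recorded for the new principal.
    puts [user show $name]
}
```

Run the script as a privileged DCE administrator, since user create needs the permissions listed on the user reference page.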