VMS Help  —  DCE  DCE_SECURITY, Admin Intro, rgy_edit
 NAME
   rgy_edit - Edits the registry database

 SYNOPSIS

   rgy_edit [[[-a | -p | -g | -o] [-s name] [-up[date]]
   [-v [-f] [name | -un[ix__number]] [-nq]] | -l]

 OPTIONS
   The following options are supplied when rgy_edit  is invoked. You can
   specify only one of the options -a, -p, -g, and -o.  If you specify
   the -l option, you can specify no other options.

   -a (default)
             Edits or views accounts.

   -p        Edits or views principals.

   -g        Edits or views groups.

   -o        Edits or views organizations.

   -s        Binds to the registry site specified by name.  The name
             variable is either the fully qualified name of the cell
             that contains the registry to which you want access, or
             the fully qualified name of a specific registry server.

   -up[date] Binds to a read-write registry site in the cell specified
             by the -s option.

   -v        Views the registry entry specified by name or unix_number.
             If no entry is specified, all entries are viewed.

   -f        Displays in full the entry (or entries) selected by the -v
             option.  The full entry includes all fields except the
             membership list and organization policy.

   -nq       Specifies that delete operations will not be queried.  The
             default is to prompt the user for verification when a delete
             operation is requested.

   -l        Edits or views entries in local registry.

 NOTES
   With the exception of the following subcommands, this command is
   replaced at Revision 1.1 by the dcecp command.  This command may be
   fully replaced by the dcecp command in a future release of DCE, and
   may no longer be supported at that time.

     +  defaults

     +  domain

     +  scope

     +  help

     +  quit

     +  exit

     +  delete

     +  purge

     +  view

 DESCRIPTION

 The rgy_edit tool views and edits information in the registry database.
 You can invoke rgy_edit from any node.

 You can edit and view principals, groups, organization, accounts, and
 policies in the network registry (the default) or perform a subset of
 those functions on the local registry (using the -l option). Changes
 made by rgy_edit apply only to the registry. They do not apply to the
 local override file or the local password and group files, both of
 which can be edited manually. You can view and change only those
 registry objects to which you are granted the appropriate permissions.

 INVOKING RGY_EDIT

 When you invoke rgy_edit, it displays the following prompt:

      rgy_edit=>

 At this prompt, you can enter any of the rgy_edit subcommands, and
 rgy_edit will prompt you for the required information.  Alternatively,
 you can enter the subcommand followed by all the options required to
 perform a specific operation. The rgy_edit command may prompt you for
 any required information you do not enter.

 SUBCOMMANDS

 In the rgy_edit subcommands that follow, use two double quotation
 marks with nothing in between to indicate a null fullname, password,
 misc, homedir, or shell. Use double quotation marks to embed spaces,
 or hyphens in fullname, misc, and homedir if you specify the argument
 on the command line.

1  –  pgo_commands

   PRINCIPAL, GROUP, AND ORGANIZATION SUBCOMMANDS

   Whether name applies to a principal, group, or organization depends
   on the domain in which you run rgy_edit.  Use the do[main]
   subcommand (described in Miscellaneous Commands) to change domains.

1.1  –  view

 v[iew] [name] [-f] [-m] [-po] Views registry entries.

 The -f option displays entries in full (all fields except the
 membership list and organization policy).

 If you are viewing groups or organizations, -m displays the
 membership list.  For principals, -m lists all groups of which
 the principal is a member, including groups that cannot appear
 in a project list.

 If you are viewing organizations, -po displays policy information.
 If you do not enter the -po option, rgy_edit shows only the
 organization's name and the UNIX number.

1.2  –  add

 a[dd] [principal_name [unix_number] [-f fullname] [-al] [-q quota]]
 a[dd] [group_name  [unix_number] [-f fullname [-nl]]] [-al] ls
 a[dd] [organization_name [unix_number] [-f fullname]]

 Create a new name entry.

 If you do not specify principal_name, group_name, or organization
 name, the add subcommand prompts you for each field in the entry.
 If you are adding organizations, the command prompts you for policy
 information as well. If you specify only principal_name, group_name,
 or organization_name and no other arguments, the object's fullname
 defaults to "" (that is, blank), the object's UNIX number is
 assigned automatically, and the object's creation quota defaults to
 unlimited.

 Use the -al option to create an alias for an existing principal or
 group.  No two principals or groups can have the same UNIX number,
 but a principal or group and all its aliases share the same UNIX
 number.  The -al option creates an alias name for a principal or
 group and assigns the alias name the same UNIX number as the
 principal or group.

 The -q option specifies the principal's object creation quota, the
 total number of registry objects that can be created by the
 principal.  If you do not specify this option, the object creation
 quota defaults to unlimited.  For groups, the -nl option indicates
 that the group is not to be included on project lists; omitting
 this option allows the group to appear on project lists.

1.3  –  change

 c[hange] [principal_name [-n name] [-f fullname] [-al | -pr]
          [-q quota]]
 c[hange] [group_name [-n name] [-f fullname] [-nl | -l] ]
          [-al | -pr]
 c[hange] [organization_name [-n name] [-f fullname]]

 Changes a principal, group, or organization.

 Specify the entry to change with principal_name, group_name, or
 organization_name. If you do not specify a principal_name,
 group_name, or organization_name, the change subcommand prompts
 you for a name.  If you do not specify any fields, the subcommand
 prompts you for each field in succession.  To leave a field
 unchanged, press <RETURN> at the prompt.  If you are changing
 organization entries in the interactive mode, the subcommand
 prompts you for policy information as well.

 Use -n name and -f fullname, to specify a new primary name or
 fullname, respectively.

 For principals and groups, the -al option changes a primary name
 into an alias, and the -pr option changes an alias into a primary
 name.  This change can be made only from the command line, not in
 the interactive mode.  The -q option specifies the total number of
 registry objects that can be created by the principal.

 For group entries, the -nl option disallows the group from
 appearing in project lists, while the -l option allows the group
 to appear in project lists.

 For organization entries, you can change policy information only in
 the interactive mode.

 Changes to a principal name are reflected in membership lists that
 contain the principal name. For example, if the principal ludwig is
 a member of the group composers and the principal name is changed
 to louis, the membership list for composers is automatically
 changed to include louis but not ludwig.

 For reserved names, you can change only fullname.

1.4  –  member

 m[ember] [group_name | organization_name [-a member_list]
          [-r member_list] ]

 Edits the membership list for a group or organization.

 If you do not specify a group or organization, the member subcommand
 prompts you for names to add or remove.

 To add names or aliases to a membership list, use the -a option
 followed by the names separated by commas. To delete names from a
 membership list, use the -r option followed by the names separated
 by commas.  If you do not include either the -a or -r option on the
 command line, rgy_edit prompts you for names to add or remove.

 Removing names from the membership list for a group or organization
 has the side effect of deleting the login account for removed member
 (and, of course, eliminating any permissions granted as a result of
 the membership the next time the member's ticket-granting ticket is
 renewed).

1.5  –  delete

 del[ete] name

 Deletes a registry entry.

 If you delete a principal, rgy_edit deletes the principal's
 account.If you delete a group or organization, rgy_edit deletes
 any accounts associated with the group or organization.  You
 cannot delete reserved principals.

1.6  –  adopt

 adopt uuid principal_name [-u unix_number] [ -f fullname] [-q quota]
 adopt uuid group_name [-f fullname] [-nl]
 adopt uuid organization_name [-f fullname]

 Creates a principal, group, or organization for the specified UUID.

 The principal, group, or organization is created to adopt an orphan
 object.  Orphans are registry objects that cannot be accessed
 because 1) they are owned by UUIDs that are not associated with a
 principal or group and 2) no other principal, group, or organiza-
 tion has access rights to the orphaned object.  UUIDs are associ-
 ated with all registry objects when the object is created.  When
 the registry object is deleted, the association between the object
 and the UUID is also deleted.

 The principal_name, group_name, or organization_name you specify
 must be unique in the registry as it must be when you create a
 principal, group, or organization using the add subcommand. Except
 for the manner in which it is created, the principal, group, or
 organization created by the adopt subcommand is no different from
 any other principal, group, or organization.  The uuid option
 specifies the UUID number to be assigned to the principal, group,or
 organization. The UUID supplied must be the one that owns the
 orphaned object. Specify the uuid in RPC print string format as 8
 hexadecimal digits, a hyphen; 4 hexadecimal digits, a hyphen; 4
 hexadecimal digits, a hyphen; 4 hexadecimal digits, a hyphen;
 and 12 hexadecimal digits.  The format follows:

               nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn

 For cell principals only, the -u option specifies the UNIX number to
 be associated with the cell name.  If you do not enter this option,
 the next sequential UNIX number is supplied as a default. For all
 principals other than cells, the UNIX number is extracted from
 information embedded in the principal's UUID and cannot be
 specified here.

 For principals, the -q option specifies the principal's object
 creation quota.  If you do not enter the option, the object
 creation quota is set to "unlimited."

 For groups, the -nl option turns off the project list inclusion
 property so that groups are not included in project lists.  If you
 do not enter this option, the group is included in project lists.

 For principals, groups, and organizations, the -f option supplies
 the object's fullname.  If you do not enter the -f option, fullname
 defaults to blank.

 An error occurs if you specify a name or UNIX number that is
 already  defined within the same domain of the database.

 Note that in the current implementation of the DCE, UNIX numbers
 are embedded in UUID numbers. If you try to create a group or
 organization to adopt an orphaned object and fail, it could be
 because the embedded UNIX number is invalid because it does not
 fall within the range of valid UNIX numbers set for the cell as
 a registry property.  If this is the case, you must reset the
 range of valid UNIX numbers to include the UNIX number embedded
 in the UUID and then try again to adopt the object.

2  –  account_commands

   ACCOUNT SUBCOMMANDS

2.1  –  view

 v[iew] [pname [gname [oname]]] [-f]

   Displays login accounts.

   Without the -f option, view displays only the user fields in each
   account entry. These fields include each account's

     +  Principal, group, and organization name

     +  Encrypted password

     +  Miscellaneous information

     +  Home directory

     +  Login shell

   With -f, view displays the full entry, including the adminis-
   trative fields as well as the user fields.  Administrative
   information includes:

     +  Who created the account

     +  When the account was created

     +  Who last changed the account

     +  When the account was last changed

     +  When the account expires

     +  Whether the account is valid

     +  Whether the account principal's password is valid

     +  When the account principal's password was last changed

2.2  –  add

 a[dd] [pname [-g gname -o oname -mp password {-rp | -pw password}
       [-m misc] [-h homedir] [-s shell]
       [-pnv | -pv] [-x account_exp | none] [-anv | -av]
       [ [-ena[ble] option | -dis[able] option]...]
       [-gs date_and_time] [-mcr lifespan] [-mcl lifespan]]]

 Creates a login account.

 If you enter the subcommand only or the subcommand and the optional
 pname argument (principal name), rgy_edit prompts you for all
 information.  If you enter the subcommand, the pname argument, and
 the gname (group name) argument or the the pname, gname and oname
 (organization name) arguments, you must also enter the -mp, and -pw
 or -rp options.  All other options are optional.

 The pname argument specifies the principal for whom the account
 should be created. The -g and -o options specify the account's group
 and organization.  If the principal specified in pname is not
 already a member of the specified group and organization, rgy_edit
 automatically attempts to add the principal to the membership lists.
 If you do not have the appropriate permissions for the group and
 organization, the attempt will fail and the account will not be
 created.

 The -rp option generates a random password for the account. The
 primary use of this option is to create passwords for accounts that
 will not be logged into (since the random password can never be
 supplied.) The -pw option is used to supply a password for the
 account on the command line.

 If you use the -rp option or the -pw option, you must also use the
 -mp option to supply your password so your identity can be
 validated.

 If you do  not specify the -rp option or the -pw option, rgy_edit
 prompts for the account's password twice to ensure you did not make
 a typing mistake. Then it prompts for your password to verify your
 identity.

 If the user's password management policy allows the selection of
 generated passwords, specifying "*" as the argument to the -pw
 option or at the account's password prompt automatically generates
 a plaintext password.

 If the user's password management policy requires the selection of
 generated passwords, specifying the -pw option is an error.
 rgy_edit displays a generated password and then prompts for the
 password for confirmation.  The format of password must adhere to
 the policy of the associated organization or the policy of the
 registry as a whole, whichever is more restrictive.

 The information supplied with the -m option is used to create the
 GECOS field for the account in the /etc/passwd file [on UNIX].

 The -h option specifies the pathname of the principal's home
 directory.  The default homedir is /. The -s option specifies the
 pathname of the principal's login shell.  The default shell is a
 null string.

 The -pnv (password not valid) option specifies that the password
 has expired. Generally, users must change their passwords when the
 passwords expire. However, the policy to handle expired passwords
 and the mechanism by which users change their passwords are defined
 for each platform, usually through the login facility.  The -pv
 option indicates the password is not expired (the default).

 The -x option sets an expiration date for the account in
 yy/mm/dd/hh/mm/ss format. The default is "none," meaning that
 the password will never expire.

 The -anv (account not valid) option specifies that the account is
 not currently valid for login. The -av option indicates the account
 is currently valid (the default).

 The -enable and -disable options set or clear the following options:

  +  The c[lient] option, if enabled, allows the principal to act as
     a client and log in, acquire tickets, and be authenticated.  If
     you disable client, the principal cannot act as a client.  The
     default is enabled.

  +  The s[erver] option, if enabled, allows the principal to act as
     a server and engage in authenticated communication.  If you
     disable server, the principal cannot act as a server that
     engages in authenticated communication. The default is enabled.

  +  The po[stdated] option, if enabled, allows tickets with a start
     time some time in the future to be issued to the account's
     principal. The default is disabled.

  +  The f[orwardable] option, if enabled, allows a new ticket-
     granting ticket with a network address that differs from the
     present ticket-granting ticket address to be issued to the
     account's principal.  The default is enabled.

  +  The pr[oxiable] option, if enabled, allows a new ticket with a
     different network address than the present ticket to be issued
     to the account's principal.   The default is disabled.

  +  The T[GT_authentication] option, if enabled, specifies that
     tickets issued to the account's principal can use the ticket-
     granting-ticket authentication mechanism.  The default is
     enabled.

  +  The r[enewable] option turns on the Kerberos V5 renewable
     ticket feature. This feature is not currently used by the DCE;
     any use of this option is unsupported at the present time.

  +  The dup[_session_key] option allows tickets issued to the
     account's principal to have duplicate keys.  The default is
     disabled.

 The -gs (good since date) is the date and time the account was last
 known to be valid. When accounts are created, this date is set to
 the account creation time.  If you change the good since date, any
 tickets issued before the changed date are invalid.  Enter the date
 in yy/mm/dd.hh:mm format.

 The -mcr (maximum certificate renewable) option is the number of
 hours before a session with the principal's identity expires and
 the principal must log in again to reauthenticate. The default
 is 4 weeks.

 The -mcl (maximum certificate lifetime) option is the number of
 hours before the Authentication Service must renew a principal's
 service certificates.  This is handled automatically and requires
 no action on the part of the principal. The default is 1 day.

2.3  –  change

 c[hange] [-p pname] [-g gname] [-o oname]
          [-np pname] [-ng gname] [-no oname]
          [{-rp | -pw password} -mp password]
          [-m misc] [-h homedir] [-s shell]
          [-pnv | -pv] [-x account_exp | none] [-anv | -av]
          [[-ena[ble] option | -dis[able] option]...]
          [-gs date_and_time] [-mcr lifespan] [-mcl lifespan]

 Changes an account.

 The -p, -g, and -o options identify the account to change. The -np,
 -ng, and -no options change the account's, principal, group, and
 organization, respectively.

 If you do not specify all three -p, -g, and -o options, wildcard
 updates can occur.  For example, if you specify only the -g option,
 the changes affect all accounts that are associated with the named
 group.  Note that you cannot use wildcarding to change passwords.
 To change a password, you must enter the -p, -g, and -o options.

 All other options have the same meaning as described in the add
 command for accounts.  Note that the -rp option can be used to
 change the random passwords of the reserved accounts created by
 sec_create_db when the registry database is created.

2.4  –  delete

 del[ete] -p pname [-g gname] [-o oname]

 Deletes the specified account.

 Enter the -p option to delete the specified principal's account.
 Enter the -g or -o option to delete accounts associated with the
 specified group or organization.  If you enter the -g or -o option,
 rgy_edit prompts individually for whether to delete each account
 associated with the group or organization.

2.5  –  cell

 ce[ll] cellname [-ul unix_num] [-uf unix_num] [-gl gname]
                 [-ol oname] [-gf gname] [-of oname] [-mp passwd]
                 [-fa name] [-fp passwd] [-q quota]
                 [-x account_expiration_date | none]

 Creates a cross-cell authentication account in the local and
 foreign cells.

 This account allows local principals to access objects in the
 foreign cell as authenticated users and vice versa. The admin-
 istrator in the foreign cell must have also set up a standard
 account, whose ID and password the administrator of the foreign
 cell must supply to you.

 The cellname variable specifies the full pathname of the foreign
 cell with which you will establish the cross-cell authentication
 account. This name is stripped of the path qualifier and prefixed
 with "krbtgt." The resulting name is used as the primary name for
 the cross-cell authentication account.  For example, if you enter
  /.../dresden.com, the principal name is krbtgt/dresden.com.

 The -ul option specifies the UNIX number for the local cell's
 principal.  The -uf option specifies the UNIX number for the
 foreign cell's principal.  If you do not specify these UNIX
 numbers, they are generated automatically.

 The -gl and -ol options specify the local account's group and
 organization.  The -gf and -of options specify the foreign
 account's group and organization.

 The -mp option specifies the password of the person who invoked
 rgy_edit.

 The -fa option specifies the name identifying the account in the
 foreign cell, and the -fp option specifies the account's password.

 The -q option specifies the total number of objects that can be
 created in your cell's registry by all foreign users who use the
 cross-cell authentication account to access your cell.  The object
 creation quota defaults to 0 (zero), meaning that principals in the
 foreign cell cannot create objects in the local cell. The object
 creation quota set for your cell's account in the foreign cell
 places the same restriction on the number of objects that your
 cell's principals can create in the foreign cell's registry.

 The -x option specifies the account expiration date for both the
 local and foreign accounts. The default for this option is "none."

 Note that the object creation quota for the local account defaults
 to 0 (zero), meaning that principals in the foreign cell cannot
 create objects in the local cell. You can change this with the
 rgy_edit change subcommand.

3  –  key_management_commands

 KEY MANAGEMENT SUBCOMMANDS

 The key management subcommands must be run in command-line mode.

3.1  –  ktadd

 kta[dd] -p principal_name [-pw password] [-a[uto]] [-r[egistry]]
                           [-f key-file]

 Creates a password for a server or machine in the keytab file on
 the local node.

 The -p option specifies the name of the server or machine principal
 for which you are creating a password.

 The -pw option lets you supply the password on the command line. If
 you do not enter this option or the -auto option, ktadd prompts for
 the password.

 The -a option generates the password randomly.  If you use this
 option, you must also use the -r option.  If you do not specify
 the -auto or the -pw option, you are prompted for a password.

 The -r option updates the principal's password in the registry to
 match the string you enter (or automatically generate) for the
 password in the keytab file.  Use it to ensure that the principal's
 password in the registry and the keytab file are in synch when you
 change a principal's password in the keytab file.  To use this
 option, a password for the principal must exist in the default
 keytab file or the keytab file named by the -f option.

 The -f option specifies the name of the server keytab file on the
 local node to which you are adding the password. If you do not
 specify a keytab file name, dce$local:[krb5]v5srvtab.; is used.
 Note that you must be privileged to add entries in the default
 keytab file.

3.2  –  ktlist

 ktl[ist] [-p principal_name] [-f keyfile]

 Displays principal names and password version numbers in the local
 keytab file.

 The -p option specifies the name of the server or machine principal
 for which you are displaying passwords.

 The -f option specifies the name of the server keytab file on the
 local node for which you want to display entries. If you do not
 specify a keytab file name, dce$local:[krb5]v5srvtab.; is used.

3.3  –  ktdelete

 ktd[elete] -p principal_name -v version_number [-f keyfile]

 Deletes a sever or machine principal's password entry from a keytab
 file.

 The -p option specifies the name of the server or machine principal
 for whom you are deleting a password entry.

 The -v option specifies the version number of the password you want
 to delete.  Version numbers are assigned to a principal's password
 whenever the principal's password is changed.  This allows any
 servers or machines still using tickets granted under the old pass-
 word to run without interruption until the ticket expires naturally.

 The -f option specifies the name of the server keytab file on the
 local node from which you want to delete passwords. If you do not
 specify a keytab file name, dce$local:[krb5]v5srvtab.; is used.
 Note that you must be privileged to delete entries in the default
 keytab file.  You must have the appropriate access rights to
 delete entries in other keytab files.

4  –  miscellaneous_commands

 Miscellaneous Commands

4.1  –  domain

 do[main] [p | g | o | a]

 Changes or displays the type of registry information being viewed
 or edited.

 You can specify p for principals, g for groups, o for
 organizations, or a for accounts. If you supply no argument,
 rgy_edit displays the current domain.

4.2  –  site

 si[te] [[name]] [-u[pdate]]

 Changes or displays the registry site being viewed or edited.

 The name variable is the fully qualified name of the cell that
 contains the registry to which you want access. If you supply no
 argument, rgy_edit displays the current site.

 The -update option indicates you want to talk to an update site in
 the specified cell.

4.3  –  properties

 prop[erties] Changes or displays registry properties.

 This command prompts you for changes. Press <Return> to leave
 information unchanged.

4.4  –  policy

 po[licy] [organization_name] [-al lifespan | forever]
          [-pl passwd_lifespan | forever]
          [-px passwd_exp_date | none] [-pm passwd_min_length]
          [-pa | -pna] [-ps | -pns]

 Changes or displays registry standard policy or the policy for an
 organization.

 Enter organization_name to display or change policy for that
 specific organization.  If you do not enter organization_name the
 subcommand affects standard policy for the entire registry.

 The -al option determines the account's lifespan, the period during
 which accounts are valid.  After this period of time passes, the
 accounts become invalid and must be recreated.   An account's
 lifespan is also controlled by the add and change subcommands -x
 option.  If the two lifespans conflict, the shorter one is used.
 Enter the lifespan in the following in the following format:

       weekswdaysdhourshminutesm

 For example, 4 weeks and 5 days is entered as 4w5d.

 If you enter only a number and no weeks, days, or hours designation,
 the designation defaults to hours.  If you end the lifepan with a
 number and no weeks, days, or hours designation, the number with no
 designation defaults to seconds.  For example, 12w30 is assumed to
 be 12 weeks thirty seconds.

 The -pl option determines the password lifespan, the period of time
 before account's password expires. Generally, users must change
 their passwords when the passwords expire. However, the policy to
 handle expired passwords and the mechanism by which users change
 their passwords are defined for each platform, usually through the
 login facility.

 Enter passwd_lifespan as a number indicating the number of days.
 If you define a password lifespan as forever, the password has an
 unlimited lifespan.

 The -px option specifies the password expiration date in
 yy/mm/dd/hh.mm:ss format. Generally, users must change their
 passwords when the passwords expire. However, the policy to
 handle expired passwords and the mechanism by which users change
 their passwords are defined for each platform, usually through
 the login facility.

 If you define a password expiration date as none, the password has
 an unlimited lifespan.

 The -pm, -ps, -pns, -pa, and -pna options all control the format of
 passwords as follows:

   +  -pm - Specifies the minimum length of passwords in characters.
      If you enter 0, no password minimum length is in effect.

   +  -ps and -pns - Specify whether passwords can contain all spaces
      (-ps) or can not be all spaces (-pns).

   +  -pa and -pna - Specify whether passwords can consist of all
      alphanumeric characters (-pn) or must include some non-
      alphanumeric characters (-pna).

4.5  –  auth_policy

 au[th_policy]

 Changes and/or displays registry authentication policies.

 This command prompts you for changes. Press <Return> to leave
 information unchanged.

4.6  –  defaults

 def[aults]

 Changes or displays the home directory, login shell, password valid
 option, account expiration date, and account valid option default
 values that rgy_edit uses.

 This command first displays the current defaults.  It then prompts
 you for whether or not you want to make changes. If you make
 changes, defaults immediately changes the defaults for the current
 session,  and it saves the new defaults in sys$login:.rgy_editrc.
 The newly saved defaults are used until you change them.

4.7  –  help

 h[elp] [command

 Displays usage information for rgy_edit.

 If you do not specify a particular command, rgy_edit lists the
 available commands.

4.8  –  quit

 q[uit]

 Exit rgy_edit.

4.9  –  exit

 e[xit]

 Exit rgy_edit.

4.10  –  login

 l[ogin]

 Lets you establish a new network identity for use during the
 rgy_edit session.

 The rgy_edit login command prompts for a principal name and
 password.

4.11  –  scope

 sc[ope] [name]

 Limits the scope of the information displayed by the view
 subcommand to the directory (specified by name) in the registry
 database.

5  –  local_registry_commands

 Commands for the Local Registry

 To edit or view the local registry, invoke rgy_edit with the -l option
 while you are logged into the machine whose local registry you want to
 maintain.  This section lists the commands that are valid for editing
 or viewing the local registry.  When you invoke rgy_edit with the -l
 option, only the subcommands and options listed here can be used.

5.1  –  view

 v[iew]

 Displays local registry entries.

5.2  –  delete

 del[ete] principal_name

 Deletes the account and credential information for principal_name
 from the local registry.

5.3  –  purge

 pu[rge]

 Purges expired local registry entries.

 This command has no options or arguments.

 The time limit, or lifespan, for which an entry in the local
 registry is valid is set as a property of the local registry
 with the properties subcommand.  When the purge subcommand is
 run, it deletes all expired entries.  The lifespan begins when
 an entry for the principal is added to the local registry (that
 is, the beginning of the lifespan is the last time the principal
 logged in to the local machine.) The lifespan ends after the time
 limit set as a local registry property.

5.4  –  properties

 pr[operties]

 Changes and/or displays local registry properties and policies.

 This command displays the current properties and then prompts for
 whether you want to make changes to them.  You can change the local
 registry's:

  +  Capacity - A number representing the total number of entries
     the local registry can contain at any one time. When the
     capacity is reached, subsequent new entries overwrite the
     oldest entries.

  +  Account lifespan - The time in which an account in the local
     registry is valid in the following format:

         weekswdaysdhourshminutesm

     For example, 4 weeks and 5 days is entered as 4w5d.  If you
     enter only a number and no weeks, days, or hours designation,
     the designation defaults to hours.  If you end the lifepan
     with a number and no weeks, days, or hours designation, the
     number with no designation defaults to seconds.  For example,
     12w30 is assumed to be 12 weeks thirty seconds.
Close Help