
Using Task Objects to Simplify DCE Administration

Individual DCE control program objects operate on very specific pieces of information in DCE. For example, the group object operates solely on security groups in the DCE Security Service registry database. The group object enables administrators to create and delete security groups, add and remove members from security groups, rename the groups, and so on. Such precise control is necessary because it allows you to custom tailor DCE to meet very specific needs or circumstances.

While such control might be necessary when configuring a new cell or fixing some access control problem, it can overwhelm routine DCE administration tasks. As an example, let's look at the minimum steps needed to add a new user to a DCE cell:

1. Use the principal object to create a principal name for the user.

2. Use the group object to add the principal to a security group.

3. Use the organization object to add the principal to a security organization.

4. Use the account object to create an account for the principal.

5. Use the directory object to create a directory for the principal in CDS.

6. Use the acl object to give the principal access to the CDS directory.

Performing these six steps probably wouldn't pose any problems in a small cell with 15 or 20 users. But consider a larger cell, with a hundred or even a thousand or more users, and the need to automate this and other administration tasks becomes evident.

To meet this administration need, the DCE control program includes several administration task objects for performing some routine DCE administration tasks. Here, we use the term task to mean an operation that requires multiple steps, as when adding a user consists of performing six lower-level operations.

One of the task objects is the user object that you can use to add and remove user information in your DCE environment. For instance, a single invocation of the user object can perform all six of the previously mentioned steps needed to correctly add a new user to your DCE environment. You can also use this same task object to delete the user from your environment.
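The six steps listed above, written out as a dcecp procedure, show what a task object has to coordinate. This is an added example, not the user task object shipped with DCE: the procedure name `add_user_steps`, the `/.:/users` parent directory, the `rwdtcia` permission string and the rollback behaviour are assumptions made for illustration.

```tcl
# Added example (not the shipped user task object). Run inside dcecp
# as a principal allowed to modify the registry and CDS.
# Hypothetical proc: performs the six low-level steps in order and, if one
# fails, undoes the completed ones so no half-provisioned principal remains.
proc add_user_steps {name group org mypwd newpwd} {
    # Assumed location for per-user CDS directories.
    set dir /.:/users/$name

    # Each element: {command to run} {command that undoes it}.
    # Built with "list" so names containing spaces stay single arguments.
    set steps [list \
        [list [list principal create $name] \
              [list principal delete $name]] \
        [list [list group add $group -member $name] \
              [list group remove $group -member $name]] \
        [list [list organization add $org -member $name] \
              [list organization remove $org -member $name]] \
        [list [list account create $name -group $group -organization $org \
                    -mypwd $mypwd -password $newpwd] \
              [list account delete $name]] \
        [list [list directory create $dir] \
              [list directory delete $dir]] \
        [list [list acl modify $dir -add [list user $name rwdtcia]] \
              {}]]

    set undo {}
    foreach step $steps {
        set cmd [lindex $step 0]
        if {[catch {eval $cmd} msg]} {
            # Roll back in reverse order; ignore secondary failures.
            for {set i [expr {[llength $undo] - 1}]} {$i >= 0} {incr i -1} {
                catch {eval [lindex $undo $i]}
            }
            # Report only the object and operation, never the full command:
            # the account step carries both passwords as arguments.
            error "[lindex $cmd 0] [lindex $cmd 1] failed for $name: $msg"
        }
        if {[llength [lindex $step 1]] > 0} {
            lappend undo [lindex $step 1]
        }
    }
    return $name
}
```

Because both passwords are passed as arguments, call the procedure from a script readable only by the administrator rather than typing the command where it can be logged or recalled from history.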

The task objects are implemented as dcecp scripts by using the DCE control program language, which means that you can extend the scripts or change their behavior according to your needs. For instance, the default implementation of the user task object does not operate on any GDS or DFS information. If your DCE environment includes these extended services, you might want to add some GDS or DFS operations to the script. Part 1 of this guide explains how to use the DCE control program language to write and modify a dcecp task object.