To give normal DCE users the ability to create and manage their own groups, an admin id can create a group CDS container and give the user the ability to administer it. For example, from a privileged DCE id, dcecp -c group create users/haeckel/admin This creates a dummy group, whose purpose is to create the users/haeckel container and to keep it around. This users/haeckel container will be the container under which the user will have the ability to create his own groups. We have to create this dummy admin group in order to create the container. CDS doesn't give us an explicit "create a container" command, we have to create some object (admin) under a non-existing container (users/haeckel) in order to create the container. Also, we don't want to give the user the ability to delete the admin group 'cause the container goes away when the last group goes away. To give the user his permissions, the privileged DCE id does dcecp -c acl modify /.:/sec/group/users/haeckel -add user:haeckel:rcidDn dcecp -c acl modify /.:/sec/group/users/haeckel -add user:haeckel:rcidDn -ic and dcecp -c acl modify /.:/sec/group/users/haeckel -add user:haeckel:rctDnfmM -io =================================================================================== From the user's perspective, he now can dcecp -c group create users/haeckel/aix dcecp -c group add users/haeckel/aix -member jasper or -member {jasper dale rsosa jyusem} dcecp -c group list users/haeckel/aix Then dcecp -c acl modify /.:/fs/users/haeckel -add group:users/haeckel/aix:r-x--- or whatever.