friedkiwi/ibm-information-center
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
14ed2849c6
ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvgrpownobj.htm

65 lines
7.3 KiB
HTML
Raw Normal View History

Add readme and dist folders
2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Group ownership of objects" />
<meta name="abstract" content="This topic discusses security differences when an object is owned by a group, not an individual." />
<meta name="description" content="This topic discusses security differences when an object is owned by a group, not an individual." />
<meta name="DC.Relation" scheme="URI" content="rzamvdetermineobjowner.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="grpownobj" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Group ownership of objects</title>
</head>
<body id="grpownobj"><a name="grpownobj"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Group ownership of objects</h1>
<div><p>This topic discusses security differences when an object is owned by a group, not an individual.</p>
<p><span class="uicontrol">Group Ownership of Objects:</span> When an object is created, the system looks at the profile of the user creating the object to determine object ownership. If the user is a member of a group profile, the OWNER field in the user profile specifies whether the user or the group should own the new object.</p>
<p>If the group owns the object, OWNER is *GRPPRF, the user creating the object is not automatically given any specific authority to the object. The user gets authority to the object through the group. If the user owns the object, OWNER is *USRPRF, the groups authority to the object is determined by the GRPAUT field in the user profile.</p>
<p>The group authority type, GRPAUTTYP field in the user profile determines whether or not the group becomes the primary group for the object, or is given private authority to the object. If the user who owns the object changes to a different user group, the original group profile still retains authority to any objects created.</p>
<p>Even if the Owner field in a user profile is *GRPPRF, the user must still have sufficient storage to hold a new object while it is being created. After it is created, ownership is transferred to the group profile. The MAXSTG parameter in the user profile determines how much auxiliary storage a user is allowed.</p>
<div class="p">Evaluate the objects a user might create, such as query programs, when choosing between group and individual user ownership:<ul><li>If the user moves to a different department and a different user group, should the user still own the objects?</li>
<li>Is it important to know who creates objects? The object authority displays show the object owner, not the user who created the object.</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> The Display Object Description display shows the object creator.</div>
If the audit journal function is active, a Create Object (CO) entry is written to the QAUDJRN audit journal at the time an object is created. This entry identifies the creating user profile. The entry is written only if the QAUDLVL system value specifies *CREATE and the QAUDCTL system value includes *AUDLVL.</div>
<p><span class="uicontrol">Primary Group for an Object:</span> You can specify a primary group for an object. The name of the primary group profile and the primary groups authority to the object are stored with the object. Using primary group authority may provide better performance than private group authority when checking authority to an object.</p>
<p>A profile must be a group profile (have a <em>gid</em>) to be assigned as the primary group for an object. The same profile cannot be the owner of the object and its primary group. When a user creates a new object, parameters in the user profile control whether the users group is given authority to the object and the type of authority given. The Group Authority Type (GRPAUTTYP) parameter in a user profile can be used to make the users group the primary group for the object.</p>
<p>Use the <span class="cmdname">Change Object Primary Group (CHGOBJPGP)</span> command or the <span class="cmdname">Work with Objects by Primary Group (WRKOBJPGP)</span> command to specify the primary group for an object. You can change the authority the primary group has using the Edit Object Authority display or the grant and revoke authority commands.</p>
<p><span class="uicontrol">Working with Primary Group Authority</span></p>
<div class="p">To change the primary group or primary groups authority to an object, use one of the following commands: <ul><li><span class="cmdname">Change Object Primary Group (CHGOBJPGP)</span></li>
<li><span class="cmdname">Work with Objects by Primary Group (WRKOBJPGP)</span></li>
<li><span class="cmdname">Change Primary Group (CHGPGP)</span></li>
</ul>
When you change an objects primary group, you specify what authority the new primary group has. You can also revoke the old primary groups authority. If you do not revoke the old primary groups authority, it becomes a private authority. The new primary group cannot be the owner of the object. To change an objects primary group, you must have all of the following:<ul><li>*OBJEXIST authority for the object.</li>
<li>If the object is a file, library, or subsystem description, *OBJOPR and *OBJEXIST authority.</li>
<li>If the object is an authorization list, *ALLOBJ special authority or be the owner of the authorization list.</li>
<li>If revoking authority for the old primary group, *OBJMGT authority.</li>
<li>If a value other than *PRIVATE is specified, *OBJMGT authority and all the authorities being given.</li>
</ul>
</div>
<p><span class="uicontrol">Using a Referenced Object</span></p>
<p>Both the Edit Object Authority display and the <span class="cmdname">GRTOBJAUT</span> command allow you to give authority to an object (or group of objects) based on the authority of a referenced object. This is a useful tool in some situations, but you should also evaluate the use of an authorization list to meet your requirements.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvdetermineobjowner.htm" title="Every object on the system has an owner. The owner has *ALL authority to the object by default.">Determine object ownership</a></div>
</div>
</div>
</body>
</html>
Reference in New Issue Copy Permalink