Group ownership of objects

This topic discusses security differences when an object is owned by a group, not an individual.

Group Ownership of Objects: When an object is created, the system looks at the profile of the user creating the object to determine object ownership. If the user is a member of a group profile, the OWNER field in the user profile specifies whether the user or the group should own the new object.

If the group owns the object (OWNER is *GRPPRF), the user creating the object is not automatically given any specific authority to the object; the user gets authority to the object only through the group. If the user owns the object (OWNER is *USRPRF), the group's authority to the object is determined by the GRPAUT field in the user profile.

The group authority type (GRPAUTTYP) field in the user profile determines whether the group becomes the primary group for the object or is given private authority to the object. If the user who owns the object is later moved to a different group profile, the original group profile still retains its authority to any objects already created.

Even if the OWNER field in a user profile is *GRPPRF, the user must still have sufficient storage to hold a new object while it is being created. After it is created, ownership is transferred to the group profile. The MAXSTG parameter in the user profile determines how much auxiliary storage a user is allowed.

Evaluate the objects a user might create, such as query programs, when choosing between group and individual user ownership:

Note: The Display Object Description display shows the object creator. If the audit journal function is active, a Create Object (CO) entry is written to the QAUDJRN audit journal at the time an object is created. This entry identifies the creating user profile. The entry is written only if the QAUDLVL system value specifies *CREATE and the QAUDCTL system value includes *AUDLVL.

Primary Group for an Object: You can specify a primary group for an object. The name of the primary group profile and the primary group’s authority to the object are stored with the object. Using primary group authority may provide better performance than private group authority when checking authority to an object.

A profile must be a group profile (that is, have a group ID, or gid) to be assigned as the primary group for an object. The same profile cannot be both the owner of the object and its primary group. When a user creates a new object, parameters in the user profile control whether the user's group is given authority to the object and the type of authority given. The Group Authority Type (GRPAUTTYP) parameter in a user profile can be used to make the user's group the primary group for the object.

Use the Change Object Primary Group (CHGOBJPGP) command or the Work with Objects by Primary Group (WRKOBJPGP) command to specify the primary group for an object. You can change the authority the primary group has using the Edit Object Authority display or the grant and revoke authority commands.

Working with Primary Group Authority

To change the primary group or the primary group's authority to an object, use one of the following commands:

When you change an object's primary group, you specify what authority the new primary group has. You can also revoke the old primary group's authority. If you do not revoke the old primary group's authority, it becomes a private authority. The new primary group cannot be the owner of the object. To change an object's primary group, you must have all of the following:
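The profile parameters and commands from this topic in use, as an added example that is not part of the original text; the profile, library and object names (APPGRP, NEWGRP, DEVUSR, APPLIB, SALESQRY) and the MAXSTG value are hypothetical:

```cl
/* Added example with hypothetical names; not from the original topic.            */
/* 1. Group profile: PASSWORD(*NONE) so nobody can sign on as the group itself.    */
CRTUSRPRF USRPRF(APPGRP) PASSWORD(*NONE) TEXT('Application group profile')

/* 2a. Group-owned objects: the creator gets no private authority of its own;     */
/*     everything it can do to a new object comes through APPGRP. The creator     */
/*     still needs MAXSTG headroom while the object is built.                      */
CRTUSRPRF USRPRF(DEVUSR) GRPPRF(APPGRP) OWNER(*GRPPRF) MAXSTG(500000) +
          TEXT('Objects owned by APPGRP')

/* 2b. Alternative: user-owned objects, with the group made primary group and     */
/*     given *CHANGE. GRPAUTTYP(*PRIVATE) would give APPGRP a private authority   */
/*     instead of making it the primary group.                                     */
CHGUSRPRF USRPRF(DEVUSR) OWNER(*USRPRF) GRPAUT(*CHANGE) GRPAUTTYP(*PGP)

/* 3. Move the primary group of an existing object. RVKOLDAUT(*YES) removes the   */
/*    old primary group's authority; with *NO it would remain as a private         */
/*    authority. NEWGRP must already be a group profile and must not own the      */
/*    object.                                                                      */
CHGOBJPGP OBJ(APPLIB/SALESQRY) OBJTYPE(*PGM) NEWPGP(NEWGRP) PGPAUT(*USE) +
          RVKOLDAUT(*YES)

/* 4. Verify owner, primary group and any remaining private authorities.           */
DSPOBJAUT OBJ(APPLIB/SALESQRY) OBJTYPE(*PGM)
```

Check step 4 after any change of primary group: a leftover private authority for the old group is the usual surprise when RVKOLDAUT is left at its default.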

Using a Referenced Object

Both the Edit Object Authority display and the GRTOBJAUT command allow you to give authority to an object (or group of objects) based on the authority of a referenced object. This is a useful tool in some situations, but you should also evaluate the use of an authorization list to meet your requirements.