ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvdetermineobjowner.htm
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Determine object ownership" />
<meta name="abstract" content="Every object on the system has an owner. The owner has *ALL authority to the object by default." />
<meta name="description" content="Every object on the system has an owner. The owner has *ALL authority to the object by default." />
<meta name="DC.Relation" scheme="URI" content="rzamvplanappsec.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvgrpownobj.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="determineobjowner" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Determine object ownership</title>
</head>
<body id="determineobjowner"><a name="determineobjowner"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Determine object ownership</h1>
<div><p>Every object on the system has an owner. The owner has *ALL authority to the object by default.</p>
<p><span class="uicontrol">Object Ownership</span></p>
<p>Each object is assigned an owner when it is created. The owner is either the user who creates the object or the group profile if the member user profile has specified that the group profile should be the owner of the object. When the object is created, the owner is given all the object and data authorities to the object.</p>
<p>The owner of an object always has all the authority for the object unless any or all authority is removed specifically. As an object owner, you may choose to remove some specific authority as a precautionary measure. For example, if a file exists that contains critical information, you may remove your object existence authority to prevent yourself from accidentally deleting the file. However, as object owner, you can grant any object authority to yourself at any time.</p>
<p>Ownership of an object can be transferred from one user to another. Ownership can be transferred to an individual user profile or a group profile. A group profile can own objects whether or not the group has members.</p>
<div class="p">When changing an object's owner, you have the option to keep or revoke the former owner's authority. A user with *ALLOBJ authority can transfer ownership, as can any user who has all of the following:<ul><li>Object existence authority for the object, except for an authorization list</li>
<li>Ownership of the object, if the object is an authorization list</li>
<li>Add authority for the new owner's user profile</li>
<li>Delete authority for the present owner's user profile</li>
</ul>
You cannot delete a profile that owns objects. Ownership of the objects must be transferred to a new owner, or the objects must be deleted, before the profile can be deleted. The <span class="cmdname">Delete User Profile (DLTUSRPRF)</span> command allows you to handle owned objects when you delete the profile.</div>
<p>Object ownership is used as a management tool by the system. The owner profile for an object contains a list of all users who have private authority to the object. This information is used to build displays for editing or viewing object authority.</p>
<p>Profiles that own many objects with many private authorities can become very large. The size of a profile that owns many objects affects performance when displaying and working with the authority to objects it owns, and when saving or restoring profiles. System operations can also be impacted. To prevent impacts to either performance or system operations, do not assign objects to only one owner profile for your entire system. Each application and the application objects should be owned by a separate profile. Also, IBM-supplied user profiles should not own user data or objects. The owner of an object also needs sufficient storage for the object.</p>
<div class="p"><span class="uicontrol">Default Owner (QDFTOWN) User Profile:</span> The Default Owner (QDFTOWN) user profile is an IBM-supplied user profile that is used when an object has no owner or when object ownership might pose a security exposure. There are several situations that cause ownership of an object to be assigned to the QDFTOWN profile:<ul><li>If an owning profile becomes damaged and is deleted, its objects no longer have an owner. Using the <span class="cmdname">Reclaim Storage (RCLSTG)</span> command assigns ownership of these objects to the default owner (QDFTOWN) user profile.</li>
<li>If an object is restored and the owner profile does not exist.</li>
<li>If a program that needs to be created again is restored, but the program creation is not successful.</li>
<li>If the maximum storage limit is exceeded for the user profile that owns an authority holder that has the same name as a file being moved, renamed, or whose library is being renamed.</li>
</ul>
The system supplies the QDFTOWN user profile because all objects must have an owner. When the system is shipped, only a user with *ALLOBJ special authority can display and access this user profile and transfer ownership of objects associated with the QDFTOWN user profile. You can grant other users authority to the QDFTOWN profile. The QDFTOWN user profile is intended for system use only. You should not design your security such that QDFTOWN normally owns objects.</div>
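<p>The ownership transfer, profile deletion and QDFTOWN situations described above, as an added CL example that is not part of the IBM topic; the profile names OLDPGMR and APPOWNER, the library APPLIB and the file CUSTMAST are assumed placeholders.</p>

```cl
/* Added example, not from the IBM page. OLDPGMR, APPOWNER, APPLIB and   */
/* CUSTMAST are assumed names; replace them with your own.               */

/* 1. Audit first: list every object the profile owns before changing    */
/*    anything. Large owned-object lists are the performance concern     */
/*    the topic warns about.                                             */
DSPUSRPRF  USRPRF(OLDPGMR) TYPE(*OBJOWN) OUTPUT(*PRINT)

/* 2. Transfer a single object. CUROWNAUT(*REVOKE) removes the former    */
/*    owner's private authority; CUROWNAUT(*SAME) would keep it, which   */
/*    silently leaves the old owner with *ALL.                           */
CHGOBJOWN  OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) NEWOWN(APPOWNER) +
           CUROWNAUT(*REVOKE)

/* 3. Delete a profile that still owns objects. DLTUSRPRF fails with     */
/*    the default OWNOBJOPT(*NODLT) while objects remain; *CHGOWN moves  */
/*    them to APPOWNER, *DLT would delete them instead.                  */
DLTUSRPRF  USRPRF(OLDPGMR) OWNOBJOPT(*CHGOWN APPOWNER)

/* 4. Periodic check: QDFTOWN should own nothing in normal operation.    */
/*    Anything listed here lost its owner (damaged profile, restore      */
/*    without the owner, failed program re-creation) and needs to be     */
/*    reassigned with CHGOBJOWN as in step 2.                            */
DSPUSRPRF  USRPRF(QDFTOWN) TYPE(*OBJOWN) OUTPUT(*PRINT)
```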
<p><span class="uicontrol">Changing application ownership</span></p>
<p>If your programmer or application provider has created a special profile to own the application libraries and objects, consider using that profile, even if it does not match your naming conventions. Transferring ownership of objects can take a long time and should be avoided. If one of the IBM-supplied group profiles, such as QSECOFR or QPGMR, owns the application, you should transfer ownership to another profile after you install the application. Sometimes programmers design applications to prevent changes in object ownership. Try to work within the restrictions and still meet your own requirements for managing security. However, if an IBM-supplied profile, such as QSECOFR, owns the application, you and your programmer or application provider need to develop a plan to change ownership. Ideally, you should change ownership before you install the application.</p>
<p><span class="uicontrol">Changing public authority</span></p>
<p>When you save objects, you also save their public authority with them. When you restore an application library to your system, the library and all its objects will have the same public authorities they had when they were saved. This is true even if you saved the library on another system. The CRTAUT value for a library does not affect objects that are restored. They are restored with their saved public authority, regardless of the CRTAUT for the library. You should change the public authority of libraries and objects to match your plan on the Library description form.</p>
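<p>Resetting public authority after restoring an application library, as an added CL example that is not part of the IBM topic; APPLIB and CUSTMAST are assumed names, and *USE on the library with *EXCLUDE on its contents is one plan, not the only one.</p>

```cl
/* Added example, not from the IBM page. APPLIB and CUSTMAST are assumed */
/* names; the chosen authorities stand in for your own library plan.     */

/* 1. Restore brought back the saved *PUBLIC authority, and the CRTAUT   */
/*    of APPLIB was ignored for restored objects, so look at what        */
/*    actually arrived before trusting it.                               */
DSPOBJAUT  OBJ(APPLIB) OBJTYPE(*LIB)
DSPOBJAUT  OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE)

/* 2. Set *PUBLIC on the library object itself. *USE lets users locate   */
/*    objects in the library without adding to or deleting from it.      */
GRTOBJAUT  OBJ(APPLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*USE) +
           REPLACE(*YES)

/* 3. Set *PUBLIC on every object in the library to match the plan;      */
/*    AUT(*EXCLUDE) replaces whatever public authority was saved.        */
GRTOBJAUT  OBJ(APPLIB/*ALL) OBJTYPE(*ALL) USER(*PUBLIC) AUT(*EXCLUDE)

/* 4. Set CRTAUT so objects created in APPLIB later default to the same  */
/*    public authority. This affects new objects only, not the ones      */
/*    restored above.                                                    */
CHGLIB     LIB(APPLIB) CRTAUT(*EXCLUDE)
```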
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzamvgrpownobj.htm">Group ownership of objects</a></strong><br />
This topic discusses security differences when an object is owned by a group, not an individual.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplanappsec.htm" title="This topic provides an overview for creating an application security plan for your company.">Plan application security</a></div>
</div>
</div>
</body>
</html>