Object ownership

This topic describes object ownership and its functions in the system.

Each object is assigned to an owner when it is created. The owner is either the user who creates the object or the group profile if the member user profile has specified that the group profile should be the owner of the object. When the object is created, the owner is given all the object and data authorities to the object. Assigning authority and ownership to new objects shows examples of how the system assigns ownership to new objects.

The owner of an object always has all the authorities for the object unless some or all of those authorities are specifically removed. As an object owner, you might choose to remove a specific authority as a precautionary measure, provided you do not have *ALLOBJ special authority. For example, if a file exists that contains critical information, you might remove your own object existence authority to prevent yourself from accidentally deleting the file. However, as object owner, you can grant any object authority to yourself again at any time. The owner of a newly created integrated file system object has the same object authorities for that integrated file system object as the owner of the parent directory has to the parent directory. Check the Planning and setting up system security topic to see whether the rules for object authorities apply to all file systems or only to certain ones.

Ownership of an object can be transferred from one user to another. Ownership can be transferred to an individual user profile or a group profile. A group profile can own objects whether or not the group has members.

Note: Group ownership is a security risk because all members of the group obtain all authorities and ownership rights to objects created by that user profile.

The following paragraphs apply to both library- and directory-based objects.

When changing an object’s owner, you have the option to keep or revoke the former owner’s authority.

You cannot delete a profile that owns objects. Ownership of objects must be transferred to a new owner or the objects must be deleted before the profile can be deleted. The Delete User Profile (DLTUSRPRF) command allows you to handle owned objects when you delete the profile.
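The two steps above (transferring ownership with the keep-or-revoke choice, then deleting a profile that still owns objects) as CL commands; this is an added example, not taken from the IBM i documentation. The profile names OLDUSR and APPOWN, the library and file APPLIB/APPFILE, and the /home path are placeholders.

```cl
/* Added example (not from the IBM i documentation): transfer ownership   */
/* of a library-based and a directory-based object, then delete a profile */
/* that still owns objects. OLDUSR, APPOWN, APPLIB/APPFILE and the        */
/* /home path are placeholder names.                                      */

/* 1. List what OLDUSR still owns before changing anything.               */
WRKOBJOWN USRPRF(OLDUSR)

/* 2. Library-based object: move ownership to the application owner      */
/*    profile and revoke the former owner's authorities.                  */
/*    CUROWNAUT(*SAME) would keep them instead.                           */
CHGOBJOWN OBJ(APPLIB/APPFILE) OBJTYPE(*FILE) NEWOWN(APPOWN) +
          CUROWNAUT(*REVOKE)

/* 3. Directory-based (integrated file system) object: same choice,      */
/*    RVKOLDAUT(*YES) revokes the former owner's authorities.             */
CHGOWN OBJ('/home/oldusr/config.json') NEWOWN(APPOWN) RVKOLDAUT(*YES)

/* 4. Delete the profile. Objects it still owns are reassigned to APPOWN */
/*    rather than blocking the delete; OWNOBJOPT(*DLT) would delete them */
/*    and the default OWNOBJOPT(*NODLT) fails if any owned objects remain.*/
DLTUSRPRF USRPRF(OLDUSR) OWNOBJOPT(*CHGOWN APPOWN)
```

Run step 1 again after the delete fails, if it does, to see which owned objects were missed.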

Object ownership is used as a management tool by the system. The owner profile for an object contains a list of all users who have private authority to the object. This information is used to build displays for editing or viewing object authority.

Profiles that own many objects with many private authorities can become very large. The size of a profile that owns many objects affects performance when displaying and working with the authority to objects it owns and when saving or restoring profiles. System operations can also be impacted. To prevent impacts on either performance or system operations, do not assign objects to only one owner profile for your entire IBM® i environment. Each application and the application objects should be owned by a separate profile. Also, IBM-supplied user profiles should not own user data or objects.

The owner of an object also needs sufficient storage for the object. See Maximum storage for more information.