All objects have an owner property. Ownership of an object confers special privileges on that object, including the right to load the object, the right to read and modify the object's Permissions collection, and the right to modify the owner. (As explained below, markings can be used to override the special privileges implicitly granted to owners.)
An object store administrator might need to take or change ownership of an object. For example, if a user has left documents in an exclusive checkout state but is no longer available, the administrator could take ownership of the document and cancel the checkout.
You can take ownership of an object if you have the object's Modify owner permission. You can assign ownership of an object to another authenticated user or group if you have the object store Set Owner of any object permission.
Each class that allows instances of itself to be created has a Default Instance Security Descriptor associated with it, exposed as the Default Instance Security tab in Administration Console for Content Platform Engine. The Default Instance Security defines the default Permissions for new objects of that class. Default Instance Security includes a default Owner. The behavior of the Default Owner is as follows:
The default value for Default Instance Security Descriptors is established at object store creation time. The default value for Default Owner is always set to #CREATOR-OWNER.
Objects can have NULL Owners. When the Owner is NULL, it means that the special access rights implicitly granted to the Owner are not granted to anyone. Access checking behavior is otherwise unaffected.
The owner of an object can only be changed to the caller's security identity (assuming the caller has the Modify owner access right) if the caller has the Set owner of any object right granted by the object store. The purpose of this special capability is to provide a "back door" that allows certain privileged users to recover access to any object (since once ownership is acquired, the Permissions collection can be modified and additional access rights can be granted to any user, including the owner).
Exception 2 is the case when the object has one or more Markings applied that either prevent a user who has otherwise been granted Set owner of any object from even connecting to the object at all, or mask the Modify Owner access right even if the right to connect is granted.
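The ownership-change rules described above, as a simplified Python model added here for illustration; it is not Content Platform Engine code and does not use its API. The `Marking` and `SecuredObject` classes, the principal names, and the assumption that a holder of Set owner of any object can reach objects whose permissions do not list them are constructs of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

MODIFY_OWNER = "Modify owner"                  # object-level right named on this page
SET_ANY_OWNER = "Set owner of any object"      # object store-level right named on this page

@dataclass
class Marking:                                 # simplified: per-principal effects only
    deny_connect: set = field(default_factory=set)
    mask: dict = field(default_factory=dict)   # principal -> rights the marking removes

@dataclass
class SecuredObject:
    owner: Optional[str]                       # None models a NULL owner
    acl: dict                                  # principal -> set of granted rights
    markings: list = field(default_factory=list)

def effective_rights(caller, obj, store_rights):
    """Rights on obj after markings, or None if a marking blocks the connection."""
    rights = set(obj.acl.get(caller, ()))
    if obj.owner is not None and caller == obj.owner:
        rights.add(MODIFY_OWNER)               # implicit owner privilege; nobody gets it when owner is NULL
    if SET_ANY_OWNER in store_rights.get(caller, ()):
        rights.add(MODIFY_OWNER)               # assumed: the "back door" reaches any object
    for m in obj.markings:
        if caller in m.deny_connect:
            return None
        rights -= m.mask.get(caller, set())    # markings override implicit grants too
    return rights

def can_set_owner(caller, new_owner, obj, store_rights):
    """True if caller may change obj's owner to new_owner under the modelled rules."""
    rights = effective_rights(caller, obj, store_rights)
    if rights is None or MODIFY_OWNER not in rights:
        return False
    if new_owner == caller:
        return True                            # taking ownership
    return SET_ANY_OWNER in store_rights.get(caller, ())  # assigning to someone else

# Constructed sample data: principals and objects are made up for this example.
STORE = {"admin": {SET_ANY_OWNER}}
doc = SecuredObject(owner="departed", acl={"editor": {MODIFY_OWNER}})
marked = SecuredObject(owner="departed", acl={},
                       markings=[Marking(mask={"admin": {MODIFY_OWNER}})])
orphan = SecuredObject(owner=None, acl={})
```

Running the same function over every principal and object of interest gives a quick review of who could acquire ownership, and therefore rewrite permissions, on sensitive content.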
#CREATOR-OWNER is a special grantee that is a placeholder for the future owner of an object. This grantee appears in Default Instance Security permissions lists, Default Instance Owner, Security Templates permissions lists, and permissions lists on objects that can have security children (Folders, for instance).