Group ownership of objects

This topic provides detailed information about the group ownership of objects.

When an object is created, the system looks at the profile of the user creating the object to determine object ownership. If the user is a member of a group profile, the OWNER field in the user profile specifies whether the user or the group should own the new object.

If the group owns the object (OWNER is *GRPPRF), the user creating the object is not automatically given any specific authority to the object. The user gets authority to the object through the group. If the user owns the object (OWNER is *USRPRF), the group's authority to the object is determined by the GRPAUT field in the user profile. Objects created into directories do not use the OWNER and GRPAUT values to determine ownership or group authority.

Note: Group ownership (OWNER=*GRPPRF) is a security risk as all members of the group obtain all authority and ownership rights to objects created by this user profile.
Note: Using the GRPAUT parameter with a value other than *NONE gives all other users who are members of the group profile that is specified on the GRPPRF parameter authority to objects created by this user. This may be a security risk.

The group authority type (GRPAUTTYP) field in the user profile determines whether the group 1) becomes the primary group for the object or 2) is given private authority to the object. The topic Assigning authority and ownership to new objects shows several examples.
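The decision rules in the preceding paragraphs, modelled as an added example (constructed here, not IBM i code): OWNER, GRPAUT and GRPAUTTYP from the creating user's profile decide who owns the new object and what the group receives, directory objects ignore those fields, and a second function flags the two settings the notes above call out. The *USRPRF, *GRPPRF and *NONE values come from the text; *PRIVATE and *PGP are assumed to be the GRPAUTTYP keyword values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of the ownership rules described above (not IBM i code).

@dataclass
class UserProfile:
    name: str
    grpprf: Optional[str] = None     # group profile name, None = GRPPRF(*NONE)
    owner: str = "*USRPRF"           # OWNER: *USRPRF or *GRPPRF
    grpaut: str = "*NONE"            # GRPAUT: *NONE, *ALL, *CHANGE, *USE, *EXCLUDE
    grpauttyp: str = "*PRIVATE"      # GRPAUTTYP: *PRIVATE or *PGP (assumed value names)

@dataclass
class NewObject:
    name: str
    owner: str
    primary_group: Optional[Tuple[str, str]] = None   # (group, authority)
    private_auth: Dict[str, str] = field(default_factory=dict)

def create_object(user: UserProfile, name: str, in_directory: bool = False) -> NewObject:
    """Decide who owns a newly created object and what the creator's group gets."""
    # Directory objects, and users with no group, never consult OWNER/GRPAUT.
    if in_directory or user.grpprf is None:
        return NewObject(name, owner=user.name)
    # OWNER(*GRPPRF): the group owns it; the creator gets no authority of its own.
    if user.owner == "*GRPPRF":
        return NewObject(name, owner=user.grpprf)
    # OWNER(*USRPRF): the creator owns it; GRPAUT decides what the group receives.
    obj = NewObject(name, owner=user.name)
    if user.grpaut != "*NONE":
        if user.grpauttyp == "*PGP":
            obj.primary_group = (user.grpprf, user.grpaut)   # group becomes primary group
        else:
            obj.private_auth[user.grpprf] = user.grpaut     # group gets a private authority
    return obj

def risky_settings(user: UserProfile) -> List[str]:
    """Flag the two profile settings the notes above describe as security risks."""
    findings: List[str] = []
    if user.grpprf is None:
        return findings              # no group, so neither setting has any effect
    if user.owner == "*GRPPRF":
        findings.append("OWNER(*GRPPRF): every group member co-owns new objects")
    if user.grpaut != "*NONE":
        findings.append(f"GRPAUT({user.grpaut}): group gets {user.grpaut} to new objects")
    return findings
```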

If the user who owns the object changes to a different user group, the original group profile still retains authority to any objects created.

Even if the OWNER field in a user profile is *GRPPRF, the user must still have sufficient storage to hold a new object while it is being created. After it is created, ownership is transferred to the group profile. The MAXSTG parameter in the user profile determines how much auxiliary storage a user is allowed.

Evaluate the objects a user might create, such as query programs, when choosing between group and individual user ownership:
  • If the user moves to a different department and a different user group, should the user still own the objects?
  • Is it important to know who creates objects? The object authority displays show the object owner, not the user who created the object.
    Note: The Display Object Description display shows the object creator.

    If the audit journal function is active, a Create Object (CO) entry is written to the QAUDJRN audit journal at the time an object is created. This entry identifies the creating user profile. The entry is written only if the QAUDLVL system value includes *CREATE and the QAUDCTL system value includes *AUDLVL.