Endpoint Administration Guide for Windows › Scope of Administration Authority › Ownership

Ownership

Every record in the database-including both accessor records and resource records-has an owner. When you add a record to the database, you can either explicitly assign its owner by using the owner parameter or let CA ControlMinder assign the user who defines the record as the owner of the record.

Accessors own a record if any of the following are true:

• They are defined as the owner of the record.
• They are members of a group that is defined as the owner of the record and they have joined the group with the GROUP-ADMIN property.
• They are owners of a resource group record that the resource is a member of.

If you remove a user or group that owns records from the database, the records no longer have an owner.

Users who own records have the following access authority for the records they own:

If you do not want a user or group to have ownership authority over a particular record, assign the owner nobody to the record and to any resource group record that the record is a member of.

The limits of the ownership privileges are as follows:

• The owner of the last ADMIN user in the database cannot delete that user record.
• Owners who do not have the AUDITOR attribute cannot update the audit mode. Only an owner with the AUDITOR attribute can update the audit mode.
• The owner of a superuser (the root account on UNIX or the Administrator account on Windows) cannot delete root from the database.
• Owners cannot set the global authorization attributes-ADMIN, AUDITOR, OPERATOR, and PWMANAGER-for the users they own.
• Owners cannot make resources inaccessible to themselves, so:
  • Owners cannot assign a security level that is higher than their own security level.
  • Owners cannot assign a security category or security label that they do not have.