Endpoint Administration Guide for UNIX › Scope of Administration Authority › Group Authorization › Group Authorization Attributes › GROUP-ADMIN Attribute

GROUP-ADMIN Attribute

Users with a group administration authorization attribute can create a certain set of records. In order to create a record, the group administrator has to specify the owner of the record.

The owner of the records must be the group in which the user has a group authorization attribute. If that group is the parent of other groups, the owner can also be from one of the sub groups. The whole set of records is called the group scope. The authorization examples provided illustrate the concept of group scope.

Users with the GROUP‑ADMIN attribute have the following access authority for the records within their group scope:

The GROUP‑ADMIN attribute also has limits:

• GROUP‑ADMIN users cannot make resources inaccessible to themselves, so:
  • GROUP‑ADMIN users cannot assign a security level that is higher than their own security level.
  • GROUP‑ADMIN users cannot assign a security category or security label that they do not have.
• GROUP‑ADMIN users cannot delete the user superuser (the root account on UNIX or the Administrator account on Windows) from the database.
• Several limitations concern the global authorization attributes described in Global Authorization Attributes in this chapter:
  • A GROUP‑ADMIN user cannot delete the only ADMIN user record in the database.
  • A GROUP‑ADMIN user cannot remove the ADMIN attribute from the record of the last ADMIN user in the database.
  • GROUP‑ADMIN users without the AUDITOR attribute cannot update the audit mode. Only a GROUP‑ADMIN user with the AUDITOR attribute can update the audit mode.
  • GROUP‑ADMIN users cannot set the global authorization attributes-ADMIN, AUDITOR, OPERATOR, PWMANAGER, and SERVER-for any user.

More information:

Authorization Examples