When the process's group matches the group
of the object owner, the GRPPRV privilege gives a process the access
rights provided by the object's system protection field. GRPPRV
also lets a process change the protection or the ownership of any
object whose owner group matches the process's group by using
the DCL commands SET SECURITY.
Grant this privilege only to users who function
as group managers. If this privilege is given to unqualified users
who have no need for it, they can modify group UAF records to values
equal to those of the group manager. They can increase resource allocations
and grant privileges for which they are authorized.
The GRPPRV privilege lets a process perform the
following tasks:
Task
Interface
Modify
object ownership
SET SECURITY/OWNER, $QIO request to F11BXQP
Read
or modify a user authorization record
$GETUAI, $SETUAI
File
system operations:
$QIO request to F11BXQP
Override the creation of an owner ACE on a newly created
file
Clear the directory bit in a directory's file
header
Acquire or release a volume lock
Force mount verification on a volume
Create a file access window with the no access lock
bit set
