Using the Owner and Folder Owner roles
By default, each security policy contains an Owner role and a Folder Owner role, both with all permissions granted. These roles are created automatically when you create a security policy. In a custom-designed security policy, you can remove these roles, modify their permissions, or keep the default permissions. In the global security policy, you can modify the permissions for these roles, but you cannot delete the roles.
The Owner and Folder Owner roles apply to all users; you do not need to assign users to them. The Owner role applies to single objects that a user created. The Folder Owner role applies to all objects in a folder that a user owns.
These roles are useful for restricting users' access to objects that they do not own. For example, you could create a Read-Only role that grants only read permissions on all objects within the security policy, and then assign all users to the Read-Only role. As long as no other role explicitly denies permissions (for example, edit or delete), each user is allowed to edit or delete their own objects (under the Owner role) and objects in their own folders (under the Folder Owner role), but can only view objects and folders owned by others (under the Read-Only role).
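The following added example (not the product's own code) models the Read-Only scenario above so you can check what a planned role change does to effective access before applying it. The three-permission set, the `No-Delete` role, and the rule that effective access is all grants minus any explicit deny are assumptions drawn from the description above.

```python
from dataclasses import dataclass, field
from typing import Optional

ALL = frozenset({"read", "edit", "delete"})  # simplified permission set (assumed)

@dataclass(frozen=True)
class Role:
    name: str
    grants: frozenset = frozenset()
    denies: frozenset = frozenset()

@dataclass(frozen=True)
class Item:
    name: str
    owner: str          # user who created the object
    folder_owner: str   # user who owns the containing folder

@dataclass
class Policy:
    # Default contents described above: both roles, all permissions granted.
    # Set either to None to model a custom policy with that role removed.
    owner_role: Optional[Role] = Role("Owner", grants=ALL)
    folder_owner_role: Optional[Role] = Role("Folder Owner", grants=ALL)
    assignments: dict = field(default_factory=dict)  # user -> [Role, ...]

def effective(policy, user, item):
    """Permissions `user` holds on `item`: union of grants minus explicit denies."""
    roles = list(policy.assignments.get(user, []))
    # Ownership roles apply to every user without any assignment.
    if policy.owner_role and item.owner == user:
        roles.append(policy.owner_role)
    if policy.folder_owner_role and item.folder_owner == user:
        roles.append(policy.folder_owner_role)
    granted = frozenset().union(*(r.grants for r in roles))
    denied = frozenset().union(*(r.denies for r in roles))
    return granted - denied  # an explicit deny overrides any grant

READ_ONLY = Role("Read-Only", grants=frozenset({"read"}))
NO_DELETE = Role("No-Delete", denies=frozenset({"delete"}))  # hypothetical deny role

# Constructed sample data: alice created a.doc inside a folder owned by bob.
SAMPLE = Item("a.doc", owner="alice", folder_owner="bob")
```

Adding `NO_DELETE` to a user's assignments removes delete even on that user's own objects, which is the "explicitly denies" case the paragraph warns about.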