Using the Owner and Folder Owner roles
Every security policy is created with an Owner role and a Folder Owner role, each with all permissions granted. You can modify the permissions of these roles or use the default permissions. You can also modify the permissions for these roles in the global security policy, but you cannot delete them.
The Owner and Folder Owner roles apply to all users; you do not need to assign users to them. The Owner role applies to single objects that a user created. The Folder Owner role applies to all objects in a folder that a user owns.
These roles are useful for restricting users' access to objects that they do not own. For example, you could create a Read-Only role that grants only read permissions on all objects within the security policy. Assign all users to the Read-Only role. As long as no other role explicitly denies permissions (for example, edit or delete), each user is allowed to edit or delete their own objects (under the Owner role) and objects in their own folders (under the Folder Owner role), but only view objects and folders that are owned by others (under the Read-Only role).
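The Read-Only scenario above can be checked with a small model. This is an added example, not the product's own code. It assumes that effective permissions are the union of grants from all applicable roles minus any explicit denies; the `No-Delete` role, the users and the objects are hypothetical.

```python
# Simplified model of the role evaluation described above (added example,
# not the product's implementation). Assumption: a user's effective
# permissions are the union of grants from every applicable role, minus
# anything an applicable role explicitly denies.
from dataclasses import dataclass

ALL = frozenset({"read", "edit", "delete"})

@dataclass(frozen=True)
class Role:
    name: str
    grants: frozenset = frozenset()
    denies: frozenset = frozenset()

@dataclass(frozen=True)
class Obj:
    name: str
    owner: str         # user who created the object
    folder_owner: str  # user who owns the containing folder

# Default roles: all permissions granted, applied implicitly by ownership.
OWNER = Role("Owner", grants=ALL)
FOLDER_OWNER = Role("Folder Owner", grants=ALL)
# Hypothetical custom roles for the scenario in the text.
READ_ONLY = Role("Read-Only", grants=frozenset({"read"}))
NO_DELETE = Role("No-Delete", denies=frozenset({"delete"}))

def applicable_roles(user, obj, assigned):
    """Explicitly assigned roles plus the implicit ownership roles."""
    roles = list(assigned.get(user, ()))
    if obj.owner == user:
        roles.append(OWNER)
    if obj.folder_owner == user:
        roles.append(FOLDER_OWNER)
    return roles

def effective_permissions(user, obj, assigned):
    roles = applicable_roles(user, obj, assigned)
    granted = frozenset().union(*(r.grants for r in roles))
    denied = frozenset().union(*(r.denies for r in roles))
    return granted - denied  # an explicit deny overrides any grant

# Constructed sample data: both users hold only the Read-Only role.
ASSIGNED = {"alice": [READ_ONLY], "bob": [READ_ONLY]}
REPORT = Obj("report", owner="alice", folder_owner="alice")
MEMO = Obj("memo", owner="bob", folder_owner="alice")

if __name__ == "__main__":
    for user in ASSIGNED:
        for obj in (REPORT, MEMO):
            print(user, obj.name, sorted(effective_permissions(user, obj, ASSIGNED)))
```

Adding `NO_DELETE` to a user's assigned roles removes delete even on objects that user owns, which is the "as long as no other role explicitly denies permissions" caveat to review before relying on the ownership roles.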