When the process's group matches the group of the object owner,
the GRPPRV privilege gives a process the access rights provided
by the object's system protection field. GRPPRV also lets a process
change the protection or the ownership of any object whose owner
group matches the process's group by using the DCL commands SET
SECURITY.
Grant this privilege only to users who function as group managers.
If this privilege is given to unqualified users who have no need
for it, they can modify group UAF records to values equal to those
of the group manager. They can increase resource allocations and
grant privileges for which they are authorized.
The GRPPRV privilege lets a process perform the following
tasks:
Task
Interface
Modify object
ownership
SET SECURITY/OWNER, $QIO
request to F11BXQP
Read or modify
a user authorization record
$GETUAI, $SETUAI
File system
operations:
$QIO request to F11BXQP
Override
the creation of an owner ACE on a newly created file
Clear the directory bit in a directory's file header
Acquire or release a volume lock
Force mount verification on a volume
Create a file access window with the no access lock
bit set
HP OpenVMS Guide to System Security
Security for the System Administrator
