[OTDev] Policy creation

Andreas Maunz andreas at maunz.de
Wed Jun 23 13:30:32 CEST 2010


Vedrin Jeliazkov wrote on 06/23/2010 11:20 AM:
> In fact, I'm not sure whether we have the notion of group-owner
> currently? If we don't have it (e.g. we only have group permissions,

We don't. Only single users can own a policy.

> Last but not least, you mentioned that permissions and ownership are
> handled separately. Does it make sense to hold ownership information a
> bit longer and delete it only when the resource is effectively
> removed? I mean, something like this:
>
> 1) user requests resource deletion;
> 2) AA checks that user is entitled for this operation;
> 3) permissions for the resource are removed;
> 4) resource is removed;
> 5) ownership information is removed.
>
> The rationale is that in a situation when the resource takes a while
> to disappear, the system would know who was the owner of this stale
> resource and could disallow other users to create policies with
> different permissions for this resource, thus probably solving the
> issue under discussion.

Holding back ownership sounds like a good idea. I will think about how 
this could be implemented best.

Best regards
Andreas
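
The deletion order proposed in the quoted message, sketched as an added example that is not part of the original post and not OpenTox code. The `PolicyStore` class, its method names, the users and the URI are hypothetical, and step 2's entitlement check is assumed to mean holding a DELETE permission.

```python
# Added illustration: a toy in-memory AA store. All names are hypothetical;
# this is not the OpenTox AA API.
class PolicyStore:
    def __init__(self):
        self.owner = {}        # resource URI -> owning user (single users only)
        self.permissions = {}  # resource URI -> {user: set of allowed actions}

    def create_policy(self, user, uri, grants):
        # While an owner is on record, only that owner may set policies.
        current = self.owner.get(uri)
        if current is not None and current != user:
            raise PermissionError(f"{uri} is still owned by {current}")
        self.owner[uri] = user
        self.permissions[uri] = {u: set(a) for u, a in grants.items()}

    def is_allowed(self, user, uri, action):
        return action in self.permissions.get(uri, {}).get(user, set())

    def begin_delete(self, user, uri):
        # Steps 1-3: deletion requested, entitlement checked, permissions removed.
        if not self.is_allowed(user, uri, "DELETE"):
            raise PermissionError(f"{user} may not delete {uri}")
        self.permissions.pop(uri, None)
        # Ownership is deliberately kept: the resource may take a while to go.

    def finish_delete(self, uri):
        # Step 5: called only after step 4 (resource removed) is confirmed.
        self.owner.pop(uri, None)


def stale_window_demo():
    """Return what a second user can do during and after a slow deletion."""
    store = PolicyStore()
    uri = "https://example.org/dataset/1"  # constructed sample URI
    store.create_policy("alice", uri, {"alice": {"GET", "DELETE"}})
    store.begin_delete("alice", uri)
    try:
        # The resource is stale but not yet gone; ownership is still held.
        store.create_policy("bob", uri, {"bob": {"GET"}})
        during = "accepted"
    except PermissionError:
        during = "rejected"
    store.finish_delete(uri)
    store.create_policy("bob", uri, {"bob": {"GET"}})  # URI is free again
    return during, store.owner[uri]
```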