Protected objects and the owner-user and owner-group principals
An effective ACL (EACL) can reference an indirect principal: the owner-group or owner-user.
When a protected object (VOB object, policy, rolemap, or element) is accessed and the EACL grants owner-group certain permissions, those permissions are granted to the process if the protected object's owning group matches one of the process's groups. An object's owning group must be one of the VOB's groups.
Similarly, if the EACL grants owner-user certain permissions, those permissions are granted to the process if the object's owning user is also the owning user of the process.
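The resolution rule described above, as an added example that is not ClearCase code: a small Python model that evaluates only the owner-user and owner-group entries of one EACL against two differently owned objects. The class and function names, the permission names, and the users and groups are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    user: str
    groups: frozenset          # every group the process belongs to

@dataclass(frozen=True)
class ProtectedObject:
    name: str
    owner_user: str
    owner_group: str

def check_owner_group(obj, vob_groups):
    # Constraint from the text: the owning group must be one of the VOB's groups.
    if obj.owner_group not in vob_groups:
        raise ValueError(f"{obj.name}: {obj.owner_group!r} is not a VOB group")

def indirect_grants(eacl, obj, proc):
    """Permissions the process receives through owner-user / owner-group entries."""
    granted = set()
    for principal, perms in eacl:
        if principal == "owner-user" and obj.owner_user == proc.user:
            granted |= perms
        elif principal == "owner-group" and obj.owner_group in proc.groups:
            granted |= perms
    return granted

# Constructed sample data (permission, user and group names are placeholders).
VOB_GROUPS = frozenset({"dev", "qa"})
EACL = [("owner-user", {"read", "write", "chown"}),
        ("owner-group", {"read", "write"})]
SRC = ProtectedObject("src_elem", "alice", "dev")
TEST = ProtectedObject("test_elem", "carol", "qa")
ALICE = Process("alice", frozenset({"dev"}))
BOB = Process("bob", frozenset({"dev", "qa"}))
CAROL = Process("carol", frozenset({"qa"}))

if __name__ == "__main__":
    for obj in (SRC, TEST):
        check_owner_group(obj, VOB_GROUPS)
        for proc in (ALICE, BOB, CAROL):
            print(obj.name, proc.user, sorted(indirect_grants(EACL, obj, proc)))
```

The same EACL yields different results per object because the indirect principals resolve against each object's own owner, which is worth remembering when auditing who can reach an object after an ownership change.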