Major Description
Configured objects ought to have an owner which should be a Principal. On configured object creation, the owner should become the principal of the creating user.
It should also be possible for the owner of an object to reassign the ownership to to another principal (representing either a user or group). There may be restrictions: for instance, I may only assign my object to a group that I am currently a member.
Queues already have owner which is used for AMQP 0-x queue exclusivity purposes. Care would need to be taken to avoid colliding with this attribute.