Guess the one question I would continually be posed with whenever I interact with folks involved in Identity Management
, is the usage of groups vs roles and the best practices
for choosing one or the other. Well, hopefully the folks who keep searching for answers on this stumble on this blog
and not ask me this over and over...
SO explanation: Once upon a time GROUPS was a convenient way to aggregate users. GROUPS were used to simplify the process of managing access permissions and generic attributes with a subset of users. To make management simpler, GROUPS could be made a subset of another GROUP and thus inherit permissions etc from it's parent. The ability to make GROUPS a subset of another facilitated a hierarchical structure.
GROUPS is a simple aggregate.
and then.. along came ROLES.
So: A ROLE is a special type of GROUP. the properties of ROLES and GROUPS are extremely similar. But when GROUPS are used to OBJECT permissions, ROLES are used for APPLICATION permissions. ROLES provide a scemantic grouping of policies/permissions with a common subject which pertains to the users role(noun) - capacity, function, position, duty in an organization. A ROLE can enable one to associate policies with an automated component (ie: application). A ROLE is thus a SPECIAL GROUp where all the policies/permissions have the same subject.
Roles and further be categorized as FLAT ROLES, DYNAMIC ROLES etc... Flat ROLES are exactly the same as GROUPS in usage and behaviour.
Someday soon, when i get a moment to spare a thought again I shall try to blog on ROLES and their flavors in more detail..
Cheers for now.