A lot of identity management implementations use roles in addition to groups. How are they different? So far I haven't found a compelling use case for separating the two. All the explanations I've read are vague and hand-wavy.

Can you give a good example where having both roles and groups is necessary?

+3  A: 

Roles are groups of rights

Groups are groups of people

Imagine you have 2 groups of people (G1, G2) using an application (A1) for which you have two types of users: administrators and read only users.

You can create a role of admin on A1, define its rights and give G1 this role. If G2 also needs these rights, you don't have to grant them one by one; you can simply give G2 the same role you created for G1.

vc 74
Addition to @vc 74: roles are functional terms. As vc 74 said, groups are groups of people, but roles are functions that groups of people are eligible to perform.
bahadir arslan
So roles = users and admins, then what would be G1 and G2?
Alex B
Roles could be users and admins, but G1 and G2 represent groups of people; for instance, G1 contains John Smith and Agatha Christie, G2 contains Bod Green, Mike Patton and Alicia Keys. Then the admin role can be defined as: can add users to the application, can remove users from the application, can change the main page colors. Once this role has been created, you can give it to G1, and John Smith and Agatha Christie will have these rights.
vc 74
@vc So why not just conflate groups and roles? admin group/role = {John Smith, Agatha Christie}, users group/role = {Bod Green, Mike Patton, Alicia Keys}. So it's redundant *in this example*.
Alex B
@Alex, it's not. Imagine the situation when another group of users (G2) needs to be admin of the application. You don't have to define the rights set once again. Additionally, and more importantly, the same user groups can be reused for different applications.
vc 74
+1  A: 

Person - Group - Roles

  • A person is a member of one or more groups.
  • A group is assigned multiple roles.

Example:

  • Two roles exist in a system: stock_purchaser, timecard_supervisor.
  • Two groups exist in a system: shift_supervisor, regional_manager.
  • regional_manager has the stock_purchaser and timecard_supervisor role.
  • shift_supervisor has the timecard_supervisor role.

In the event a new role (e.g. review_leave_requests) is created, it can be added to all those groups that require this role. In a system having only roles, adding the role to every person that requires it may be a laborious task.

gridzbi
A good concrete example.
Alex B
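The person -> group -> role -> permission indirection described in both answers, as an added worked example (not code from either answerer): roles bundle rights, groups bundle people, and a role granted to a group reaches every member without re-enumerating rights. The group and role names follow gridzbi's example; the permission strings, the people placed in each group (borrowed from vc 74's comment) and the `AccessModel` class are constructed for illustration.

```python
from collections import defaultdict


class AccessModel:
    """Minimal person -> group -> role -> permission model (added example)."""

    def __init__(self):
        # A role is a named bundle of rights ("roles are groups of rights").
        self.role_perms = defaultdict(set)
        # A group is a named bundle of people ("groups are groups of people").
        self.group_members = defaultdict(set)
        # The link between the two: which roles each group has been granted.
        self.group_roles = defaultdict(set)

    def define_role(self, role, *perms):
        self.role_perms[role].update(perms)

    def add_member(self, group, person):
        self.group_members[group].add(person)

    def assign_role(self, group, role):
        # Fail closed on a mistyped role name instead of silently creating
        # an empty role that later looks like a grant.
        if role not in self.role_perms:
            raise KeyError(f"undefined role: {role}")
        self.group_roles[group].add(role)

    def groups_of(self, person):
        return {g for g, members in self.group_members.items() if person in members}

    def roles_of(self, person):
        # A person holds only the roles of the groups they belong to;
        # someone in no group gets nothing (least privilege by default).
        return set().union(*(self.group_roles[g] for g in self.groups_of(person)))

    def permissions_of(self, person):
        return set().union(*(self.role_perms[r] for r in self.roles_of(person)))

    def is_allowed(self, person, perm):
        return perm in self.permissions_of(person)


def grant_role_to_groups(model, role, groups):
    """Give one role to several groups; return the people who gained it.

    This is the single-step operation both answers describe: the rights are
    defined once on the role, and every member of each group picks them up.
    """
    def holders():
        return {p for members in model.group_members.values()
                for p in members if role in model.roles_of(p)}

    before = holders()
    for g in groups:
        model.assign_role(g, role)
    return holders() - before


def build_example():
    """Constructed sample data: gridzbi's groups and roles, made-up rights."""
    m = AccessModel()
    m.define_role("stock_purchaser", "inventory:purchase")
    m.define_role("timecard_supervisor", "timecard:approve")
    m.add_member("regional_manager", "Agatha Christie")
    m.add_member("shift_supervisor", "Mike Patton")
    m.add_member("shift_supervisor", "Alicia Keys")
    m.assign_role("regional_manager", "stock_purchaser")
    m.assign_role("regional_manager", "timecard_supervisor")
    m.assign_role("shift_supervisor", "timecard_supervisor")
    return m


if __name__ == "__main__":
    m = build_example()
    print(sorted(m.permissions_of("Mike Patton")))   # timecard rights only
    # The "new role" step from the second answer: define once, grant to
    # the groups that need it, and every member is covered.
    m.define_role("review_leave_requests", "leave:review")
    gained = grant_role_to_groups(
        m, "review_leave_requests", ["regional_manager", "shift_supervisor"])
    print(sorted(gained))                             # all three people
```

The `assign_role` check is the kind of guard worth keeping in a real implementation: with separate role and group tables, a typo in a role name should be an error, not a silent no-op that leaves a group believed to be privileged. Reusing the same `AccessModel` for a second application would mean defining that application's roles and assigning them to the same groups, which is the reuse across applications that the first answer's comments point out.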