Monday, November 14, 2005
IT Security: Distinction between Roles and Groups
Groups are an established concept in operating systems (e.g. Unix, GNU/Linux, Windows) with a generally well-understood meaning. The problem emerges when folks attempt to extend groups to support the same functionality as roles. A group in this situation is a named collection of users and can optionally contain other groups. A group should have at least two members (not necessarily true of roles). Usually groups are created in the context of some notion of access control.
Roles, unlike groups, have their roots in organizational theory, which predates computers, and are a convenient method for articulating policy. Roles can be thought of as a collection of permissions, whereas groups are a collection of users.
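The distinction can be made concrete with a small model. This is an added example, not code from the original post: the class and function names, the ACL layout, the (action, resource) permission pairs and all sample users and resources are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    """Named collection of users that may contain other groups."""
    name: str
    users: set = field(default_factory=set)
    subgroups: list = field(default_factory=list)

    def members(self, _seen=None):
        """Flatten nested groups into a set of users; tolerate cycles."""
        seen = set() if _seen is None else _seen
        if self.name in seen:
            return set()
        seen.add(self.name)
        out = set(self.users)
        for sub in self.subgroups:
            out |= sub.members(seen)
        return out

@dataclass(frozen=True)
class Role:
    """Named collection of permissions, here (action, resource) pairs."""
    name: str
    permissions: frozenset

def group_allows(acl, user, action, resource):
    """Group model: the group only says who; the ACL on the resource says what."""
    return any(act == action and user in grp.members()
               for grp, act in acl.get(resource, []))

def role_allows(assignments, user, action, resource):
    """Role model: the role itself carries the permissions; users are assigned to it."""
    return any((action, resource) in role.permissions
               for role in assignments.get(user, []))

# Constructed sample data (hypothetical users and resources).
payroll_clerks = Group("payroll_clerks", {"alice", "bob"})
finance = Group("finance", {"carol"}, [payroll_clerks])   # nested group
ACL = {"payroll.db": [(finance, "read")]}                 # resource -> (group, action)
auditor = Role("auditor", frozenset({("read", "payroll.db"), ("read", "audit.log")}))
ASSIGNMENTS = {"dave": [auditor]}                         # a role held by a single user

if __name__ == "__main__":
    print(sorted(finance.members()))
    print(group_allows(ACL, "alice", "read", "payroll.db"))
    print(role_allows(ASSIGNMENTS, "dave", "read", "audit.log"))
```

Deleting the ACL entry removes every permission the `finance` group had without changing its membership, while the `auditor` role still states what it permits even with no one assigned to it.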