Monday, November 14, 2005


IT Security: Distinction between Roles and Groups

Several architects assembled at work this week to discuss our notion of creating a common security realm. One of the questions that always arises in these types of discussions is what the difference between roles and groups is. Many product vendors actually get this wrong. Figured I would blog the differences once and for all...

Groups are an established concept in operating systems (e.g. Unix, GNU/Linux, Windows) with a generally well-understood meaning. The problem emerges when folks attempt to extend groups to support the same functionality as roles. A group in this context is a named collection of users and can optionally contain other groups. A group should have at least two members (not necessarily true of roles). Groups are usually created in the context of some notion of access control.

Roles, unlike groups, have their roots in organizational theory, which predates computers, and are a convenient method for articulating policy. Roles can be thought of as a collection of permissions, whereas groups are a collection of users.
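To make the distinction concrete, here is an added illustration that is not from the original post: groups are nestable sets of users, roles are sets of permissions, and a separate policy layer binds users or groups to roles. The group, user and permission names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    """A named collection of users; may nest other groups."""
    users: set = field(default_factory=set)
    subgroups: set = field(default_factory=set)
@dataclass
class Role:
    """A named collection of permissions; says nothing about who holds it."""
    permissions: set = field(default_factory=set)

class Realm:
    def __init__(self):
        self.groups, self.roles = {}, {}
        self.user_roles = {}   # user  -> roles assigned directly
        self.group_roles = {}  # group -> roles granted to every member

    def members(self, group, seen=None):
        """Transitive membership of a group, guarding against nesting cycles."""
        seen = seen if seen is not None else set()
        if group in seen:
            return set()
        seen.add(group)
        g = self.groups[group]
        found = set(g.users)
        for sub in g.subgroups:
            found |= self.members(sub, seen)
        return found

    def roles_of(self, user):
        roles = set(self.user_roles.get(user, ()))
        for name in self.groups:
            if user in self.members(name):
                roles |= self.group_roles.get(name, set())
        return roles

    def permissions_of(self, user):
        return set().union(*(self.roles[r].permissions for r in self.roles_of(user)))

def build_realm():
    """Constructed sample realm: 'engineering' nests 'backend'; roles bound to a group and to one user."""
    r = Realm()
    r.groups["backend"] = Group(users={"alice", "bob"})
    r.groups["engineering"] = Group(users={"carol"}, subgroups={"backend"})
    r.roles["deployer"] = Role({"deploy:staging"})
    r.roles["auditor"] = Role({"read:audit-log"})
    r.roles["dormant"] = Role({"rotate:root-key"})  # a role defined but held by nobody
    r.group_roles["engineering"] = {"deployer"}      # a role granted through a group
    r.user_roles["dave"] = {"auditor"}               # a role held by a single user
    return r
```

Note that `dormant` and `auditor` are perfectly valid roles with zero and one holders respectively, which is exactly the case the post says does not fit the group model.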

