Friday, September 26, 2008

Role vs Group

We've been discussing the difference between roles vs groups. And I found the answer here [1].

So let me quote from [1]:

A frequently asked question is, What is the difference between roles and groups? "Groups of users as the unit of access control are commonly provided in many access control systems. A major difference between most implementations of groups and the concept of roles is that groups are typically treated as a collection of users and not as a collection of permissions. A role is both a collection of users on one side and a collection of permissions on the other. The role serves as an intermediary to bring these two collections together."

In some applications, roles are a collection of permissions and groups are a collection of users. A group of users can have multiple roles assigned to it. There is a clear separation of concerns. If the user group keeps changing, then one has to create user groups. If the permission list keeps changing, then one keeps creating roles.

In some applications there is no concept of groups at all. The role contains both users and a list of permissions. This type is clear but has the drawback of having to create a role each time either the user group membership changes or the permission list changes.

The observation from industry is that the permission list rarely changes. Hence Ravi S. Sandhu's way of defining roles will fit most application domains.
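The two arrangements described above, resolved side by side for the same users. This is an added example, not code from the post or from [1]; every user, group, role and permission name in it is constructed for illustration.

```python
# Constructed sample data: all names below are hypothetical.

def perms_via_groups(user, group_members, group_roles, role_perms):
    """Arrangement 1: groups collect users, roles collect permissions,
    and a group can have several roles assigned to it."""
    perms = set()
    for group, members in group_members.items():
        if user in members:
            for role in group_roles.get(group, ()):
                perms |= role_perms.get(role, set())
    return perms  # empty set for an unknown user: deny by default

def perms_via_roles(user, role_users, role_perms):
    """Arrangement 2: no groups; a role has users on one side
    and permissions on the other."""
    perms = set()
    for role, users in role_users.items():
        if user in users:
            perms |= role_perms.get(role, set())
    return perms

def move_user(user, src, dst, group_members):
    """A membership change in arrangement 1 edits group records only;
    roles and their permission lists are left untouched."""
    group_members[src].discard(user)
    group_members.setdefault(dst, set()).add(user)

ROLE_PERMS = {
    "reader": {"doc:read"},
    "editor": {"doc:read", "doc:write"},
    "auditor": {"log:read"},
}
# Arrangement 1 wiring
GROUP_MEMBERS = {"engineering": {"alice", "bob"}, "compliance": {"carol"}}
GROUP_ROLES = {"engineering": {"editor"}, "compliance": {"reader", "auditor"}}
# Arrangement 2 wiring that grants the same effective access
ROLE_USERS = {"editor": {"alice", "bob"}, "reader": {"carol"}, "auditor": {"carol"}}

if __name__ == "__main__":
    for u in ("alice", "carol", "mallory"):
        print(u,
              sorted(perms_via_groups(u, GROUP_MEMBERS, GROUP_ROLES, ROLE_PERMS)),
              sorted(perms_via_roles(u, ROLE_USERS, ROLE_PERMS)))
    move_user("bob", "engineering", "compliance", GROUP_MEMBERS)
    print("bob after move:",
          sorted(perms_via_groups("bob", GROUP_MEMBERS, GROUP_ROLES, ROLE_PERMS)))
```

Moving `bob` between groups changes his effective permissions without editing any role; producing the same change in the second arrangement means editing the user list of each affected role.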

[1] http://csrc.nist.gov/rbac/sandhu96.pdf

2 comments:

Anonymous said...

Is there something like roleGroup or role type or role set etc.?

Dimuthu Leelarathne said...

Sorry! I don't get the question.