Group versus role (Any real difference?)

Can someone tell me what the real difference is between a group and a role? I’ve been trying to figure this out for some time, and the more information I read, the more I feel it is being brought up just to confuse people, and there is no real difference. Both can do each other's work. I have always used groups to manage users and their access rights.

I recently came across administration software with tons of users. Each user can be assigned a module (the entire system is divided into several parts, called modules, that is, the Administration module, the Survey module, the Orders module, the Customer module). In addition, each module has a list of functionalities that can be enabled or disabled for each user. So, let's say user John Smith can access the "Orders" module and can edit any order, but he was not given the right to delete any of them.

If there were more users with the same competency, I would use a group to manage this. I would combine such users into one group and assign access rights to the modules and their functions to the group. All users in the same group will have the same access rights.

Why call it a group and not a role? I don’t know, it just feels that way to me. It seems to me that this simply does not matter much :] But I would still like to know the real difference.

Any suggestions, why should this be called a role rather than a group, or vice versa?

+76
Tags: roles, rights
Oct 14
9 answers

Google is your friend :)

In any case, the difference between a role and a group comes from computer security concepts (as opposed to simple resource management). Professor Ravi Sandhu gives a thorough treatment of the semantic difference between roles and groups.

http://profsandhu.com/workshop/role-group.pdf

A group is a set of users with a specific set of permissions assigned to the group (and, transitively, to its users). A role is a set of permissions, and a user effectively inherits these permissions when he acts under that role.

Usually your group membership remains as it was at the time of your login. A role, on the other hand, can be activated according to specific conditions. If your current role is “medical staff,” you may see some medical records for this patient. If, however, your role is also "doctor", you can see additional medical information beyond what a person who has only the "medical staff" role can see.

Roles can be activated by time of day or access location. Roles can also be augmented with, or associated with, attributes. You can act as a "doctor", but if you do not have the "primary doctor" attribute or relationship with me (a user with the "patient" role), you will not be able to see my entire medical history.

You can do all this with groups, but again, groups tend to focus on identity rather than role or activity. And the security aspects just described tend to align more with the latter than with the former.

In many cases, to use the classification of things together (and nothing more), groups and roles function identically. However, groups are based on identity, while roles are designed to demarcate activity. Unfortunately, operating systems tend to blur the difference by treating roles as groups.

You see a much clearer distinction with application- or system-level roles, which carry application or system semantics (for example, Oracle), as opposed to "roles" implemented at the OS level (which are usually synonymous with groups).

There may be restrictions for roles and role-based access control models (e.g. something like this):

http://www.lhotka.net/weblog/CommentView,guid,9efcafc7-68a2-4f8f-bc64-66174453adfd.aspx

About ten years ago, I saw some attribute and relationship-based access control research that provides much better granularity than role-based access control. Unfortunately, I have not seen much activity in this area for many years.

The most important difference between roles and groups is that roles typically implement a mandatory access control (MAC) mechanism. You cannot assign yourself (or others) to a role. That is done by the administrator role or engineer role.

This is unlike UNIX groups, where the user can assign himself to the group (via sudo, of course). When groups are assigned according to a security engineering process, the difference is a little blurred.

Another important characteristic is that true RBAC models can provide the concept of mutually exclusive roles. In contrast, identity-based groups are additive: the primary identity is the sum (or mix) of its groups.

Another characteristic of a true RBAC-based security model is that objects created under a specific role usually cannot be accessed transitively by those who are not acting under that role.

On the other hand, with the Discretionary Access Control (DAC) model (the default model on Unix), you cannot get this type of guarantee with groups alone. BTW, this is not a limitation of groups or Unix, but a limitation of identity-based DAC models (and, transitively, of identity-based groups).

Hope this helps.

=========================

Adding some more after seeing Simon's good answer. Roles help manage permissions. Groups help manage subjects and objects. Moreover, roles can be seen as “contexts”. Role “X” can describe a security context that governs how subject Y gains access (or does not gain access) to object Z.

Another important difference (or ideal) is that there is the role of a role engineer, a person who develops the roles and contexts that are necessary and/or apparent in an application, system or OS. The role engineer is usually (but not necessarily) also the role administrator (or sysadmin). Moreover, it is truly (no pun intended) a security engineer's role, not an administrator's.

This is a new group, formalized by RBAC (even if it is rarely used), which, as a rule, is not present in systems with group support.

+98
Oct 14 '11 at 17:01
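The properties this answer lists (additive group permissions, roles activated only under conditions, administrator-only role assignment, mutually exclusive roles) as one small model. This is an added example, not code from the answer; the role names, the "day shift on-site" condition and the `role_admin` role are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed illustration, not the answer's own code: groups are identity sets whose
# permissions are additive; roles are permission sets that a session activates only
# under conditions, and that an administrator (never the user) assigns.

ROLE_PERMS = {
    "role_admin": set(),                                   # may assign roles to others
    "medical_staff": {"view_patient_summary"},
    "doctor": {"view_patient_summary", "view_clinical_notes"},
    "patient": {"view_own_record"},
}
# Mutually exclusive roles (a true-RBAC constraint): never both on one user.
MUTUALLY_EXCLUSIVE = {frozenset({"doctor", "patient"})}
GROUP_PERMS = {"staff": {"badge_in"}, "it": {"server_room"}}

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)   # authorised for, not necessarily active

def assign_role(admin: User, target: User, role: str) -> None:
    """Role assignment is administrative (the MAC-like property); users cannot self-assign."""
    if "role_admin" not in admin.roles:
        raise PermissionError(f"{admin.name} may not assign roles")
    for pair in MUTUALLY_EXCLUSIVE:
        if role in pair and (pair - {role}) & target.roles:
            raise ValueError(f"{role} conflicts with a role {target.name} already holds")
    target.roles.add(role)

def group_permissions(user: User) -> set:
    """Groups are additive: identity permissions are the union over all memberships."""
    return set().union(*(GROUP_PERMS.get(g, set()) for g in user.groups))

def activate(user: User, wanted: set, hour: int, location: str) -> set:
    """Permissions of one session: group permissions plus the roles activated for it.
    A role activates only if the user is authorised for it and the (constructed)
    condition holds: clinical roles only on-site during the day shift."""
    active = group_permissions(user)
    for role in wanted:
        if role not in user.roles:
            continue
        if role in ("doctor", "medical_staff") and not (8 <= hour < 20 and location == "hospital"):
            continue
        active |= ROLE_PERMS[role]
    return active
```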

A group is a means of organizing users, while a role is usually a means of organizing rights.

This can be useful in several ways. For example, a set of permissions grouped into a role can be assigned to a set of groups or a set of users, regardless of their group.

For example, a CMS may have some permissions, such as "Read post", "Create post", "Edit post". The Editor role may be able to read and edit, but not create (I don’t know why!). Mail can create and read, etc. A Managers group may have the Editor role, while an IT user who is not part of the Managers group may also have the Editor role, although the rest of his or her group does not.

Thus, although in a simple system, groups and roles are often closely related to each other, this is not always the case.

+17
Oct. 14 '11 at 16:42

Despite the semantic difference between roles and groups (as described above by other answers), technically roles and groups seem to be the same. Nothing prevents you from assigning permissions directly to users and groups (this can be considered fine-tuning of access control). Equivalently, when a user is assigned a role, he can be considered a member of the role, in the same sense as when the user becomes a member of a group.

Thus, we cannot make any real difference between roles and groups. Both can be considered to group users and/or access rights. So the difference is only semantic:

- if the semantics are used to group permissions, then it is a role;
- if the semantics are used to group users, then it is a group.

Technically, there is no difference.

+17
Sep 08 '12 at 15:35

A “group” is a collection of users. A "role" is a collection of permissions. This means that when group alpha includes group beta, alpha receives all users from beta, and beta receives all permissions from alpha. Conversely, you can say that role beta includes role alpha, and the same conclusions apply.

A concrete example makes things clearer. Consider "customer support" and "senior customer support". If you think of these collections as groups, it’s clear that customer support users “include” senior customer support users. However, if you look at them as roles, then it’s clear that senior customer support permissions “include” customer support permissions.

In theory, you could have just one type of collection. However, it would be ambiguous to say that "collection alpha includes collection beta". In that case, you cannot determine whether users in alpha are in beta (as for a role) or users in beta are in alpha (as for a group). In order for terminology such as "include" and visual elements such as tree views to be unambiguous, most RBAC systems require you to indicate whether the collection in question is a "group" or a "role", at least for discussion.

Some analogies may help. In terms of set theory, when group alpha is a subset of group beta, then alpha's permissions are a superset of beta's permissions. By analogy with genealogy, if groups are like a descendant tree, then roles are like an ancestor tree.

+7
Jun 03 '16 at 15:52
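The "includes" ambiguity this answer describes, worked through in code: one collection type carrying an "includes" relation, where the kind label (group or role) decides which way users and permissions flow. Added example, not the answer's own code; the customer-support names and permissions are constructed.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)   # identity-based hashing so collections can sit in sets
class Collection:
    name: str
    kind: str                     # "group" or "role": fixes what "includes" means
    users: set = field(default_factory=set)
    perms: set = field(default_factory=set)
    includes: list = field(default_factory=list)

def descendants(c: Collection) -> set:
    """Transitive closure of the includes relation starting at c."""
    seen, stack = set(), list(c.includes)
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(n.includes)
    return seen

def ancestors(c: Collection, universe: list) -> set:
    """Every collection that (transitively) includes c."""
    return {a for a in universe if c in descendants(a)}

def effective(c: Collection, universe: list) -> tuple:
    """(users, perms) of c. For a group, users flow up from the included collections
    and permissions flow down from the including ones; for a role it is the reverse."""
    down, up = descendants(c), ancestors(c, universe)
    user_sources = down if c.kind == "group" else up
    perm_sources = up if c.kind == "group" else down
    users = set(c.users).union(*(s.users for s in user_sources))
    perms = set(c.perms).union(*(s.perms for s in perm_sources))
    return users, perms

def build_support_example(kind: str) -> list:
    """Constructed data: the answer's customer-support example modelled as `kind`."""
    support = Collection("customer_support", kind, users={"ann"}, perms={"view_ticket"})
    senior = Collection("senior_customer_support", kind, users={"cara"}, perms={"refund"})
    if kind == "group":
        support.includes.append(senior)   # group alpha includes group beta
    else:
        senior.includes.append(support)   # role beta includes role alpha
    return [support, senior]
```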

NOTE: The following points make sense only if you are trying to impose security within an organization, that is, you are trying to restrict access to information...

Groups are empirical: they answer the question "what". They are the "is" in the sense that they reflect the existing reality of access. IT people love groups; they are very literal and easy to define. In the end, all access control ultimately comes down (as we all learned in high school...) to the question "Which group do you belong to?"

Roles, however, are more normative: they define what "should be". Good managers and HR love "roles"; they do not answer, they ask the question "Why?". Unfortunately, roles can also be vague, and that “fuzziness” can drive (IT) people nuts.

To use the medical example above, if the “primary care physician” role has more rights (i.e. access to more groups) than the “x-ray technician” role, it is because people (managers and HR) decided why this should be so. In this sense, roles are the "collective wisdom" of the organization.

Let's say a doctor gains access (membership in a group with access) to patient financial reports. Usually this is outside the physician's “role” and should be discussed. Thus, no one (no matter how qualified) should have full access to all groups; that invites abuse of power. That’s why “role engineering” is so important: without it, group access just gets handed out like candy. People collect (and sometimes hoard) group access without discussing the dangers of too much power.

In conclusion, the wisdom of well-defined roles helps mitigate the dangers of runaway group access. Anyone in the organization can argue for access to a particular group. But once that access is granted, it is rarely revoked. Role engineering (along with best practices such as well-defined group descriptions and authorized group access managers) can limit conflicts of interest within the organization, decentralize decision-making, and contribute to more rational security management.

+2
Jun 14 '13 at 1:52

Users are assigned roles based on the responsibility they carry in a system. For example, users in the Sales Manager role can perform certain actions, such as granting an additional discount on a product.

Groups are used to “group” users or roles in the system to simplify security management. For example, a group called Leadership Group may have members from the roles Managers, Directors and Architects, and also individual users who do not hold any of these roles. You can then assign specific privileges to this group.

+1
Feb 09 '13 at 16:48

The assignment of groups and roles varies between applications, but basically what I understood is that groups (sets of users) are static, while roles (sets of permissions) are dynamic, governed by policies; for example, based on time (from 9 to 6) a group or user may have this role but not that one.

+1
Mar 24 '13 at 11:18

The previous answers are all wonderful. As already mentioned, the concept of a group versus a role is more conceptual than technical. We implemented groups to hold users (a user can be in several groups: Joe is a member of the Managers group as well as the IT group, since he is an IT manager) and to assign broad privileges (i.e. our magnetic card system allows all users in the IT group to access the server room). Roles were used to add privileges for specific users (i.e. people in the IT group can use RDP on the servers but cannot assign users or change permissions; people in the IT group with the Administrator role can assign users and change permissions).

Roles can be composed of other roles (Joe has the Administrator role to add users / privileges, and also has the DBA role to change the database in the DBMS on the server). Roles can be very specific, since we can create separate user roles (i.e. JoesRole) that are very user-specific. So, to repeat, we use groups to manage users and assign common roles, and roles to manage privileges.

It is also cumulative. The group the user is in can be assigned roles (or a list of available roles) that give very general privileges (i.e. users of the IT group have the ServerRDP role, which allows them to log on to servers), so those are assigned to the user first. Then any roles the user holds directly are applied in the order in which they are defined, with the last role having the last word (roles can allow, deny or not apply a privilege, so as each role is applied it either overrides the previous setting for the privilege or leaves it unchanged). After all group-level roles and user-level roles have been applied, a user model is created, with a definite security model, that can be used across all of our systems to determine access and capabilities.

+1
Oct 23 '15 at 12:14
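The layered evaluation this answer describes (group-level roles first, then user-level roles in definition order, each role allowing, denying or saying nothing about a privilege, last word wins) as an added example. This is not the answer's own code; the role and privilege names are constructed from the answer's narrative and the `ContractorLock` deny-role is an assumption.

```python
from typing import Dict, List, Optional

# Constructed role definitions: privilege -> True (allow) / False (deny);
# a privilege absent from a role is "not applied" and leaves earlier decisions alone.
ROLES: Dict[str, Dict[str, bool]] = {
    "ServerRDP":      {"rdp_login": True},
    "Administrator":  {"rdp_login": True, "manage_users": True, "change_permissions": True},
    "DBA":            {"alter_database": True},
    "ContractorLock": {"manage_users": False},      # explicit deny (assumed role)
}
GROUP_ROLES: Dict[str, List[str]] = {
    "IT": ["ServerRDP"],
    "Managers": [],
}
PRIVILEGES = ["rdp_login", "manage_users", "change_permissions", "alter_database"]

def effective_model(groups: List[str], user_roles: List[str]) -> Dict[str, Optional[bool]]:
    """Apply group-level roles, then user-level roles, in order; later roles override."""
    decisions: Dict[str, Optional[bool]] = {p: None for p in PRIVILEGES}
    ordered = [r for g in groups for r in GROUP_ROLES.get(g, [])] + list(user_roles)
    for role in ordered:
        for priv, allow in ROLES[role].items():
            if priv in decisions:
                decisions[priv] = allow       # override; silent roles change nothing
    return decisions

def is_permitted(model: Dict[str, Optional[bool]], priv: str) -> bool:
    """Only an explicit allow grants access; a deny or an unset privilege does not."""
    return model.get(priv) is True
```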

You can assign a role to a group. You can assign a user to a group, and you can assign a role to an individual user in any user role. Meaning: Jane Doe may be in the SalesDepartment group with the ReportWriter role, which allows us to print our reports from SharePoint, but others in the SalesDepartment group may not have the ReportWriter role. In other words, roles are special privileges within assigned groups. Hope this makes some sense.

Hurrah!!!

0
01 Oct '15 at 17:17
