20

A lot of identity management implementations use roles in addition to groups. How are they different? So far I haven't found a compelling use case for separating the two. All the explanations I've read are vague and hand-wavey.

Can you give a good example where having roles and groups are necessary?

Alex B
  • possible duplicate of [Group vs role (Any real difference?)](http://stackoverflow.com/questions/7770728/group-vs-role-any-real-difference) – Swati Jun 23 '14 at 15:21
  • @Swati this question was asked earlier than your specified SO question. – Buhake Sindi Sep 18 '15 at 08:01
  • @BuhakeSindi, "Possible duplicate" is a way to clean up - to close similar questions and keep one with the best answers. The date is not essential. See http://meta.stackexchange.com/questions/147643/should-i-vote-to-close-a-duplicate-question-even-though-its-much-newer-and-ha If you agree that it requires clarification please vote on http://meta.stackexchange.com/questions/281980/add-clarification-link-to-possible-duplicate-automated-comment – Michael Freidgeim Nov 12 '16 at 12:37

5 Answers

25

Roles are sets of rights.

Groups are sets of people.

Imagine you have 2 groups of people (G1, G2) using an application (A1) for which you have two types of users: administrators and read only users.

You can create a role of admin on A1, define its rights and give G1 this role. If G2 also needs these rights, you don't have to grant them one by one, you can simply give G2 the same role you created for G1.

Daniel Serodio
vc 74
  • Addition to @vc 74: Roles are functional terms. As vc 74 said, groups are groups of people, but roles are functions that groups of people can be eligible to do. – bahadir arslan Sep 24 '10 at 07:38
  • So roles = users and admins, then what would be G1 and G2? – Alex B Sep 24 '10 at 07:45
  • Roles could be users and admins but G1 and G2 represent groups of people, for instance G1 contains John Smith and Agatha Christie, G2 contains Bod Green, Mike Patton and Alicia Keys. Then the admin role can be defined as: can add users to the application, can remove users from the application, can change the main page colors. Once this role has been created, you can give it to G1 and John Smith and Agatha Christie will have these rights – vc 74 Sep 24 '10 at 07:52
  • @vc So why not just conflate groups and roles? admin group/role = {John Smith, Agatha Christie}, users group/role = {Bod Green, Mike Patton, Alicia Keys}. So it's redundant *in this example*. – Alex B Sep 24 '10 at 07:55
  • @Alex, it's not. Imagine the situation when another group of users (G2) needs to be admin of the application. You don't have to define the rights set once again. Additionally and more importantly, the same users groups can be reused for different applications – vc 74 Sep 24 '10 at 08:08
  • What if groups could contain groups; a group of groups. This would have all the benefits but be more flexible, because you could have "role groups". Admittedly, the added flexibility might be misused to create a complicated mess. But still, is combining roles and groups an option in this case? – Buttons840 Mar 12 '12 at 20:20
24

Person - Group - Roles

  • A person is a member of one or more groups.
  • A group is assigned multiple roles.

Example:

  • Two roles exist in a system: stock_purchaser, timecard_supervisor.
  • Two groups exist in a system: shift_supervisor, regional_manager.
  • regional_manager has the stock_purchaser and timecard_supervisor role.
  • shift_supervisor has the timecard_supervisor role.

In the event a new role (e.g. review_leave_requests) is created - this can be added to all those groups who require this role. In a system only having roles it may be a laborious task adding the role to all people that require it.

Dale Reidy
  • and please do not forget roles can be a member of another role. Person - Group - Role - RoleOfRole - Role – AnyOne Dec 27 '11 at 14:21
  • It is totally possible that a large source of confusion around this occurs when looking at Windows groups. I came across this answer when looking at whether an AD group relates to a role and saw [this answer](https://stackoverflow.com/a/762302/685760). The documentation on `WindowsPrincipal.IsInRole(string role)` states; "Determines whether the current principal belongs to the Windows user group with the specified name." I presume this means that Windows is an exception to the description above?!? – Mr Moose Dec 28 '17 at 21:08
  • @MrMoose Roles and groups work the same way technically (although an OS can make a distinction if it wants to be friendly). To make them work practically, you have to make the distinction. – FastAl May 23 '19 at 15:01
2

One important thing that is missing in all comments is the fact that you can assign roles to individual users as well, and not just to groups.

Here is a use case: A university Physics professor has a "Grade Test" role (aka right or privilege) for a particular course or set of courses. However, he decides to go on sabbatical for a year and wants another instructor (or perhaps several instructors - a group), i.e. his replacement(s), to have the same role(s) (privileges) over the same set of courses. Note that the substituting instructors may belong to different user groups. The administrator can easily assign the role(s) in question to individual users or groups of users. Of course, after the tenured professor returns, the administrator can revoke those roles (privileges).

From a system perspective we only care which methods a user (or a group of users) is allowed to execute. Before executing a restricted method we check user roles by calling other methods that normally return Boolean values.

George
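The model described across the three answers above (roles as sets of rights, groups as sets of people that carry roles, and roles granted directly to one person for a limited set of resources) as one runnable illustration. This is an added example, not code from any answer: the role and group names (stock_purchaser, timecard_supervisor, review_leave_requests, shift_supervisor, regional_manager, the "Grade Test" sabbatical case) follow the answers, while the people, course codes and every function name are assumptions of this example.

```python
"""Person -> group -> role -> right, kept flat (no nesting).

Added example, not code from the answers. Names of people, course codes and
all functions are assumptions; role/group names follow the answers.
"""
from typing import Optional

# Roles are sets of rights.
ROLES: dict[str, set[str]] = {
    "stock_purchaser": {"purchase_stock"},
    "timecard_supervisor": {"approve_timecard"},
    "grade_test": {"grade_test"},
}

# Groups are sets of people ...
GROUP_MEMBERS: dict[str, set[str]] = {
    "regional_manager": {"agatha"},
    "shift_supervisor": {"john", "mike"},
    "physics_faculty": {"prof_smith"},
}

# ... and each group is assigned roles. Group grants apply everywhere here.
GROUP_ROLES: dict[str, set[str]] = {
    "regional_manager": {"stock_purchaser", "timecard_supervisor"},
    "shift_supervisor": {"timecard_supervisor"},
}

# Roles granted directly to one person, optionally limited to named
# resources (course codes). None means the grant is not scoped.
USER_ROLES: dict[str, dict[str, Optional[set[str]]]] = {
    "prof_smith": {"grade_test": {"PHYS101", "PHYS201"}},
}


def grant_group_role(group: str, role: str) -> None:
    """One call covers every current and future member of the group."""
    if role not in ROLES:
        raise KeyError(f"unknown role {role!r}")
    GROUP_ROLES.setdefault(group, set()).add(role)


def grant_user_role(user: str, role: str, resources: Optional[set[str]] = None) -> None:
    """Direct grant to a person, scoped to `resources` when given."""
    if role not in ROLES:
        raise KeyError(f"unknown role {role!r}")
    USER_ROLES.setdefault(user, {})[role] = None if resources is None else set(resources)


def revoke_user_role(user: str, role: str) -> None:
    USER_ROLES.get(user, {}).pop(role, None)


def effective_rights(user: str, resource: Optional[str] = None) -> set[str]:
    """Union of rights from every group the user belongs to, plus direct
    grants whose scope covers `resource`."""
    rights: set[str] = set()
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            for role in GROUP_ROLES.get(group, ()):
                rights |= ROLES[role]
    for role, scope in USER_ROLES.get(user, {}).items():
        if scope is None or resource in scope:
            rights |= ROLES[role]
    return rights


def is_allowed(user: str, right: str, resource: Optional[str] = None) -> bool:
    """The Boolean check an application makes before a restricted method."""
    return right in effective_rights(user, resource)


def add_leave_review_role() -> dict[str, bool]:
    """New role rolled out with one grant per group, not one per person."""
    ROLES["review_leave_requests"] = {"review_leave_request"}
    for group in ("regional_manager", "shift_supervisor"):
        grant_group_role(group, "review_leave_requests")
    return {u: is_allowed(u, "review_leave_request")
            for u in ("agatha", "john", "mike", "prof_smith")}


def sabbatical_handover() -> list[bool]:
    """Substitute gets grading rights on the same courses only, then loses them."""
    grant_user_role("dr_jones", "grade_test", {"PHYS101", "PHYS201"})
    in_scope = is_allowed("dr_jones", "grade_test", "PHYS101")    # True
    out_of_scope = is_allowed("dr_jones", "grade_test", "CHEM101")  # False
    revoke_user_role("dr_jones", "grade_test")
    after_revoke = is_allowed("dr_jones", "grade_test", "PHYS101")  # False
    return [in_scope, out_of_scope, after_revoke]


if __name__ == "__main__":
    print(add_leave_review_role())
    print(sabbatical_handover())
```

Applications only ever call `is_allowed` with a right name; which groups or people hold a role is decided centrally, so adding a group or changing a role's rights never touches application code.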
0

For me the difference between "groups" and "roles" is in the cardinality.

A group can not contain a group. But a role can contain roles.

I like the way PostgreSQL handles it: From Database Roles and Privileges

A role can be thought of as either a database user, or a group of database users, depending on how the role is set up

This means using roles can make applications simpler and more flexible. Imagine an issue tracking tool. With a Foreign-Key to a role, you handle both cases: You can reference a single person or several persons.

guettli
  • In many systems, a group can contain a group so this is not really true. My group might be "London Office" and that might contain a group "London Sales" and another group "London Customer Support". imho it would be inefficient and pointless to not permit groups to contain groups otherwise work might be duplicated when new people start or leave. – Lukos Apr 24 '18 at 15:41
  • The system I use (Linux, Django) does not have recursive groups. – guettli Apr 25 '18 at 06:21
  • Above definition is from the PostgreSQL docs. Someone else says that role is a set of rights. If rights would be recursive (a right can contain a right), then the term "role" would not be needed. – guettli Apr 25 '18 at 06:23
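The point this answer and the earlier comment raise (a role can contain roles, and in some systems a group can contain groups) comes down to resolving membership transitively. The following is an added example, not code from the answer or from PostgreSQL: it walks a member-to-container graph with a visited set so a corrupted table cannot loop forever, refuses a grant that would close a cycle, and applies the same resolver to the nested-office groups from the comment. The role names, right names and graph contents are constructed for illustration.

```python
"""Resolving nested membership: roles that contain roles, and groups that
contain groups where the system permits it.

Added example, not code from the answer or from PostgreSQL. All graphs,
role and right names below are constructed assumptions.
"""
from collections import deque

# member -> set of containers it belongs to. For roles this is the
# direction of "role A is a member of role B"; for groups it is
# "London Sales is part of London Office".
Graph = dict[str, set[str]]


def expand(name: str, member_of: Graph) -> set[str]:
    """Every container reachable from `name`, transitively.

    The visited set bounds the walk even if the stored graph already
    contains a cycle, so a bad membership table cannot hang a check.
    """
    seen: set[str] = set()
    queue = deque([name])
    while queue:
        node = queue.popleft()
        for parent in member_of.get(node, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def would_create_cycle(member: str, container: str, member_of: Graph) -> bool:
    """True if adding member -> container would make membership circular,
    i.e. container already inherits (transitively) from member."""
    return member == container or member in expand(container, member_of)


def add_membership(member: str, container: str, member_of: Graph) -> None:
    """Record the edge, refusing cycles so every role stays a finite set."""
    if would_create_cycle(member, container, member_of):
        raise ValueError(f"{member!r} -> {container!r} would form a cycle")
    member_of.setdefault(member, set()).add(container)


def effective_rights(principal: str, member_of: Graph,
                     role_rights: dict[str, set[str]]) -> set[str]:
    """Rights held directly by `principal` plus those of everything it is
    (transitively) a member of."""
    rights = set(role_rights.get(principal, ()))
    for node in expand(principal, member_of):
        rights |= role_rights.get(node, set())
    return rights


# Constructed role hierarchy: admin is a member of auditor, auditor of reader.
ROLE_MEMBER_OF: Graph = {"admin": {"auditor"}, "auditor": {"reader"}}
ROLE_RIGHTS: dict[str, set[str]] = {
    "reader": {"select"},
    "auditor": {"view_logs"},
    "admin": {"drop_table"},
}

# Constructed group tree per the nested-groups comment; anyone in
# london_sales inherits whatever is attached to london_office.
GROUP_MEMBER_OF: Graph = {
    "london_sales": {"london_office"},
    "london_support": {"london_office"},
}
GROUP_RIGHTS: dict[str, set[str]] = {"london_office": {"badge_access"}}


def demo() -> tuple[set[str], set[str], bool]:
    admin_rights = effective_rights("admin", ROLE_MEMBER_OF, ROLE_RIGHTS)
    sales_rights = effective_rights("london_sales", GROUP_MEMBER_OF, GROUP_RIGHTS)
    try:
        add_membership("reader", "admin", ROLE_MEMBER_OF)  # would close a loop
        rejected = False
    except ValueError:
        rejected = True
    return admin_rights, sales_rights, rejected


if __name__ == "__main__":
    print(demo())
```

Because `expand` is the only place membership is followed, the same resolver serves whichever of the two shapes a system allows to nest; a flat system simply has an empty graph for groups.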
0

The tendency that we do as application implementation with groups is focusing on the association between groups and the user rather than the actual group. I have seen several implementations (and am guilty of doing so myself early on) that just check the name of the group.

This is obviously a bit problematic, because each application will define its own permissions, resulting in elevating permissions in systems and inconsistency in permissions.

The role has explicit association with role and those will change at a central location. This becomes more consistent and can be managed by an admin for all applications.

Conceptually the idea of groups and roles can be interchangeable, but in implementation this can get difficult to manage.

Here is some more info:

https://csrc.nist.gov/projects/role-based-access-control/faqs#:~:text=As%20normally%20implemented%2C%20a%20group,groups%20to%20which%20they%20belong.&text=RBAC%20requires%20all%20access%20through,roles%2C%20not%20directly%20to%20users.