Group vs role (Any real difference?)

roles rights

Can anyone tell me, what's the real difference between group and role? I've been trying to figure this out for some time now and the more information I read, the more I get the sense that this is brought up just to confuse people and there is no real difference. Both can do the other's job. I've always used a group to manage users and their access rights.

Recently, I've come across an administration software, where is a bunch of users. Each user can have assigned a module (whole system is split into a few parts called modules ie. Administration module, Survey module, Orders module, Customer module). On top of it, each module have a list of functionalities, that can be allowed or denied for each user. So let's say, a user John Smith can access module Orders and can edit any order, but haven't given a right to delete any of them.

If there was more users with the same competency, I would use a group to manage that. I would aggregate such users into the same group and assign access rights to modules and their functions to the group. All users in the same group would have the same access rights.

Why call it a group and not role? I don't know, I just feel it that way. It seems to me that simply it doesn't really matter :] But I still would like to know the real difference.

Any suggestions why this should be rather called role than group or the other way round?


Google is your friend :)

Anyways, the divide between role and group comes from concepts of computer security (as opposed to simply resource management). Prof. Ravi Sandhu provides a seminal coverage of the semantic difference between roles and groups.

http://profsandhu.com/workshop/role-group.pdf

A group is a collection of users with a given set of permissions assigned to the group (and transitively, to the users). A role is a collection of permissions, and a user effectively inherits those permissions when he acts under that role.

Typically your group membership remains during the duration of your login. A role, on the other hand, can be activated according to specific conditions. If your current role is 'medical-staff' you might be able to see some of the medical records for a given patient. If, however, your role is also 'physician', you might be able to see additional medical information beyond what a person with just a role of 'medical-staff' can see.

Roles can be activated by time of day, location of access. Roles can also be enhanced/associated with attributes. You might be operating as 'physician', but if you do not have a 'primary physician' attribute or relation with me (a user with 'patient' role), then you cannot see my entirety of medical history.

You could do all that with groups, but again, groups tend to focus on identity, not role or activity. And the type of security aspects just described tend to align themselves better with the later than with the former.

For many cases, for the usage of classifying things together (and nothing more), groups and roles function just the same. Groups, however, are based on identity, whereas roles are meant to demarcate activity. Unfortunately, operating systems tend to blur the distinction, treating roles as groups.

You see a much clearer distinction with application or system-level roles - carrying application or system-specific semantics (like in Oracle roles) - as opposed to 'roles' implemented at the OS level (which are typically synonymous to groups.)

There can be limitations to roles and role-based access control models (like with anything of course):

http://www.lhotka.net/weblog/CommentView,guid,9efcafc7-68a2-4f8f-bc64-66174453adfd.aspx

About a decade ago I saw some research on attribute-based and relationship-based access control which provide much better granularity than role-based access control. Unfortunately, I haven't seen much activity on that realm in years.

The most important difference between roles and groups is that roles typically implement a mandatory access control (MAC) mechanism. You do not get to assign yourself (or others) to roles. A role admin or role engineer does that.

This is superficially similar to UNIX groups where a user can/might be able to assign himself to a group (via sudo of course.) When groups are assigned according to a security engineering process, the distinction blurs a bit, however.

Another important characteristic is that true RBAC models can provide the concept of mutually exclusive roles. In contrast, identity-based groups are additive - a principal's identity is the sum (or conjunction) of the groups.

Another characteristic of a true-RBAC based security model is that elements created for a particular role typically cannot be transitively accessed by someone who does not act under that role.

On the other hand, under a discretionary access control (DAC) model (the default model in Unix), you cannot get that type of guarantee with groups alone. BTW, this is not a limitation of groups or Unix, but a limitation of DAC models based on identity (and transitively, with identity-based groups.)

Hope it helps.

=======================

Adding some more after seeing Simon's well-put response. Roles help you manage permissions. Groups help you manage objects and subjects. Moreover, one could think of roles as 'contexts'. A role 'X' can describe a security context that rule how subject Y access (or does not access) object Z.

Another important distinction (or ideal) is that there is a role engineer, a person that engineers the roles, the contexts, that are necessary and/or evident in an application, system or OS. A role engineer typically is (but does not have to be) also a role admin (or sysadmin). Moreover, the true role (no pun intended) of a role engineer is in the realm of security engineering, not administration.

This is a novel group formalized by RBAC (even if it seldom gets used), one which has typically not been present with group-capable systems.


A group is a means of organising users, whereas a role is usually a means of organising rights.

This can be useful in a number of ways. For example, a set of permissions grouped into a role could be assigned to a set of groups, or a set of users independently of their group.

For example, a CMS might have some permissions like Read post, Create post, Edit post. An Editor role might be able to Read and Edit, but not create (don't know why!). A post might be able to Create and Read etc. A group of managers might have the editor role, while a user in IT, who is not in the managers group, may also have the editor role, even though the rest of his or her group does not.

So while in a simple system groups and roles are often closely aligned, this is not always the case.


A "group" is a collection of users. A "role" is a collection of permissions. That means that when group alpha includes group beta, alpha receives all the users from beta and beta receives all the permissions from alpha. Conversely, you could say role beta includes role alpha and the same conclusions would apply.

A concrete example makes things more clear. Consider "customer support" and "senior customer support". If you think of those collections as groups, then it is clear that customer support users "includes" senior customer support users. However, if you look at them as roles, then it is clear that senior customer support permissions "includes" customer support permissions.

In theory, you could simply have one collection type. However, it would be ambiguous if you were to say that "collection alpha includes collection beta". In that case, you can't tell if the users in alpha are in beta (like a role) or the users in beta are in alpha (like a group). In order to make terminology like "includes" and visual elements like tree views unambiguous, most rbac systems require you to specify whether the collection at issue is a "group" or a "role" at least for the sake of discussion.

Some analogies might help. Framed in terms of set theory, when group alpha is a subset of group beta, then permissions alpha are a superset of permissions beta. Compared to genealogy, if groups are like a tree of descendants, then roles are like a tree of ancestors.


Although there is semantic difference between Roles and Groups (as described above by other answers), technically Roles and Groups seems to be the same. Nothing prevents you to assign Permissions directly to Users and Groups (this can be considered as a fine-tuning access control). Equivalently, when User is assigned a Role, it can be considered a role Member, in the same sense when user becomes Member of a Group.

So we can end up with no real difference between Roles and Groups. Both can be considered for grouping Users AND/OR Permissions. Thus difference is only semantic: — if it is semantically used for grouping Permissions, it is then a Role; — if it is semantically used for grouping Users, it is then a Group. Technically, there is no difference.

Related

How do I unit test web api action method when it returns IHttpActionResult?
Does Eclipse have line-wrap
Variable interpolation in the shell
Detecting production vs. development React at runtime
Mysql - How to quit/exit from stored procedure
How to get argument types from function in Typescript [duplicate]
How to extract the year from a Python datetime object?
Difference between Select and ConvertAll in C#
Heroku/GoDaddy: send naked domain to www [closed]
Difference between CPPFLAGS and CXXFLAGS in GNU Make
404 error for Google Tag Manager
duplicate MIME type "text/html"?