OASIS Mailing List Archives

xacml message

Subject: Re: Groups vs. Roles

for my own edification, i would like to take a shot at this in lay

first, i believe that the discussion arose in response to a
statement/question regarding groups being the same thing as roles. i see
the fundamental difference as this:

groups identify who you ARE, roles describe what you [can] DO.
therefore, a group is an attribute of a 'user' (or group), while a role
is a collection of policies that are applied to a user. policies are not
assigned directly to a user; by 'assigning' a policy to a user, you are
in actuality assigning a policy to the role that is applied to the user,
either explicitly (via a discretely defined role assigned to a user) or
implicitly (via the unique, unstated role assigned to a user for such

does this make sense?

