
xacml message


Subject: RE: Groups vs. Roles

see embedded comments

> -----Original Message-----
> From: bill parducci [mailto:bill@parducci.net]
> Sent: Thursday, July 26, 2001 8:15 AM
> To: Simon Y. Blackwell
> Subject: Re: Groups vs. Roles
> > There are some issues with describing a group as an attribute of a user if
> > one is speaking about physical implementation. To support some operations it
> > is useful to think of a group as an entity unto itself. Group membership
> > does not seem to be the same type of thing as say "hair color", which is
> > indeed an attribute of an individual.
> true from the object standpoint, but a group without 'users' is a tree
> falling in a deserted forest. probably just a practical semantic, but
> pragmatically it is nothing more than a collection of users. then again,
> a user cannot participate within a group without being a member of the
> group (group attribute). therefore, it is something of a symbiotic
> relationship. either way, at the level i mentally operate, a group is a
> descriptor of a user (i.e. IDENTITY), whereas a role is a descriptor
> of the user's capabilities. (group: simon is californian, simon's
> driver's license lets him operate a vehicle)

OK, we're in agreement here ... BTW, what's a driver's license? Do I need

> > On a slightly different tack, here is a comment extracted from some Ponder
> > docs:
> >
> > "A role is thus a special case of a group, in which all the policies have
> > the same subject."
> >
> > This would imply that although roles are useful, one never has to reference
> > a role from a policy. One can simply reference the group which has a one to
> > one mapping with the named role. This is not inconsistent with my first
> > statement:
> >
> > "For all roles R, there exists a group G such that all members M of G have
> > role R."
> heretical maybe, but i disagree with ponder. i think that in this case
> the role is implied. a user cannot 'do' anything, only a role can.
> however, every object has at least one role, be it explicit or implicit.
> b

Hmmmm ... and thus the need for a foundational model!

Perhaps it is the tuple of user-role that can do something, not the role
alone and not the user alone, i.e. only a user playing a role can do
something. Regardless, it does seem possible that given a mapping between
some role and at least one group (implicit, explicit, and/or dynamic) that
contains all and only subjects that play that role, policies need not refer
to roles directly; they could always refer to groups. However, they may
still have to directly refer to specific subjects. Unless, of course, it is
declared there are identity groups that always have exactly one member and a
one-to-one mapping with each subject in a system. Note, this could well be
logically correct but might result in a policy language that is
comprehensible to just a limited set of users since it relies heavily on
indirect set-oriented semantics.
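The set-oriented argument above, worked through as an added example (not code from the thread or from any XACML implementation; the subject, group and role names are constructed sample data): a role-based rule can be rewritten as a group-based rule only when some group holds all and only the subjects playing that role, and identity groups of exactly one member let a rule that names a specific subject be expressed the same way.

```python
# Toy model of the thread's argument (example code, not from the list or any XACML
# implementation). Subject, group and role names are constructed sample data.
SUBJECT_ROLES = {                      # role: descriptor of what a subject can do
    "simon": {"driver"},
    "bill": {"driver", "auditor"},
    "carol": set(),
}
GROUPS = {                             # group: a collection of subjects (identity)
    "californians": {"simon", "bill", "carol"},
    "drivers": {"simon", "bill"},      # all and only the subjects playing "driver"
    "auditors": {"bill"},
}

def subjects_with_role(subject_roles, role):
    return {s for s, roles in subject_roles.items() if role in roles}

def role_to_group(subject_roles, groups):
    """Map each role R to a group G whose members are all and only the subjects
    playing R. Roles with no such group are omitted: for them a group-based
    rule would permit too many or too few subjects."""
    mapping = {}
    for role in set().union(*subject_roles.values()):
        players = subjects_with_role(subject_roles, role)
        for group, members in groups.items():
            if members == players:
                mapping[role] = group
                break
    return mapping

def identity_groups(subject_roles):
    """One group per subject with exactly one member, so a rule naming a
    specific subject can also be written as a group reference."""
    return {f"id:{s}": {s} for s in subject_roles}

def decide_by_role(subject_roles, subject, role):
    return role in subject_roles.get(subject, set())

def decide_by_group(groups, subject, group):
    return subject in groups.get(group, set())

def group_rule_equivalent(subject_roles, groups, role):
    """True iff rewriting 'subject has role' as 'subject in G' decides the same
    for every subject; False when no all-and-only group exists for the role."""
    mapping = role_to_group(subject_roles, groups)
    if role not in mapping:
        return False
    return all(decide_by_role(subject_roles, s, role) ==
               decide_by_group(groups, s, mapping[role]) for s in subject_roles)
```

Widening "drivers" to include a subject without the driver role breaks the "all and only" condition, and `role_to_group` then refuses to map the role rather than silently producing a rule that grants access to the extra member.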

