Roles vs Groups, What’s the Diff

Posted on February 26, 2014



Have you ever wondered what the actual difference is between a security role and a security group? Superficially they look the same, and operating systems such as Windows conflate the two: a Windows group both aggregates users and carries privileges. A good starting point for understanding the differences is Dr. Ravi Sandhu's paper on the matter [1].

If you are too lazy to open up the PDF (hahaha, jk, but not really), then stick to the following: groups are based on identity; roles are based on capabilities.

Say what? Is that Klingon? No, not really. Bear with me.

The DAC Approach

Taking UNIX as an example, a group is a way to aggregate identities (users). A typical UNIX principal, joe, gets access to resources based on the permissions granted to his user id and to the groups he belongs to. A principal's identity, as the kernel sees it, is the union of his uid and the gids of every group he belongs to.

Moreover, a principal's identity remains constant from session to session. As long as group assignments do not change, a principal gets the same groups at every login. There is nothing to activate: every group he is a member of applies, in every session.

The RBAC Approach

In a full RBAC model (Sandhu's RBAC3: role hierarchies plus constraints), a role is a collection of capabilities (permissions). Roles are hierarchical, and a senior role inherits the permissions of the junior roles beneath it. Roles can be mutually exclusive (more on that later). A role's effective permissions are the union of the permissions assigned directly to it plus those it inherits.

Moreover, a role is only ever active within a login session. A role can be activated by default, or selected by an agent: the principal answering a role prompt, or some other system or condition. If the system allows it, a principal can hold two separate login sessions, each with a distinct set of active roles, and the capabilities of one session are separate from those of the other (again, provided the underlying authentication/authorization system allows it).

That brings us back to the idea of mutually exclusive roles. A principal could be assigned two (or more) mutually exclusive roles (say, admin vs user), but only one role out of a mutually exclusive set can be activated per session. In NIST/Sandhu terminology this is dynamic separation of duty; its stricter sibling, static separation of duty, forbids assigning the conflicting roles to the same principal in the first place.
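To make the distinction concrete, the following is an added example (not code from the original post, nor from Sandhu's paper) that implements both the group model of the DAC section and the session-based role model of the RBAC section side by side. The principal joe, the groups staff and wheel, the roles user, admin and auditor, and the permission strings are all constructed sample data. Mutual exclusion is implemented in its per-session, pairwise form (dynamic separation of duty), a simplification of the general constraint; the example uses admin vs auditor as its conflicting pair.

```python
"""Toy model contrasting UNIX-style groups (DAC) with session-based RBAC.
Added example: the policy data is constructed for illustration and comes
neither from the original post nor from Sandhu's paper."""

class GroupPolicy:
    """UNIX-style model: a principal is a uid plus a fixed set of gids."""

    def __init__(self, user_perms, group_perms, membership):
        self.user_perms = user_perms    # uid -> permissions on the uid itself
        self.group_perms = group_perms  # gid -> permissions the group carries
        self.membership = membership    # uid -> gids (the principal's identity)

    def effective_perms(self, user):
        """Union of the uid's own permissions and every group's; nothing is activated."""
        perms = set(self.user_perms.get(user, ()))
        for group in self.membership.get(user, ()):
            perms |= set(self.group_perms.get(group, ()))
        return frozenset(perms)


class RoleConflict(Exception):
    """Two mutually exclusive roles requested in one session (dynamic SoD)."""


class RbacPolicy:
    """Roles carry permissions, inherit from junior roles, and are activated per session."""

    def __init__(self):
        self.role_perms = {}    # role -> permissions assigned directly
        self.inherits = {}      # role -> junior roles it inherits from
        self.assignments = {}   # user -> roles the user may activate
        self.exclusive = set()  # frozenset pairs that cannot be active together

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.inherits[role] = set(inherits)

    def assign(self, user, role):
        self.assignments.setdefault(user, set()).add(role)

    def perms_of(self, role, seen=None):
        """Direct permissions plus everything inherited; 'seen' guards against cycles."""
        seen = set() if seen is None else seen
        if role in seen:
            return frozenset()
        seen.add(role)
        perms = set(self.role_perms.get(role, ()))
        for junior in self.inherits.get(role, ()):
            perms |= self.perms_of(junior, seen)
        return frozenset(perms)


class Session:
    """A login session: it has no capabilities until a role is activated in it."""

    def __init__(self, policy, user):
        self.policy, self.user, self.active = policy, user, set()

    def activate(self, role):
        if role not in self.policy.assignments.get(self.user, ()):
            raise PermissionError(f"{self.user} is not assigned role {role}")
        for other in self.active:
            if frozenset((role, other)) in self.policy.exclusive:
                raise RoleConflict(f"{role} and {other} cannot be active in one session")
        self.active.add(role)

    def effective_perms(self):
        perms = set()
        for role in self.active:
            perms |= self.policy.perms_of(role)
        return frozenset(perms)


def build_group_policy():
    """Constructed sample: joe owns his home directory and is in 'staff' and 'wheel'."""
    return GroupPolicy(
        user_perms={"joe": {"write:/home/joe"}},
        group_perms={"staff": {"read:/srv/docs"}, "wheel": {"sudo"}},
        membership={"joe": {"staff", "wheel"}},
    )


def build_rbac_policy():
    """Constructed sample: admin inherits user; admin and auditor are mutually exclusive."""
    p = RbacPolicy()
    p.add_role("user", perms={"read:/srv/docs"})
    p.add_role("auditor", perms={"read:/var/log"})
    p.add_role("admin", perms={"manage:accounts"}, inherits={"user"})
    p.exclusive.add(frozenset({"admin", "auditor"}))  # dynamic SoD constraint
    for role in ("user", "admin", "auditor"):
        p.assign("joe", role)
    return p


if __name__ == "__main__":
    print("groups, every session:", sorted(build_group_policy().effective_perms("joe")))
    session = Session(build_rbac_policy(), "joe")
    session.activate("admin")
    print("admin session:", sorted(session.effective_perms()))
```

In the group model joe's permissions are the same set every time, and there is no call that could make them smaller. In the role model a fresh Session starts with no capabilities; activating admin pulls in user's permissions through the hierarchy, a second session can activate auditor independently, and asking the admin session to also activate auditor raises RoleConflict while leaving its existing permissions untouched. Activating a role the principal was never assigned is refused with PermissionError, which is a different failure from a separation-of-duty conflict and is worth keeping distinguishable in real systems.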

Those are the key distinctions between groups and roles. Implementations of such systems, however, tend to blur the two. Whether that is bad or wrong depends on the desired goals. I wrote more extensively about it on Stack Overflow a while ago [2], so anyone who is interested might want to head that way.

[1] Ravi S. Sandhu, "Roles versus Groups", ACM Workshop on Role-Based Access Control, 1995.
[2] My answer at Stack Overflow.