Security groups and mail distribution lists
Most organizations rely on directories, such as Active Directory or another LDAP implementation, to identify and authenticate users, to assign users access rights and to manage e-mail distribution lists.
Groups are central to user management:
- They are used to simplify the assignment of access rights. It is a best practice to assign privileges to groups and not to users directly. Users gain access rights through group
- Groups are also used to send e-mails to pre-defined sets of
- Groups may represent organizational structure, user roles or temporary relationships, such as project assignment.
In most directories, groups can be nested to simplify management. This means that groups can contain other groups among their members.
Terminology: groups versus roles
It is important to differentiate between two concepts: roles and groups. Hitachi ID Systems uses these terms as follows:
- Groups are objects on target systems to which users are attached and which are assigned application-specific access rights.
- Roles are objects that exist strictly within an identity and access management (IAM) system. They are named collections of accounts, groups and other roles (i.e., they can be nested).
- Users are representations of people on the IAM system and may be linked to multiple accounts on multiple target systems.
Groups are assigned to accounts while roles are assigned to users. Groups can be assigned directly to accounts or indirectly, when a user is assigned a role that includes a group. Roles can be assigned directly to users or indirectly, when a parent role is assigned to a user.
Confusingly, within some systems and applications, groups are referred to as roles or by other names, such as privileges. For consistency, all such constructs, which exist on target systems and are assigned to accounts on those systems, will be referred to as groups here.
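The following added example (not from Hitachi ID Systems or any product) resolves effective group membership under the model above: roles are nested within roles and contain groups, users are linked to accounts, and groups on the target system are nested within groups. All directory and IAM data are constructed; the example assumes circular group nesting is possible on the target system and shows why a membership walk must tolerate it, and includes a reverse "who effectively holds this group" check useful in access reviews.

```python
from collections import deque

# Constructed sample data, not taken from any real directory or IAM system.
# Nested groups per target system: group -> groups that are its direct members.
GROUP_MEMBERS = {
    "AD": {
        "Domain Admins": set(),
        "Finance-Admins": set(),
        "Finance": {"Finance-Admins"},         # Finance contains Finance-Admins
        "All-Staff": {"Finance", "Engineering"},
        "Engineering": {"All-Staff"},          # circular nesting: walk must not loop
        "VPN-Users": set(),
    },
}
# IAM roles: groups as (system, group) pairs plus nested child roles.
ROLES = {
    "Finance-Analyst": {"groups": {("AD", "Finance")}, "roles": set()},
    "Finance-Manager": {"groups": {("AD", "Finance-Admins")}, "roles": {"Finance-Analyst"}},
}
# Users hold roles and are linked to accounts on target systems.
USERS = {"jdoe": {"roles": {"Finance-Manager"}, "accounts": {"AD": "jdoe"}}}
# Groups assigned directly to an account, outside the role model.
ACCOUNT_GROUPS = {("AD", "jdoe"): {"VPN-Users"}}

def closure(start, neighbours):
    """Transitive closure by breadth-first walk; the seen set makes cycles harmless."""
    seen, queue = set(start), deque(start)
    while queue:
        for nxt in neighbours(queue.popleft()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def effective_groups(system, direct):
    """All groups an account belongs to, directly or via nesting (a memberOf walk)."""
    parents = {}
    for grp, members in GROUP_MEMBERS[system].items():
        for m in members:
            parents.setdefault(m, set()).add(grp)
    return closure(direct, lambda g: parents.get(g, ()))

def effective_access(user):
    """Per target system, the groups a user's accounts effectively hold."""
    roles = closure(USERS[user]["roles"], lambda r: ROLES[r]["roles"])
    access = {}
    for system, account in USERS[user]["accounts"].items():
        direct = set(ACCOUNT_GROUPS.get((system, account), set()))
        direct |= {g for r in roles for s, g in ROLES[r]["groups"] if s == system}
        access[system] = effective_groups(system, direct)
    return access

def who_has(system, group):
    """Access-review check: every user whose accounts effectively hold a group."""
    return {u for u in USERS if group in effective_access(u).get(system, set())}
```

In the sample data the circular nesting between All-Staff and Engineering means that a Finance role silently confers Engineering membership, which is exactly what an access review built on `who_has` is meant to surface.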