Group (computing)
From Wikipedia, the free encyclopedia
 |
This article or section needs to be wikified to meet Wikipedia's quality standards. Please help improve this article with relevant internal links. (August 2007) |
In computing, the term group generally refers to a grouping of users. In principle, users may belong to none, one, or many groups (although in practice some systems put limits on this.) The primary purpose of using groups is to simplify access control arrangements.
Suppose a computer science department has a computing system which is shared by both students and academics. The department has made a list of directories which the students are allowed to access; in addition, there is another list of directories which the staff are allowed to access. Without groups, one would have to give each student permission individually to each student directory, and each staff member permission individually to each staff directory. In practice, that would be very unworkable, since every time a student or staff member arrived or left, you would have to change the permissions on every one of those directories.
With groups, however, the task is much simpler: create a student group and a staff group, and put each student or staff user in the respective group, then grant the appropriate group access to each directory. Then, to add or remove an account, you only need to do it in one place (in the definition of the group), rather than on every directory. This also provides clear separation of concerns: to change the policies, change the directory permissions; to change the individuals which at this moment fall under the policy, change the group definitions.
Contents |
[edit] Uses of groups
The primary uses of groups are:
- access control - use groups to simplify the policies on who is allowed to access what
- accounting - how much disk space are the students using? how much disk space is being used by the staff?
- default per-user configuration profiles - by default, every staff account should have this directory in its PATH
- content selection - only display content relevant to group members - e.g. this portal channel is intended for students, this mailing list is for the chess club
[edit] Delegable group administration
Many systems provide facilities for delegation of group administration. For example, in some systems (e.g. Linux using shadow passwords) when a group is created, one or more users may be named as group administrators; these users are then free to add or remove users to the group, without having to rely on the system administrator to do so.
Some systems also provide joinable groups, which are groups to which users may elect to add themselves. (Obviously, joinable groups are not intended to be used for access control, but rather for such purposes as mailing lists.)
[edit] Static vs. Dynamic groups
Many systems (especially LDAP systems) today offer the facility of dynamic groups. Traditionally groups are static: you define the group by listing its members. In dynamic groups, however, you specify a search criteria; all users which (at this moment) match the search criteria. The search criteria refer to the attributes of the user account.
For example, we might build our LDAP directory using source data from the student administration system. The student system could provide an attribute degreeCode, which (suppose) is a numeric code identifying the degree program in which the student is enrolled. Suppose then that degreeCode 55 is Bachelor of Computer Science. We could then define a group "BCS-Students" as "(degreeCode=55)" - having defined the group, we do not need to manually modify its membership -- its membership will change automatically as updates flow through from the student administration system. We can construct even more complex definitions: "BCS-Students-1" could be "(&(degreeCode=55)(enrolmentYear=1))", etc.
[edit] Roles
Some systems (e.g. Sun/Netscape/iPlanet LDAP servers) distinguish between groups and roles. These concepts are mostly equivalent: the main difference is that with a group, its membership is stored as an attribute of the group; whereas with roles, the membership is stored within the users, as a list of roles they belong to. The difference is essentially one of performance trade-offs, in terms of which type of access will be faster: the process of enumerating the membership of a given collection (faster for groups), or the process of enumerating which collections this user belongs to (faster for roles).
