Group (computing)
In computing, the term group generally refers to a grouping of users. In principle, users may belong to none, one, or many groups (although in practice some systems place limits on this). The primary purpose of user groups is to simplify access control to computer systems.
Suppose a computer science department has a network which is shared by students and academics. The department has made a list of directories which the students are permitted to access and another list of directories which the staff are permitted to access. Without groups, administrators would give each student permission to every student directory, and each staff member permission to every staff directory. In practice, that would be very unworkable – every time a student or staff member arrived, administrators would have to allocate permissions on every directory.
With groups, the task is much simpler: create a student group and a staff group, placing each user in the proper group. The entire group can be granted access to the appropriate directory. To add or remove an account, one need only do it in one place (in the definition of the group), rather than on every directory. This workflow provides a clear separation of concerns: to change access policies, alter the directory permissions; to change the individuals who fall under the policy, alter the group definitions.
Uses of groups
The primary uses of groups are:
- Access control
- Accounting - allocating shared resources like disk space and network bandwidth
- Default per-user configuration profiles - e.g., by default, every staff account could have a specific directory in their PATH
- Content selection - only display content relevant to group members - e.g. this portal channel is intended for students, this mailing list is for the chess club
Delegable group administration
Many systems provide facilities for delegation of group administration. In these systems, when a group is created, one or more users may be named as group administrators. These group administrators are then capable of adding and removing other users from the group, without relying on a system administrator.
Some systems also provide joinable groups, which are groups to which users may elect to add themselves. Joinable groups are not intended to be used for access control, but rather for such purposes as electronic mailing lists.
Static vs. dynamic groups
Many systems (especially LDAP systems) offer the facility of dynamic groups. Traditionally groups are static: one defines a group by individually selecting its members. In dynamic groups, however, an administrator can specify search criteria. All users who match the search criteria are considered members of the dynamic group.
For example, one might build an LDAP directory using source data from a student administration system. The student system could provide an attribute degreeCode, which might be a numeric code identifying the degree program in which the student is enrolled. Suppose then that degreeCode 55 is Bachelor of Computer Science. We could then define a group "BCS-Students" as "(degreeCode=55)" – having defined the group, we do not need to manually modify its membership – its membership will change automatically as updates flow through the system. One can construct even more complex definitions: "BCS-Students-1" could be "(&(degreeCode=55)(enrolmentYear=1))" (meaning: a user is a member of the 'BCS-Students-1' group if they are enrolled in the Bachelor of Computer Science (BCS) degree program and they are in their first year – i.e., Computer Science freshmen).
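As an added example (not part of the original article), the following Python evaluates LDAP-style filters such as the two above against a small constructed set of user entries to produce dynamic group membership; it implements the RFC 4515 subset of &, |, !, equality and presence (attr=*), and the USERS dictionary, user names and attribute values are all constructed for illustration.

```python
# Constructed sample directory; degreeCode 55 follows the article's example.
USERS = {
    "alice": {"degreeCode": "55", "enrolmentYear": "1"},
    "bob":   {"degreeCode": "55", "enrolmentYear": "3"},
    "carol": {"degreeCode": "12", "enrolmentYear": "1"},
    "dave":  {"degreeCode": "55"},           # no enrolmentYear attribute
}

def parse(s: str, i: int = 0):
    """Parse the filter item at s[i]; return (tree, offset after it)."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):        # compound filter
        op, children, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            child, i = parse(s, i)
            children.append(child)
        if s[i:i + 1] != ")" or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed '{op}' filter at offset {i}")
        return (op, children), i + 1
    end = s.index(")", i)                    # simple item: attr=value
    attr, eq, value = s[i:end].partition("=")
    if not attr or not eq:
        raise ValueError(f"unsupported filter item {s[i:end]!r}")
    return ("=", attr, value), end + 1

def matches(tree, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (attribute -> string value)."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    if value == "*":                         # presence filter: attribute exists
        return attr in entry
    # Assumption: values compare case-insensitively (as for most LDAP string
    # syntaxes); attribute names are matched exactly in this toy directory.
    return entry.get(attr, "").lower() == value.lower()

def dynamic_members(filter_str: str, users=USERS) -> list:
    """Members of the dynamic group defined by filter_str, sorted by name."""
    tree, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError(f"trailing data at offset {end}")
    return sorted(n for n, e in users.items() if matches(tree, e))
```

Because membership is recomputed from the filter on each call, changing a user's degreeCode in the source data moves them between groups without anyone editing a member list, which is exactly the property the article describes.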
Roles
Some systems (e.g. Sun/Netscape/iPlanet LDAP servers) distinguish between groups and roles. These concepts are mostly equivalent: the main difference is that with a group, its membership is stored as an attribute of the group; whereas with roles, the membership is stored within the users, as a list of roles they belong to. The difference is essentially one of performance trade-offs, in terms of which type of access will be faster: the process of enumerating the membership of a given collection (faster for groups), or the process of enumerating which collections this user belongs to (faster for roles).