小组与角色(有什么真正的区别吗?) [英] Group vs role (Any real difference?)

问题描述

谁能告诉我，团队和角色之间的真正区别是什么?我一直在努力弄清楚这一点，阅读的信息越多，我越能感觉到这是为了混淆人们而产生的，并且没有真正的区别.两者都能胜任对方的工作.我一直使用一个小组来管理用户及其访问权限.

Can anyone tell me, what's the real difference between group and role? I've been trying to figure this out for some time now and the more information I read, the more I get the sense that this is brought up just to confuse people and there is no real difference. Both can do the other's job. I've always used a group to manage users and their access rights.

最近，我遇到了一个管理软件，那里有很多用户.每个用户可以分配一个模块(整个系统分为几个部分，称为模块，即管理模块，调查模块，订单模块，客户模块).最重要的是，每个模块都有一个功能列表，每个用户可以允许或拒绝这些功能.这么说吧，用户John Smith可以访问订单模块并可以编辑任何订单，但无权删除其中的任何订单.

Recently, I've come across an administration software, where is a bunch of users. Each user can have assigned a module (whole system is split into a few parts called modules ie. Administration module, Survey module, Orders module, Customer module). On top of it, each module have a list of functionalities, that can be allowed or denied for each user. So let's say, a user John Smith can access module Orders and can edit any order, but haven't given a right to delete any of them.

如果有更多具有相同能力的用户，我将使用一个小组来进行管理.我会将这些用户聚合到同一个组中，然后将对模块及其功能的访问权限分配给该组.同一组中的所有用户将具有相同的访问权限.

If there was more users with the same competency, I would use a group to manage that. I would aggregate such users into the same group and assign access rights to modules and their functions to the group. All users in the same group would have the same access rights.

为什么称其为组而不是角色?我不知道，我就是这样.在我看来，这根本不重要:]但是我仍然想知道真正的区别.

Why call it a group and not role? I don't know, I just feel it that way. It seems to me that simply it doesn't really matter :] But I still would like to know the real difference.

有人建议为什么应该将其称为角色而不是小组或相反?

Any suggestions why this should be rather called role than group or the other way round?

推荐答案

Google是您的朋友:)

Google is your friend :)

无论如何，角色和组之间的鸿沟来自于计算机安全性的概念(与简单的资源管理相对).拉维·桑德(Ravi Sandhu)教授对角色和群体之间的语义差异进行了开创性的报道.

Anyways, the divide between role and group comes from concepts of computer security (as opposed to simply resource management). Prof. Ravi Sandhu provides a seminal coverage of the semantic difference between roles and groups.

http://profsandhu.com/workshop/role-group.pdf

组是具有给定权限集(分配给用户)的一组给定用户的集合.角色是权限的集合，并且用户在该角色下操作时可以有效地继承这些权限.

A group is a collection of users with a given set of permissions assigned to the group (and transitively, to the users). A role is a collection of permissions, and a user effectively inherits those permissions when he acts under that role.

通常，您的组成员身份将在您登录期间保持不变.另一方面，可以根据特定条件激活角色.如果您当前的角色是医疗人员"，您也许可以查看给定患者的一些病历.但是，如果您的角色也是医师"，则您可能会看到仅具有医疗人员"角色的人所能看到的其他医疗信息.

Typically your group membership remains during the duration of your login. A role, on the other hand, can be activated according to specific conditions. If your current role is 'medical-staff' you might be able to see some of the medical records for a given patient. If, however, your role is also 'physician', you might be able to see additional medical information beyond what a person with just a role of 'medical-staff' can see.

角色可以通过一天中的时间，访问位置来激活.角色也可以被增强/与属性相关联.您可能以医师"的身份进行操作，但是如果您没有与我(具有患者"角色的用户)的主要医师"属性或与我的关系，那么您将看不到我的全部病史.

Roles can be activated by time of day, location of access. Roles can also be enhanced/associated with attributes. You might be operating as 'physician', but if you do not have a 'primary physician' attribute or relation with me (a user with 'patient' role), then you cannot see my entirety of medical history.

您可以对小组进行所有操作，但是同样，小组倾向于关注身份，而不是角色或活动.而且，刚刚描述的安全方面的类型倾向于使后者与前者更好地保持一致.

You could do all that with groups, but again, groups tend to focus on identity, not role or activity. And the type of security aspects just described tend to align themselves better with the later than with the former.

在许多情况下，为了将事物分类在一起(仅此而已)，组和角色的功能是相同的.但是，组是基于身份的，而角色是用于划分活动的.不幸的是，操作系统倾向于模糊区分，将角色视为组.

For many cases, for the usage of classifying things together (and nothing more), groups and roles function just the same. Groups, however, are based on identity, whereas roles are meant to demarcate activity. Unfortunately, operating systems tend to blur the distinction, treating roles as groups.

您发现应用程序或系统级角色之间的区别更加明显-带有应用程序或系统特定的语义(例如

You see a much clearer distinction with application or system-level roles - carrying application or system-specific semantics (like in Oracle roles) - as opposed to 'roles' implemented at the OS level (which are typically synonymous to groups.)

角色和基于角色的访问控制模型可能会受到限制(当然，当然还有其他限制):

There can be limitations to roles and role-based access control models (like with anything of course):

http://www.lhotka.net/weblog/CommentView ，guid，9efcafc7-68a2-4f8f-bc64-66174453adfd.aspx

大约十年前，我看到了一些关于基于属性和基于关系的访问控制的研究，这些研究提供了比基于角色的访问控制更好的粒度.不幸的是，多年来我在该领域没有看到太多活动.

About a decade ago I saw some research on attribute-based and relationship-based access control which provide much better granularity than role-based access control. Unfortunately, I haven't seen much activity on that realm in years.

角色和组之间最重要的区别是角色通常实现强制性访问控制(MAC)机制.您无法将自己(或其他人)分配给角色.角色管理员或角色工程师可以做到这一点.

The most important difference between roles and groups is that roles typically implement a mandatory access control (MAC) mechanism. You do not get to assign yourself (or others) to roles. A role admin or role engineer does that.

从表面上看，它类似于UNIX组，在该组中，用户可以(也许通过sudo)将自己分配给一个组.但是，根据安全工程过程分配组时，区别有点模糊.

This is superficially similar to UNIX groups where a user can/might be able to assign himself to a group (via sudo of course.) When groups are assigned according to a security engineering process, the distinction blurs a bit, however.

另一个重要特征是，真正的RBAC模型可以提供互斥角色的概念.相反，基于身份的组是加性的-主体的身份是组的总和(或合集).

Another important characteristic is that true RBAC models can provide the concept of mutually exclusive roles. In contrast, identity-based groups are additive - a principal's identity is the sum (or conjunction) of the groups.

基于True-RBAC的安全模型的另一个特征是，为特定角色创建的元素通常不能由不担任该角色的人员进行传递访问.

Another characteristic of a true-RBAC based security model is that elements created for a particular role typically cannot be transitively accessed by someone who does not act under that role.

另一方面，在自由访问控制(DAC)模型(Unix中的默认模型)下，您不能仅凭组获得这种类型的保证.顺便说一句，这不是组或Unix的限制，而是基于身份(以及基于身份的组的可传递)的DAC模型的限制.

On the other hand, under a discretionary access control (DAC) model (the default model in Unix), you cannot get that type of guarantee with groups alone. BTW, this is not a limitation of groups or Unix, but a limitation of DAC models based on identity (and transitively, with identity-based groups.)

希望有帮助.

======================

=======================

在看到Simon的好评后再添加一些内容.角色可帮助您管理权限.组可以帮助您管理对象和主题.此外，人们可以将角色视为情境".角色"X"可以描述一个安全上下文，该上下文确定主体Y如何访问(或不访问)对象Z.

Adding some more after seeing Simon's well-put response. Roles help you manage permissions. Groups help you manage objects and subjects. Moreover, one could think of roles as 'contexts'. A role 'X' can describe a security context that rule how subject Y access (or does not access) object Z.

另一个重要的区别(或理想情况)是，有一个角色工程师，一个工程师在应用程序，系统或OS中必需和/或显而易见的角色，上下文.角色工程师通常也是(但不一定是)角色管理员(或sysadmin).此外，角色工程师的真正角色(不是双关语)是安全工程领域，而不是管理领域.

Another important distinction (or ideal) is that there is a role engineer, a person that engineers the roles, the contexts, that are necessary and/or evident in an application, system or OS. A role engineer typically is (but does not have to be) also a role admin (or sysadmin). Moreover, the true role (no pun intended) of a role engineer is in the realm of security engineering, not administration.

这是一个由RBAC正式化的新型小组(即使很少使用)，这在具有小组功能的系统中通常是不存在的.

This is a novel group formalized by RBAC (even if it seldom gets used), one which has typically not been present with group-capable systems.

这篇关于小组与角色(有什么真正的区别吗?)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！