What's the difference between groups and roles?

Question

A lot of identity management implementations use roles in addition to groups. How are they different? So far I haven\'t found a compelling use case for separating the two. A

Answer 1

Person - Group - Roles

• A person is a member of one or more groups.
• A group is assigned multiple roles.

Example:

• Two roles exist in a system stock_purchaser, timecard_supervisor.
• Two groups exist in a system shift_supervisor, regional_manager.
• regional_manager has the stock_purchaser and timecard_supervisor role.
• shift_supervisor has the timecard_supervisor role.

In the event a new role (e.g. review_leave_requests) is created - this can be added to all those groups who require this role. In a system only having roles it may be a laborious task adding the role to all people that require it.