Concept of groups vs concept of roles

Hi!
I'm designing an LDAP structure mainly for authentication and authorization of users. I want to use the LDAP server for applications, intranet (different platforms like Linux, NT, ...) and portals.
I read the Admin Guide about groups and roles and found that there aren't that many reasons for using roles instead of groups. The only real difference is (as I understood it) that when using roles, I don't have to search for the groups a user is a member of, because every user contains the nsrole attribute with all the roles he is a member of.
One big reason for not using roles is that they are quite specific to iPlanet Directory Server. If one ever changes to another product (for example OpenLDAP) the roles concept may or may not be the same. When using groups I don't have that problem.
(If my information about that is incorrect, please contradict!)
A mixture of groups and roles is quite a bad idea because if I put a group in a role, the "nsrole" attribute is added only to the group but not to the members of the group, so if I use roles, I should stick to them and should not use any groups.
As I said at the beginning, I am planning an LDAP structure. I don't have any "real life LDAP experience", so if your experience is different, please tell me.
Thanks in advance for your opinion!
Florian

> 1. Why there could be a problem without scopes in groups. If I have two companies and each of them has a group "employees". Two companies would probably be separated in two different subtrees, so I just use a dynamic group, where I can specify a subtree where group members can be located, or I use static groups, where I define each entry.

You see, you had to make a choice on which group type you could use - not because one was more convenient for defining members for the problem at hand, but because only one would work at all.

One thing I did not mention about roles' advantages: they all work the same way - if a new role type were invented, applications written to work with roles prior to the new role would still work with that role type. Group types are so different that forward compatibility is not possible - mostly because to even use groups, applications have to do all the work to do common things like enumerate the group, enumerate the groups an entry belongs to, test for group membership etc.

> 2. The coding logic for group evaluation with dynamic and static groups and even mixtures of it is quite complicated; it is much easier to ask an entry for a roledn and that's it, but do most clients support roles? Probably not.

But then roles have not been around as long. I don't have any hard data on how many apps use roles - you would be surprised how hard it is to get that data for a developer.

> As far as I know roles are not used in any other LDAP server.

Well, the Sun DS and the Netscape DS (which admittedly were once the same thing) both support the same roles.

> So you can optimize an application implementing role-based queries, but if you have an OpenLDAP environment you also need a possibility to use groups.

Talk to the OpenLDAP people about that. I believe they (at one time at least) decided to support the Netscape slapi interface - roles have interface components in that API.

I do understand what you are saying - there isn't an RFC, so other servers don't support roles. Well, I'm sorry, I never got around to it. To be perfectly frank, a lot of LDAP RFCs/drafts merely describe some proprietary mechanism which other servers never adopt. Some even describe mechanisms that nobody has ever implemented.

When it comes down to it, it is only you who can decide whether being able to move to OpenLDAP or some other server without any reimplementation is an important consideration. Every server will have features not supported by others, and if your choice is to use only those that are commonly supported, then that is your choice.

Roles will allow much less complex coding in order to use them, and they are much faster than equivalent client-side operations, but the price is non-conformance with other servers. But when that non-conformance simply boils down to entries which merely "describe" the groups without adding application-level functionality - how much have you really lost? Well, until you need to change server vendor you have only gained, and then you'll need to put in the effort you saved earlier.

> On the other side, what applications do support roles right now? (I really don't know)

Apart from applications by vendors that also supply DS I don't know either - but support for features such as this needs to come from customers of those products. It is surprisingly simple to add support for roles in a product (for most it will almost be free) - much simpler than for groups.
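To make the "applications have to do all the work" point concrete, here is an added example (not code from the thread or from any directory server vendor). It models a few constructed directory entries in memory and shows what an LDAP client has to implement to answer "is this user in group G?" and "which groups is this user in?" when only groups exist: inspect the group's object class, list members for a static groupOfUniqueNames, and for a dynamic groupOfURLs parse the memberURL (RFC 4516), check the search scope and evaluate the filter itself. The role check beside it is a single attribute read. Assumptions: the DNs, object classes and filters are made up; nsrole is a server-computed attribute in the real product and is modelled here as if already returned by the server; the filter evaluator goes slightly beyond the thread by handling nested &, | and ! of equality and presence filters, which is enough to show why the client-side path is the hard one.

```python
"""Client-side group evaluation vs. a server-maintained role attribute.

Added example, not from the original thread. Entries, DNs and filters are
constructed sample data; nsrole is treated as a stored attribute for the demo.
"""
from urllib.parse import unquote

# Constructed sample directory: DN -> attributes (values as lists, as in LDAP).
DIRECTORY = {
    "uid=flo,ou=people,o=company1,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "ou": ["Sales"],
        "nsrole": ["cn=employees,o=company1,dc=example,dc=com"],
    },
    "uid=kim,ou=people,o=company2,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "ou": ["Sales"],
        "nsrole": ["cn=employees,o=company2,dc=example,dc=com"],
    },
    # Static group: members are listed explicitly by DN.
    "cn=admins,ou=groups,o=company1,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=flo,ou=people,o=company1,dc=example,dc=com"],
    },
    # Dynamic group: membership is a search the client must run itself.
    "cn=employees,ou=groups,o=company1,dc=example,dc=com": {
        "objectClass": ["groupOfURLs"],
        "memberURL": ["ldap:///o=company1,dc=example,dc=com??sub?"
                      "(&(objectClass=inetOrgPerson)(ou=Sales))"],
    },
}


def dn_parts(dn):
    # Split a DN into normalised RDNs; escaped commas are out of scope here.
    return [p.strip().lower() for p in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Is entry_dn inside base_dn for search scope base/one/sub?"""
    e, b = dn_parts(entry_dn), dn_parts(base_dn)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False
    depth = len(e) - len(b)
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope %r" % scope)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def match_filter(attrs, flt):
    """Evaluate a minimal RFC 4515 filter: equality, presence, &, |, !."""
    attrs = {k.lower(): v for k, v in attrs.items()}
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % flt)
    body = flt[1:-1]
    if body[0] in "&|!":
        # Split the operand list into top-level parenthesised sub-filters.
        subs, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                subs.append(body[start:i + 1])
                start = i + 1
        results = [match_filter(attrs, s) for s in subs]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](results)
    attr, _, value = body.partition("=")
    values = [v.lower() for v in attrs.get(attr.strip().lower(), [])]
    return bool(values) if value == "*" else value.lower() in values


def parse_member_url(url):
    """ldap:///<base>?<attrs>?<scope>?<filter> (RFC 4516); host part is empty."""
    rest = url[len("ldap:///"):]
    base, _attrs, scope, flt = (rest.split("?", 3) + ["", "", ""])[:4]
    return unquote(base), (scope or "base"), (unquote(flt) or "(objectClass=*)")


def is_member_client_side(user_dn, group_dn, directory=DIRECTORY):
    """What a client must do when only groups exist: branch on the group type."""
    group = directory[group_dn]
    if "groupOfUniqueNames" in group["objectClass"]:
        return user_dn.lower() in [m.lower() for m in group.get("uniqueMember", [])]
    if "groupOfURLs" in group["objectClass"]:
        for url in group.get("memberURL", []):
            base, scope, flt = parse_member_url(url)
            if in_scope(user_dn, base, scope) and match_filter(directory[user_dn], flt):
                return True
        return False
    raise ValueError("unknown group type: %r" % group["objectClass"])


def groups_of_client_side(user_dn, directory=DIRECTORY):
    """Enumerating a user's groups means evaluating every group in the tree."""
    group_classes = ("groupOfUniqueNames", "groupOfURLs")
    return sorted(dn for dn, a in directory.items()
                  if any(oc in a["objectClass"] for oc in group_classes)
                  and is_member_client_side(user_dn, dn, directory))


def roles_of(user_dn, directory=DIRECTORY):
    """With roles the server computes membership; the client reads one attribute."""
    return sorted(directory[user_dn].get("nsrole", []))


if __name__ == "__main__":
    flo = "uid=flo,ou=people,o=company1,dc=example,dc=com"
    kim = "uid=kim,ou=people,o=company2,dc=example,dc=com"
    print("flo groups (client side):", groups_of_client_side(flo))
    print("kim groups (client side):", groups_of_client_side(kim))
    print("kim roles  (one read):    ", roles_of(kim))
```

Note that kim has ou=Sales too, but is not in company1's dynamic "employees" group because the memberURL's base DN keeps the search inside o=company1; that is exactly the scoping the first point in the thread is about, and the client has to get it right itself.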

Similar Messages

  • How to transport Associated Group in a Portal Role?

    Hi,
    I created a portal role which is contained in a folder X under Portal Content.  This portal role is associated with a particular ABAP menu-role by means of Assigned Groups.  When I transported the folder X with all dependent objects from Dev to QA, the portal role appeared but the Assigned Groups is empty.  In other words, the association between portal role and the ABAP menu-role could not be transported.  How can Associated Groups in a Portal Role be transported?
    Thank you in advance.
    Best regards,
    Zabrina

    Hi,
    I have tried to do it in two steps:
    1. Export and import portal contents which include the whole structure with folders, roles and iviews under each role.
    2. Export and import the same roles as user management data
    The result from 1 was that the whole structure including the roles is imported; however none of the portal role contains the associated assigned group.
    The result from 2 was that the UME roles with assigned group are imported as separate objects.
    Now, the same role appears both as portal role without assigned group and the UME object with assigned group. But, there is no connection between 1 and 2.  That means that I cannot use 2 anyway.
    Is there any other way to do it than to export 1 and manually modify 1 with the assigned role once again after transport?
    Thank you in advance for any helpful advice.
    Best regards,
    Zabrina

  • New BP grouping for existing BP role

    Hi Media experts,
    We have a requirement to add a new BP grouping for an existing role (Retailer - ISM001) which enables us to create a BP in the retailer role with a different number range. So we created a new grouping and customer account group and assigned a new number range. The problem is that we created a BP with the new number range, but in change mode it shows only the general data. The system is not showing the company code and sales area data.
    Note: Integration is BP to Customer
    Please give a solution
    Thanks in advance,
    Regards,
    Srikanth.M

    Thanks for your reply
    As you mentioned we checked the configuration, but it is quite okay. We normally create BP with the same settings. You mean to say that we need to change the configuration under 'Configure Field Attributes per activity' for the new BP Grouping we created? Could you please explain a little more about how BP Grouping (newly created) links with the above mentioned customizing activity? Isn't this customizing common in create, change and display activity irrespective of BP Grouping?
    with warm regards,
    Srikanth.M

  • User does not appear in group created from SAP role

    Hello --
    I have a user that has logged into InfoView successfully with SAP authentication and is showing in the CMC under the "User List." When I view the list of users in the group that was created from the SAP role he was a part of, he is not there.   When I go to the user account and view "Member of," the group IS shown in the list. 
    Any idea?  Any way I can "refresh" the group or anything like that?
    Thanks
    Casey

    Thanks for the replies.
    We are on XI 3.1 FP1.8 and we do have a CMS cluster.  Server reboots this weekend seem to have resolved the problem. I am curious why this question was asked, though:
    "Did you reassign the user to another SAP role after the user has already logged at least once in the InfoView?"
    Is this something that could have caused the problem or is it a possible workaround if we run into the issue again? 
    Thanks again...
    Casey

  • Check a group assigned to which role

    Hi,
    I have a group called as "GroupOne". There are no roles/users assigned to this. Now, how can we check whether any roles has added group "GroupOne" to its Assigned Groups under Identity Management.
    I know its a silly question, but I am not able to figure it out.
    Regards,
    Vaibhav

    Generally users will be added to the relevant groups and each group will be added to the corresponding roles.  This is a general practice.
    Sometimes groups will be added to other groups as child groups, where they will inherit the roles.
    So when you go to a group and try to check the roles without using the "search recursively" check box option, it will display the direct roles that are assigned to the group.
    If you check the check box "recursively" and search, then you will get all direct and indirect roles inherited from other groups as well.
    Raghu

  • Portal Groups vs. ABAP Roles

    Hi,
    We have the following scenario:
    SAP EP (6.0 SP19) with content from BW and HR (ESS&MSS).
    The backend systems and the portal use CUA.
    The problem is that, for example, when a new user (employee) is created in HR, we would like the user to automatically get a certain role in the portal (employee or manager, depending on the role given to him in the backend system).
    At the moment we first have to give the user a role in the backend system + assign the user to a group in the portal. Is there a better solution for this?
    Regards,
    Kristian Rantakoski

    You can import backend roles in portal. After importing these backend roles in portal, these roles appear as Groups in portal.  As users are automatically part of these groups in portal, you can assign manager roles of portal to the Manager group (which is actually a role in the backend) in Portal.
    The above approach worked for me in case when I configured Portal UME to ECC6.0 user database. I am not sure if the same approach will work in case of CUA.
    You can give it a try.
    Best Wishes
    Prabhakar

  • Automatically assign a BP Grouping for a BP Role

    Hi, everyone!
    I would like to automatically assign a specific Grouping range for a BP when creating it in a specific Role.  Now, the user has to select each of them separately and sometimes makes mistakes because he selects a wrong Grouping for the Role he is selecting.
    Can this be done?  I will appreciate a lot your help.
    Thanks in advance.
    Adolfo Garay

    Thank you very much, Javier! I will try to explore this.  By any chance, do you have any example that could help me to do this?
    Anyone else have some examples that can be useful for this case?
    Regards,
    Adolfo

  • Automatic Number Range Determination in grouping by custom BP Roles

    Hi,
    I am not aware whether we can automate the grouping (number assignment) while creating a BP with different Roles (instead of asking the user to choose the number range object while creating a BP with different roles).
    Scene: BP creation selection for "Prospect" always triggers the "xy" object defined for a specific number range (no other Grouping selection can be allowed).
    I am looking for inbuilt functionality within CRM 5.0... Please let me know...
    Points & Best wishes are always there...............Regards, Ashok

    Dear Ashok
    You can create a number range and assign it to a BP group, and only one can be made the standard, or you can call it the default number. But for different BP roles it does not follow the R/3 procedure which flows from the account group; here we need to select manually out of the list of groupings. The reason is:
    usually R/3 will be leading CRM, so in R/3 we would have maintained an internal number range and here we need to maintain an external number range, and there can be different ranges for different groups.
    For e.g. in R/3 we maintain all the customers, irrespective of person, sales org. or group, as the same customer master,
    but in CRM we maintain them according to person, org. or group, so here we are classifying the customers. So if required we can use the standard number range or we can distinguish by number for easy identification; suppose if it is a person it will start with 1000 and an org with 2000, like that.
    This is as per my knowledge; if still not convinced mail me, I will respond to you @ [email protected]

  • Rules for AD Groups mapping with ECC roles in GRC

    Hi All,
    I'm actually looking at an option to define the Rules in GRC where i can map AD (LDAP) groups to ECC roles. Is it possible? Could you please let me know if i can achieve this with Rule Architect in GRC 5.3 OR by any other mean.
    Regards
    - V

    Gurus,
    Any thoughts on this?
    Regards
    Vaib

  • WLS Groups and JDeveloper Enterprise Roles

    When there are roles (global, domain, etc.) in the WLS Console, they seem to not have any representation in JDeveloper. It seems that JDeveloper Enterprise Roles correspond to WLS Groups. When I add permissions in the jazn-data.xml, it is Groups that I have to grant to users in the WLS Console, not roles.
    SecurityContext.getUserRoles() also returns a list of WLS Groups assigned to given user.
    Is it some disarray in the terminology, or am I doing something wrong?

    Hi,
    The term "Enterprise Roles" matches WLS groups. "Enterprise" is a more generic synonym for user groups, as on different servers these may otherwise have different names. Note that getUserRoles() shows the enterprise roles and the application roles a user is a member of.
    Frank

  • Assigning Group(of users)  to Role when starting a process programmatically

    Hi All,
    I'm starting a process programmatically (using startProcess()).
    Process initiation is working fine, but I need to assign a 'Group' to the role, and not a user. It is a portal group, available at the portal end only. How can this be done?
    Please guide.
    Thanks and Regards,
    Sakshi

    you can use the following code
    import com.sap.caf.eu.gp.process.api.GPProcessFactory;
    import com.sap.caf.eu.gp.process.api.IGPProcess;
    import com.sap.caf.eu.gp.process.rt.api.IGPProcessRoleInstance;
    import com.sap.caf.eu.gp.process.rt.api.IGPProcessRoleInstanceList;
    import com.sap.caf.eu.gp.process.rt.api.IGPRuntimeManager;
    import com.sap.security.api.IUser;

    // 'process' is the process template to start and 'roleUser' the user to put
    // into every role; the caller has to obtain both (they were not shown here).
    public void startProcess(IGPProcess process, IUser roleUser) throws Exception {
       // retrieve the Runtime Manager
       IGPRuntimeManager rtm = GPProcessFactory.getRuntimeManager();
       // create an empty role assignment list
       IGPProcessRoleInstanceList roles = rtm.createProcessRoleInstanceList();
       // get the number of roles the process defines
       int rolenum = process.getRoleInfoCount();
       // iterate over the required roles
       for (int i = 0; i < rolenum; i++) {
          // create a new role instance by specifying the role's unique name
          IGPProcessRoleInstance roleInstance =
             roles.createProcessRoleInstance(process.getRoleInfo(i).getRoleName());
          // add a user to the role instance
          roleInstance.addUser(roleUser);
          // add the new role to the assignment list
          roles.addProcessRoleInstance(roleInstance);
       }
       // 'roles' is then handed to the runtime manager's startProcess call
       // together with 'process'; that call is omitted here.
    }
    Thanks and Regards
    shanto aloor

  • Linking Query group to an SAP role

    I am able to link the Query group to the role, but when we test, the user does not have access to it. I know this used to be a problem years ago that I thought was fixed. Any ideas on how to get this to work?

    Hi,
    Assign the required user groups to the user in SQ03. If the user is still getting the same error even after the assignments in SQ03, ask the user to change query areas as below and check.
    SQ01 --> Environment --> Query areas --> select "Standard area (client-specific)".
    Regards,
    Gowrinadh

  • OID Dynamic Groups and J2EE security roles

    Hi
    I've searched the forums but can't get a definite answer. Is it possible to use OID dynamic groups and map them to J2EE security roles? I can't find anything that says specifically not, but I can't seem to get it to work.
    Thanks
    Adam

    Hi,
    Let me know if you find answer of your question.
    thanks

  • Assigning authorization group to users or roles.

    Hi
    How do I assign authorization group I created for ECM digital signature approval to users

    Hi,
    Provide the authorization group and the role details to which it needs to be linked to your basis team and they should be able to do this for you.
    Regards
    Sreekanth

  • Reduced group chat commands and roles?

    Hello, I recently noticed a lack of chat commands in newly created group conversations. In an old group conversation (created around July/August 2013) where I hold the MASTER role, /help gives me this set of commands:  Available commands:
     /me [text]
     /topic [text]
     /add [skypename+]
     /alertson [text]
     /alertsoff
     /leave
     /get creator
     /get role
     /whois [skypename]
     /setrole [skypename] MASTER|HELPER|USER|LISTENER
     /kick [skypename]
     /kickban [skypename]
     /get uri
     /get options
     /set options [[+|-]flag] ..
     /setpassword [password] [password hint]
     /clearpassword
     /get password_hint
     /get banlist
     /get allowlist
     /set banlist [[+|-]mask] ..
     /set allowlist [[+|-]mask] ..
     /golive [token]
     /invite [skypename]
     /fork [skypename+]
     /help
    For more help please see http://www.skype.com/go/help.chathelp  However, in a new conversation which I /fork'ed from this old one yesterday (also created a new conversation with the same result), I hold the ADMIN role and only have this list of commands: Available commands:
     /me [text]
     /topic [text]
     /add [skypename+]
     /alertson [text]
     /alertsoff
     /leave
     /setrole [skypename] MASTER|USER
     /kick [skypename]
     /get blob
     /get uri
     /get options
     /set options [[+|-]flag] ..
     /golive [token]
     /invite [skypename]
     /showmembers
     /help
    For more help please see http://www.skype.com/go/help.chathelp  "Old" commands like /fork are also not available in the new conversations but still in the older ones. I also noticed that the role CREATOR seems to have changed to ADMIN and the HELPER and LISTENER roles have been removed. Are my observations correct and if yes, is there any statement on this already?

    Everything Elaine said above is correct. Please take a look at the FAQ which explains:
    That there are two types of group chats (cloud group chats and legacy peer to peer chats)
    Which group chat commands are available for each type
    How you can tell them apart using the /get name chat command
    HorizontalPants wrote:
    the FAQ isn't even updated and I still have reduced chat commands.
    Can you explain what information you think is missing from the FAQ?
