Group and Role Abstraction
urn:js:virtue:aspire:proposal:21.1
TL;DR
- Allow common treatment of all users in a particular group by allocating users to groups.
- Allow abstraction of application specific and data specific permissions into roles.
- Assign roles to groups.
Rational
Very large numbers of users can have permissions modified practically and consistently for all users of a similar type
Assigning overall permission to use a particular application does not require the administrator to understand all of the fine grained application specific permissions.
Implications
- Permissions are changed appropriately when users change groups
- Adding an application to a group can be done by adding the suitable role to the group