Deciding Between Roles And Groups - Red Hat DIRECTORY SERVER 8.1 - DEPLOYMENT Deployment Manual


Roles are designed to be more efficient and easier to use for applications. For example, applications
can locate the roles of an entry rather than select a group and browse the members list.
Roles support the following operations:
• Enumerate the members of the role.
Having an enumerated list of role members can be useful for resolving queries for group members
quickly.
• Determine whether a given entry possesses a particular role.
Knowing the roles possessed by an entry can help determine whether the entry possesses the
target role.
• Enumerate all the roles possessed by a given entry.
• Assign a particular role to a given entry.
• Remove a particular role from a given entry.
Each role has members, entries that possess the role. Members can be specified either explicitly
(meaning each entry contains an attribute associating it with a role) or dynamically (by creating a filter
that assigns entries to roles according to an attribute contained in the entry). How role membership is
specified depends on the type of role. There are three types of roles:
• Managed roles create an explicit, enumerated list of members. Managed roles are added to entries
using the nsRoleDN attribute.
• Filtered roles assign entries to the role depending on the attribute contained in each entry by
specifying an LDAP filter. Entries that match the filter are said to possess the role.
• Nested roles create roles that contain other roles. The roles nested within the parent role are
specified using the nsRoleDN attribute.

4.3.2. Deciding Between Roles and Groups

Both methods of grouping entries have advantages and disadvantages. Roles reduce client-side
complexity at the cost of increased server complexity. With roles, the client application can check role
membership by searching the nsRole attribute. From the client application point of view, the method
for checking membership is uniform and is performed on the server side.
Dynamic groups, from an application point of view, offer no support from the server to provide a list
of group members. Instead, the application retrieves the group definition and then runs the filter itself. For
static groups, the application must check whether the user's DN appears as a value of the group's
UniqueMember attribute. The method for determining group membership is therefore not uniform.
Managed roles can do everything that static groups can do, while filtered roles can filter and identify
members as dynamic groups do.
Even though roles are easier to use, more flexible, and reduce client complexity, they do so at the cost
of increased server complexity. Determining role membership is more resource intensive because the
server does the work for the client application.
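As an added example (constructed for this page, not taken from the manual), the LDIF below defines one role of each type described above plus a user entry, so the three membership mechanisms can be compared side by side. The suffix dc=example,dc=com, the role names and the user are assumptions; the objectclass names are the ones Directory Server uses for role definitions.

```ldif
# Constructed example: the three role types, all scoped under ou=People.

# 1. Managed role: explicit membership. An entry joins by carrying an
#    nsRoleDN value that points at this definition.
dn: cn=MarketingStaff,ou=People,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: MarketingStaff
description: Members are entries whose nsRoleDN names this role

# 2. Filtered role: the server evaluates nsRoleFilter against every entry
#    in scope; no per-entry role attribute is needed.
dn: cn=SalesManagers,ou=People,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsComplexRoleDefinition
objectClass: nsFilteredRoleDefinition
cn: SalesManagers
nsRoleFilter: (&(ou=Sales)(title=Manager))

# 3. Nested role: contains the two roles above, so an entry holding either
#    of them also holds this one.
dn: cn=CampaignApprovers,ou=People,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsComplexRoleDefinition
objectClass: nsNestedRoleDefinition
cn: CampaignApprovers
nsRoleDN: cn=MarketingStaff,ou=People,dc=example,dc=com
nsRoleDN: cn=SalesManagers,ou=People,dc=example,dc=com

# User entry: explicit member of MarketingStaff via nsRoleDN. SalesManagers
# is computed by the server from ou/title, and CampaignApprovers follows
# from either. A client checks all three the same way, for example with
#   (&(uid=jdoe)(nsRole=cn=CampaignApprovers,ou=People,dc=example,dc=com))
# and can list the computed roles by requesting nsRole explicitly.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
ou: Sales
title: Manager
nsRoleDN: cn=MarketingStaff,ou=People,dc=example,dc=com
```

Contrast this with a static group, where the client must read the group's UniqueMember values, and a dynamic group, where the client must fetch the memberURL filter and evaluate it itself; with roles the server answers the same nsRole question for all three definitions.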