Groups vs Roles

A group is a collection of users, while a role is a collection of privileges (permissions and rights). Semantically, a user is added to a group, while a role is assigned to a user. A group is used to simplify account management or reflect organizational structure. A role is used to grant privileges to users to access resources or perform actions.

Group members are usually dynamic or changeable; that is, a member or user can be added into or removed from a group anytime. A nested group is a group that can contain other groups as its group members.

Privileges associated with a role can be dynamic or unchangeable, depending on the implementation. It’s common for web applications supporting role-based access control to hardcode role privileges and make them immutable.


Windows Groups

Built-in groups of Microsoft Windows, such as Administrators, Backup Operators, Power Users, Users, Guests, etc., are actually hardcoded roles. They are built-ins with hardcoded privileges. You can not change their privileges.


Microsoft Active Directory (AD)

Groups in Microsoft Active Directory (AD) are quite flexible because AD provides different types of groups to support the concept of “grouping” users and “granting” privileges.

AGDLP (Account, Global group, Domain Local group, Permissions) is Microsoft’s implementation to support RBAC (Role-Based Access Control).

  • Global groups are used to group users (accounts)
  • Domain Local groups are used to grant privileges to users. IMO, they are actually roles. (Microsoft doesn’t distinguish privileges from permissions strictly)


MS-SQL Roles

The privileges associated with built-in database roles are hardcoded and unchangeable, for example, db_owner and public. However, you can create your own roles and assign privileges to them.


Leave a Reply