Which of the following statements pertaining to role-based and group-based user classifications
are true?
A.
A role is a subset of a group where all users share a commonidentity.
B.
Users can belong to one and only one role.
C.
A role can have any number of users.
D.
A group is a collection of users that perform the same function. A role is a collection of groups.
E.
Access privileges can be assigned to roles or groups.
Explanation:
A group is a set of users, classified by common trait.
A role is an abstract name for the permission to access a particular set of resources in an
application.
Multiple users can be mapped to a role.
Users can be mapped to multiple roles.
Incorrect answers
A, B: Just wrong.
D: A group is a collection of users, but a role does not need to be a collection of groups.
Note: Given the potentially large number of users of a system, access privileges are generally
not assigned at the user level. Instead, users are assigned to groups (mimicking the
organizational structure of a company), or roles (defined based on job functions that
users perform), or some combination of the two. Access privileges are then assigned to
groups and/or roles. The most natural case is that they are assigned to roles, since
roles align more closely with operations users naturally perform to accomplish their
job. The industry term for this is Role-Based Access Control (RBAC). RBAC is more
flexible than defining access rights based on usernames or static groups and enables an
organization to be more versatile when allocating resources.
With RBAC the system must determine if the subject (user or client) is associated with
a role that has been granted access to a resource. This process of user to role
ascertainment is called role mapping.
C, D and E