Group (computing)

Last updated October 02, 2019

In computing, the term group generally refers to a grouping of users. In principle, users may belong to none, one, or many groups (although in practice some systems place limits on this.) The primary purpose of user groups is to simplify acess to crazy stuff and computer things .

A user is a person who utilizes a computer or network service. Users of computer systems and software products generally lack the technical expertise required to fully understand how they work. Power users use advanced features of programs, though they are not necessarily capable of computer programming and system administration.

Suppose a computer science department has a network which is shared by students and academics. The department has made a list of directories which the students are permitted to access and another list of directories which the staff are permitted to access. Without groups, administrators would give each student permission to every student directory, and each staff member permission to every staff directory. In practice, that would be very unworkable – every time a student or staff member arrived, administrators would have to allocate permissions on every directory.

A computer network is a digital telecommunications network which allows nodes to share resources. In computer networks, computing devices exchange data with each other using connections between nodes. These data links are established over cable media such as wires or optic cables, or wireless media such as Wi-Fi.

A student is primarily a person enrolled in a school or other educational institution who attends classes in a course to attain the appropriate level of mastery of a subject under the guidance of an instructor and who devotes time outside class to do whatever activities the instructor assigns that are necessary either for class preparation or to submit evidence of progress towards that mastery. In the broader sense, a student is anyone who applies themselves to the intensive intellectual engagement with some matter necessary to master it as part of some practical affair in which such mastery is basic or decisive.

A system administrator, or sysadmin, is a person who is responsible for the upkeep, configuration, and reliable operation of computer systems; especially multi-user computers, such as servers. The system administrator seeks to ensure that the uptime, performance, resources, and security of the computers they manage meet the needs of the users, without exceeding a set budget when doing so.

With groups, the task is much simpler: create a student group and a staff group, placing each user in the proper group. The entire group can be granted access to the appropriate directory. To add or remove an account, one must only need to do it in one place (in the definition of the group), rather than on every directory. This workflow provides clear separation of concerns: to change access policies, alter the directory permissions; to change the individuals which fall under the policy, alter the group definitions.

Uses of groups

The primary uses of groups are:

Access control
Accounting - allocating shared resources like disk space and network bandwidth
Default per-user configuration profiles - e.g., by default, every staff account could have a specific directory in their PATH
Content selection - only display content relevant to group members - e.g. this portal channel is intended for students, this mailing list is for the chess club

In computing, bandwidth is the maximum rate of data transfer across a given path. Bandwidth may be characterized as network bandwidth, data bandwidth, or digital bandwidth.

A mailing list is a collection of names and addresses used by an individual or an organization to send material to multiple recipients. The term is often extended to include the people subscribed to such a list, so the group of subscribers is referred to as "the mailing list", or simply "the list".

Chess is a two-player strategy board game played on a checkered board with 64 squares arranged in an 8×8 grid. The game is played by millions of people worldwide. Chess is believed to be derived from the Indian game chaturanga sometime before the 7th century. Chaturanga is also the likely ancestor of the Eastern strategy games xiangqi, janggi, and shogi. Chess reached Europe by the 9th century, due to the Umayyad conquest of Hispania. The pieces assumed their current powers in Spain in the late 15th century; the modern rules were standardized in the 19th century.

Delegable group administration

Many systems provide facilities for delegation of group administration. In these systems, when a group is created, one or more users may be named as group administrators. These group administrators are then capable of adding and removing other users from the group, without relying on a system administrator.

Some systems also provide joinable groups, which are groups to which users may elect to add themselves. Joinable groups are not intended to be used for access control, but rather for such purposes as electronic mailing lists.

Static vs. dynamic groups

Many systems (especially LDAP systems) offer the facility of dynamic groups. Traditionally groups are static: one defines a group by individually selecting its members. In dynamic groups, however, an administrator can specify search criteria. All users which match the search criteria will be considered a member of this dynamic group.

The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

For example, one might build an LDAP directory using source data from a student administration system. The student system could provide an attribute degreeCode, which might be a numeric code identifying the degree program in which the student is enrolled. Suppose then that degreeCode 55 is Bachelor of Computer Science. We could then define a group "BCS-Students" as "(degreeCode=55)" – having defined the group, we do not need to manually modify its membership – its membership will change automatically as updates flow through the system. One can construct even more complex definitions: "BCS-Students-1" could be "(&(degreeCode=55)(enrollmentYear=1))" (meaning: a user is a member of the 'BCS-Students-1' group if it's true they're enrolled in the BSC Computer Science degree program and they're in their first year – i.e., Computer Science freshmen).

An academic degree is a qualification awarded to students upon successful completion of a course of study in higher education, usually at a college or university. These institutions commonly offer degrees at various levels, usually including bachelor's, master’s and doctorates, often alongside other academic certificates and professional degrees. The most common undergraduate degree is the bachelor's degree, although in some countries there are lower level higher education qualifications that are also titled degrees.

The Bachelor of Computer Science or Bachelor of Science in Computer Science is a type of bachelor's degree, usually awarded after three or four years of collegiate study in computer science, but possibly awarded in fewer years depending on factors such as an institution's course requirements and academic calendar. In some cases it can be awarded in five years. In general, computer science degree programs emphasize the mathematical and theoretical foundations of computing.

Roles

Some systems (e.g. Sun/Netscape/iPlanet LDAP servers) distinguish between groups and roles. These concepts are mostly equivalent: the main difference is that with a group, its membership is stored as an attribute of the group; whereas with roles, the membership is stored within the users, as a list of roles they belong to. The difference is essentially one of performance trade-offs, in terms of which type of access will be faster: the process of enumerating the membership of a given collection (faster for groups), or the process of enumerating which collections this user belongs to (faster for roles).

Related Research Articles

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. Starting with Windows Server 2008, however, Active Directory became an umbrella title for a broad range of directory-based identity-related services.

In computing, a file server is a computer attached to a network that provides a location for shared disk access, i.e. shared storage of computer files that can be accessed by the workstations that are able to reach the computer that shares the access through a computer network. The term server highlights the role of the machine in the client–server scheme, where the clients are the workstations using the storage. It is common that a file server does not perform computational tasks, and does not run programs on behalf of its clients. It is designed primarily to enable the storage and retrieval of data while the computation is carried out by the workstations.

The Network Information Service, or NIS, is a client–server directory service protocol for distributing system configuration data such as user and host names between computers on a computer network. Sun Microsystems developed the NIS; the technology is licensed to virtually all other Unix vendors.

In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. In some cases, the actual name of the account is not the determining factor; on Unix-like systems, for example, the user with a user identifier (UID) of zero is the superuser, regardless of the name of that account; and in systems which implement a role based security model, any user with the role of superuser can carry out all actions of the superuser account. The principle of least privilege recommends that most users and applications run under an ordinary account to perform their work, as a superuser account is capable of making unrestricted, potentially adverse, system-wide changes.

The British Computer Society (BCS) is a professional body and a learned society that represents those working in information technology (IT) and computer science, both in the United Kingdom and internationally. Founded in 1956, BCS has played an important role in educating and nurturing IT professionals, computer scientists, computer engineers, upholding the profession, accrediting chartered IT professional status, and creating a global community active in promoting and furthering the field and practice of computing.

On Microsoft Servers, a domain controller (DC) is a server computer that responds to security authentication requests within a Windows domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.

In Unix-like systems, multiple users can be put into groups. POSIX and conventional Unix file system permissions are organized into three classes, user, group, and others. The use of groups allows additional abilities to be delegated in an organized fashion, such as access to disks, printers, and other peripherals. This method, among others, also enables the superuser to delegate some administrative tasks to normal users, similar to the Administrators group on Microsoft Windows NT and its derivatives.

The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and user interface can all use the registry. The registry also allows access to counters for profiling system performance.

NIS+ is a directory service developed by Sun Microsystems to replace its older 'NIS'. It is designed to eliminate the need for duplication across many computers of configuration data such as user accounts, host names and addresses, printer information and NFS disk mounts on individual systems, instead using a central repository on a master server, simplifying system administration. NIS+ client software has been ported to other Unix and Unix-like platforms.

In computing, privilege is defined as the delegation of authority to perform security-relevant functions on a computer system. A privilege allows a user to perform an action with security consequences. Examples of various privileges include the ability to create a new user, install software, or change kernel functions.

Code Access Security (CAS), in the Microsoft .NET framework, is Microsoft's solution to prevent untrusted code from performing privileged actions. When the CLR loads an assembly it will obtain evidence for the assembly and use this to identify the code group that the assembly belongs to. A code group contains a permission set. Code that performs a privileged action will perform a code access demand which will cause the CLR to walk up the call stack and examine the permission set granted to the assembly of each method in the call stack. The code groups and permission sets are determined by the administrator of the machine who defines the security policy.

In computing, delegated administration or delegation of control describes the decentralization of role-based-access-control systems. Many enterprises use a centralized model of access control. For large organizations, this model scales poorly and IT teams become burdened with menial role-change requests. These requests — often used when hire, fire, and role-change events occur in an organization — can incur high latency times or suffer from weak security practices.

The Global Address List (GAL) is an electronic shared address book which contains usually all people of given organization. This address book is accessed over the computer network using LDAP protocol, CardDAV or some other electronic means.

The Boston Computer Society (BCS) was an organization of personal computer users, based in Boston, Massachusetts, U.S., that ran from 1977 to 1996. At one point, it was the largest such group in the world, with regular user group meetings, many publications, permanent offices in Boston, and hosting major product announcements, including the East Coast release of the Apple Macintosh in 1984.

AGDLP briefly summarizes Microsoft's recommendations for implementing role-based access controls (RBAC) using nested groups in a native-mode Active Directory (AD) domain: User and computer accounts are members of global groups that represent business roles, which are members of domain local groups that describe resource permissions or user rights assignments. AGUDLP and AGLP summarize similar RBAC implementation schemes in Active Directory forests and in Windows NT domains, respectively.

PERMIS is a sophisticated policy-based authorization system that implements an enhanced version of the U.S. National Institute of Standards and Technology (NIST) standard Role-Based Access Control (RBAC) model. PERMIS supports the distributed assignment of both roles and attributes to users by multiple distributed attribute authorities, unlike the NIST model which assumes the centralised assignment of roles to users. PERMIS provides a cryptographically secure privilege management infrastructure (PMI) using public key encryption technologies and X.509 Attribute certificates to maintain users' attributes. PERMIS does not provide any authentication mechanism, but leaves it up to the application to determine what to use. PERMIS's strength comes from its ability to be integrated into virtually any application and any authentication scheme like Shibboleth (Internet2), Kerberos, username/passwords, Grid proxy certificates and Public Key Infrastructure (PKI).

Strathclyde Personal Interactive Development and Educational Resource (SPIDER) is a virtual learning environment used by the University of Strathclyde to provide an online platform for class material, support and more.

In computer security, general access control includes identification, authorization, authentication, access approval, and audit. A more narrow definition of access control would cover only access approval, whereby the system makes a decision to grant or reject an access request from an already authenticated subject, based on what the subject is authorized to access. Authentication and access control are often combined into a single operation, so that access is approved based on successful authentication, or based on an anonymous access token. Authentication methods and tokens include passwords, biometric scans, physical keys, electronic keys and devices, hidden paths, social barriers, and monitoring by humans and automated systems.

In computer security, LDAP injection is a code injection technique used to exploit web applications which could reveal sensitive user information or modify information represented in the LDAP data stores. LDAP injection exploits a security vulnerability in an application by manipulating input parameters passed to internal search, add or modify functions. When an application fails to properly sanitize user input, it is possible for an attacker to modify an LDAP statement.

References

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.