Users, Groups, Roles -- what are they?

  • Many people are writing and talking INCORRECTLY about the term “Role”. We are confusing ourselves, and this leads to more implementation and instructions around incorrect usage, which extends the confusion.  We need to clarify and use these terms consistently.


    • users - the name of a person or an agent that accesses the system.  An account.
    • groups - a collection of other entities, either users or other groups.  
    • role - a relationship between a user (or group) and an object or context.  


    These are used in BPM in a very specific way.  Processes and activities are the contexts that are important, and users and groups are defined in a directory server.  The role is the name of the way that those are linked together.  


    This might sound complicated, but it is really not that complicated:





    You know what an Activity is, and you know what a Process is.


    There are things in the directory called “Groups” (and Users, but in this diagram I have hidden the users). Thus you can talk about “Programmers”, which is a group of people in the directory. It is a name that ultimately specifies zero, one, or more people. Sometimes people put job titles as the name of a group, such as “Director of Middleware IV”, and even though this is only a single person, we still call it a “Group”.


    When you want to assign people to an activity, you specify the name of a Group from the directory.


    You do NOT specify a “Role”. A Role is a relationship between people and something like a job or a context. When we talk about an “Assignee” of an activity, that name “Assignee” is the role that the person assigned to the task plays. It is the relationship. There is another role you might play at the same time, and that is “Process Owner”.


    The name “Programmers” above is NOT a Role. It is a Group. Some people like to call Groups Roles. This creates a LOT of confusion. “Managers” is not a role. “Testers” is not a role. Directory servers do NOT have roles in them.


    What we have to do is start SPEAKING correctly about these concepts, and update old example files when we see them.


    In my recent experience, almost every use of the word “Role” is incorrect.  If you are talking about processes and activities, you should essentially never use the term “Role”. People talk about “changing the role” when they mean “changing the Assignee”. They talk about “no role assigned” when they mean “no group assigned”. They say that the “role is empty” when they mean “the group has no members”.


    This is the easiest thing to remember:  the things in the directory server are Groups & Users -- NEVER ROLES.
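
    The model described above, as an added example that is not from the original post: the directory holds only users and groups, while a role such as “Assignee” or “Process Owner” is stored on the activity or process and names a group. The class names, method names and sample users are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Directory:
    """What a directory server holds: users and groups. No roles."""
    users: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)  # group name -> member names

    def members(self, group, _seen=None):
        """Expand a group to the users it ultimately names (zero, one, or more)."""
        seen = set() if _seen is None else _seen
        if group in seen:  # a group nested inside itself: stop expanding
            return set()
        seen.add(group)
        found = set()
        for m in self.groups[group]:
            if m in self.groups:  # a group can contain other groups
                found |= self.members(m, seen)
            elif m in self.users:
                found.add(m)
        return found

@dataclass
class Context:
    """A process or activity. Roles live here, as role name -> group name."""
    name: str
    roles: dict = field(default_factory=dict)

    def assign(self, directory, role, group):
        # Only something that exists in the directory as a group can be assigned.
        if group not in directory.groups:
            raise KeyError(f"{group!r} is not a group in the directory")
        self.roles[role] = group

    def who_plays(self, directory, role):
        """Return (status, users), keeping the two 'empty' cases apart."""
        group = self.roles.get(role)
        if group is None:
            return "no group assigned", set()
        users = directory.members(group)
        if not users:
            return "the group has no members", set()
        return "ok", users

# Constructed sample data (hypothetical users; group names taken from the text)
directory = Directory(users={"alice", "bob", "carol"}, groups={
    "Programmers": {"alice", "bob"}, "Testers": set(),
    "Engineering": {"Programmers", "Testers"},
    "Director of Middleware IV": {"carol"}})
review = Context("Review Code")
review.assign(directory, "Assignee", "Engineering")
review.assign(directory, "Process Owner", "Director of Middleware IV")
```

    Calling `review.who_plays(directory, "Assignee")` resolves the nested group to its users, and the status string tells “no group assigned” apart from “the group has no members”.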


    Why do people run into problems?


    It is tempting to make groups with names that reflect the relationship that they are designed to participate in.  This happens all the time: in Windows, there is, by default, a "user" named "administrator" even though "administrator" should really be a role reflecting the relationship between a particular user and that operating system.  


    True capability-based systems never have a user named "administrator" -- they don't need it and they avoid a lot of confusion by not creating one.  Whether or not your OS requires a "user" named "Administrator", it is important to remember that this is a "user" that is defined in the user table, and it is not a "role".  It is simply a user named after the role it was created to play.


    It is pretty easy, really, to learn this and use it correctly.