!!! [RBAC] How are roles different from groups?
There is a superficial similarity between RBAC roles and traditional groups.  As normally implemented, a group is a collection of users, rather than a collection of permissions, and permissions can be associated with both users and the groups to which they belong. 

The ability to tie permissions directly to users in a group-based mechanism is regarded as a "loophole" that makes it difficult to control the user-permission relationships. 

! Strict [RBAC]
Strict RBAC requires all access through roles, and permissions are connected only to roles, not directly to users.  

! Indirection that Separates
The [role], as it is an indirection that separates users from fine grained [permissions] is more stable than the group concept. This level of indirection also allows more flexibility within the assignment of permissions by the ability to perform functions or [RBAC constraints] and [RBAC Hierarchical].

As an example, changing the [ACLs] assigned to a Group, would require the assignment be assigned directly (or indirectly) to each user that is a member.

! Concept of a Session
Another aspect of [RBAC] that distinguishes it from traditional group mechanisms is the concept of a session, which allows dynamic activation of a subset of [roles] assigned to a user based on their current activity.  

! Core RBAC
Core RBAC also allows those systems with a robust group/ACL mechanism that supports the construction of a many-to-many relation among users and permissions.

!!![Groups Are Bad|Groups Are Bad]
[Groups Are Bad|Groups Are Bad]

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]