Groups are a common tool for making Authorization rules more manageable, by assigning privileges to sets of users, irrespective of their individual identity. They can also be used for a variety of other application-specific purposes.

When combined with federated identity, groups may be locally administered while consisting of users from multiple domains, or less commonly they may be distributed such that control over membership in the group is determined by one or more external domains/authorities.

• Local Groups
  • User Identification
  • Provisioning (and Deprovisioning)

• Federated Groups
  • Single vs. Multi-Domain
  • Implications for UI and application design
  • Blacklisting to override distributed authorities

• Representation
  • isMemberOf
  • eduPersonEntitlement

• Privacy Implications
  • Visibility of members to other members
  • Sharing groups across services