AANTS: Groups and Roles in WiscNIC
This document explains the difference between a WiscNIC Role and a WiscNIC group.
The logic for the WiscNIC database includes the explicit concept of the role (i.e. role records exist in the database) and the implicit concept of groups (i.e. the Groups Manager tool allows the creation of manageable groups, but there is no groups record in the database itself).
Groups are different than roles. Let’s talk about them.
A group is a virtual collection of users that is managed by the Groups Manager tool:
You can create a group, add people to that group, then push that collection of people to a set of subnets and/or VLANs. If someone leaves or joins the group you just make the change to the group in the tool, then push it back out and it will add or delete people from that set of subnets and VLANs.
WiscNIC itself doesn’t know anything about groups. To WiscNIC, it will just look like those users are on the subnets and VLANs as admins or techs.
So you could create a group for something like “NS Engineering” and then push that collection of people to some set of subnets or VLANs. Then in six months, if someone gets hired or leaves NS Engineering, you could edit the group and re-push it to the set of subnets and/or VLANs, and it would take care of the change without you having to add that person to, or remove them from, all those records individually.
The important thing about a group is that every person is on the record individually so that if we use MailByDevice or MailByVlan to send an alert, every person will get the alert individually.
Each person on those records will also be granted appropriate access to AANTS devices (e.g. EdgeConf).
WiscNIC Roles are just regular WiscNIC accounts that do not have a NetID (so they won't work for login with SAML).
The Role has a single email associated with it, so when we use MailByVlan or MailByDevice to send out an alert only that email will get notified, not all the individual people. So if there was a “firstname.lastname@example.org” email on that role, only that email would get the alert and each person associated with the role would not get the alert individually.
Roles do NOT grant anyone access to AANTS tools (e.g. EdgeConf). There is no NetID associated with a Role, so there is no way to "log-in" as a role for purposes of getting access to AANTS tools.
Roles can be added to groups in the same manner as individual Nic Handles.
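As an added illustration (not AANTS or WiscNIC code), the Python model below shows a group push and re-push across a set of records, and how alert recipients and tool access then differ for individuals and roles. The record layout, function names, handles and addresses are constructed, and it assumes the tool remembers which handles it pushed so that a re-push removes only those.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    handle: str              # constructed NIC handle
    email: str
    netid: Optional[str]     # None = role account: no NetID, no SAML login

def push_group(records, targets, members):
    """Make the group's slice of each target record match `members`.

    Assumption: the tool remembers which handles it pushed earlier
    (rec["pushed"]), so a re-push removes only those and leaves contacts
    that were added to the record by hand untouched.
    """
    changes = {}
    for t in targets:
        rec = records.setdefault(t, {"contacts": set(), "pushed": set()})
        added = members - rec["pushed"]
        removed = rec["pushed"] - members
        rec["contacts"] = (rec["contacts"] - removed) | members
        rec["pushed"] = set(members)
        changes[t] = (added, removed)
    return changes

def alert_recipients(record):
    """MailByVlan/MailByDevice-style fan-out: one mail per account on the record."""
    return {a.email for a in record["contacts"]}

def tool_access(record):
    """Only accounts with a NetID can log in, so a role never appears here."""
    return {a.netid for a in record["contacts"] if a.netid}

# Constructed sample data
alice = Account("AL1", "alice@example.org", "alice")
bob = Account("BO2", "bob@example.org", "bob")
noc = Account("NOC9", "noc-role@example.org", None)    # a role, added like any handle
carol = Account("CA3", "carol@example.org", "carol")   # put on the VLAN by hand

records = {"vlan-100": {"contacts": {carol}, "pushed": set()}}
targets = ["vlan-100", "subnet-10.0.0.0/24"]
first_push = push_group(records, targets, {alice, bob, noc})
second_push = push_group(records, targets, {alice, noc})  # bob has left the group
```

After the second push, bob is gone from both records, so he no longer receives alerts or holds tool access through them, while the role still receives mail at its single address and grants access to no one.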