Are there really large numbers of applications deployed that grok static groups? I'd like to hear about them because I can't remember ever seeing one. Mind you, I don't get out much ;)

I think it would be useful to hear more about the use-cases in applications for groups. Understanding those might shed more light on the subject. I used the mail list group example previously, but there will be many others, each with its own peculiar set of issues, I suspect.

Way back I did think about intercepting a search for a particular uniquemember attribute value on a group, generating the result from roles-like logic. However, at the time it seemed good to leave the static group semantics alone and define a new mechanism (roles/cos). The intention at the time was to submit the work to the IETF working group and eventually have industry-wide support for the feature. Since that didn't happen, perhaps the choice to not integrate with static groups was wrong; I'm still not sure, though.

One key aim with roles/cos was that an application should be able to determine all the things it needed to know in connection with an entry by inspection of _the_entry_ itself (and not some other object such as a group entry). The logic was: I'm an app, I want to make a decision about entitlement or somesuch for this entity, so let me look at their LDAP entry and decide what to do. The idea was that the policy regarding entitlement and access would be contained in and interpreted by the DS (and hence allow arguably useful benefits such as centralized management of entitlement/access control across the enterprise).

I believe that AD has this for its groups: you can see the groups an entry belongs to by looking only at the entry. You can't do that with FDS static groups.