The difference between Direct group naming and Group role naming in the PMI Group assignment model

A Group Attribute Certificate (GAC) defines the attributes and privileges that a group holds. The GAC is assigned to the members of the group. Group members are assigned those attributes and privileges mainly in the following two ways.

Direct group naming. The Holder field of the Group Attribute Certificate uses the entityName option and is set to a directory name, and the Attributes field is set to the corresponding attributes; the directory name identifies a subtree in the Directory Information Tree (DIT). Every entry in that subtree (i.e. every group member) is granted the attributes and privileges in the group attribute certificate. In other words, the group is named directly, and each time a check is needed, the GAC and the DIT are consulted to see whether a given entry is a member and therefore holds the group attribute.

Group role naming. Group members are assigned a Role Assignment Certificate (RAC, carried in either a PKC or an AC), and the GAC declares the Role Attribute that corresponds to the group. A group member proves that it holds the privilege attributes by presenting its RAC together with the GAC.

16.4 Group assignment model
In some scenarios it might be required for an AA to issue privileges to a group of entities that share a common property, for example, a set of web servers or a team of people, rather than to a single entity. This is achieved by assigning a group attribute certificate to the group. There are two ways of identifying the members of a group who are assigned a group attribute certificate. These methods are called direct group naming and group role naming.

16.4.1 Direct group naming
In direct group naming, the holder component of the group attribute certificate shall take the entityName option, and the directoryName of GeneralName shall name a subtree in the DIT. Each entry in the subtree is assigned the attribute(s) in this group attribute certificate.

16.4.2 Group role naming
In group role naming, the members of the group are identified by the attributes that they hold, such attributes being assigned to them in role assignment attribute certificates. In group role naming, the holder component of the group attribute certificate takes the entityName option and holds the role(s) of the group members who are being assigned the attributes in this group attribute certificate. The GeneralNames should contain a single GeneralName containing a directoryName with a single relative distinguished name (RDN), whose attribute type is the role attribute defined in clause 16.5.1. If roleAuthority in the role attribute is present, this identifies the attribute authorities who are responsible for issuing the role assignment certificates to holders who are members of this group. If roleAuthority is absent from the role attribute, the identity of the responsible AAs to issue the role assignment certificates shall be determined through means outside this Specification. The roleName component of the role attribute identifies the role(s) of the group who are being assigned the attributes in this group attribute certificate.
NOTE 1 – Group role naming allows attribute based role assignments, role mappings and role hierarchies to be defined, by specifying that members of other (more powerful) roles are assigned the roles of this group attribute certificate.
NOTE 2 – Where the role in the holder component is the same as the role in the attributes component of this group attribute certificate, this is delegation of authority from the issuer of the group attribute certificate to the roleAuthority in the role attribute. However, a much simpler way of achieving the same effect is to use the roleAuthority as the holder.
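The following is an added, constructed model of the two membership checks described above (direct group naming via a DIT subtree, group role naming via role assignment certificates); it is example code written for this post, not code from the original post or from any X.509 implementation. DNs, attribute types, the "WebAdmin" role and the "Role AA" issuer are all constructed sample values, and the RDN matching is a simplified case-insensitive comparison rather than the full X.500 matching rules.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the two X.509 PMI group assignment mechanisms (added
# example, not the original post's code). A DN is a list of RDNs, root first,
# each RDN a (attribute type, value) tuple; matching is a simplified
# case-insensitive comparison, not the full X.500 matching rules.
DN = List[Tuple[str, str]]

def norm(dn: DN) -> DN:
    """Comparison form of a DN (lower-cased types and values)."""
    return [(t.lower(), v.strip().lower()) for t, v in dn]

@dataclass
class RoleAssignmentCert:          # RAC, carried in a PKC or an AC
    holder_dn: DN                  # entity that is assigned the role
    issuer_dn: DN                  # the AA that issued the RAC
    role_name: str

@dataclass
class GroupAttributeCert:          # GAC
    attributes: Dict[str, str]     # privilege attributes the group holds
    subtree_apex: Optional[DN] = None            # direct naming: holder names a DIT subtree
    role_name: Optional[str] = None              # role naming: holder is a role RDN
    role_authorities: Optional[List[DN]] = None  # roleAuthority; None = absent

def in_subtree(entry: DN, apex: DN) -> bool:
    """Direct group naming: every entry at or below the apex is a member."""
    e, a = norm(entry), norm(apex)
    return len(e) >= len(a) and e[: len(a)] == a

def holds_role(entity: DN, racs: List[RoleAssignmentCert], role: str, aas: List[DN]) -> bool:
    """Group role naming: member iff a responsible AA has issued a RAC for the role."""
    trusted = [norm(aa) for aa in aas]
    return any(norm(r.holder_dn) == norm(entity) and r.role_name == role
               and norm(r.issuer_dn) in trusted for r in racs)

def group_attributes(gac, entity, racs=(), local_role_aas=None) -> Dict[str, str]:
    """Attributes the entity gains from the GAC, or {} if it is not a member."""
    if gac.subtree_apex is not None:
        return dict(gac.attributes) if in_subtree(entity, gac.subtree_apex) else {}
    # roleAuthority absent: the responsible AAs must come from local configuration
    # ("means outside this Specification"); with none configured, trust no issuer.
    aas = gac.role_authorities if gac.role_authorities is not None else (local_role_aas or [])
    return dict(gac.attributes) if holds_role(entity, list(racs), gac.role_name, aas) else {}

# Constructed sample data: a GAC over a web-server subtree and a GAC naming a role.
ROLE_AA = [("o", "Example"), ("cn", "Role AA")]
SERVER_GAC = GroupAttributeCert({"clearance": "internal"},
                                subtree_apex=[("o", "Example"), ("ou", "Web Servers")])
ADMIN_GAC = GroupAttributeCert({"access": "deploy"}, role_name="WebAdmin",
                               role_authorities=[ROLE_AA])
```

Note that a RAC for the right role from an issuer not listed in roleAuthority grants nothing, and that a GAC with roleAuthority absent grants nothing until the relying party configures which AAs it trusts.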
