Can someone please explain to me the difference between a role and a profile on a SA2000?
From what I can see they essentially do the same thing...
The difference perhaps is that a role is configured per user, and a profile is more like a global object that anyone can use?
Is that about right?
User Role = Logical grouping of users. Grouping is based on certain common criteria like:
1. Access methods (Web based, NC, WSAM, etc.)
2. What resources they need access to.
3. Typically such grouping is already well defined on the backend AAA infrastructure like AD or RADIUS and is just mapped/extrapolated to Roles on the SA.
For example: I have 8 roles that are based on the various departments that an employee belongs to. Also on my AD server I have 8 security groups, and when an employee joins the organization he is added to one of the 8 security groups on AD.
Resource Policy = A resource policy defines certain attributes depending on what type of policy it is. For example, a Web ACL defines what web resources are allowed/denied (if there is no match then the default action is deny). Resource policies can be applied to one Role or several Roles.
Resource Profile = An easy-to-configure option for a common set of Resource Policies. For example, a Web Resource Profile will allow you to configure all possible types of Web Resource Policies like ACL, SSO, Caching, etc. and apply them to one or several roles, and all this is done from one central location rather than having to click all over the place. So it achieves the same thing that Resource Policies do but is a much easier way to configure it. In addition there are some predefined Resource Profiles that serve as config templates for commonly accessed applications like OWA, Citrix, etc.
I'm assuming you're wondering about configuring resources themselves under either the Role itself or Resource Profiles.
Generally, you can achieve the same thing both ways. But what I've found to be best is to make something a Resource Profile if you will be assigning it to more than one Role. If you make Resource Profiles for everything, you'll end up with an enormous list of profiles and a bunch of 1:1 [Role:Resource Profile] mappings anyway.
So for example, we have a lot of partner/vendor roles configured, where there really isn't much duplication of resources. They all access different things, so this is where we generally put resources within the Role itself. For our internal employee resources though, we generally make Resource Profiles so that they can easily be assigned to multiple Roles.
To more specifically answer your question about roles being a user thing and profiles being more global, the answer is "kind of." While you can map a specific user(s) to a role, it is just as often done by AD or LDAP groups. Resource Profiles aren't "global" per se, since you still need to assign them to roles. But like I said, it's easier to assign Resource Profiles to multiple roles.
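
The relationship described in the replies above, as an added conceptual model that is not part of any post and is not the SA's configuration format or evaluation engine. Group names, role names and URLs are constructed, and first-match ordering is an assumption; the default deny on no match is the behaviour stated in the thread.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class WebAcl:
    """One resource policy: a URL pattern, an action, and the roles it applies to."""
    pattern: str
    action: str          # "allow" or "deny"
    roles: frozenset


def profile_to_policies(patterns, roles):
    """A resource profile bundles policies and assigns them to several roles at once."""
    return [WebAcl(p, "allow", frozenset(roles)) for p in patterns]


def roles_for(groups, group_to_role):
    """Role mapping: backend (AD/LDAP) groups decide which roles a user gets."""
    return {group_to_role[g] for g in groups if g in group_to_role}


def evaluate(user_roles, url, policies):
    """First matching policy for one of the user's roles wins (assumed ordering)."""
    for pol in policies:
        if pol.roles & user_roles and fnmatchcase(url, pol.pattern):
            return pol.action
    return "deny"        # no match: default action is deny


# Constructed sample data (hypothetical names and hosts).
GROUP_TO_ROLE = {"AD-Finance": "Finance", "AD-Engineering": "Engineering",
                 "AD-VendorX": "VendorX"}

# Shared internal resources: one profile assigned to multiple employee roles.
INTERNAL_PROFILE = profile_to_policies(
    ["https://wiki.example.internal/*", "https://mail.example.internal/owa/*"],
    {"Finance", "Engineering"})

# Vendor resource used by a single role: a policy tied directly to that role.
VENDOR_POLICY = [WebAcl("https://portal.example.internal/vendorx/*", "allow",
                        frozenset({"VendorX"}))]

POLICIES = INTERNAL_PROFILE + VENDOR_POLICY


def check(groups, url):
    """Resolve roles from groups, then evaluate the URL against all policies."""
    return evaluate(roles_for(groups, GROUP_TO_ROLE), url, POLICIES)
```

A vendor account requesting an internal URL falls through every policy and is denied, which is the property to verify after adding a role to an existing profile.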