AANTS: Groups and Roles in WiscNIC

This document explains the difference between a WiscNIC role and a WiscNIC group.

The logic for the WiscNIC database includes the explicit concept of the role (i.e. role records exist in the database) and the implicit concept of groups (i.e. the Groups Manager tool allows the creation of manageable groups, but there is no groups record in the database itself).

Groups are different from roles.  Let’s talk about them.

A group is a virtual collection of users that is managed by the Groups Manager tool.

You can create a group, add people to that group, then push that collection of people to a set of subnets and/or VLANs.  If someone leaves or joins the group you just make the change to the group in the tool, then push it back out and it will add or delete people from that set of subnets and VLANs.

WiscNIC itself doesn’t know anything about groups.  To WiscNIC, it will just look like those users are on the VLANs and subnets as admins or techs.

So you could create a group for something like “NS Engineering” and then push that collection of people to some set of Subnets or VLANs.  Then in six months if someone gets hired or leaves NS Engineering, you could edit the group and re-push it to the set of Subnets and/or VLANs and it would take care of the change without you having to put someone on all those records individually or take them off.

The important thing about a group is that every person is on the record individually so that if we use MailByDevice or MailByVlan to send an alert, every person will get the alert individually. 

Each person on those records will also be granted appropriate access to AANTS devices (e.g. EdgeConf).

A role is similar to a group, but there’s one big difference.  A role is a single entity that has WiscNIC users associated with it.  So you could create a role for “NS Engineering” and add a bunch of people to it (using their NIC Handles), and then you could put the role on the subnet and/or VLAN records (using the role’s NIC Handle).

The role has a single email address associated with it, so when we use MailByVlan or MailByDevice to send out an alert, only that address will get notified, not all the individual people.  So if there was a “ns-alert@doit.wisc.edu” address on that role, only that address would get the alert, and each person associated with the role would not get the alert individually.

Roles do NOT grant anyone access to AANTS tools (e.g. EdgeConf).  There is no NetID associated with a role, so there is no way to "log in" as a role for purposes of getting access to AANTS tools.
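
The group and role behavior described above, as a small model added here for illustration (it is not WiscNIC or Groups Manager code): a group push writes each person onto the records individually, while a role stays a single entry with one email address and grants no tool access. It also lists people who have left a group but are still on records because the group has not been re-pushed yet. Assumptions: the record names, NIC Handles and example.edu addresses are constructed, and the push is modeled as tracking the last-pushed membership so it knows whom to delete.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    handle: str   # the role's own NIC Handle (constructed value)
    email: str    # the single address that receives alerts
    members: set = field(default_factory=set)  # NIC Handles of associated people

@dataclass
class Record:     # one subnet or VLAN record
    name: str
    people: dict = field(default_factory=dict)  # NIC Handle -> personal email
    roles: list = field(default_factory=list)

def push_group(last_pushed, members, emails, records):
    """Re-push a group: add new members to each record, delete departed ones."""
    changes = []
    for rec in records:
        for h in sorted(members - set(rec.people)):
            rec.people[h] = emails[h]
            changes.append((rec.name, "add", h))
        for h in sorted((last_pushed - members) & set(rec.people)):
            del rec.people[h]
            changes.append((rec.name, "delete", h))
    return changes

def alert_recipients(rec):
    """Addresses an alert reaches: every individual, plus one address per role."""
    return set(rec.people.values()) | {r.email for r in rec.roles}

def tool_access(rec):
    """Only people listed individually get tool access; role members do not."""
    return set(rec.people)

def stale_entries(members, last_pushed, records):
    """Departed members still on records because the group was not re-pushed."""
    gone = last_pushed - members
    return sorted((rec.name, h) for rec in records for h in gone & set(rec.people))

def demo():
    emails = {"AB1": "ab1@example.edu", "CD2": "cd2@example.edu", "EF3": "ef3@example.edu"}
    vlan, subnet = Record("vlan-100"), Record("subnet-A")
    subnet.roles.append(Role("NSE-ROLE", "ns-alert@doit.wisc.edu", {"AB1", "CD2"}))
    pushed = {"AB1", "CD2"}
    push_group(set(), pushed, emails, [vlan])
    edited = {"AB1", "EF3"}  # CD2 leaves, EF3 joins; group edited but not re-pushed
    stale = stale_entries(edited, pushed, [vlan, subnet])
    changes = push_group(pushed, edited, emails, [vlan])
    return stale, changes, alert_recipients(vlan), alert_recipients(subnet), tool_access(subnet)
```

Running `stale_entries` between a group edit and its re-push is a quick access review: anything it returns is a person who still receives alerts and tool access on that record.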