Groups, roles, and CoS are defined as follows:
Groups are entries that name other entries, either as a list of members or as a filter for members. For groups that consist of a list of members, Directory Server generates values for the isMemberOf attribute on each user entry. The isMemberOf attribute on a user entry thus shows all the groups to which that entry belongs.
Roles provide the same functionality as groups, and more, through a mechanism that generates the nsRole attribute on each member of a role.
CoS generates a computed attribute, which allows entries to share a common attribute value without having to store the attribute in each entry.
You cannot use the isMemberOf attribute to make all the members of static groups automatically inherit from a common computed attribute value.
Directory Server can perform searches that are based on the values of the computed attributes that roles, groups, and CoS generate. Filter strings used in any operation can include the nsRole attribute or any attribute generated by a CoS definition. Filter strings can also be used to perform any of the comparison operations on the value of this attribute. However, computed CoS attributes cannot be indexed. Therefore, any search that involves a CoS-generated attribute might consume a large amount of resources in terms of time and memory.
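The three mechanisms described above, side by side in LDIF. This is an added example, not taken from the Sun documentation; the suffix dc=example,dc=com and every entry name and value are constructed, and the fax number attribute is an arbitrary choice for the CoS-generated value.

```ldif
# Constructed sample entries; the suffix and all names are assumptions.

# Static group: the group entry stores the member list.
dn: cn=Engineering,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Engineering
uniqueMember: uid=bjensen,ou=People,dc=example,dc=com

# Managed role: the definition is a subentry; members point to it with nsRoleDN.
dn: cn=Managers,ou=People,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: Managers

# Pointer CoS definition: names the template entry and the attribute to generate.
dn: cn=faxCoS,ou=People,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
cn: faxCoS
cosTemplateDn: cn=faxTemplate,ou=People,dc=example,dc=com
cosAttribute: facsimileTelephoneNumber

# CoS template: holds the single shared value.
dn: cn=faxTemplate,ou=People,dc=example,dc=com
objectClass: top
objectClass: extensibleObject
objectClass: cosTemplate
cn: faxTemplate
facsimileTelephoneNumber: +1 555 0100

# User entry: stores only nsRoleDN. isMemberOf, nsRole and
# facsimileTelephoneNumber are generated by the server, not stored here.
dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: bjensen
cn: Barbara Jensen
sn: Jensen
nsRoleDN: cn=Managers,ou=People,dc=example,dc=com
```

Reading uid=bjensen and requesting isMemberOf and nsRole by name should return the group DN and the role DN as generated values, along with the facsimileTelephoneNumber supplied by the template. A filter such as (nsRole=cn=Managers,ou=People,dc=example,dc=com) selects the role's members, while a filter on facsimileTelephoneNumber here is the unindexed CoS case described above.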
To take full advantage of the features offered by roles, groups, and class of service, determine your grouping strategy in the planning phase of your directory deployment. Refer to Chapter 11, Directory Server Groups and Roles, in Sun Directory Server Enterprise Edition 7.0 Reference for a description of these features and how they can simplify your topology.
To gain a deeper understanding of how roles and groups work, see Chapter 11, Directory Server Groups and Roles, in Sun Directory Server Enterprise Edition 7.0 Reference. For a detailed description of CoS, see Chapter 12, Directory Server Class of Service, in Sun Directory Server Enterprise Edition 7.0 Reference.