Security Groups

Security groups are collections of users, devices, or services used to assign permissions and control access to resources.

What are security groups?

Security groups are logical groupings of identities, such as users, computers, service accounts, or devices, used to grant or deny access to resources. Instead of assigning permissions individually, administrators assign them to a group and manage membership.

Security groups are a foundational concept in directory services and cloud IAM.

Why security groups matter

Security groups are essential because they:

  • Simplify access management at scale
  • Enforce least-privilege principles
  • Reduce administrative overhead
  • Improve consistency and auditability
  • Enable role-based access control (RBAC)

They are central to enterprise security and governance.

How security groups are used

Security groups commonly control access to:

  • File shares and folders
  • Applications and services
  • Network resources
  • Cloud resources and subscriptions
  • Administrative privileges

Permissions are evaluated based on group membership.

Security groups vs distribution groups

These group types serve different purposes:

Group type           Purpose
Security group       Access control and permissions
Distribution group   Email distribution only

Only security groups can be used to authorize access to resources.

Security groups in directory services

In directory-based environments:

  • Security groups are stored in directory services
  • Membership can be static or dynamic
  • Groups can be nested
  • Access checks evaluate group membership at runtime

They integrate tightly with authentication and authorization workflows.

Security groups and RBAC

Security groups are often used to implement Role-Based Access Control (RBAC):

  • Groups represent roles (e.g., "HR Read", "App Admin")
  • Users are added or removed from roles
  • Permissions are assigned to roles, not individuals

This model improves security and manageability.

Nested security groups

Security groups can be nested:

  • A group can be a member of another group
  • Enables hierarchical permission models
  • Simplifies large-scale access management

However, excessive nesting can complicate troubleshooting.

Security groups in cloud environments

In cloud and hybrid environments, security groups:

  • Control access to cloud resources
  • Integrate with identity providers
  • Support conditional access and policies
  • Are often synchronized from on-prem directories

They are a core building block of modern cloud IAM.

Security considerations

Key security considerations include:

  • Avoiding over-privileged groups
  • Regularly reviewing group membership
  • Using naming conventions and documentation
  • Limiting nested group depth
  • Auditing changes and access usage

Mismanaged groups are a common source of excessive permissions.
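The runtime access check described above, the nested-group model, and the "limit nested group depth" review item, worked through in one added example (illustrative Python that is not part of this page or of any directory product; the group tree, ACL, and user names are constructed):

```python
"""Effective-membership resolution over nested security groups.

Constructed example directory (not from any real system): groups may contain
users or other groups; access is granted to groups, never to individuals.
"""
from collections import deque

# Constructed sample data: group -> direct members (users or other groups).
GROUP_MEMBERS = {
    "HR Read": {"alice", "HR Admin"},
    "HR Admin": {"bob"},
    "App Admin": {"HR Admin", "carol"},
    "Domain Admins": {"App Admin"},
}

# Constructed ACL: resource -> groups permitted to access it.
ACL = {
    "\\\\fileserver\\hr": {"HR Read"},
    "payroll-app": {"App Admin"},
}


def effective_groups(principal, members=GROUP_MEMBERS):
    """Return every group the principal belongs to, directly or through nesting,
    mapped to the nesting depth at which the group was first reached."""
    parents = {}
    for group, direct in members.items():
        for member in direct:
            parents.setdefault(member, set()).add(group)
    reached = {}
    queue = deque((g, 1) for g in parents.get(principal, ()))
    while queue:
        group, depth = queue.popleft()
        if group in reached:  # diamonds and cycles are visited only once
            continue
        reached[group] = depth
        queue.extend((p, depth + 1) for p in parents.get(group, ()))
    return reached


def has_access(principal, resource, acl=ACL):
    """Runtime access check: transitive membership in any permitted group."""
    return bool(acl.get(resource, set()) & effective_groups(principal).keys())


def deep_memberships(principal, max_depth=2):
    """Groups reached only through nesting deeper than max_depth: review candidates."""
    return {g: d for g, d in effective_groups(principal).items() if d > max_depth}
```

In the constructed data, bob reaches "Domain Admins" three levels down without ever being added to it directly, which is exactly the kind of inherited privilege a membership review should surface.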

Common misconceptions

  • "Security groups are only for file permissions"
  • "Groups and OUs are the same"
  • "Adding a user to many groups is harmless"
  • "Security groups manage authentication"