Grouping Directory EntriesChapter 4 Designing the Directory Tree 71About RolesRoles are a new entry grouping mechanism. Your directory tree organizesinformation hierarchically. This hierarchy is a grouping mechanism, though it isnot suited for short-lived, changing organizations. Roles provide another groupingmechanism for more temporary organizational structures.Roles unify static and dynamic groups. You use static groups to create a groupentry that contains a list of members. Dynamic groups allow you to filter entriesthat contain a particular attribute and include them in a single group.Each entry assigned to a role contains the nsRole attribute, a computed attributethat specifies all of the roles an entry belongs to. A client application can check rolemembership by searching the nsRole attribute, which is computed by the directoryand therefore always up-to-date.Roles are designed to be more efficient and easier to use for applications. Forexample, applications can locate the roles of an entry, rather than select a groupand browse the members list.You can use roles to do the following:• Enumerate the members of the role.Having an enumerated list of role members can be useful for resolving queriesfor group members quickly.• Determine whether a given entry possesses a particular role.Knowing the roles possessed by an entry can help you determine whether theentry possesses the target role.• Enumerate all the roles possessed by a given entry.• Assign a particular role to a given entry.• Remove a particular role from a given entry.Each role has members, entries that possess the role. You can specify memberseither explicitly (meaning each entry contains an attribute associating it with a role)or dynamically (by creating a filter that assigns entries to roles depending upon anattribute contained by the entry). How you specify role membership depends uponthe type of role you are using. There are three types of roles:• Managed roles—A managed role allows you to create an explicit enumeratedlist of members. Managed roles are added to entries using the nsRoleDNattribute.