(Requirement) Enable different classes of users commensurate with their roles.
Several types of users will interact with the DataONE infrastructure, so the identity management infrastructure must be able to support user roles. Closely related to https://trac.dataone.org/ticket/390
Rationale: Different user classes or groups provide an effective mechanism for indicating the types of interaction that might be supported by the system. The alternative is to specifically assign privileges for each user, an approach that is inefficient and potentially insecure, as it is easy to miss an individual when setting privileges for a large number of users.
A well-defined set of standard groups is identified and can be easily managed (e.g. administrators, data contributors, data readers)
Users can be assigned to and removed from groups
Additional groups can be created to support group functions as necessary
Users can create their own groups for ad-hoc collaboration when needed and without approval of system administrators
Access control rules can be associated with groups and operate as expected.
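
The criteria above modeled in Python, as an added example that is not DataONE code: the class `GroupRegistry`, its methods, and all user, permission and resource names are hypothetical. It assumes standard groups are managed by administrators and an ad-hoc group by the user who created it.

```python
# Added illustration, not DataONE code. All names here are hypothetical.
STANDARD_GROUPS = ("administrators", "data contributors", "data readers")


class GroupRegistry:
    def __init__(self, first_admin):
        # group name -> {"owner": user or None, "members": set of users}
        self.groups = {g: {"owner": None, "members": set()} for g in STANDARD_GROUPS}
        self.groups["administrators"]["members"].add(first_admin)
        self.rules = set()  # (group, permission, resource) triples

    def _can_manage(self, actor, group):
        # Standard groups (owner None) are managed by administrators only;
        # an ad-hoc group is also managed by the user who created it.
        is_admin = actor in self.groups["administrators"]["members"]
        return is_admin or self.groups[group]["owner"] == actor

    def create_group(self, actor, name):
        # Any user may create an ad-hoc group; no administrator approval step.
        if name in self.groups:
            raise ValueError(f"group already exists: {name}")
        self.groups[name] = {"owner": actor, "members": {actor}}

    def add_member(self, actor, group, user):
        if not self._can_manage(actor, group):
            raise PermissionError(f"{actor} may not manage {group}")
        self.groups[group]["members"].add(user)

    def remove_member(self, actor, group, user):
        if not self._can_manage(actor, group):
            raise PermissionError(f"{actor} may not manage {group}")
        self.groups[group]["members"].discard(user)

    def allow(self, group, permission, resource):
        # Rules name a group, never an individual user.
        if group not in self.groups:
            raise KeyError(group)
        self.rules.add((group, permission, resource))

    def is_authorized(self, user, permission, resource):
        # Default deny: access exists only through current group membership.
        return any(
            user in self.groups[g]["members"]
            for g, p, r in self.rules
            if p == permission and r == resource
        )
```

Because rules reference groups only, removing a user from a group revokes that access without any rule being edited, which is the failure mode the rationale attributes to per-user privilege assignment.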