A Group has members that can be either Principals or other Groups (nested). Groups essentially become a way to organize Entities (via Principal relationships) and other Groups within logical categories.

Groups can be given authorization to perform actions within applications by assigning them as members of Roles.

Groups can also have arbitrary identity information (i.e., Group Attributes) hanging from them. Group Attributes might be values for 'Office Address,' 'Group Leader,' etc.

Groups can be maintained at runtime through a user interface that is capable of workflow.