> But why restrict tags to have only users and not let them include groups?

Tags are associated with a role. Someone in the "Engineering" role can apply a "source-code" tag to a file. There's no such thing as a group, but rather everyone fills a role.
Sorry, I meant role instead of group. Ah, so tags are tied to a role, all good then. But you could still give permissions for a role through a tag. Like: someone in the "Engineering" role can apply a "source-code" tag to a file, which will grant permission to person A, person B and person C, but also to people in Role 1 and Role 2.
Someone in the "engineering" role can apply the "source-code" tag to a file, which will grant people in the "engineering" role read-write permissions, and the "dev-ops" role read permissions. Users don't have tags associated with them, so they don't get permissions from having a tag assigned. They can't because the policy doesn't allow you to stick a bare user into the (role,tag,permission) tuple.
So when you're auditing permissions, you can check to see if the tags have the appropriate permissions, the roles have appropriate tags, and users have appropriate roles.
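The (role, tag, permission) model and the three-way audit described in the thread, as an added toy implementation that is not code from the discussion or from any product mentioned in it; the role, tag, user and file names are constructed for illustration.

```python
# Toy model of the (role, tag, permission) policy from the thread above.
# Constructed example; role, tag, user and file names are made up.
from dataclasses import dataclass, field


@dataclass
class Policy:
    role_tags: dict = field(default_factory=dict)   # role -> tags it may apply
    user_roles: dict = field(default_factory=dict)  # user -> roles (all a user ever gets)
    file_tags: dict = field(default_factory=dict)   # file -> tags applied to it
    grants: set = field(default_factory=set)        # the (role, tag, permission) tuples

    def grant(self, role, tag, permission):
        # Only a known role can be the subject of a tuple; a bare user is rejected.
        if permission not in ("read", "write"):
            raise ValueError(f"unknown permission {permission!r}")
        if role in self.user_roles or role not in self.role_tags:
            raise ValueError(f"{role!r} is not a role")
        self.grants.add((role, tag, permission))

    def apply_tag(self, actor, tag, path):
        # A user tags a file only through one of their roles that may apply the tag.
        roles = self.user_roles.get(actor, set())
        if not any(tag in self.role_tags.get(r, set()) for r in roles):
            raise ValueError(f"{actor!r} may not apply {tag!r}")
        self.file_tags.setdefault(path, set()).add(tag)

    def permissions(self, user, path):
        # Effective access flows user -> roles -> tags on the file -> permissions.
        roles = self.user_roles.get(user, set())
        tags = self.file_tags.get(path, set())
        return {p for r, t, p in self.grants if r in roles and t in tags}

    def audit(self):
        # The three reviews from the thread: tag->permissions, role->tags, user->roles.
        tag_perms = {}
        for r, t, p in sorted(self.grants):
            tag_perms.setdefault(t, {}).setdefault(p, set()).add(r)
        return {"tags": tag_perms, "roles": self.role_tags, "users": self.user_roles}


def demo():
    p = Policy(role_tags={"engineering": {"source-code"}, "dev-ops": set()},
               user_roles={"alice": {"engineering"}, "bob": {"dev-ops"}, "carol": set()})
    p.grant("engineering", "source-code", "write")
    p.grant("engineering", "source-code", "read")
    p.grant("dev-ops", "source-code", "read")
    p.apply_tag("alice", "source-code", "/repo/main.c")  # alice acts via engineering
    return p
```

`demo()` builds the policy from the thread's own scenario; `audit()` returns the three mappings an auditor would review, and `grant("alice", ...)` fails because a user is not a role.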