A SecurityGroupis an abstraction that represents the message security settings and security keys for a subset of NetworkMessagesexchanged between Publishersand Subscribers. The security keys are used to encrypt and decrypt NetworkMessagesand to generate and check signatures on a NetworkMessage.

A Security Key Service(SKS) manages SecurityGroupsand maintains a mapping between Rolesand their access Permissionsfor a SecurityGroup. This mapping defines if a Publisheror Subscriberhas access to the security keys of a SecurityGroup. The SKS is described in more detail in 5.4.4.

A SecurityGroupis identified with a unique identifier called the SecurityGroupId. It is unique within the SKS. A Publisherfor its PublishedDataSetsneeds to know the SecurityGroupId. For Subscribersthe SecurityGroupIdis distributed as metadata together with the DataSetMetaData. The metadata for a SecurityGroupIdincludes the EndpointDescriptionof the responsible SKS. Publishers and Subscribers use the EndpointDescriptionto access the SKS and the SecurityGroupIdto obtain the security keys for a SecurityGroup.