is a 3-part entity, consisting of a person + function + qualifier. Note that these 3-part structures bear some similarity to the 3-part structures in RDF or the Semantic Web: Subject + Verb + Object
- is the technical step of allowing or denying access to resources based on business rules created by the service owner (subject to enterprise policy). The business rules are generally expressed as access control lists that leverage identity attributes that are defined and maintained by the enterprise. There is a wide variety in the architecture and style of expressing, mixing, and optimizing identity attributes, roles, privilege and access control lists (ACLs) for efficient management of authorization across the enterprise. (from CMU Identity glossary)
is the component of an Authorization that describes the action (or role or group of actions) that the person is allowed to do.
can be an account number, organization number, budget group, etc. Since qualifiers of each type are organized into a hierarchy, a qualifier can also be a branch of the tree of account numbers, a branch of the tree of organizations, etc. Qualifiers are generally extracted from other systems as part of a nightly feed. Some functions are either "all or nothing" and do not require a qualifier; in these cases a placeholder qualifier of NULL is included in the authorization.
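The person + function + qualifier model above, with hierarchical qualifiers and the NULL placeholder, is easiest to understand as an access check. The following is an added example and not code from the CMU glossary: the organization tree, the sample authorizations, the function names and the `is_authorized` check are all constructed here. It grants a function when the authorization's qualifier is the requested node or any ancestor of it (a "branch" of the tree), treats a NULL qualifier as all-or-nothing only for functions registered as needing no qualifier, and denies everything else, including a NULL qualifier on a function that should have been scoped (a common feed or provisioning mistake).

```python
"""Authorization triples with hierarchical qualifiers (constructed example)."""

from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, Optional, Set

# Constructed organization hierarchy as a child -> parent map.
# A qualifier naming any node implicitly covers the whole branch under it.
ORG_TREE: Dict[str, Optional[str]] = {
    "UNIVERSITY": None,
    "SCS": "UNIVERSITY",        # a school under the university
    "CS-DEPT": "SCS",           # a department under that school
    "HR": "UNIVERSITY",         # a sibling branch
}

# Constructed set of "all or nothing" functions that take no qualifier.
# Only these may legitimately carry the NULL placeholder.
UNQUALIFIED_FUNCTIONS: Set[str] = {"VIEW_DIRECTORY"}


@dataclass(frozen=True)
class Authorization:
    """One person + function + qualifier triple; None models NULL."""
    person: str
    function: str
    qualifier: Optional[str]


# Constructed authorization list as a nightly feed might produce it.
SAMPLE_ACL = [
    Authorization("alice", "APPROVE_EXPENSE", "SCS"),     # whole SCS branch
    Authorization("bob", "VIEW_DIRECTORY", None),         # legitimate NULL
    Authorization("carol", "APPROVE_EXPENSE", None),      # misconfigured NULL
]


def ancestors(node: str, tree: Dict[str, Optional[str]]) -> Iterator[str]:
    """Yield the node and each parent up to the root.

    A visited set bounds the walk so a cyclic or corrupt feed cannot hang
    the check; an unknown node simply yields itself.
    """
    seen: Set[str] = set()
    current: Optional[str] = node
    while current is not None and current not in seen:
        seen.add(current)
        yield current
        current = tree.get(current)


def is_authorized(
    acl: Iterable[Authorization],
    person: str,
    function: str,
    qualifier: Optional[str],
    tree: Dict[str, Optional[str]] = ORG_TREE,
) -> bool:
    """Return True only if some triple in the ACL covers the request.

    Default is deny: nothing matches unless a rule explicitly grants it.
    """
    for auth in acl:
        if auth.person != person or auth.function != function:
            continue
        if auth.qualifier is None:
            # NULL is only meaningful for all-or-nothing functions; a NULL on
            # a scoped function is treated as a provisioning error, not a grant.
            if function in UNQUALIFIED_FUNCTIONS:
                return True
            continue
        if qualifier is not None and auth.qualifier in ancestors(qualifier, tree):
            # The granted qualifier is the node itself or an ancestor branch.
            return True
    return False


if __name__ == "__main__":
    print(is_authorized(SAMPLE_ACL, "alice", "APPROVE_EXPENSE", "CS-DEPT"))  # True
    print(is_authorized(SAMPLE_ACL, "alice", "APPROVE_EXPENSE", "HR"))       # False
    print(is_authorized(SAMPLE_ACL, "bob", "VIEW_DIRECTORY", None))          # True
    print(is_authorized(SAMPLE_ACL, "carol", "APPROVE_EXPENSE", "HR"))       # False
```

The check walks from the requested qualifier upward rather than expanding each granted branch downward, so a large tree costs only a path walk per rule; a deployment that matches on several qualifier types (account numbers, budget groups) would keep one tree per type and pick the tree by the qualifier's type.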