perMIT Glossary

A-spec (formerly called an AUTHORIZATION)

is a 3-part entity, consisting of a subject + function + qualifier. Note that these 3-part structures bear some similarity to the 3-part structures in RDF: Subject + Verb + Object

authorization

• is the act of testing a permission or privilege.

FUNCTION

is the component of an A-spec that describes the action (or role or group of actions) that the person is allowed to do.

• Each function belongs to a "Category", or application area
• Each function must be interpreted by downstream applications (those that use the Roles Database for access control) to represent some action or set of functionality within the application. Thus, the creation of functions must be coordinated with the application developer.
• Some functions can apply to more than one application, e.g., financial reporting authorizations apply both to the financial system and the data warehouse.
• Functions can have parent/child relationships; an authorization for a parent function implies authorizations for all child functions as well.

Permission

perMIT

is an authority system.

Privilege

QUALIFIER

can be an account number, organization number, budget group, etc.. Since qualifiers of each type are organized into a hierarchy, a qualifier can also be a branch of the tree of account numbers, a branch of the tree of organizations, etc. Qualifiers are generally extracted from other systems as part of a nightly feed. Some functions are either "all or nothing" and do not require a qualifier; in these cases a placeholder qualifier of NULL is included in the authorization.

role