The management and authorisation process of controlling access to Roles, Resources and Services by Identities and Accounts. Roles are a pre-packaging of resources and services. Resources and services can be any object for which access can be controlled, such as hardware, software, devices, equipment, buildings, doors, and so on. If the role names (or descriptions) are based on one or more attributes directly related to the roles of an identity (e.g. a position title, location, function), this enables dynamic role provisioning as a by-product of existing business processes, for example LAN access, email, building access. If the role names are not based on identity attributes (e.g. a particular software package, a PDA, internet access), the roles are static and are provisioned on a discretionary basis (i.e. an identity must request them in addition to the dynamic roles). The assigning of access rights may be permanent or temporary, and may only be valid for a single session. Also see Authorisation, RBAC and GBAC. This process is not to be confused with the registration and authentication of an identity; access is part of the risk/trust relationship that determines what a user is permitted to do, not who they are.
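The following sketch is an added example, not part of the original entry. It models the distinction above: dynamic roles are recomputed from identity attributes, while static roles must be requested and may be permanent, time-limited or bound to a single session. All role names, attribute values and function names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample rules: (attribute, value) -> roles provisioned dynamically.
DYNAMIC_RULES = {
    ("position", "accountant"): {"finance-ledger"},
    ("location", "london"): {"building-london-doors"},
    ("employment", "staff"): {"lan-access", "email"},
}
# Roles not derived from identity attributes; provisioned only on request.
STATIC_ROLES = {"internet-access", "pda", "cad-software"}

@dataclass
class Grant:
    role: str
    expires: Optional[datetime] = None  # None means permanent
    session: Optional[str] = None       # set means valid for that session only

@dataclass
class Identity:
    name: str
    attributes: dict
    grants: list = field(default_factory=list)

def dynamic_roles(identity):
    """Roles that follow from the identity's current attributes."""
    roles = set()
    for (attr, value), granted in DYNAMIC_RULES.items():
        if identity.attributes.get(attr) == value:
            roles |= granted
    return roles

def request_static(identity, role, expires=None, session=None):
    """Discretionary provisioning: only static roles can be requested."""
    if role not in STATIC_ROLES:
        raise ValueError(f"{role} is not a requestable static role")
    identity.grants.append(Grant(role, expires, session))

def effective_roles(identity, now, session=None):
    """Dynamic roles plus static grants still valid at 'now' in 'session'."""
    roles = dynamic_roles(identity)
    for g in identity.grants:
        if g.expires is not None and now >= g.expires:
            continue  # temporary grant has lapsed
        if g.session is not None and g.session != session:
            continue  # grant belongs to a different session
        roles.add(g.role)
    return roles
```

Because dynamic roles are derived at evaluation time, changing an attribute such as location removes the matching role without any separate revocation step, whereas static grants persist until they expire or their session ends.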