The management and authorisation process of controlling access to Roles, Resources and Services by Identities and Accounts.
Roles are a pre-packaging of resources and services. Resources and
services can be any object for which access can be controlled, such as
hardware, software, devices, equipment, buildings, doors, and so on. If
the role names (or descriptions) are based on one or more attributes
directly related to the roles of an identity (e.g. a position title,
location, function), this enables dynamic role provisioning as a
by-product of existing business processes - for example LAN access,
email, building access. If the role names are not based on identity
attributes (e.g. a particular software package, a PDA, internet
access), they are static roles that are provisioned on a discretionary
basis (i.e. an identity must request them in addition to the dynamic
roles). The assigning of access rights may be permanent or temporary,
and may only be valid for a single session. Also see Authorisation, RBAC and GBAC. This process is not to be confused with the registration and authentication of an identity; access is part of the risk/trust relationship that determines what a user is permitted to do, not who they are.
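
The distinction between dynamic and static roles, and between permanent, temporary and single-session rights, can be shown as a small role resolver. This is an added example, not part of the original entry; the rule table, role names and function names are all hypothetical and the data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed rules: identity attributes -> dynamic role (all names hypothetical).
DYNAMIC_RULES = [
    ({"employment": "staff"}, "lan-access"),
    ({"employment": "staff"}, "email"),
    ({"location": "hq"}, "hq-building-access"),
    ({"position": "finance-analyst", "location": "hq"}, "ledger-read"),
]

@dataclass(frozen=True)
class StaticGrant:
    """A discretionary role the identity requested and had approved."""
    role: str
    expires: Optional[datetime] = None   # None means a permanent grant
    session_id: Optional[str] = None     # set means valid for that session only

def dynamic_roles(attrs):
    """Roles that follow from identity attributes alone; nobody requests them."""
    return {role for cond, role in DYNAMIC_RULES
            if all(attrs.get(k) == v for k, v in cond.items())}

def effective_roles(attrs, grants, now, session_id):
    """Dynamic roles plus static grants that are still valid right now."""
    roles = dynamic_roles(attrs)
    for g in grants:
        if g.expires is not None and now >= g.expires:
            continue                     # temporary grant has lapsed
        if g.session_id is not None and g.session_id != session_id:
            continue                     # grant was bound to another session
        roles.add(g.role)
    return roles

def attribute_change_delta(old_attrs, new_attrs):
    """Roles to revoke and to add when a business process changes attributes."""
    old, new = dynamic_roles(old_attrs), dynamic_roles(new_attrs)
    return sorted(old - new), sorted(new - old)
```

Because dynamic roles are recomputed from attributes, a change of location or position recorded by an existing business process removes the old access without a separate revocation request; static grants need their own expiry or review.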