!!! Overview
[Roles] and [Entitlements] are hard and complex.

We typically strive to utilize the [Access Control Model] called [Adaptive Policy-based Access Management] ([APAM]).

In our simplified [Example] we will try to put together an [{$pagename}] that will hopefully help.

Think about the day-to-day Business Functions. We will use a bank, but the concept is common across all businesses.

!! "Bank Teller"
For a "Bank Teller" to do their job, the "Bank Teller", for each branch they work in, needs:
* Access to the Building they work in
* Use Coffee Machine
* Use Teller Machine
Each of these [Entitlements] requires some [Privilege] for [Access Control] in the different systems.

Together, these individual [Entitlements] make up the "Bank Teller" [Role].

!! "Bank Manager"
Likewise the "Bank Manager" of the Bank Branch needs:
* Access to the Building they work in.
* Use Coffee Machine
* Use Teller Machine
AND
* Able to lock and un-lock Building door
* Able to Arm and Dis-Arm Security
* Able to lock and un-lock safe
* Administer Teller Machine
* Spend <=$500
* Manage Key Cards for Building
Together, these individual [Entitlements] make up the "Bank Manager" [Role].

!! The Big Question
In day-to-day operations we are always trying to answer the question: can this [user|Digital Identity] have access to this [resource]?

In our Bank Teller example, [Alice] shows up at the bank's door and the "door system" needs to decide: should I let [Alice] in? ([Alice] is a [Digital Identity].)

The "door system", which in this example is the [Policy Enforcement Point] ([PEP]), sends:
* [Alice]'s UserID
* Building Number
* Door Number
to the [Policy Decision Point] ([PDP]) asking: can I let [Alice] in?

The [Policy Decision Point] ([PDP]) runs the rule check ([Policy]) to determine if [Alice] is allowed (i.e. has the [Privilege]) to have "[Access] to the Building they work in" and returns Yes or No.

The [Policy Decision Point] ([PDP]) may use any [Entitlement parameter values] and other data such as [Adaptive Risk] [data]. For example, is [Alice] actually at the expected [geolocation]?

In our [example] above, the [Role] might be "Bank Teller" or "Bank Manager". Each [Role] consists of one or more [Entitlements] which may have Zero or more [Entitlement parameter values].

[Entitlements] typically have [Entitlement parameter values]. As an [example], the [entitlement]:\\
"Access to the Building they work in" might have a multi-valued attribute that identifies which Buildings the entity "Works In". These values are typically driven from an attribute of the [Digital Identity].
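The following is an added worked example, not code from the original page, that models both the [Role] and [Entitlement] definitions above ("Bank Teller", "Bank Manager") and the [PEP]/[PDP] exchange for the door. The identity store, the UserIDs (alice, bob, carol), the building numbers, the "worksIn" attribute name and the geolocation check are all constructed assumptions for illustration; the only page-derived values are the entitlement names and the manager's "<=$500" spend limit.

```python
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet

# Constructed sample identity store keyed by UserID (hypothetical data, not
# from the original page). "worksIn" is the Digital Identity attribute that
# drives the parameter values of the building-access entitlement.
IDENTITIES: Dict[str, Dict[str, Any]] = {
    "alice": {"roles": {"Bank Teller"}, "worksIn": {"B-101", "B-102"}},
    "bob": {"roles": {"Bank Manager"}, "worksIn": {"B-101"}},
    "carol": {"roles": set(), "worksIn": {"B-101"}},
}

BUILDING_ACCESS = "Access to the Building they work in"
SPEND = "Spend"

# Roles are sets of Entitlements; the Bank Manager role contains every
# Bank Teller entitlement plus its own.
TELLER_ENTITLEMENTS: FrozenSet[str] = frozenset({
    BUILDING_ACCESS, "Use Coffee Machine", "Use Teller Machine",
})
MANAGER_ENTITLEMENTS: FrozenSet[str] = TELLER_ENTITLEMENTS | frozenset({
    "Able to lock and un-lock Building door", "Able to Arm and Dis-Arm Security",
    "Able to lock and un-lock safe", "Administer Teller Machine", SPEND,
    "Manage Key Cards for Building",
})
ROLES: Dict[str, FrozenSet[str]] = {
    "Bank Teller": TELLER_ENTITLEMENTS,
    "Bank Manager": MANAGER_ENTITLEMENTS,
}

# Entitlement parameter values attached at the role level: the manager's
# Spend entitlement carries the "<= $500" limit from the page.
ROLE_PARAMS: Dict[str, Dict[str, Dict[str, Any]]] = {
    "Bank Manager": {SPEND: {"max_amount": 500}},
}


@dataclass(frozen=True)
class DoorRequest:
    """What the door system (PEP) sends to the PDP, plus adaptive risk data."""
    user_id: str
    building: str
    door: str
    geolocation: str  # where the risk engine believes the user currently is (assumed input)


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str


def entitlements_for(user_id: str) -> FrozenSet[str]:
    """Union of the entitlements of every role held by the identity."""
    identity = IDENTITIES.get(user_id)
    if identity is None:
        return frozenset()
    granted: set = set()
    for role in identity["roles"]:
        granted |= ROLES.get(role, frozenset())
    return frozenset(granted)


def pdp_building_access(req: DoorRequest) -> Decision:
    """PDP policy for 'Access to the Building they work in'.

    Deny by default; permit only when the identity exists, holds the
    entitlement, the requested building is one of the entitlement's
    parameter values (the worksIn attribute) and the adaptive
    geolocation check agrees with the requested building.
    """
    identity = IDENTITIES.get(req.user_id)
    if identity is None:
        return Decision(False, "unknown identity")
    if BUILDING_ACCESS not in entitlements_for(req.user_id):
        return Decision(False, "no entitlement for building access")
    if req.building not in identity["worksIn"]:
        return Decision(False, f"{req.user_id} does not work in {req.building}")
    if req.geolocation != req.building:
        return Decision(False, "adaptive risk: geolocation does not match building")
    return Decision(True, f"permit door {req.door} in {req.building}")


def pdp_spend(user_id: str, amount: int) -> Decision:
    """PDP policy for the Spend entitlement and its max_amount parameter."""
    identity = IDENTITIES.get(user_id)
    if identity is None or SPEND not in entitlements_for(user_id):
        return Decision(False, "no Spend entitlement")
    # Take the most permissive limit across the roles that grant Spend.
    limits = [ROLE_PARAMS.get(r, {}).get(SPEND, {}).get("max_amount", 0)
              for r in identity["roles"]]
    limit = max(limits, default=0)
    if amount > limit:
        return Decision(False, f"amount {amount} exceeds limit {limit}")
    return Decision(True, f"permit spend of {amount}")


def pep_door(req: DoorRequest) -> bool:
    """The door controller enforces the PDP's answer and makes no decision itself."""
    return pdp_building_access(req).permit


if __name__ == "__main__":
    print(pdp_building_access(DoorRequest("alice", "B-101", "1", "B-101")))
    print(pdp_building_access(DoorRequest("alice", "B-103", "1", "B-103")))
    print(pdp_spend("bob", 501))
```

The split mirrors the page: the PEP only forwards the UserID, Building Number and Door Number and enforces the answer, while every rule (entitlement membership, the parameter value drawn from the identity's "worksIn" attribute, and the adaptive geolocation check) lives in the PDP, so changing the policy never requires touching the door controller.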

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]