We typically strive to use the Access Control Model called Adaptive Policy-based Access Management (APAM).
In this simplified example we will put together an Entitlement example that will hopefully help.
Think about the day-to-day Business Functions. We will use a bank, but the concept is common across all businesses.
Each of these individual Entitlements makes up the "Bank Teller" Role.
In our Bank Teller example, Alice shows up at the bank's door and the "door system" needs to know: should I let Alice (Alice is a Digital Identity) in?
The "door system", in this example, is the Policy Enforcement Point (PEP), which sends:
The Policy Decision Point (PDP) runs the rule check (Policy) to determine if Alice is allowed (i.e. has the Privilege) to have "Access to the Building they work in" and returns Yes or No.
The Policy Decision Point (PDP) may use any Entitlement parameter values and other data, such as Adaptive Risk data. For example: is Alice at the expected geolocation?
In our example above, the Role might be "Bank Teller" or "Bank Manager". Each Role consists of one or more Entitlements, each of which may have zero or more Entitlement parameter values.
Entitlements typically have Entitlement parameter values. As an example, the entitlement
"Access to the Building they work in" might have a multi-valued attribute identifying which Buildings the entity "Works In". These values are typically driven from an attribute of the Digital Identity.
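The PEP-to-PDP exchange described above, as an added example that is not part of the original page: a minimal PDP that resolves Alice's Roles into Entitlements, reads the "Works In" parameter values from her Digital Identity attributes, and applies a geolocation risk check. The role table, attribute names and context keys are assumptions made for this illustration.

```python
# Added example (not from the original page): a toy Policy Decision Point (PDP)
# for the Bank Teller scenario. ROLES, attribute names and context keys are
# hypothetical; a real APAM deployment would load these from the identity store.
from dataclasses import dataclass, field

# Constructed role model: Role -> {Entitlement -> identity attribute that
# supplies its parameter values, or None when the entitlement has no parameters}
ROLES = {
    "Bank Teller": {"Access to the Building they work in": "works_in"},
    "Bank Manager": {"Access to the Building they work in": "works_in",
                     "Approve large withdrawals": None},
}

@dataclass
class Identity:                 # the Digital Identity (e.g. Alice)
    name: str
    roles: list
    attributes: dict            # e.g. {"works_in": ["HQ-1", "BR-7"]}

@dataclass
class Request:                  # what the PEP ("door system") sends to the PDP
    subject: Identity
    entitlement: str
    resource: str               # the building id this door belongs to
    context: dict = field(default_factory=dict)   # Adaptive Risk data

def entitlement_params(identity, entitlement):
    """Union of parameter values for one entitlement across all of the identity's roles."""
    values = set()
    for role in identity.roles:
        if entitlement in ROLES.get(role, {}):
            attr = ROLES[role][entitlement]
            if attr is None:
                values.add("*")          # entitlement with zero parameters
            else:
                values.update(identity.attributes.get(attr, []))
    return values

def decide(req):
    """PDP rule check: returns (Permit|Deny, reason) for the PEP to enforce."""
    params = entitlement_params(req.subject, req.entitlement)
    if not params:
        return "Deny", "no role grants this entitlement"
    if "*" not in params and req.resource not in params:
        return "Deny", f"{req.resource} not in entitlement parameter values"
    # Adaptive Risk check: the subject's geolocation must match the building's
    geo = req.context.get("geolocation")
    if geo is not None and geo != req.context.get("building_geolocation"):
        return "Deny", "geolocation does not match building"
    return "Permit", "policy satisfied"
```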