Group entitlement

Group entitlement is one of the common ways for a service provider to use claims issued by an identity provider or a proxy for access control.

It requires another component (an IdM system, a database, LDAP etc.) to provide information about users and the groups they are members of. The identity provider or proxy uses this information to construct group entitlements – string attributes in a specific form (see AARC-G069) – and issues them on request.

Group entitlement is a form of group-based access control. Its weakness, especially compared to resource capabilities, is its direct dependency on group names and group structures, which makes it difficult to change either of those.
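The following is an added example, not part of the original glossary entry or of Perun, showing how a service provider can consume group entitlements of the kind described above: it parses entitlement strings, accepts only those issued by a group authority the service trusts, and checks whether the required group (optionally including its subgroups, optionally with a role) is present. The entitlement syntax used here is an assumption based on the AARC-style form `<NAMESPACE>:group:<GROUP>[:<SUBGROUP>...][:role=<ROLE>]#<GROUP-AUTHORITY>`; consult AARC-G069 for the normative definition. All namespaces, group names and authorities are constructed sample values. The hard-coded group path in the check is exactly the dependency on group names and structures that the paragraph above identifies as the weakness of this model.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Assumed AARC-style syntax (see AARC-G069 for the normative form):
#   <NAMESPACE>:group:<GROUP>[:<SUBGROUP>...][:role=<ROLE>]#<GROUP-AUTHORITY>
# The namespace is assumed to be a single delegated token, e.g. urn:geant:example.org
ENTITLEMENT_RE = re.compile(
    r"^(?P<namespace>urn:(?:mace|geant):[^:#]+):group:(?P<path>[^#]+)#(?P<authority>[^#\s]+)$"
)


@dataclass(frozen=True)
class GroupEntitlement:
    namespace: str
    groups: Tuple[str, ...]      # top-level group followed by its subgroups
    role: Optional[str]          # value of the optional ":role=<ROLE>" component
    authority: str               # group authority after the '#'


def parse_entitlement(value: str) -> Optional[GroupEntitlement]:
    """Parse one entitlement string; return None if it does not match the assumed syntax."""
    m = ENTITLEMENT_RE.match(value)
    if not m:
        return None
    parts = m.group("path").split(":")
    role = None
    if parts and parts[-1].startswith("role="):
        role = parts.pop()[len("role="):]
    # A role alone, or an empty group/subgroup component, is not a valid entitlement
    if not parts or any(p == "" for p in parts):
        return None
    return GroupEntitlement(m.group("namespace"), tuple(parts), role, m.group("authority"))


def is_authorized(
    claimed_values: Iterable[str],
    namespace: str,
    groups: Tuple[str, ...],
    trusted_authorities: Iterable[str],
    role: Optional[str] = None,
    include_subgroups: bool = False,
) -> bool:
    """Return True if any claimed entitlement grants the required group (and role).

    Entitlements are accepted only from a group authority the service trusts, so a
    claim asserted for an unknown authority never grants access. Malformed claims
    are ignored rather than treated as errors.
    """
    trusted = set(trusted_authorities)
    for value in claimed_values:
        ent = parse_entitlement(value)
        if ent is None or ent.authority not in trusted or ent.namespace != namespace:
            continue
        if include_subgroups:
            # Membership in any subgroup of the required group counts as membership
            matched = ent.groups[: len(groups)] == groups
        else:
            matched = ent.groups == groups
        if matched and (role is None or ent.role == role):
            return True
    return False


# Constructed sample claims, as an identity provider or proxy might issue them
SAMPLE_CLAIMS = [
    "urn:geant:example.org:group:project-x:developers#idp.example.org",
    "urn:geant:example.org:group:project-x:admins:role=owner#idp.example.org",
    "urn:geant:example.org:group:project-x#untrusted.example.net",
    "not-an-entitlement",
]
TRUSTED_AUTHORITIES = {"idp.example.org"}
NAMESPACE = "urn:geant:example.org"


def check_developer_access(claims: Iterable[str] = SAMPLE_CLAIMS) -> bool:
    """Service-provider rule: member of project-x:developers, issued by a trusted authority."""
    return is_authorized(claims, NAMESPACE, ("project-x", "developers"), TRUSTED_AUTHORITIES)


if __name__ == "__main__":
    for claim in SAMPLE_CLAIMS:
        print(claim, "->", parse_entitlement(claim))
    print("developer access:", check_developer_access())
```

Note that the exact-match rule rejects the `project-x` claim even though the user is a member of its subgroups: the only claim naming `project-x` directly comes from an untrusted authority, which is the check a service provider should insist on when claims arrive through a proxy.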

Figure: Group entitlement (object diagram)

Support: perun@cesnet.cz