Resource capability

Resource capabilities are one of the common ways for a service provider to use claims issued by an identity provider or a proxy for access control.

Typically, it requires another component (IdM system, database, LDAP etc.) to provide information about users and associated resources with capability attributes. The identity provider or proxy uses this information to construct resource capabilities – string attributes in a specific form (see AARC-G027) – and issues them on request.

Resource capability is a form of attribute-based access control. Its strength, especially compared to group entitlements, is that the implementation does not depend on group names or group structures, which makes it easier to change any of those.
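A sketch of how a service provider could evaluate the capability strings it receives, added here as an illustration and not taken from Perun or from the guideline text. It assumes the AARC-G027 layout `<NAMESPACE>:res:<RESOURCE>[:<CHILD-RESOURCE>]...[:act:<ACTION>[,<ACTION>]...]#<AUTHORITY>`, that a capability on a parent resource covers its children, and that a missing action list means any action; the namespace, authority and claim values are constructed.

```python
from urllib.parse import unquote

NAMESPACE = "urn:example:aai"               # constructed namespace (assumption)
TRUSTED_AUTHORITIES = {"idp.example.org"}   # constructed issuer (assumption)

def parse_capability(value):
    """Parse <NAMESPACE>:res:<RESOURCE>[:<CHILD>...][:act:<ACTION>,...]#<AUTHORITY>."""
    body, hash_sep, authority = value.rpartition("#")
    namespace, res_sep, rest = body.partition(":res:")
    if not (hash_sep and authority and res_sep and namespace and rest):
        raise ValueError(f"not a resource capability: {value!r}")
    path, act_sep, acts = rest.partition(":act:")
    resources = tuple(unquote(p) for p in path.split(":"))
    # No ":act:" part means no restriction on actions (assumed reading of AARC-G027).
    actions = frozenset(unquote(a) for a in acts.split(",")) if act_sep else None
    if "" in resources or (actions is not None and "" in actions):
        raise ValueError(f"empty resource or action in {value!r}")
    return namespace, resources, actions, authority

def is_allowed(capabilities, resource_path, action):
    """Service-provider check: does any released capability cover the request?"""
    wanted = tuple(resource_path)
    for value in capabilities:
        try:
            namespace, resources, actions, authority = parse_capability(value)
        except ValueError:
            continue  # fail closed: malformed values grant nothing
        if namespace != NAMESPACE or authority not in TRUSTED_AUTHORITIES:
            continue  # only the expected namespace and issuer count
        # A capability on a parent resource is taken to cover its children (assumption).
        if wanted[:len(resources)] != resources:
            continue
        if actions is None or action in actions:
            return True
    return False

# Constructed claim values, as they might arrive in a multi-valued attribute.
SAMPLE_CLAIMS = [
    "urn:example:aai:res:storage:project-a:act:read,write#idp.example.org",
    "urn:example:aai:res:wiki#idp.example.org",
    "urn:example:aai:res:storage#rogue.example.net",   # untrusted authority
    "not-a-capability",                                # malformed
]
```

The decision depends only on the resource and action named in the capability, so renaming or restructuring groups in the IdM system does not require changes on the service side.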

Figure: Resource capability (object diagram)

 

Support: perun@cesnet.cz