IBM Security Role and Policy Modeler, Version 1.1.0.2

Identities and permissions

Query subjects can provide details about identities that have permissions directly or indirectly assigned.

Identities and permissions indirect

This query subject provides information about identities to which permissions are indirectly assigned or inherited.

Identities and permissions direct

This query subject provides information about identities to which permissions are directly assigned. Project information to which identities and permissions are directly scoped is also provided in this query subject.

Role hierarchy

Roles can be hierarchical: one role might act as a parent role to another role. This query subject provides that role hierarchy. It provides the role details (ID, name, and description) and the same details for the parent role.

Identity role attachment

This query subject provides details about identities that belong to a role. These roles are associated with a project.

Identity and Entitlement database identity role attachment

This query subject provides details about identities that belong to a role. These roles are not associated with a project; they belong to the Identity and Entitlement database.

Membership qualifier

A membership qualifier describes the role membership data. The patterns (rules) for role membership can be defined based on user attributes, such as job code, organization, or location. The users who qualify based on the attributes and values specified in the rule are part of the role or are associated with that role. This query subject provides details about the membership qualifier, for example the role it applies to and all users that are part of that role based on the rule.

Project

This query subject provides details about the project entity.

Role hierarchy identities

Users or identities are part of or are associated with a role. Roles can exist in a hierarchy. In the RBAC model, the users are in an ascending hierarchy. For example, a hierarchy has three roles: R1, R2, and R3, where R1 is a parent of R2 and R2 is a parent of R3. Each role has a corresponding user: U1, U2, and U3.
  • R1 - U1
  • R2 - U2
  • R3 - U3
In an ascending hierarchy, each role inherits users from its child roles. Inherited users are shown in parentheses.
  • R1 - U1 (U2, U3)
  • R2 - U2 (U3)
  • R3 - U3
This query subject provides details about this type of inheritance.

Role hierarchy permissions

Permissions are part of or are associated with a role. Permissions can exist in a hierarchy. In the RBAC model, the permissions are in a descending hierarchy. For example, a hierarchy has three roles: R1, R2, and R3, where R1 is a parent of R2 and R2 is a parent of R3. Each role has a corresponding permission: P1, P2, and P3.
  • R1 - P1
  • R2 - P2
  • R3 - P3
In a descending hierarchy, each role inherits permissions from its parent roles. Inherited permissions are shown in parentheses.
  • R1 - P1
  • R2 - P2 (P1)
  • R3 - P3 (P2, P1)
This query subject provides details about this type of inheritance.
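The two inheritance directions described above (identities ascending from child roles, permissions descending from parent roles) as an added worked example; this is not code from the product, and the R1/R2/R3 hierarchy with users U1-U3 and permissions P1-P3 is the constructed sample from the text. A seen-set guards the walk against cyclic hierarchy data.

```python
from collections import deque

# Constructed sample hierarchy (from the text): R1 is the parent of R2, R2 of R3.
PARENT_OF = {"R1": None, "R2": "R1", "R3": "R2"}
DIRECT_USERS = {"R1": ["U1"], "R2": ["U2"], "R3": ["U3"]}
DIRECT_PERMISSIONS = {"R1": ["P1"], "R2": ["P2"], "R3": ["P3"]}

def _walk(start, next_roles):
    """Breadth-first walk from start; the seen set guards against cyclic data."""
    seen, order, queue = {start}, [], deque(next_roles(start))
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        order.append(role)
        queue.extend(next_roles(role))
    return order

def descendants(role, parent_of):
    """Child roles, grandchild roles, ... of role (nearest first)."""
    children = {}
    for child, parent in parent_of.items():
        children.setdefault(parent, []).append(child)
    return _walk(role, lambda r: children.get(r, []))

def ancestors(role, parent_of):
    """Parent, grandparent, ... of role (nearest first)."""
    return _walk(role, lambda r: [parent_of[r]] if parent_of.get(r) else [])

def effective_identities(role, parent_of=PARENT_OF, direct=DIRECT_USERS):
    """Ascending hierarchy: (direct users, users inherited from child roles)."""
    inherited = [u for r in descendants(role, parent_of) for u in direct.get(r, [])]
    return list(direct.get(role, [])), inherited

def effective_permissions(role, parent_of=PARENT_OF, direct=DIRECT_PERMISSIONS):
    """Descending hierarchy: (direct permissions, permissions inherited from parents)."""
    inherited = [p for r in ancestors(role, parent_of) for p in direct.get(r, [])]
    return list(direct.get(role, [])), inherited

def render(role, direct, inherited):
    """Format a row as the documentation lists it, e.g. 'R1 - U1 (U2, U3)'."""
    row = f"{role} - {', '.join(direct)}"
    return f"{row} ({', '.join(inherited)})" if inherited else row

if __name__ == "__main__":
    for role in PARENT_OF:
        print(render(role, *effective_identities(role)))
        print(render(role, *effective_permissions(role)))
```

Run as a script it prints the six rows from the two lists above; the same functions work on any parent map loaded from the reporting model.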

Role permission attachment

This query subject provides details about permissions that belong to a role. The role is part of a project.

Identity and Entitlement database role permission attachment

This query subject provides details about permissions that belong to a role. The role is not associated with a project; it belongs to the Identity Entitlement Database.

Project attribute values scoped permission and project attribute values scoped user

A rule can be applied to a project. Based on the rule evaluation, users and permissions can be scoped to, or made part of, a project. The rule is created based on an attribute and its values; the users or permissions that satisfy the rule are part of that project. This query subject provides individual details about the permissions, the users, and the project to which they belong based on the rule.