Query subjects can provide details about identities that
have permissions directly or indirectly assigned.
- Identities and permissions indirect
- This query subject provides information about identities to which
permissions are indirectly assigned or inherited.
- Identities and permissions direct
- This query subject provides information about identities to which
permissions are directly assigned. Project information to which identities
and permissions are directly scoped is also provided in this query subject.
- Role hierarchy
- Roles can be hierarchical. One role might act as a parent role
to another role. This role hierarchy is provided by this query subject.
It can provide role details such as ID, name, and description, and it
provides similar details for the parent role.
- Identity role attachment
- This query subject provides details about identities that belong
to a role. These roles are associated to a project.
- Identity and Entitlement database identity role attachment
- This query subject provides details about identities that belong
to a role. These roles are not associated to a project. These roles
belong to the Identity and Entitlement database.
- Membership qualifier
- A membership qualifier describes the role membership data. The
patterns (rules) for role membership can be defined based on the user
attributes, such as job code, organization, or location. The users,
who qualify based on those attributes and values specified in the
rule, are part of the role or are associated with that role. This
query subject provides details about the membership qualifier. For
example, the role it applies to and all users that are part of that
role based on the rule.
- Project
- This query subject provides details about the project entity.
- Role hierarchy identities
- Users or identities are part of or are associated to a role. Roles
can exist in a hierarchy. In the RBAC model, the users are in an ascending
hierarchy. For example, a hierarchy has three roles R1, R2, and R3.
In this hierarchy, R1 is the parent of R2 and R2 is the parent
of R3. Each role has a corresponding user U1, U2, and U3.
In an ascending hierarchy, each role inherits users from its
child roles. Inherited users are indicated by parentheses.
- R1 - U1 (U2, U3)
- R2 - U2 (U3)
- R3 - U3
This query subject provides details about this type of inheritance.
- Role hierarchy permissions
- Permissions are part of or are associated to a role. Permissions
can exist in a hierarchy. In the RBAC model, the permissions are in
a descending hierarchy. For example, a hierarchy has three roles R1,
R2, and R3. In this hierarchy, R1 is the parent of R2 and
R2 is the parent of R3. Each role has a corresponding permission P1, P2,
and P3.
In a descending hierarchy, each role inherits permissions from
its parent roles. Inherited permissions are indicated by parentheses.
- R1 - P1
- R2 - P2 (P1)
- R3 - P3 (P2, P1)
This query subject provides details about this type of inheritance.
- Role permission attachment
- This query subject provides details about permissions that belong
to a role. The role is part of a project.
- Identity and Entitlement database role permission attachment
- This query subject provides details about permissions that belong
to a role. The role is not associated to a project. The role belongs
to the Identity and Entitlement database.
- Project attribute values scoped permission and project attribute values scoped user
- A rule can be applied to a project. Based on the rule evaluation,
users and permissions can be scoped to or made part of a project.
The rule is created based on the attribute and its values. The users
or permissions that satisfy the rule are part of that project. This
query subject provides individual details about permissions, users,
and the project to which they belong based on the rule.
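
The ascending (users) and descending (permissions) inheritance described under Role hierarchy identities and Role hierarchy permissions can be reproduced outside the reporting model to review who ends up with which permission. The following Python sketch is an added example, not product code. The dictionaries and function names are hypothetical, and the data is constructed from the R1, R2, R3 example above.

```python
# Constructed sample data matching the R1 > R2 > R3 example above.
PARENT = {"R2": "R1", "R3": "R2"}                    # child role -> parent role
USERS = {"R1": {"U1"}, "R2": {"U2"}, "R3": {"U3"}}   # users attached to a role
PERMS = {"R1": {"P1"}, "R2": {"P2"}, "R3": {"P3"}}   # permissions attached to a role

def ancestors(role, parent=PARENT):
    """Return the parent chain of a role, nearest first; reject cycles."""
    chain, seen = [], {role}
    while role in parent:
        role = parent[role]
        if role in seen:
            raise ValueError(f"cycle in role hierarchy at {role}")
        seen.add(role)
        chain.append(role)
    return chain

def role_permissions(role):
    """Descending hierarchy: (own permissions, inherited from parent roles)."""
    own = PERMS.get(role, set())
    inherited = set()
    for anc in ancestors(role):
        inherited |= PERMS.get(anc, set())
    return own, inherited - own

def role_users(role):
    """Ascending hierarchy: (own users, inherited from child roles)."""
    own = USERS.get(role, set())
    inherited = set()
    for other in USERS:
        if role in ancestors(other):   # 'other' sits below 'role'
            inherited |= USERS[other]
    return own, inherited - own

def user_permissions(user):
    """Permissions a user holds: (from own roles, inherited via parent roles)."""
    own, inherited = set(), set()
    for role, members in USERS.items():
        if user in members:
            o, i = role_permissions(role)
            own |= o
            inherited |= i
    return own, inherited - own

if __name__ == "__main__":
    for r in ("R1", "R2", "R3"):
        print(r, "users:", role_users(r), "permissions:", role_permissions(r))
    for u in ("U1", "U2", "U3"):
        print(u, "permissions:", user_permissions(u))
```

In this data the user attached to the lowest role, U3, holds all three permissions, which is the case an access review of inherited permissions should surface.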