Introduction

The granting of access rights to a subject (for example, a user, or program)

This definition, however, does not draw a strong enough distinction between:

1. The administrative act of asserting that a subject should be granted a set of privilege attributes

   and

2. The operational act of allowing a subject to access a resource after determining that he, she, or it has been granted the required set of privilege attributes

Acts 1 and 2 could both be described as "granting access rights to a subject".

Because of this ambiguity, it is useful to distinguish between privilege attribute administration and access control. Act 1 is a privilege attribute administration task, whereas act 2 is an access control task.

ISO 7498-2, the ISO Security Architecture, defines access control as

The prevention of unauthorized use of a resource, including the prevention of use of a resource
in an unauthorized manner.

This document defines an Application Programming Interface (API) for access control. This API is designed to be used in systems whose access control facilities conform to the architecture described in ISO 10181-3 - Access Control Framework. The API defined in this document does not provide for privilege attribute administration, although it does provide facilities which allow a subject to control which of its privilege attributes are used to authorize a particular access request (such facilities are often called least privilege).

The API defined in this document is called the aznAPI; "azn" is an abbreviation of "AuthoriZatioN".