|Description||string||A class representing a company's and/or administrator's rules with respect to authorizing Identities (subjects), for access of target elements, based on associated Privileges/Roles. This includes dynamically permitting and denying access, statically adding or removing Identities (i.e., Subjects) and Targets to/from Roles via the MemberOfCollection and RoleLimitedToTarget associations, and adding or removing AuthorizedSubject and AuthorizedTarget associations when AuthorizedPrivilege classes are implemented.
Explaining this in more detail: If a request is made to access a target element associated to this AuthorizationRule via AuthorizationRuleAppliesToTarget, the rights to execute the request are verified by searching for matching Privilege instances and an associated Identity that is tied to the requestor. An Identity is associated to the rule using AuthorizationRuleAppliesToSubject. The associations of Privileges to an AuthorizationRule are either individually using AuthorizationRuleAppliesToPrivilege, or via collection into a Role class (where the Role is associated to the rule using AuthorizationRuleAppliesToRole). If the Identity's CurrentlyAuthorized property is TRUE and a corresponding 'granting' Privilege is defined, then the request for access is authorized. If any of the preceding conditions do not hold, then the request is denied.
Note that the evaluation of the AuthorizationRule's conditions MAY result in the 'static' instantiation of associations to AuthorizedPrivilege or Role - that are then traversed to determine access. Targets MAY be statically associated to Privileges or Roles using the AuthorizedTarget and RoleLimitedToTarget relationships, respectively. Identities MAY be statically associated to Privileges or Roles using the AuthorizedSubject and MemberOfCollection relationships, respectively.