In large-scale computing environments, particularly those that are distributed across many machines, defining and enforcing authorization policies may be difficult.
A resource is anything that can be subject to a policy that governs what can be done with the resource. Examples of resources include files, devices, etc. Examples of things that can be done with a resource pursuant to a policy include reading, writing, executing, deleting, etc. One type of authorization system attaches a set of permissions to each resource, where the permissions define what actions can be done with the resource, and who or what has permission to perform each action. For example, a file might have a set of permissions that grants read/write/execute/delete access to the owner of the file, read-only access to a particular group, and no access to all other entities. In one example, this set of permissions is attached to the resource, and is set individually for each resource.
Some systems attempt to assign permissions collectively for broad classes of resources. However, in practice, some of these systems prove unworkable, because control over classes of resources is not sufficiently fine-grained, and these systems lack the flexibility to define accurately the policies that apply to particular resources or classes of resources.
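The two models described above, side by side, as an added example that is not part of the original text: a permission set attached to each resource, and a single rule applied to a whole class of resources. All names (`Resource`, `CLASS_RULES`, the users, groups and file names) are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass

ALL = frozenset({"read", "write", "execute", "delete"})

@dataclass
class Resource:
    """A resource carrying its own permission set (hypothetical model)."""
    name: str
    kind: str                               # resource class, e.g. "file"
    owner: str
    group: str
    owner_perms: frozenset = ALL            # owner: read/write/execute/delete
    group_perms: frozenset = frozenset({"read"})  # group: read-only
    other_perms: frozenset = frozenset()    # everyone else: nothing

def resource_allows(res, user, groups, action):
    """Per-resource check: consult the permissions attached to `res`."""
    if user == res.owner:
        return action in res.owner_perms
    if res.group in groups:
        return action in res.group_perms
    return action in res.other_perms

# Class-wide model: one rule per resource class, shared by every member.
CLASS_RULES = {"file": {"staff": frozenset({"read"})}}  # constructed sample

def class_allows(res, groups, action):
    """Class-wide check: ignores which resource of the class is requested."""
    rules = CLASS_RULES.get(res.kind, {})
    return any(action in rules.get(g, frozenset()) for g in groups)

def compare():
    """Return (per-resource, class-wide) decisions for carol on two files."""
    payroll = Resource("payroll.csv", "file", "alice", "finance")
    notes = Resource("notes.txt", "file", "bob", "staff")
    carol_groups = {"staff"}
    out = {}
    for res in (payroll, notes):
        out[res.name] = (
            resource_allows(res, "carol", carol_groups, "read"),
            class_allows(res, carol_groups, "read"),
        )
    return out

if __name__ == "__main__":
    for name, (per_res, per_class) in compare().items():
        print(f"{name}: per-resource={per_res} class-wide={per_class}")
```

The class-wide rule grants the read on `payroll.csv` that the per-resource permissions deny, because it cannot distinguish one file from another; the per-resource model avoids this only by requiring a permission set to be maintained on every resource.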