As the use of online services and systems increases, accurate authentication and authorization of users is of increasing interest and importance. For example, service providers often wish to ensure that users accessing resources such as applications, application features, content, and the like are authorized to do so, and that each is the specific user he or she claims to be. To do so, service providers such as hosted applications often ask for credentials such as a username and password to verify a user's identity. In some cases, single sign-on (SSO) systems are used that allow users to authenticate once, such as by providing one username and password, and subsequently access multiple applications, systems, or the like, without being prompted or otherwise required to provide separate or additional credentials. In some cases, SSO systems are intended to reach across multiple services and/or multiple sources or providers of services, such as where a user provides credentials to a social networking application, which then allows the user to access any other services that have partnered with the social networking service and provide access based on the initial authentication to the social networking service. Similarly, one service may allow a user to authenticate using credentials managed by another service, such as where a gaming or news website allows a user to authenticate to that website using social networking credentials.
Some conventional systems use a role-based system, for example by assigning roles such as Administrator, User, Guest, and the like to each user. This process ties the permissions to the implemented features of the application platform.