An Access Control List (short: ACL) is a list of permissions attached to a protected resource. An ACL specifies which roles are granted access to resources , as well as what operations are allowed on given resources.
Each entry in an ACL specifies: - a resource with its type - the owner of a resource - a list of grants, each consisting of a role and the allowed operations (privileges)

The applicable scope defines which contractual party ( contract provider or consumer) will own the resources of a contract. Ownership either remains with the provider or the consumer will have their own resources.

An application is owned by exactly one tenant. It has the knowledge about the resources it manages and what a user could do with such resources: read, modify, etc…​ . Each of this actions can be allowed by corresponding privileges with the same name. This knowledge has to be described for Multitenant Access Control as soon as the resources should be protected. Multitenant Access Control allows it to control the resource access by using the resource access description provided by the application, but the application is responsible to enforce resource protection.

An application is the same thing as a module. The term module is used in the user interface and from a business point of view whereas the term application is used in the REST APIs and from a more technical point of view.

An application role is defined by an application and represents a predefined set of resource access permissions on static resources. They provide administrators a convenient way to control access to application managed resources required by role typical use-cases. An application role can only be managed by the corresponding application and is treated as read-only for all other users. Application roles can be part of a contract.

The audience an access token is intended for. Limits for which resource providers an access token can be used.

Microsoft’s cloud offering for SQL databases.

Bosch Connected Industries

Certification Authority

A software that uses functionality implemented in another software

A contract is used to define what is shared between two tenants. It potentially reflects the result of a real world contract, but is not meant to digitize any real world contract.
Technically speaking, it is an entity used by Multitenant Access Control to manage directed associations between two tenants and it allows one tenant to grant access on resources to another one.
A contract distinguishes between one tenant acting as a provider and the other one acting as consumer.
The provider of the contract can grant resource access permissions to the other tenant and defines also the applicable scope of these permissions.

Fine-Grained Access describes the ability of applications to not only restrict access based on broad concepts like "all machines", "all tickets", "Overview-Page" but instead create and manage resources that denote a specific entity (or group of entities) and are unique to the tenant they are created by. Example: "Area 1", "Machine 47/11", Station "1.52". Resources of the former kind are called static resources, those of the latter kind are called dynamic resources. Read more on this concept in Fine Grained Access

A group is a kind of organizational unit, like a department, team, etc…​ it is possible to create hierarchical organizational structures by creating sub-groups within groups. Like any organizational unit a group can have 0 or many users as members.

Digital identities are provided and securely managed by identity providers (IdP). They enable single-sign on at a single trust anchor, thus reducing the risk of leaking credentials.

see Identity provider

Java EE Database Connectivity

Lightweight Directory Access Protocol

Lightweight Directory Access Protocol over Secure Sockets Layer

Multitenant Access Control (Management Application)

Microsoft’s on premise database.

A module is the same thing as an application.

The term module is used in the user interface and from a business point of view whereas the term application is used in the REST APIs and from a more technical point of view.

A module consists of one or more services.

One or more modules build a solution.

This is the superset of Microsoft’s sql offerings of AzureSQL and SQLserver .

Nexeed Industrial Application System

OpenId Connect

An organization can be a customer, a department, a business-unit, a plant, etc. An organization exists independent of other organizations in the same system. All data of a specific organization is separated from the data of other organizations. This is achieved by applying the concept multi-tenancy to Multitenant Access Control itself. In consequence, it allows each organization to manage their own users , groups , applications and resource access without impacting other organizations.

The technical term is "tenant".

see privilege

Proof Key for Code Exchange by OAuth 2.0 Public Clients, a challenge-response extension for OAuth 2 to secure the authorization code in the Authorization Code Grant Flow. RFC7636

A privilege defines what is allowed to be done, or in other words: it describes in which way resources can be accessed by privileged users. Privileges can be granted to resource access permissions. Multitenant Access Control supports the privileges listed in the following table.

A client that is "incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means." (see RFC 6749 The OAuth2 Authorization Framework)

A resource is something which is managed by an application : this could be data, a certain type of data or a certain data record, infrastructure as well as functionality, etc. A specific resource belongs always to exactly one application and is owned by one tenant. The meaning what a resource stands for, is only known by the application.
A resource in the context of Multitenant Access Control is anything you want to protect. The application developer decides for which resources you want to use Multitenant Access Control to manage roles and permissions.
Static resource: Are part of an application and are valid for any tenant having access to the application, e.g. "Tickets", "Groups".
Dynamic resource: While defined by an application, do not exist by default and only exist at one tenant, e.g. "Ticket 42", "Forklift 42"..

The resource access descriptor is used by the application to share the knowledge about a resource and applicable access privileges .

A resource access permission is a permit describing how a privileged user is allowed to access a specific resource. Resource access permissions can be part of a contract as part of application roles.

A role can be considered as a kind of job description of a user. It groups resource access permissions required for the tasks executed by such users.
Roles can be generally assigned to groups or users independently of their specific types to grant access.
Multitenant Access Control supports two different types of roles: 1. Application role 2. Tenant/Organization role

An application consists of one or more services. Every service has it’s own REST API and is running independently from the other services of the same application. From business point of view and UI all services of one application build together a module.

Provide another tenant access to functionality or data, both represented as privileges on resources. Two types of sharing are offered:
* Provision: Allows contractual partner organization to use module functionality for their own purposes.
Outdated terminology: application sharing.
* Access: Allows contractual partner organization to act on behalf of my organization (data and functionality).
Outdated terminology: data sharing, resource sharing, tenant sharing (please rather use "sharing between tenants").

A solution is a software that offers certain functionalities to a user.

In many cases a solution consists of one module and both terms are used equivalent. In other cases a solution is built by a set of modules that work together.

A single page application is a rich client web application that consist of a single HTML document and dynamically loads requested content.

Single-Sign On

A tenant in the context of Multitenant Access Control represents an organization

A tenant relation is used to enable a kind of handshake between two tenants to become visible to each other

A tenant/organization role is a role which can be managed by each user that is privileged to do so. It represents a custom set of resource access permissions representing privileges (add, read, modify and delete) on static and dynamic resources. Tenant/Organization roles cannot be part of a contract.

A user is an entity which belongs to exactly one tenant but can be a member of zero or many groups. A user is a person that uses one or more applications.