
Problem

Organizational policy confers use of a service on people identified by a business process that is reflected in the organization's Identity Management system. Notwithstanding, additional policies give limited authority to others to grant or deny access to the service.

Context

The set of people tracked by a given business process is, by definition, accurate and authoritative for its original purpose. In time, some well-established processes lend their names to the communities of people they track, and organizational authorities find it convenient to use these familiar terms to describe who should be allowed or denied access to services. However, in these new contexts the original business process is often not fully accurate, giving rise to the need to interpret high-level policy and accordingly "tweak" the official roster by effectively adding or removing people.

Example

The faculty, staff, and students of the University are permitted to use the University's wireless service. However, the Network Security group is empowered to deny access to anyone whose computer is thought to be interfering with normal operations. Further, University guests are to be given access to wireless.

Solution

Reflect the official source in the membership of a group. Create two other groups for the whitelist and blacklist and assign Updater or Admin privilege to those with authority to grant or deny access to the service (if there is more than one such authority for either the whitelist or the blacklist, follow the "Multiple Registrars for a Service" solution pattern). Using Grouper, form a group of people authorized to use the service for its run-time access control by

  1. Make an intermediate group: official1 = official Union whitelist.
  2. Make the authorized group = official1 Complement blacklist.

What to name these groups is an application of the site's naming plan.
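The composite evaluation described by the two steps above, as an added example that is not Grouper's own code: groups are modelled as plain sets, composites (union, complement, intersection) are resolved recursively, and the run-time decision reports which source drove it. It goes slightly beyond the page by handling the two mistakes a practitioner most wants caught, a misspelled group name (which would otherwise silently empty the blacklist) and a composite cycle. The group names `official`, `whitelist`, `blacklist`, `official1` and `authorized` follow the text; the subject ids and rosters are constructed sample data.

```python
"""Composite-group evaluation modelled on the whitelist/blacklist pattern.

Added example, not Grouper's own API. Group and subject names are
constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Composite:
    op: str      # "union", "complement" (left minus right) or "intersection"
    left: str
    right: str


@dataclass
class Registry:
    members: dict = field(default_factory=dict)     # group name -> set of subject ids
    composites: dict = field(default_factory=dict)  # group name -> Composite

    def add_group(self, name, members=()):
        self.members[name] = set(members)

    def add_composite(self, name, op, left, right):
        if op not in ("union", "complement", "intersection"):
            raise ValueError(f"unknown composite type {op!r}")
        self.composites[name] = Composite(op, left, right)

    def resolve(self, name, _seen=frozenset()):
        """Effective membership of a group, evaluating composites recursively.

        Unknown groups raise rather than resolving to the empty set: a typo in
        the blacklist name must not quietly turn into "nobody is denied".
        """
        if name in _seen:
            raise ValueError(f"composite cycle through {name!r}")
        if name in self.composites:
            c = self.composites[name]
            left = self.resolve(c.left, _seen | {name})
            right = self.resolve(c.right, _seen | {name})
            if c.op == "union":
                return left | right
            if c.op == "complement":
                return left - right
            return left & right
        if name not in self.members:
            raise KeyError(f"no such group {name!r}")
        return set(self.members[name])


def build_wireless_registry():
    """Wire up the four groups from the wireless example (constructed rosters)."""
    reg = Registry()
    reg.add_group("official", {"alice", "bob", "carol"})  # fed from the IdM business process
    reg.add_group("whitelist", {"guest1", "bob"})         # guests admitted by a registrar
    reg.add_group("blacklist", {"bob"})                   # denial entered by Network Security
    reg.add_composite("official1", "union", "official", "whitelist")       # step 1
    reg.add_composite("authorized", "complement", "official1", "blacklist")  # step 2
    return reg


def decide(reg, subject):
    """Run-time access check returning (allowed, reason).

    The blacklist is tested first so a denial wins even when the subject is
    also on the official roster or the whitelist.
    """
    if subject in reg.resolve("blacklist"):
        return False, "denied: on blacklist (overrides official roster and whitelist)"
    if subject in reg.resolve("official"):
        return True, "allowed: in official roster"
    if subject in reg.resolve("whitelist"):
        return True, "allowed: granted by whitelist"
    return False, "denied: not in any source"


def check_consistency(reg):
    """True if decide() agrees with the composite 'authorized' group for every subject."""
    authorized = reg.resolve("authorized")
    everyone = set().union(*reg.members.values())
    return all(decide(reg, s)[0] == (s in authorized) for s in everyone)


if __name__ == "__main__":
    reg = build_wireless_registry()
    print("authorized:", sorted(reg.resolve("authorized")))
    for who in ("alice", "bob", "guest1", "mallory"):
        print(who, "->", decide(reg, who))
    print("decide() consistent with composite:", check_consistency(reg))
```

`check_consistency` is the check worth keeping around: if a later edit reorders the two composite steps (complement first, then union), the whitelist would re-admit a blacklisted subject and the function would return False.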

Implementation Example
