Business Domain
An authorization grantor is an individual that is allowed to assign roles and/or groups to users.
FAM needs to know the OIDC client ID in order to match it to an application. The relationship between OIDC client and application is many-to-one because an application sometimes has more than one OIDC client, and it is convenient to be able to configure the authorization once (at the application level) and re-use it (at the OIDC level).
An application is a digital product that fulfils a specific user goal. It can be a front-end application, a back-end API, a combination of these, or something else entirely.
A user is a person or system that can authenticate and then interact with an application.
A BCeID user is a person that can authenticate using BCeID. There are two flavors: business BCeID and basic BCeID. Business BCeID is a level 2 identity, meaning that there is some identity proofing involved in obtaining the credential. FSA uses business BCeID to authenticate forest clients. Basic BCeID is a level 1 identity, which is essentially anonymous. FSA does not use basic BCeID.
An IDIR user is a person that can authenticate using IDIR. This is typically a BC Government employee or contractor.
A role is a qualifier that can be assigned to a user in order to identify a privilege within the context of an application.
A group is a collection of roles. When a group is assigned to a user, the user indirectly assumes the privileges of all the roles encompassed by the group. Groups are used to define profiles in order to make it easier to manage common sets of roles for users. A group can contain roles from multiple applications in order to handle the case where users typically have a certain set of privileges across multiple applications.
A forest client is a business, individual, or agency that is identified as an entity that a user can have a privilege "on behalf of".
A forest client role is a role that limits a general role by making it only applicable in the context of a particular forest client.
A forest client group is a group that can only contain forest client roles.
A FAM administrator is an individual that has the privileges to create applications and create application administrators.
An application administrator is an individual that has the privileges to create authorization grantors for one or more applications.
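The relationships defined above (OIDC client to application, user to group to role, and forest client scoping), as an added sketch that is not FAM's own code or schema. Every class, role, group, client ID and forest client number below is hypothetical, and failing closed on an unregistered OIDC client is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# All identifiers and sample data here are constructed for illustration.

@dataclass(frozen=True)
class Role:
    application: str
    name: str
    forest_client: Optional[str] = None  # set only for a forest client role

@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)   # directly assigned roles
    groups: set = field(default_factory=set)  # names of assigned groups

# Many-to-one: several OIDC clients resolve to the same application.
OIDC_CLIENT_TO_APP = {
    "example-web-client": "EXAMPLE_APP",
    "example-api-client": "EXAMPLE_APP",
    "other-client": "OTHER_APP",
}

# A group may bundle roles from more than one application.
GROUPS = {
    "field-staff": {Role("EXAMPLE_APP", "REVIEWER"), Role("OTHER_APP", "VIEWER")},
    "client-00001234": {Role("EXAMPLE_APP", "SUBMITTER", forest_client="00001234")},
}

def effective_roles(user, oidc_client_id):
    """Roles the user holds in the application behind this OIDC client."""
    app = OIDC_CLIENT_TO_APP.get(oidc_client_id)
    if app is None:
        # Assumption: an unregistered client is rejected, never defaulted.
        raise PermissionError(f"unregistered OIDC client: {oidc_client_id}")
    granted = set(user.roles)
    for group in user.groups:
        granted |= GROUPS.get(group, set())  # an unknown group grants nothing
    return {r for r in granted if r.application == app}

def is_authorized(user, oidc_client_id, role_name, forest_client=None):
    """A forest client role only satisfies a check for that same forest client."""
    for r in effective_roles(user, oidc_client_id):
        if r.name != role_name:
            continue
        if r.forest_client is None or r.forest_client == forest_client:
            return True
    return False
```

Because authorization is configured at the application level, both OIDC clients of `EXAMPLE_APP` yield the same effective roles, and a role held only as a forest client role does not satisfy a check for a different forest client or for no forest client at all.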