Flags: RAM,runtime
Multiplicity: [0,-1]
Display order:
Generic assignments of one object to another object.
This will usually be the assignment of a role to a user, or the assignment of an
organizational unit, team or similar. It may also be used to assign a
role to another role, creating a role hierarchy.
Assignment is an abstract concept. It can be anything that
gives the "receptor" object additional access rights, privileges,
capabilities or similar ability or right. But it may also constrain
the object with a policy, e.g. to implement separation of duties. Roles,
organizations and privileges in an IDM system are examples of assignments.
The assignment may target either an existing IDM object (such as a role)
or an abstract resource account that may or may not exist. In the case of resource
objects, it is constrained to accounts, as accounts are the only resource objects
that can be assigned to a user. Other resource objects (entitlements) can
be assigned to accounts, but not to users.
TODO: constraints
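
The following Python sketch is an added example, not part of the original schema documentation or of any IDM product's code. It models the rules described above: role-to-role assignments forming a hierarchy, entitlements attaching to accounts rather than users, and a separation-of-duties check. All class, function and table names are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical model for illustration; names are not taken from any IDM product.
@dataclass
class Obj:
    name: str
    kind: str  # "user", "role", "org", "account" or "entitlement"
    assignments: list = field(default_factory=list)  # targets assigned to this object

# Assumed encoding of the constraint in the text: a user may be assigned roles,
# orgs and accounts; entitlements may be assigned to accounts only.
ALLOWED = {
    "user": {"role", "org", "account"},
    "role": {"role"},
    "account": {"entitlement"},
}

def assign(holder, target):
    """Record an assignment, rejecting holder/target kinds the model forbids."""
    if target.kind not in ALLOWED.get(holder.kind, set()):
        raise ValueError(f"{target.kind} cannot be assigned to {holder.kind}")
    holder.assignments.append(target)

def effective_roles(obj):
    """Names of roles held directly or through role-to-role assignments."""
    seen, stack = set(), [t for t in obj.assignments if t.kind == "role"]
    while stack:
        role = stack.pop()
        if role.name in seen:  # already visited: guards against hierarchy cycles
            continue
        seen.add(role.name)
        stack.extend(t for t in role.assignments if t.kind == "role")
    return seen

def sod_violations(obj, exclusive_pairs):
    """Mutually exclusive role pairs that the object holds at the same time."""
    held = effective_roles(obj)
    return [pair for pair in exclusive_pairs if set(pair) <= held]

def demo():
    """Constructed sample: alice gets 'approver' only through the hierarchy."""
    alice = Obj("alice", "user")
    auditor, approver, manager = (Obj(n, "role") for n in ("auditor", "approver", "manager"))
    assign(manager, approver)  # manager includes approver
    assign(approver, manager)  # deliberate cycle; traversal must still terminate
    assign(alice, manager)
    assign(alice, auditor)
    return alice
```

The separation-of-duties check has to run on the effective role set: in the constructed sample the conflicting role reaches the user only through the hierarchy, so a check over direct assignments alone would miss it.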