...
The Security Service is defined using a lock and key descriptive paradigm. Creating a key defines a authorization grant. Unlocking a resource tests for authorized access to perform a function on that resource (or collection). The Security Service also allows SecurityAdvisors to be created and added (in a stack order). Advisors enable policies to be defined that potentially override default group permissions.
The AuthzGroup Service
The AuthzGroupService provides methods for managing AuthzGroups. It allows groups to be created, added, removed, and found. Methods are provided to manage membership and test for authorization to perform functions in a particular group given the role of the active user.
The Function Manager
...