...

7. A centralized XACML-like service which essentially grants or denies access

On Roles and Privileges

The definition of a role is a common debate in access management. There are good definitions of role, but many identity management and access management technologies have used the term for their own purposes, adding to the confusion. In the Apache Shiro project, a role is a collection of privileges. However, two things differentiate that definition from the one used in this document. A collection of privileges is not necessarily a role. Privileges can have inheritance, so a privilege that implies other privileges might not be a role. Roles generally describe the subjects' affiliation, job function, or responsibility. Roles can inherit privileges from other roles.
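
The distinction above can be made concrete with a small model that keeps the two hierarchies separate: privileges imply other privileges, and roles inherit from other roles. This is an added example, not code from this document or from Apache Shiro; every role and privilege name in it is constructed for illustration.

```python
# Constructed sample data: privilege implication (privilege -> implied privileges).
PRIVILEGE_IMPLIES = {
    "doc:admin": {"doc:write"},
    "doc:write": {"doc:read"},
    "doc:read": set(),
    "grade:submit": set(),
}

# Constructed sample data: roles name an affiliation or job function.
ROLE_PRIVILEGES = {
    "member": {"doc:read"},
    "faculty": {"doc:write"},
    "instructor": {"grade:submit"},
}

# Constructed sample data: role inheritance (role -> roles it inherits from).
ROLE_INHERITS = {
    "member": set(),
    "faculty": {"member"},
    "instructor": {"faculty"},
}


def closure(start, edges):
    """Return every node reachable from start; the seen set tolerates cycles."""
    seen, stack = set(), list(start)
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(edges.get(node, ()))
    return seen


def effective_privileges(role):
    """Resolve role inheritance first, then expand privilege implication."""
    roles = closure([role], ROLE_INHERITS)
    # Names that are not defined roles contribute nothing (deny by default).
    granted = set().union(*(ROLE_PRIVILEGES.get(r, set()) for r in roles))
    return closure(granted, PRIVILEGE_IMPLIES)


def is_permitted(subject_roles, privilege):
    """A subject holds a privilege only through one of its roles."""
    return any(privilege in effective_privileges(r) for r in subject_roles)
```

Here `doc:admin` implies two other privileges, yet it is not a role: asking for its effective privileges as if it were one yields nothing.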

...