Transaction Tokens: Solving the External Internal Authorization Problem
Any system that exposes services to “external” clients has to extend its authorization model to those clients. The internal authorization model (roles, attributes) often does not translate well to the authorization mechanisms the external clients use (e.g. OAuth2 scopes): a single OAuth2 scope rarely corresponds to exactly one internal role, since the mapping may be 1:n or even n:n. This talk explores a mechanism that lets the external authorization model stay simple for developers while providing a multi-level (coarse-grained to fine-grained) authorization model internally.

Tags: Customer Identity, Authorization, Standards, Architecture & Deployment. Speaker: George Fletcher.
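As an added illustration of the scope-to-role problem the abstract describes (this is example code, not material from the talk or from any standard's reference implementation): a coarse external scope is expanded into the fine-grained internal roles it grants, and the result is carried in a short-lived, internally-scoped Transaction Token that every downstream service can verify and enforce. Claim names (txn, purp, azd, rctx, sub_id) and the `txn_token` typ are taken from the IETF OAuth Transaction Tokens draft as the editor understands it; the scope mapping table, issuer and audience names, the HMAC key and the signing helper are all constructed for this example (a real Transaction Token Service would use an asymmetric key).

```python
"""Added example: expand coarse OAuth2 scopes into fine-grained internal roles
and mint/verify a short-lived Transaction Token carrying that context.
Constructed for illustration; not code from the talk or any project."""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed mapping. One external scope expands to several internal roles (1:n),
# and one role (ledger.read) is reachable from several scopes (n:n).
SCOPE_TO_ROLES = {
    "payments:write": ["ledger.post", "ledger.read", "fraud.check"],
    "payments:read": ["ledger.read"],
    "profile": ["user.read"],
}

# Constructed demo key. HMAC keeps the example dependency-free; a real Transaction
# Token Service would sign with a private key and publish the public half.
TTS_KEY = b"demo-only-key-do-not-use"
TTS_ISSUER = "https://tts.internal.example"   # assumed name
TRUST_DOMAIN = "internal.example"              # assumed name; aud is the domain, not one service


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def expand_scopes(scope: str) -> list[str]:
    """Sorted union of internal roles granted by a space-separated scope string.
    Unknown scopes grant nothing, so the mapping fails closed."""
    roles: set[str] = set()
    for s in scope.split():
        roles.update(SCOPE_TO_ROLES.get(s, ()))
    return sorted(roles)


def mint_transaction_token(external_token: dict, purpose: str, request_ctx: dict, ttl: int = 30) -> str:
    """Issue a compact HS256 JWS Transaction Token for one internal call chain.
    `external_token` is the already-validated external access token's claims."""
    now = int(time.time())
    claims = {
        "iss": TTS_ISSUER,
        "aud": TRUST_DOMAIN,
        "iat": now,
        "exp": now + ttl,                                  # short-lived: one transaction
        "txn": str(uuid.uuid4()),                          # unique id, logged by every hop
        "sub_id": {"format": "opaque", "id": external_token["sub"]},
        "purp": purpose,                                   # why the call chain exists
        "azd": {                                           # authorization details:
            "scope": external_token["scope"],              #   coarse external grant
            "roles": expand_scopes(external_token["scope"]),  # fine-grained internal roles
        },
        "rctx": request_ctx,                               # request context (e.g. client IP)
    }
    header = {"alg": "HS256", "typ": "txn_token"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(TTS_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_transaction_token(token: str, required_role: str) -> dict:
    """Verify alg, signature, audience and expiry, then enforce one fine-grained
    internal role. Raises PermissionError on any failure."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256" or header.get("typ") != "txn_token":
        raise PermissionError("unexpected alg or typ")    # no alg confusion
    expected = hmac.new(TTS_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != TRUST_DOMAIN or claims.get("iss") != TTS_ISSUER:
        raise PermissionError("wrong audience or issuer")
    if claims.get("exp", 0) < time.time():
        raise PermissionError("expired")
    if required_role not in claims.get("azd", {}).get("roles", []):
        raise PermissionError(f"missing internal role {required_role}")
    return claims


if __name__ == "__main__":
    # Constructed external token claims, as the API gateway would see them after validation.
    ext = {"sub": "user-123", "scope": "payments:read profile"}
    tt = mint_transaction_token(ext, "refund", {"req_ip": "10.0.0.5"})
    print(verify_transaction_token(tt, "ledger.read")["azd"])
```

The external client only ever sees `payments:read`; the internal services see the expanded role list plus purpose and request context, and a service that needs `ledger.post` rejects the call even though the signature is valid. Unknown scopes map to no roles rather than to a default.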