User classes define either sets of individual users or types of relationships between two users:

  • Sets of users:
    • By group membership.
    • By organizational unit (OU).
    • By attribute values.

  • Types of relationships between two users (the participants):
    • Shared attributes (e.g., same department or location).
    • Group membership of a participant (e.g., the other participant is on the security team).
    • Direct or indirect (chain-of-command) manager.

User classes are a natural way to define security policy, because a rule is expressed over a class rather than over named individuals. Each use below relates the roles shown in parentheses:

  • Route requests (requester and recipient / authorizer).
  • Invite reviewers (user / certifier).
  • Escalate requests (old participants / new participants).
  • Limit visibility (viewer / user profile).
  • Define what is requestable (requester / recipient).
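The classes and the five policy uses above, as an added worked example in Python (not code from the original page or from any particular identity-management product): set classes are predicates over one user, relationship classes are predicates over a pair of users, and each policy use is a rule built from them. The directory, OU and group names, the entitlement catalog and the choice of "developers" as a privileged group are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class User:
    uid: str
    ou: str
    groups: frozenset = frozenset()
    attrs: Dict[str, str] = field(default_factory=dict)
    manager: Optional[str] = None   # uid of the direct manager; None at the top

# Constructed sample directory; every name, OU and group is illustrative only.
DIRECTORY: Dict[str, User] = {u.uid: u for u in [
    User("alice", "ou=eng",   frozenset({"developers"}),             {"department": "eng"},   "carol"),
    User("bob",   "ou=eng",   frozenset({"developers", "security"}), {"department": "eng"},   "carol"),
    User("carol", "ou=eng",   frozenset({"eng-managers"}),           {"department": "eng"},   "dave"),
    User("dave",  "ou=exec",  frozenset({"execs"}),                  {"department": "exec"},  None),
    User("erin",  "ou=sales", frozenset({"sales"}),                  {"department": "sales"}, "dave"),
]}

UserPred = Callable[[User], bool]          # set class: one user -> bool
PairPred = Callable[[User, User], bool]    # relationship class: (a, b) -> bool

# Set classes (group membership, OU, attribute value).
def in_group(g: str) -> UserPred:          return lambda u: g in u.groups
def in_ou(ou: str) -> UserPred:            return lambda u: u.ou == ou
def has_attr(k: str, v: str) -> UserPred:  return lambda u: u.attrs.get(k) == v

# Relationship classes (shared attribute, participant's group, manager).
def share_attr(k: str) -> PairPred:
    # Both participants must carry the attribute; two missing values are not a match.
    return lambda a, b: k in a.attrs and a.attrs[k] == b.attrs.get(k)

def participant_in(g: str) -> PairPred:
    # Relationship keyed on the second participant's group membership.
    return lambda a, b: g in b.groups

def is_manager(indirect: bool) -> PairPred:
    """a manages b directly, or (if indirect) anywhere up b's chain. Cycle-safe."""
    def pred(a: User, b: User) -> bool:
        seen, m = set(), b.manager
        while m and m not in seen:
            if m == a.uid:
                return True
            if not indirect:
                break
            seen.add(m)
            m = DIRECTORY[m].manager
        return False
    return pred

def members(pred: UserPred) -> List[str]:
    return sorted(u.uid for u in DIRECTORY.values() if pred(u))

def related(pred: PairPred, other: User) -> List[str]:
    """All users a for which pred(a, other) holds."""
    return sorted(u.uid for u in DIRECTORY.values() if pred(u, other))

# Policy rules, each pairing a class with the roles it relates.
def authorizers(requester: str, recipient: str) -> List[str]:
    """Route: recipient's direct manager; if the requester is that manager, route one level up."""
    mgrs = related(is_manager(indirect=False), DIRECTORY[recipient])
    return escalate(mgrs) if requester in mgrs else mgrs

def escalate(participants: List[str]) -> List[str]:
    """Escalate: old participants -> their own direct managers (top level drops out)."""
    return sorted({DIRECTORY[p].manager for p in participants if DIRECTORY[p].manager})

def reviewers(certified: str) -> List[str]:
    """Invite reviewers: direct manager, plus the security team for privileged users; never the user."""
    user = DIRECTORY[certified]
    revs = set(related(is_manager(indirect=False), user))
    if in_group("developers")(user):            # constructed notion of "privileged"
        revs |= set(members(in_group("security")))
    revs.discard(certified)
    return sorted(revs)

def can_view_profile(viewer: str, target: str) -> bool:
    """Limit visibility: same department, any manager up the chain, or the security team."""
    v, t = DIRECTORY[viewer], DIRECTORY[target]
    return (share_attr("department")(v, t)
            or is_manager(indirect=True)(v, t)
            or in_group("security")(v))

# Constructed catalog: who may receive an item, and who may request it for them.
CATALOG: Dict[str, Dict[str, Callable]] = {
    "prod-db-admin": {"recipient": in_group("developers"),
                      "requester": lambda q, r: q.uid == r.uid or is_manager(indirect=False)(q, r)},
    "crm-read":      {"recipient": in_ou("ou=sales"),
                      "requester": share_attr("department")},
}

def requestable(requester: str, recipient: str, item: str) -> bool:
    """Define what is requestable: the item's recipient class and requester relationship must both hold."""
    rule = CATALOG.get(item)
    if rule is None:
        return False
    q, r = DIRECTORY[requester], DIRECTORY[recipient]
    return bool(rule["recipient"](r) and rule["requester"](q, r))
```

Two details matter in practice. `authorizers()` routes one level up when the requester is the recipient's own manager, so a requester never lands in the authorizer class of their own request; and both `authorizers()` and `escalate()` return an empty list at the top of the management chain (dave has no manager), which a real workflow must treat as a routing failure or fall back to a fixed group rather than silently approving. Because manager, department and group membership are mutable directory attributes, these classes have to be evaluated when the decision is made, not when the policy is written.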