A structure that organizes application access control permissions by using privilege, duty, and business process classifiers and that grants permissions that are aggregated into duties to user role assignments.