Keystone-Essex-BP-AuthZ

Goals:


 * Support a capability model (Ex: Delete Files) by allowing services to identify capabilities by endpoint
 * Map capabilities to roles, allowing a role to span multiple endpoints & services
 * Allow capabilities to be restricted to certain resources (Ex: John Doe may have access to Delete Files but only on myserver.server.com).
 * Map users and groups to roles
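
The four goals combined into one authorization check, as an added example that is not part of the blueprint or Keystone's code. Every class, function, role name, endpoint URL and the user jane.roe are assumptions made for illustration; only "Delete Files", John Doe and myserver.server.com come from the goals above.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical data model for the goals above; not Keystone's actual API.

@dataclass(frozen=True)
class Capability:
    endpoint: str  # endpoint of the service that identifies the capability
    name: str      # e.g. "Delete Files"

@dataclass(frozen=True)
class Grant:
    role: str
    resources: Optional[frozenset] = None  # None = unrestricted; a set limits the grant

@dataclass
class Policy:
    role_caps: dict = field(default_factory=dict)     # role -> set of Capability
    user_grants: dict = field(default_factory=dict)   # user -> list of Grant
    group_grants: dict = field(default_factory=dict)  # group -> list of Grant
    memberships: dict = field(default_factory=dict)   # user -> set of group names

    def grants_for(self, user):
        """Direct grants plus grants inherited through group membership."""
        grants = list(self.user_grants.get(user, []))
        for group in sorted(self.memberships.get(user, ())):
            grants.extend(self.group_grants.get(group, []))
        return grants

    def is_authorized(self, user, capability, resource):
        """Default deny: allow only if some grant's role holds the capability
        and the grant's resource restriction (if any) covers the resource."""
        for grant in self.grants_for(user):
            if capability not in self.role_caps.get(grant.role, set()):
                continue
            if grant.resources is None or resource in grant.resources:
                return True
        return False

# Constructed sample data: endpoints, role names and jane.roe are placeholders.
FILES, IMAGES = "https://files.example.test/v1", "https://images.example.test/v1"
DELETE_FILES = Capability(FILES, "Delete Files")
DELETE_IMAGES = Capability(IMAGES, "Delete Images")
LIST_FILES = Capability(FILES, "List Files")

def build_sample_policy():
    policy = Policy()
    policy.role_caps["content-admin"] = {DELETE_FILES, DELETE_IMAGES}  # spans two endpoints
    policy.role_caps["auditor"] = {LIST_FILES}
    policy.user_grants["john.doe"] = [Grant("content-admin", frozenset({"myserver.server.com"}))]
    policy.group_grants["audit-team"] = [Grant("auditor")]
    policy.memberships["jane.roe"] = {"audit-team"}
    return policy
```

An unrestricted grant is modelled as None rather than an empty set, so a grant whose resource list ends up empty denies everything instead of allowing everything.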