Permissions stream-of-consciousness

Users:

• A user belongs to zero or more groups
• A user may have a permission for a device of type "Read", "Write" or "Admin"

Groups:

• A group has zero or more users
• A group may have a permission for a device of type "Read", "Write" or "Admin"
• A group may be created manually
• A group may be created by a trusted IdP
  • A Hub Administrator must manually specify which claim it will create groups from, if any

Global Permissions:

• A global permission is for a specific hub

Device Permissions:

• A device permission is for a specific device

Devices:

• A device has one driver

Device driver:

• A device driver has one or more device types
• A device driver may have one or more capabilities

Device type:

• A device type has zero or more potential capabilities, which ones are determined by the device driver
• A device type has zero or more device drivers

Device capability:

• A device capability can only have one device type

Clients:

• A client is owned by a user
• A client has zero or more Resource Grants