This system allows the access management for either a single multi-organization database or for multiple single-organization databases for different organizations, including possible sharing of either resources or data among them all this interfaced through LDAP/SAML to Active Directory system, allowing Single Sign-On (SSO)

1. We can organize a customer in multiple organizations with separate LDAP integration. Users can be part of more than one organization. Over LDAP metaBOF interrogates one or more Active Directories (AD) where it gets authentication and some basic info about each user. metaBOF does NOT change this data in any way or form.
2. Under that level, we have Users which we can organize in User Groups. Via LDAP their individual identity are defined. Within metaBOF the access control defines what they can do to or with what resources. Users are usually people but can be partnering systems.
3. The resources themselves can have different types: devices (cameras and sensors), Lists (Hit list aka alarm lists), applications (software)
4. Resources are grouped in Resource Unions. This makes it easier to bundle Permission Sets to a lot of different Resources (devices, lists or software) in one go.
5. Permissions define the right to do something to a Resource, per Type. This is defined by the software developers (i.e. .CanRead, .CanConfigure, .CanEdit, .CanDelete, .CanActivate, .CanLog, etc.).
6. Permissions are grouped in Permission Sets in order to facilitate the assignment in logical sets of permissions.
7. The metaBOF Access Control also has Time Schedules defining periods of time when a certain Permission Set to a certain Resource Union (of a certain Type) allowed to a certain User Group remains valid. Outside the active time period, there is NO access.
8. Finally, this complex and potentially sizeable structure is flattened into Access Rights for performance reasons.
9. User Retention Period plays a role in all Searches as well. The user can only see search results within his allowed retention period (i.e. 1 hour, a week, 6 months)

 A user from a certain organization will be known to metaBOF through LDAP, it will then be part of one (or more) User Groups according to his job attributions, this will give him access to certain Resource Types through Resource Unions which contain the Permission Sets to these Resources, defining what each User can do to or with these Resources (per Type).