...
I think that the interface must at least allow for all of the functionality
marked with an asterisk ( * ) below. Most of the use cases apply not only to
implied authorizations but also to regular authorizations (those that
are directly maintained within the Roles DB).
...
* To support typical auditors' requests, we need the functionality for at least
one of (5) - (7).
( * ) 5. Given a function F and a qualifier Q, return a list of agents who are
authorized to do function F with qualifier Q.
Reason: This functionality may or may not be needed by an application.
It would be useful to an auditor. It would also be useful to
a person who maintains authorizations. It might be useful to
a person who maintains the non-authorization data that in turn
implies authorizations.
( * ) 6. Given a function F, return a list of agents who are
authorized to do function F with at least one qualifier.
Reason: This functionality may or may not be needed by an application.
It returns information similar to (5), but less specific.
It would be useful to an auditor, and in fact, this specific
question has been asked by auditors in the past about
some existing financial functions. It would also be useful to
a person who maintains authorizations. It might be useful to
a person who maintains the non-authorization data that in turn
implies authorizations.
( * ) 7. Given a function F, return a list of authorizations (Agent, Function,
and Qualifier).
...
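The three lookups (5) - (7), as an added example that is not part of the original text or of the Roles DB code. It shows the queries answering over both directly maintained and implied authorizations. The schema, the table and view names, the "supervisor implies CAN SPEND" rule, and all rows are assumptions constructed for illustration.

```python
import sqlite3

# Assumed schema. All names and rows below are constructed sample data.
SCHEMA = """
CREATE TABLE direct_auth (agent TEXT, func TEXT, qualifier TEXT);
-- Non-authorization data: supervising a cost center implies CAN SPEND on it.
CREATE TABLE supervisor_of (agent TEXT, cost_center TEXT);
-- Lookups read one view, so implied and direct authorizations are both seen.
CREATE VIEW all_auth AS
  SELECT agent, func, qualifier FROM direct_auth
  UNION
  SELECT agent, 'CAN SPEND', cost_center FROM supervisor_of;
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO direct_auth VALUES (?, ?, ?)", [
        ("alice", "CAN SPEND", "CC-100"),
        ("bob", "CAN SPEND", "CC-200"),
        ("carol", "VIEW REPORTS", "CC-100"),
    ])
    db.executemany("INSERT INTO supervisor_of VALUES (?, ?)", [
        ("dave", "CC-100"),
        ("alice", "CC-100"),  # duplicates alice's direct authorization
    ])
    return db

def agents_for(db, func, qualifier):
    """Use case (5): agents authorized for function F with qualifier Q."""
    rows = db.execute("SELECT DISTINCT agent FROM all_auth "
                      "WHERE func = ? AND qualifier = ? ORDER BY agent",
                      (func, qualifier))
    return [r[0] for r in rows]

def agents_for_function(db, func):
    """Use case (6): agents authorized for F with at least one qualifier."""
    rows = db.execute("SELECT DISTINCT agent FROM all_auth "
                      "WHERE func = ? ORDER BY agent", (func,))
    return [r[0] for r in rows]

def authorizations_for_function(db, func):
    """Use case (7): every (agent, function, qualifier) row for F."""
    return db.execute("SELECT agent, func, qualifier FROM all_auth "
                      "WHERE func = ? ORDER BY agent, qualifier",
                      (func,)).fetchall()

if __name__ == "__main__":
    print(authorizations_for_function(build_db(), "CAN SPEND"))
```

In this sketch, dave appears in the results only through the implied rule, and alice appears once even though she is authorized both ways.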