It is important to understand the distinction between authentications and authorizations. Applications use authentications to verify that users who are logging into the applications have valid credentials. Applications use authorizations based on authorization policies to determine if users have been assigned the correct permissions to access the application or specific components of an application.
The authorization policies consist of rule sets and rules that define attributes and values from the Advanced Authentication repository. The authorization service uses any attributes that are available when a user authenticates. An authorization policy is a shared resource that you can apply to appmarks and applications. By defining the attributes and values, you can create policies that limit access to specific components in the service. For example, Salesforce contains multiple products. The authorization policies allow you to limit access to the Sales product in Salesforce for only the sales people in your organization.