How are Authorization Decisions Made?
A system will allow or disallow an action based on three criteria: (1) Who the user is, (2) What action they want to perform, and (3) In which way they want to take this action:
Making Authorization Decisions. "Figure 1-6: Access Control" (page 10), Pfleeger, Charles P., et al. Security in Computing. Prentice Hall, 2015.