A pluggable architecture allows security and business logic plugins to be
inserted into a security service hosted by a server, and to control
access to one or more secured resources on that server, on another server
within the security domain, or between security domains. The security
service may act as a focal point for security enforcement, and access
rights determination, and information used or determined within one login
process can flow transparently and automatically to other login
processes. Entitlements denote what a particular user may or may not do
with a particular resource, in a particular context. Entitlements reflect
not only the technical aspects of the secure environment (the permit or
deny concept), but can be used to represent the business logic or
functionality required by the server provider. In this way entitlements
bridge the gap between a simple security platform, and a complex business
policy platform.