+AAF acronym stands for Application Authorization Framework and initially it was focused on “Authorization”, but now supports implementations for both Authentication and Authorization. AAF is a set of Client Libraries (CADI Framework) and RESTful Services that support multiple Authentication Protocols and Fine-Grained Authorization.
+The goal of AAF project is to provide consistent authentication, authorization and security to various ONAP components. AAF organizes software authorizations so that applications, tools and services can match the access needed to perform job functions. AAF is designed to cover Fine-Grained Authorization, meaning that the Authorizations provided are able to use an Application's detailed authorizations, such as whether a user may be on a particular page, or has access to a particular Pub-Sub topic controlled within the App. This is a critical function for Cloud environments, as Services need to be able to be installed and running in a very short time, and should not be encumbered with local configurations of Users, Permissions and Passwords. The sister framework CADI (Code Access Data Identity) allows Java Applications to utilize Identity Authentication methods as plugins. Certificate Manager delivers X509 certificates in support of 2 way x509 TLS.
+
+AAF contains some elements of Role Based Authorization, but includes Attribute Based Authorization elements as well.
+
+Entities within AAF
+-------------------
+
+AAF is an IAM that organizes software authorizations so that applications, tools and services can match the access needed to perform job functions. AAF is more than a typical RBAC. There are Roles, to be sure, but the important Architectural Pattern includes separation of Roles and Permissions.
+
+|image0|
+
+.. |image0| image:: sections/architecture/images/aaf-permission-mapping.png
+ :height: 200px
+ :width: 500px
+
+A permission is composed of the following attributes:
+
+* Type: core name of the permission
+* Instance: the object that is being interacted
+* Action: What is happening with this object
+
+All roles, permissions identities of a given module in ONAP is covered by a Namespace (e.g. roles, permission and identities for the APP-C modules of ONAP)
+
+The permissions, having a 3 part definition, make AAF also like an ABAC (A=Attribute).
+Roles, Permissions are stored centrally, but segregated by Application (the proverbial Namespace). The Application Creates Permissions that match their code (for the question "Does User have Permission"). Permissions are granted to Roles, to which the User belongs. AAF is not a Policy Engine, where dynamically based Policies are validated against differing kinds of Data Stores. AAF (Application Authorization Framework) is focused on RealTime Authentication and Authorization.
+
+Namespace
+^^^^^^^^^
+A Namespace, in AAF, is the ensemble of Roles, Permissions and Identities. Namespaces are known by domain, example com.onap.dcae or com.onap.appc and they are hierarchically managed. A Namespace is assigned to an application and contains one or more roles and one or more permissions. By default, every namespace has an admin role
+
+**People in Namespaces**
+
+Tasks Owner (Responsible) must do:
+
+* Owners receive by email a notification to Approve
+* Owners also receive notifications of time based activities
+
+ * Periodic Revalidation of Users in Roles in Namespace
+ * Periodic Revalidation of Permission in Namespace to Roles
+
+Admins may:
+
+* Create/Delete/Modify Roles in Namespace
+* Add/Remove Users from Roles in Namespace
+* Create/Delete/Modify Permissions in Namespace
+* Grant/Ungrant Permissions in Namespace to any Role in the company (Cross Company Role Grants are possible, but require approvals from both sides).
+
+Only Namespace Admins may manage Roles/Permissions within a Namespace. The Granting process is One-Way. The Namespace Admins must Grant given Permissions to Roles on request.
+
+
+
+
+Object Model
+^^^^^^^^^^^^
+
+|image1|
+
+.. |image1| image:: sections/architecture/images/aaf-hl-object-model.png
+ :height: 600px
+ :width: 800px
+
+Resource Owner in ONAP defines permissions:
+
+* He defines and grants permission to roles
+* Get notified by a mail when an Identity with a Role asks to be granted a permission
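Review bot: the added text has several wording defects that should be fixed before merge, and the permission definition would benefit from a concrete example. "Instance: the object that is being interacted" should read "the object that is being interacted with"; "All roles, permissions identities of a given module in ONAP is covered by a Namespace" needs a comma after "permissions" and "are covered"; "By default, every namespace has an admin role" is missing its full stop; and the Resource Owner bullets "He defines and grants permission to roles" / "Get notified by a mail" should read "The owner defines and grants permissions to roles" / "Gets notified by email". In the opening paragraph, "2 way x509 TLS" should be "two-way X.509 TLS" and spelled consistently with "X509 certificates" earlier in the same sentence. Since a permission is defined as Type + Instance + Action and namespaces are named like com.onap.appc, the "A permission is composed of" list should show one real permission from an ONAP namespace so readers can see how the three parts are written together. Finally, the Admins bullet that allows granting "to any Role in the company" with cross-company grants requiring "approvals from both sides" should state which namespace Owners or Admins give those approvals, because the Owner section only says that Owners receive approval notifications by email and never says what the approval decision is.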