This is a short overview of the terminology. To use the advanced features of Apache Ki, you should be familiar with these terms.
Authentication is the act of confirming the identity of a subject (a user). The most common method of confirming an identity is a username/password combination (the password is checked for correctness).
Authorization is the act of confirming that a subject has the right permissions to execute some action. For example, a check is made that user "Joe" has the permission to execute the "shutdown" command.
A realm is a resource which allows access to the security components of an application (users, passwords, roles, permissions). So realms are responsible for both authentication and authorization.
A subject represents a user with all his roles and permissions.
A user can have multiple roles. For example, a user can have the role "developer", but he can also be responsible for administration (role: administrator) or for sales (role: sales). A role is basically a collection of permissions.
Principals are the identifying attributes of a subject (name, id, ...).
Information which is used to verify the identity of a user.
The ability to perform an action. In OntoBroker permissions could be
OntoBroker also allows wildcard permissions for some features. For example, you can use '*' as a wildcard to specify modules:

    Joe:User[hasRole-> ResearchAndDevelopmentMember].
    ResearchAndDevelopmentMember:Role[hasReadPermission->*].

It is also possible to use wildcard permissions for command executions:

    role.admin = ob:command:*

Instead of specifying a list of allowed commands we grant the "admin" role access to all commands.
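The following is an added example, not OntoBroker or Apache Ki code. It shows how a colon-delimited wildcard permission such as ob:command:* is evaluated against a concrete request, and how to audit which commands a role actually receives. The matching rules, the "operator" role and the "query" and "status" command names are assumptions made for illustration.

```python
# Added illustration: colon-delimited wildcard permissions, modeled on the
# "ob:command:*" string above. Matching rules here are an assumption, not
# OntoBroker's or Apache Ki's implementation.

def _parts(permission):
    """Split 'ob:command:a,b' into [{'ob'}, {'command'}, {'a', 'b'}]."""
    parts = [set(p.split(",")) for p in permission.strip().split(":")]
    if any("" in p for p in parts):
        raise ValueError(f"empty part in permission {permission!r}")
    return parts


def implies(granted, requested):
    """True if the granted permission string covers the requested one."""
    g, r = _parts(granted), _parts(requested)
    for i, req in enumerate(r):
        if i >= len(g):
            return True  # granted is shorter: it covers everything below it
        if "*" not in g[i] and not req <= g[i]:
            return False
    # granted is more specific than the request: extra parts must be wildcards
    return all("*" in extra for extra in g[len(r):])


# Constructed role table. Only "role.admin = ob:command:*" is from the page;
# the "operator" role and the "query"/"status" command names are hypothetical.
ROLE_PERMISSIONS = {
    "admin": ["ob:command:*"],
    "operator": ["ob:command:query,status"],
}


def is_permitted(roles, requested):
    """Authorization check: does any role of the subject grant the request?"""
    return any(
        implies(granted, requested)
        for role in roles
        for granted in ROLE_PERMISSIONS.get(role, [])
    )


def commands_allowed(roles, commands):
    """Audit helper: which of these commands may a subject with these roles run?"""
    return [c for c in commands if is_permitted(roles, f"ob:command:{c}")]
```

Running commands_allowed over the full command list for each role makes the reach of a wildcard grant visible: the "admin" role passes every command, including "shutdown", while a role with an explicit list passes only what is named.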