We try to avoid it, but sometimes technical terms appear on the CWL website. Use this glossary if you need some help understanding what these terms mean.


An administrator in CWL is a login for which at least one role has been associated to at least one permission and granted to the login. There are two basic types: departamental and role/service administrators.

Administrator groups

CWL accounts are assigned to “administrator” groups, which follow departmental lines. This allows departmental administrators to maintain the CWL accounts for the people in their departments. If someone is assigned to an incorrect department, an update will need to be made to the Human Resources database.


Affiliations represent the relationship users have with the University. There are three affiliations that allow people to sign up for CWL: students, staff and faculty.


The process by which a system challenges a user to prove their identity. In the case of CWL, it involves a combination of a username and password known only to the person who holds the account.


Authorization occurs when a system grants the appropriate privileges to a person (identified by their account) once authentication is achieved. In CWL, account privileges are identified by roles.


CWL uses departments as they are listed by Human Resources.

Department administrator

A department administrator can manage CWL accounts and roles for their department.

Grant/ revoke role

Roles are added to and removed from accounts. Roles may be granted automatically based on the person’s affiliation, by a departmental administrator or a service administrator.


A single person in the CWL database who has one or more accounts.

Identity repository/ database

A trusted system/ database that is the official repository of information for people associated to UBC via a campus identity system (e.g. SIS for students). CWL passes certain identifying keys to identify a person associated to a login.


Logins are one of the building blocks of the CWL system along with Roles. Logins are system identities given to identified people or assigned to one person or more by a department (shared logins).


A permission is a privilege associated with a role. People are granted permissions, or privileges, when roles are assigned to accounts.


Roles are one of the building blocks of the CWL system along with logins. A role is string of identifiers separated by dots "." Roles on their own have no great value, but they are what CWL uses to know what rights have been granted to a user. The correct role can give you access to an interface or system. Roles are also used to administer CWL interfaces and administrators.

Role/ service administrator

A role administrator is a service owner who has been granted permission to manage one or more aspects of a role.

Role membership

A list accounts that have been assigned a certain role.


See Identity.