Is a requirement by the customer. Given a user list of the permissions the user has. It does not really matter the resources on which the customer may have these permissions, we are just interested in the permissions. I imagine that the customer would like to give permission to a user for a given period of time and after that remove them thus, "let me see what permissions does user x have ... oh! now I want to remove permission a, b and c"