It’s a combination of scope, resource types/operations and action type (similar to HTTP method, but somewhat normalized). Not that different from most ACL based systems.

The main problem raised by the article is a governance failure.