Ambient authority

A subject, such as a computer program, is said to be using ambient authority if it only needs to specify the names of the involved object(s) and the operation to be performed on them in order for a permitted action to succeed.

When ambient authority is requested, permissions are granted or denied based on one or more global properties of the executing program, such as its identity or its role.

The executing program has no means to reify the permissions that it was granted for a specific purpose as first-class values.[4]

A program executing under an ambient authority access control model has little option but to designate permissions and try to exercise them, hoping for the best.

This property requires users or roles to be granted an excess of permissions so that programs can execute without error.
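
The contrast described above, as an added example that is not part of the original article: opening a file by path name on a POSIX-style system is ambient authority, since the kernel decides from the process's identity, while an already-open file descriptor is a single permission held as a value. The file names and function names are constructed for illustration.

```python
import os
import tempfile

def write_by_name(path, data):
    """Ambient authority: the caller gives a name and an operation; the
    kernel decides from the process's identity, whatever the purpose."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND)
    try:
        return os.write(fd, data)
    finally:
        os.close(fd)

def write_by_handle(fd, data):
    """Reified permission: the descriptor carries the access it was opened
    with, so only that access can be exercised through it."""
    return os.write(fd, data)

def demo():
    out = {}
    with tempfile.TemporaryDirectory() as d:
        # Constructed files: one a client asked for, one the service owns.
        report = os.path.join(d, "client-report.txt")
        ledger = os.path.join(d, "service-ledger.txt")
        for path in (report, ledger):
            with open(path, "wb") as f:
                f.write(b"init\n")
        # By name, both writes succeed: the process identity may write both,
        # and the call cannot say which grant it means to use.
        out["name_report"] = write_by_name(report, b"x\n")
        out["name_ledger"] = write_by_name(ledger, b"x\n")
        # By handle, the write-only grant on the report and the read-only
        # grant on the ledger are separate values.
        wfd = os.open(report, os.O_WRONLY | os.O_APPEND)
        rfd = os.open(ledger, os.O_RDONLY)
        try:
            out["handle_report"] = write_by_handle(wfd, b"y\n")
            try:
                write_by_handle(rfd, b"y\n")
                out["handle_ledger"] = "written"
            except OSError:
                out["handle_ledger"] = "denied"
        finally:
            os.close(wfd)
            os.close(rfd)
        with open(ledger, "rb") as f:
            out["ledger"] = f.read()
    return out

if __name__ == "__main__":
    print(demo())
```

Code that receives only the read-only descriptor cannot modify the ledger even though the process identity is allowed to, which is the distinction a name-based call cannot express.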