* Nice model!
* You do have 2 class models. Does that imply 2 different options?
* parentOrganization is not necessary as an attribute, you can express this by making the relation to itself bidirectional
* There is no concept of a distinguished data and function authorization yet. Data authorization is about who can manipulate which resource. Function is about who can use what functions. Usually function authorisation comes first, then data. Is it correct that this model only talks about functional authorisation?
* UserRole should be ParticipantRole
* Not so sure about the need of having the concept of a participant. What is the use case?