Authorization & Attributes Glossary

Glossary of Terms [1]

Access:
  o Opportunity to make use of an information system (IS) resource. [CNSSI-4009]
  o To interact with a system entity to use or gain knowledge of resources. [RFC 2828]
Access Control:
  o Limiting access to IS resources only to authorized users, programs, processes, or other systems. [CNSSI-4009]
  o The process of regulating access to resources by reference to a security policy. [RFC 2828]
Access Control List (ACL):
  o Mechanism implementing discretionary and/or mandatory access control between subjects and objects. [CNSSI-4009]
  o A mechanism that implements access control for a resource by enumerating the identities of the system entities that are permitted to access the resource. [RFC 2828]
Access Rights: A description of the type of authorized interactions a subject can have with a resource. Examples include read, write, execute, add, modify, and delete. [SAML]
Administrative Domain: An environment or context that is defined by some combination of one or more administrative policies. An administrative domain may contain or define one or more security domains. [SAML]
Asserting Party (AP):
  o The administrative domain that produces assertions. [SAML]
  o A system entity that provides information to another system entity that relies on that information for action. [AATT, 24 June 08]
Assertion: A piece of information produced from an authoritative source that provides information about the state or properties of a subject or resource. [SAML]
Attribute: A distinct characteristic of an object. [SAML]
Attribute Authority: A system entity that produces attribute assertions. [SAML]
Attribute Assertion: An assertion that conveys information about attributes of a subject. [SAML]
Attribute-Based Access Control (ABAC): A policy-based access control solution that uses attributes assigned to subjects, resources or the environment to enable access to resources and controlled information sharing. ABAC could be used for access to either local or enterprise services. [AATT]

[1] This Glossary is a living document. As attributes are used in operation, there will likely be additions and changes. For the latest version, please see one of the following web sites:
  DKO [https://www.us.army.mil/]
  JWICS [http://www.intelink.ic.gov/wiki/IC_Authorization_and_Attribute_Services_Tiger_Team]
  Intelink-U [https://www.intelink.gov/wiki/Authorization_and_Attribute_Tiger_Team]

Version 16, 7 October 2008


Attribute Management: The act of dynamically creating, maintaining, disseminating, and revoking IA attributes (e.g., clearances, citizenship, location, biometrics, group memberships, and work roles), which are assigned and bound to subjects. These attributes are a critical component of any resource access decision made in conjunction with resource metadata and in accordance with constraints imposed by digital policy. This paradigm is a shift from the static, identity/group-based privilege model commonly implemented through ACLs. Privilege Management occurs in a federated manner and is closely coordinated with IA Metadata and Digital Policy Management. [ESM]
Attribute Service: A service that provides a common access point to accurate and current attributes obtained from one or more Authoritative Attribute Sources. [AATT, 13 May 08]
Authenticate: To verify the identity of a user, user device, or other entity, or the integrity of data stored, transmitted, or otherwise exposed to unauthorized modification in an IS, or to establish the validity of a transmission. [CNSSI-4009]
Authentication:
  o Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information. [CNSSI-4009]
  o Security measure that verifies a claimed identity. [PP]
Authoritative Attribute Source: The official source that originates and maintains the attributes of entities. [AATT]
Authorization:
  o Access privileges granted to a user, program, or process. [CNSSI-4009]
  o The process of determining whether a subject is allowed to access a particular resource. [SAML]
  o Permission, granted by an entity authorized to do so, to perform functions and access data. [PP]
Authorization Attributes (AAs): Attributes used by the PDP when making an access control decision. [AATT]
Authorization Decision: The result of an act of authorization. [SAML]
Authorization Decision Assertion: An assertion that conveys information about an authorization decision. [SAML]
Authorization Repository: A directory or database that contains the policies, attributes, and entitlements required to make authorization decisions. [AATT]
Authorization Service (AS): The collection of capabilities required to perform assured access control decisions and enforcement. These capabilities are represented by the PDP, PEP, and PP. [AATT]
Basic Enterprise Authorization Attribute: An attribute available via an attribute service that is populated and managed in accordance with enterprise guidance and has a consistent meaning across the DoD/Intelligence Community environment. [AATT, 24 June 08]
Community of Interest (COI): A collaborative group of users who must exchange information in pursuit of their shared goals, interests, missions, or business processes and who therefore must have shared vocabulary for the information they exchange. [DoD]




Core Enterprise Authorization Attribute: See Basic Enterprise Authorization Attribute. [AATT]
Credential: Data that is used to establish a claimed identity. [SAML]
Data Provider: The agency/internal organization that maintains and secures data objects contained in the agency's data repositories (applications, databases, data warehouses, etc.). [AATT]
Digital Policy: Hierarchical rule sets that control digital resource management, utilization, and protection. [ESM]
Digital Policy Management: The act of dynamically creating, disseminating, and maintaining hierarchical rule sets to control digital resource management, utilization, and protection. This includes identifying and adjudicating conflicts that may occur among existing and new rule sets due to the hierarchical and dynamic nature of policy. Digital policy may define rules for authentication (trusted authorities, criteria for determining authenticity), authorization (access rules, authorized providers), Quality of Protection (QoP), Quality of Service (QoS), transport connectivity, bandwidth allocation and priority, audit, and computer network defense. Digital Policy Management must protect digital policies, allowing only authorized subjects to create, modify, and delegate management of rules. It assures proper implementation and enforcement of rules through interactions with policy engines and policy enforcement mechanisms and it provisions individual aspects of policy decisions to appropriate IA mechanisms. [ESM]
End User: A system entity (usually a human individual) that makes use of resources for application purposes. [SAML]
Enterprise:
  o A unit of economic organization or activity; especially: a business organization. [WEB]
  o For the purposes of the DoD/Intelligence Community AATT, the enterprise consists of the Intelligence Community, DoD and their partners. [AATT, 24 June 08]
Environment: Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an IS. [CNSSI-4009]
Extended Authorization Attribute: An attribute available via an attribute service that is accessible and understandable across the enterprise but may not be populated or managed according to enterprise guidance. Typically an Extended Authorization Attribute has an agreed-upon meaning and agreed-upon values between two or more organizational entities. [AATT, 1 July 08 and 9 September 08]
Federated: Belonging to a federation. [WEB]
Federation: A union of organizations. [WEB]
Federated Authorization Service (FAS): A collection of individual organization-owned authorization services used within a defined and administered operational environment. [AATT]
Identifier: A representation mapped to a system entity that uniquely refers to it. [SAML]
Identity: A representation (e.g., a string) uniquely identifying an authorized user, which can either be the full or abbreviated name of that user or a pseudonym. [PP]




Identity Management: The act of registering identities and issuing, maintaining, and revoking globally unambiguous, assured identifiers for human and non-human subjects (e.g., individuals, organizations, work roles, COIs, devices, and automated processes). Identity management is performed in a federated manner. Subjects will exchange and must reliably interpret federated identifiers; therefore, identifiers must be defined and communicated according to open standards. Identity Management is fundamentally integrated with Credential Management, the ESM capability where identity proofing is performed. [ESM]
Local Authorization Attribute: An attribute available via a local attribute service, accessible and understandable within the domain, but not populated or managed according to enterprise guidance. [AATT, 1 July 08]
Policy: Definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions. [WEB]
Policy Decision Point (PDP): A system entity that makes authorization decisions for itself or for other system entities that request such decisions. [SAML]
Policy Decision: An authorization decision accomplished by applying an entity's attributes and entitlements against the PP of the PR. [AATT]
Policy Enforcement Point (PEP): A system entity that requests and subsequently enforces authorization decisions. Typically the PEP is located on the server hosting the PR. [SAML]
Principal: A system entity whose identity can be authenticated. [SAML]
Principal Identifier: A representation of a principal's identity, typically an identifier. [SAML]
Protected Resource (PR): An information resource that is being protected by a Policy Enforcement Point. [AATT]
Protection Policy (PP): A set of access control logic that represents the data owner's requirements for access to the protected data or service. [AATT]
Proxy:
  o An entity authorized to act for another. [SAML]
  o Software agent that performs a function or operation on behalf of another application or system while hiding the details involved. [CNSSI-4009]
Relying Party (RP):
  o A system entity that uses the SAML protocol to request services from another system entity (a SAML authority, a responder). [SAML]
  o A system entity that decides to take action based on information from another system entity. [AATT, 24 June 08]
Requester, SAML Requester: A system entity that uses the SAML protocol to request services from another system entity (a SAML authority, a responder). [SAML]
Resource:
  o An IS
  o An application
  o Data contained in an IS, or
  o A service provided by a system. [AATT]
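The way the entries above fit together (Attribute Service, Authoritative Attribute Source, PEP, PDP, PR and PP), shown as an added Python model that is not part of the glossary or of any AATT system: the Attribute Service accepts assertions only from configured Authoritative Attribute Sources, the PEP guarding a Protected Resource requests a decision from the PDP, and the PDP applies the subject's attributes and the environment against the resource's Protection Policy, failing closed when an attribute is missing. All source names, attribute names, subjects and rules are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed, illustrative data throughout: "hr-authoritative-source", "COI-ALPHA"
# and the subject names are placeholders, not values taken from the glossary.

@dataclass(frozen=True)
class AttributeAssertion:
    """What an Asserting Party claims about one subject's attributes."""
    subject: str
    issuer: str                    # the Attribute Authority that produced it
    attributes: Dict[str, object]

class AttributeService:
    """Common access point for attributes; accepts assertions only from the
    configured Authoritative Attribute Sources."""

    def __init__(self, authoritative_sources: Set[str]) -> None:
        self._authoritative = set(authoritative_sources)
        self._store: Dict[str, Dict[str, object]] = {}

    def ingest(self, assertion: AttributeAssertion) -> bool:
        if assertion.issuer not in self._authoritative:
            return False           # non-authoritative claims are discarded
        self._store.setdefault(assertion.subject, {}).update(assertion.attributes)
        return True

    def attributes_for(self, subject: str) -> Dict[str, object]:
        return dict(self._store.get(subject, {}))

@dataclass
class ProtectionPolicy:
    """The PP: the data owner's access-control logic. Every rule must hold.
    A rule is called with (subject attrs, resource metadata + action, environment)."""
    rules: list = field(default_factory=list)

@dataclass
class ProtectedResource:
    """The PR plus the resource metadata the PDP evaluates against."""
    name: str
    metadata: Dict[str, object]
    policy: ProtectionPolicy

class PolicyDecisionPoint:
    """The PDP: applies the subject's attributes against the PP of the PR."""

    def __init__(self, attribute_service: AttributeService) -> None:
        self.attribute_service = attribute_service

    def decide(self, subject: str, resource: ProtectedResource,
               action: str, environment: Dict[str, object]) -> str:
        subj = self.attribute_service.attributes_for(subject)
        if not subj:
            return "Deny"          # no authoritative attributes, no access
        res = {**resource.metadata, "action": action}
        try:
            ok = all(rule(subj, res, environment) for rule in resource.policy.rules)
        except (KeyError, TypeError):
            ok = False             # a missing or malformed attribute fails closed
        return "Permit" if ok else "Deny"

class PolicyEnforcementPoint:
    """The PEP: guards one PR, requests the decision and enforces it."""

    def __init__(self, pdp: PolicyDecisionPoint, resource: ProtectedResource) -> None:
        self.pdp, self.resource = pdp, resource
        self.audit: List[tuple] = []   # (subject, action, decision), for review

    def access(self, subject: str, action: str, environment: Dict[str, object]) -> bool:
        decision = self.pdp.decide(subject, self.resource, action, environment)
        self.audit.append((subject, action, decision))
        return decision == "Permit"

# Constructed rules for the demo Protection Policy.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

def clearance_dominates(s, r, e): return LEVELS[s["clearance"]] >= LEVELS[r["classification"]]
def citizenship_releasable(s, r, e): return s["citizenship"] in r["releasable_to"]
def coi_member(s, r, e): return r["coi"] in s["coi_memberships"]
def steward_for_writes(s, r, e): return r["action"] == "read" or s["work_role"] == "data-steward"
def business_hours(s, r, e): return 8 <= e["hour"] < 18

def build_demo() -> PolicyEnforcementPoint:
    """Wire an Attribute Service, a PR with its PP, a PDP and a PEP using sample data."""
    svc = AttributeService({"hr-authoritative-source"})
    svc.ingest(AttributeAssertion("alice", "hr-authoritative-source", {"clearance": "SECRET",
        "citizenship": "USA", "coi_memberships": ["COI-ALPHA"], "work_role": "analyst"}))
    svc.ingest(AttributeAssertion("bob", "hr-authoritative-source", {"clearance": "CONFIDENTIAL",
        "citizenship": "USA", "coi_memberships": ["COI-ALPHA"], "work_role": "analyst"}))
    svc.ingest(AttributeAssertion("mallory", "self-asserted", {"clearance": "SECRET",   # dropped:
        "citizenship": "USA", "coi_memberships": ["COI-ALPHA"], "work_role": "analyst"}))  # not authoritative
    pr = ProtectedResource("alpha-report",
        {"classification": "SECRET", "releasable_to": {"USA"}, "coi": "COI-ALPHA"},
        ProtectionPolicy([clearance_dominates, citizenship_releasable, coi_member,
                          steward_for_writes, business_hours]))
    return PolicyEnforcementPoint(PolicyDecisionPoint(svc), pr)
```

The PEP's audit list records every decision it enforced, which is the trail a reviewer would check when an access was unexpectedly permitted or denied.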




Responder, SAML Responder: A system entity that uses the SAML protocol to respond to a request for services from another system entity (a requester). [SAML]
SAML Attribute Assertion: An assertion that contains an Intelligence Community set of approved, shareable user authorization attributes associated with a specific subject of a received query that is in a specific SAML construct and is generated by the AP. [AATT]
SAML Authority: An abstract system entity in the SAML domain model that issues assertions. [SAML]
Security Domain: An environment or context that is defined by security models and security architecture, including a set of resources and set of system entities that are authorized to access the resources. One or more security domains may reside in a single administrative domain. [SAML]
Security Policy: A set of rules and practices that specify or regulate how a system or organization provides security services to protect resources. [RFC 2828]
Service: A mechanism to enable access to one or more capabilities. [AATT]
Session: A lasting interaction between system entities, often involving a user, typified by the maintenance of some state of the interaction for the duration of the interaction. [SAML]
Source of Record: A Data Asset that satisfies the following business rule: the data contained within it is designated by the owning organization as having been generated by policy-compliant business processes that ensure its integrity. [FEA]
Source of Reference: A Data Asset containing data that may replicate the data from a data source of record. [AATT]
Subject:
  o A system entity that causes information to flow among objects or changes the system state. [RFC 2828]
  o An individual, process, or device causing information to flow among objects or change to the system state. [CNSSI-4009]
System Entity: An active element of a system that incorporates a specific set of capabilities. [RFC 2828]
System of Records Notice (SORN): Notice of Establishment of a New System of Records, published in the United States Federal Register, which is the official daily publication for rules, proposed rules, and notices of Federal agencies and organizations, as well as executive orders and other presidential documents. Notice is required by the Privacy Act of 1974. [5 U.S.C. § 552a]
User:
  o A person, organization entity, or automated process that accesses a system, whether authorized to do so or not. [RFC 2828]
  o Individual or process authorized to access an IS. [CNSSI-4009]
  o (PKI) Individual defined, registered, and bound to a public key structure by a certification authority. [CNSSI-4009]






Sources:

AATT – Authorization and Attribute Services Tiger Team
CNSSI-4009 – CNSSI 4009, The National Information Assurance Glossary, http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf
DoD – DoD Net-Centric Data Strategy
ESM – Enterprise Security Management terms extracted from the GIG IA Architecture, which map back to the DoD Joint Capabilities Documents
FEA – The Federal Enterprise Architecture Data Reference Model (FEA-DRM) Version 2.0, dated November 17, 2005
ICAS – ICAS Concept of Operations
PP – Protection Profile, http://niap.bahialab.com/cc-scheme/pp/pp.cfm/id/pp_authsrv_br_v1.1/
RFC 2828 – IETF RFC 2828, Internet Security Glossary
SAML – SAML Glossary, http://docs.oasis-open.org/security/saml/v2.0/saml-glossary-2.0-os.pdf
WEB – Webster's Online Dictionary, http://www.merriam-webster.com/dictionary
5 U.S.C. § 552a – The Privacy Act of 1974, http://www.usdoj.gov/oip/privstat.htm





Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

Authorization and attributes glossary

Attribute: A distinct characteristic of an object. [SAML]
Attribute Authority: A system entity that produces attribute assertions. [SAML]
Attribute Assertion: An assertion that conveys information about attributes of a subject. [SAML]
Attribute-Based Access Control (ABAC): A policy-based access control solution that uses attributes assigned to subjects, resources or the environment to enable access to resources and controlled information sharing. ABAC could be used for access to either local or enterprise services. [AATT]

¹ This Glossary is a living document. As attributes are used in operation, there will likely be additions and changes. For the latest version, please see one of the following web sites:
    DKO        https://www.us.army.mil/
    JWICS      http://www.intelink.ic.gov/wiki/IC_Authorization_and_Attribute_Services_Tiger_Team
    Intelink-U https://www.intelink.gov/wiki/Authorization_and_Attribute_Tiger_Team

Version 16, 7 October 2008

Attribute Management: The act of dynamically creating, maintaining, disseminating, and revoking IA attributes (e.g., clearances, citizenship, location, biometrics, group memberships, and work roles), which are assigned and bound to subjects. These attributes are a critical component of any resource access decision made in conjunction with resource metadata and in accordance with constraints imposed by digital policy. This paradigm is a shift from the static, identity/group-based privilege model commonly implemented through ACLs. Privilege Management occurs in a federated manner and is closely coordinated with IA Metadata and Digital Policy Management. [ESM]
Attribute Service: A service that provides a common access point to accurate and current attributes obtained from one or more Authoritative Attribute Sources. [AATT, 13 May 08]
Authenticate: To verify the identity of a user, user device, or other entity, or the integrity of data stored, transmitted, or otherwise exposed to unauthorized modification in an IS, or to establish the validity of a transmission. [CNSSI-4009]
Authentication:
    o Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information. [CNSSI-4009]
    o Security measure that verifies a claimed identity. [PP]
Authoritative Attribute Source: The official source that originates and maintains the attributes of entities. [AATT]
Authorization:
    o Access privileges granted to a user, program, or process. [CNSSI-4009]
    o The process of determining whether a subject is allowed to access a particular resource. [SAML]
    o Permission, granted by an entity authorized to do so, to perform functions and access data. [PP]
Authorization Attributes (AAs): Attributes used by the PDP when making an access control decision. [AATT]
Authorization Decision: The result of an act of authorization. [SAML]
Authorization Decision Assertion: An assertion that conveys information about an authorization decision. [SAML]
Authorization Repository: A directory or database that contains the policies, attributes, and entitlements required to make authorization decisions. [AATT]
Authorization Service (AS): The collection of capabilities required to perform assured access control decisions and enforcement. These capabilities are represented by the PDP, PEP, and PP. [AATT]
Basic Enterprise Authorization Attribute: An attribute available via an attribute service that is populated and managed in accordance with enterprise guidance and has a consistent meaning across the DoD/Intelligence Community environment. [AATT, 24 June 08]
Community of Interest (COI): A collaborative group of users who must exchange information in pursuit of their shared goals, interests, missions, or business processes and who therefore must have a shared vocabulary for the information they exchange. [DoD]
Core Enterprise Authorization Attribute: See Basic Enterprise Authorization Attribute. [AATT]
Credential: Data that is used to establish a claimed identity. [SAML]
Data Provider: The agency/internal organization that maintains and secures data objects contained in the agency's data repositories (applications, databases, data warehouses, etc.). [AATT]
Digital Policy: Hierarchical rule sets that control digital resource management, utilization, and protection. [ESM]
Digital Policy Management: The act of dynamically creating, disseminating, and maintaining hierarchical rule sets to control digital resource management, utilization, and protection. This includes identifying and adjudicating conflicts that may occur among existing and new rule sets due to the hierarchical and dynamic nature of policy. Digital policy may define rules for authentication (trusted authorities, criteria for determining authenticity), authorization (access rules, authorized providers), Quality of Protection (QoP), Quality of Service (QoS), transport connectivity, bandwidth allocation and priority, audit, and computer network defense. Digital Policy Management must protect digital policies, allowing only authorized subjects to create, modify, and delegate management of rules. It assures proper implementation and enforcement of rules through interactions with policy engines and policy enforcement mechanisms, and it provisions individual aspects of policy decisions to appropriate IA mechanisms. [ESM]
End User: A system entity (usually a human individual) that makes use of resources for application purposes. [SAML]
Enterprise:
    o A unit of economic organization or activity; especially: a business organization. [WEB]
    o For the purposes of the DoD/Intelligence Community AATT, the enterprise consists of the Intelligence Community, DoD and their partners. [AATT, 24 June 08]
Environment: Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an IS. [CNSSI-4009]
Extended Authorization Attribute: An attribute available via an attribute service that is accessible and understandable across the enterprise but may not be populated or managed according to enterprise guidance. Typically an Extended Authorization Attribute has an agreed-upon meaning and agreed-upon values between two or more organizational entities. [AATT, 1 July 08 and 9 September 08]
Federated: Belonging to a federation. [WEB]
Federation: A union of organizations. [WEB]
Federated Authorization Service (FAS): A collection of individual organization-owned authorization services used within a defined and administered operational environment. [AATT]
Identifier: A representation mapped to a system entity that uniquely refers to it. [SAML]
Identity: A representation (e.g., a string) uniquely identifying an authorized user, which can either be the full or abbreviated name of that user or a pseudonym. [PP]
Identity Management: The act of registering identities and issuing, maintaining, and revoking globally unambiguous, assured identifiers for human and non-human subjects (e.g., individuals, organizations, work roles, COIs, devices, and automated processes). Identity management is performed in a federated manner. Subjects will exchange and must reliably interpret federated identifiers; therefore, identifiers must be defined and communicated according to open standards. Identity Management is fundamentally integrated with Credential Management, the ESM capability where identity proofing is performed. [ESM]
Local Authorization Attribute: An attribute available via a local attribute service, accessible and understandable within the domain, but not populated or managed according to enterprise guidance. [AATT, 1 July 08]
Policy: Definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions. [WEB]
Policy Decision Point (PDP): A system entity that makes authorization decisions for itself or for other system entities that request such decisions. [SAML]
Policy Decision: An authorization decision accomplished by applying an entity's attributes and entitlements against the PP of the PR. [AATT]
Policy Enforcement Point (PEP): A system entity that requests and subsequently enforces authorization decisions. Typically the PEP is located on the server hosting the PR. [SAML]
Principal: A system entity whose identity can be authenticated. [SAML]
Principal Identifier: A representation of a principal's identity, typically an identifier. [SAML]
Protected Resource (PR): An information resource that is being protected by a Policy Enforcement Point. [AATT]
Protection Policy (PP): A set of access control logic that represents the data owner's requirements for access to the protected data or service. [AATT]
Proxy:
    o An entity authorized to act for another. [SAML]
    o Software agent that performs a function or operation on behalf of another application or system while hiding the details involved. [CNSSI-4009]
Relying Party (RP):
    o A system entity that uses the SAML protocol to request services from another system entity (a SAML authority, a responder). [SAML]
    o A system entity that decides to take action based on information from another system entity. [AATT, 24 June 08]
Requester, SAML Requester: A system entity that uses the SAML protocol to request services from another system entity (a SAML authority, a responder). [SAML]
Resource:
    o An IS
    o An application
    o Data contained in an IS, or
    o A service provided by a system. [AATT]
Responder, SAML Responder: A system entity that uses the SAML protocol to respond to a request for services from another system entity (a requester). [SAML]
SAML Attribute Assertion: An assertion that contains an Intelligence Community set of approved, shareable user authorization attributes associated with a specific subject of a received query, that is in a specific SAML construct and is generated by the AP. [AATT]
SAML Authority: An abstract system entity in the SAML domain model that issues assertions. [SAML]
Security Domain: An environment or context that is defined by security models and security architecture, including a set of resources and a set of system entities that are authorized to access the resources. One or more security domains may reside in a single administrative domain. [SAML]
Security Policy: A set of rules and practices that specify or regulate how a system or organization provides security services to protect resources. [RFC 2828]
Service: A mechanism to enable access to one or more capabilities. [AATT]
Session: A lasting interaction between system entities, often involving a user, typified by the maintenance of some state of the interaction for the duration of the interaction. [SAML]
Source of Record: A Data Asset that satisfies the following business rule: the data contained within it is designated by the owning organization as having been generated by policy-compliant business processes that ensure its integrity. [FEA]
Source of Reference: A Data Asset containing data that may replicate the data from a data source of record. [AATT]
Subject:
    o A system entity that causes information to flow among objects or changes the system state. [RFC 2828]
    o An individual, process, or device causing information to flow among objects or change to the system state. [CNSSI-4009]
System Entity: An active element of a system that incorporates a specific set of capabilities. [RFC 2828]
System of Records Notice (SORN): Notice of Establishment of a New System of Records, published in the United States Federal Register, which is the official daily publication for rules, proposed rules, and notices of Federal agencies and organizations, as well as executive orders and other presidential documents. Notice is required by the Privacy Act of 1974. [5 U.S.C. § 552a]
User:
    o A person, organization entity, or automated process that accesses a system, whether authorized to do so or not. [RFC 2828]
    o Individual or process authorized to access an IS. [CNSSI-4009] or
    o (PKI) Individual defined, registered, and bound to a public key structure by a certification authority. [CNSSI-4009]
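The entries for Attribute Authority, Authoritative Attribute Source, Policy Decision Point, Policy Enforcement Point, Protection Policy and Authorization Decision describe one architecture seen from several sides. The Python sketch below is added here as an illustration of how those roles fit together; it is not part of the glossary and not code from any AATT system. Everything in it is constructed for the example: the subjects and their attributes (clearance, citizenship, COI membership, work role), the single resource and its metadata, the network attribute of the environment, and the rule names. The PDP denies by default: no assertion, an assertion from an issuer it does not trust, a resource with no protection policy, or any failing rule yields Deny, and the PEP releases the resource content only on Permit.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: the ordering the clearance rule compares against.
CLEARANCE_RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class AttributeAssertion:
    """Attribute assertion: a subject's attributes, vouched for by the issuing authority."""
    issuer: str
    subject: str
    attributes: dict


@dataclass(frozen=True)
class AuthorizationDecision:
    """Authorization decision: what the PDP hands back to the PEP."""
    permit: bool
    reason: str


class AttributeAuthority:
    """Authoritative attribute source: the only place subject attributes are asserted."""

    def __init__(self, name: str, store: dict):
        self.name, self._store = name, store

    def assert_attributes(self, subject: str) -> Optional[AttributeAssertion]:
        attrs = self._store.get(subject)
        if attrs is None:
            return None  # unknown subject: no assertion, so the PDP will deny
        return AttributeAssertion(self.name, subject, dict(attrs))


class PolicyDecisionPoint:
    """Evaluates the protection policy of a resource; deny unless every rule holds."""

    def __init__(self, policies: dict, trusted_issuers: set):
        self._policies = policies  # authorization repository: resource id -> [(name, rule)]
        self._trusted = set(trusted_issuers)

    def decide(self, assertion, action, resource, env) -> AuthorizationDecision:
        if assertion is None or assertion.issuer not in self._trusted:
            return AuthorizationDecision(False, "no attribute assertion from a trusted authority")
        rules = self._policies.get(resource["id"])
        if not rules:
            return AuthorizationDecision(False, "no protection policy for resource")
        for name, rule in rules:  # each rule sees subject attrs, resource attrs, environment, action
            if not rule(assertion.attributes, resource, env, action):
                return AuthorizationDecision(False, f"rule failed: {name}")
        return AuthorizationDecision(True, "all rules satisfied")


class PolicyEnforcementPoint:
    """Sits in front of the protected resources: asks the PDP, releases data only on Permit."""

    def __init__(self, pdp, attribute_authority, resources: dict):
        self._pdp, self._aa, self._resources = pdp, attribute_authority, resources

    def request(self, subject, action, resource_id, env):
        resource = self._resources[resource_id]
        assertion = self._aa.assert_attributes(subject)
        decision = self._pdp.decide(assertion, action, resource["metadata"], env)
        return decision, (resource["content"] if decision.permit else None)


# Protection policy rules for the hypothetical resource (constructed, not an AATT policy).
def rule_clearance(s, r, e, a):
    return CLEARANCE_RANK[s["clearance"]] >= CLEARANCE_RANK[r["classification"]]

def rule_citizenship(s, r, e, a):
    return s["citizenship"] in r["releasable_to"]

def rule_coi(s, r, e, a):
    return r["coi"] in s["coi_memberships"]

def rule_work_role(s, r, e, a):
    return a in {"analyst": {"read"}, "editor": {"read", "write"}}.get(s["work_role"], set())

def rule_network(s, r, e, a):
    return e["network"] in r["permitted_networks"]


def build_demo() -> PolicyEnforcementPoint:
    """Wire the roles together with constructed subjects, one resource and its policy."""
    aa = AttributeAuthority("example-attribute-service", {
        "alice": {"clearance": "TOP SECRET", "citizenship": "USA", "coi_memberships": {"COI-A"}, "work_role": "editor"},
        "bob":   {"clearance": "SECRET", "citizenship": "GBR", "coi_memberships": {"COI-A"}, "work_role": "analyst"},
        "carol": {"clearance": "SECRET", "citizenship": "USA", "coi_memberships": set(), "work_role": "analyst"},
    })
    resources = {"report-42": {
        "metadata": {"id": "report-42", "classification": "SECRET", "releasable_to": {"USA", "GBR"},
                     "coi": "COI-A", "permitted_networks": {"enterprise-net"}},
        "content": "report body",
    }}
    policies = {"report-42": [("clearance", rule_clearance), ("citizenship", rule_citizenship),
                              ("coi", rule_coi), ("work_role", rule_work_role), ("network", rule_network)]}
    return PolicyEnforcementPoint(PolicyDecisionPoint(policies, {"example-attribute-service"}), aa, resources)


if __name__ == "__main__":
    pep, env = build_demo(), {"network": "enterprise-net"}
    for subject, action in [("alice", "write"), ("bob", "read"), ("bob", "write"), ("carol", "read"), ("mallory", "read")]:
        decision, _ = pep.request(subject, action, "report-42", env)
        print(f"{subject:8s} {action:6s} {'Permit' if decision.permit else 'Deny':6s} {decision.reason}")
```

Two design points are worth noting. The PEP never reads attributes itself; it carries the attribute service's assertion to the PDP, which is what keeps the attribute authority authoritative. And the PDP checks the issuer before it looks at a single attribute, so an assertion fabricated by a party outside the trusted set is refused even if its attribute values would satisfy every rule.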
Sources:

AATT – Authorization and Attribute Services Tiger Team
CNSSI-4009 – CNSSI 4009, The National Information Assurance Glossary, http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf
DoD – DoD Net-Centric Data Strategy
ESM – Enterprise Security Management terms extracted from the GIG IA Architecture, which map back to the DoD Joint Capabilities Documents
FEA – The Federal Enterprise Architecture Data Reference Model (FEA-DRM) Version 2.0, dated November 17, 2005
ICAS – ICAS Concept of Operations
PP – Protection Profile, http://niap.bahialab.com/cc-scheme/pp/pp.cfm/id/pp_authsrv_br_v1.1/
RFC 2828 – IETF RFC 2828, Internet Security Glossary
SAML – SAML Glossary, http://docs.oasis-open.org/security/saml/v2.0/saml-glossary-2.0-os.pdf
WEB – Webster's Online Dictionary, http://www.merriam-webster.com/dictionary
5 U.S.C. § 552a – The Privacy Act of 1974, http://www.usdoj.gov/oip/privstat.htm