Authorization and attributes glossary
Glossary of Terms [1]
Access:
o Opportunity to make use of an information system (IS) resource. [CNSSI-4009]
o To interact with a system entity to use or gain knowledge of resources. [RFC 2828]
Access Control:
o Limiting access to IS resources only to authorized users, programs, processes, or other systems. [CNSSI-4009]
o The process of regulating access to resources by reference to a security policy. [RFC 2828]
Access Control List (ACL):
o Mechanism implementing discretionary and/or mandatory access control between subjects and objects. [CNSSI-4009]
o A mechanism that implements access control for a resource by enumerating the identities of the system entities that are permitted to access the resource. [RFC 2828]
Access Rights: A description of the type of authorized interactions a subject can have with a resource. Examples include read, write, execute, add, modify, and delete. [SAML]
Administrative Domain: An environment or context that is defined by some combination of one or more administrative policies. An administrative domain may contain or define one or more security domains. [SAML]
Asserting Party (AP):
o The administrative domain that produces assertions. [SAML]
o A system entity that provides information to another system entity that relies on that information for action. [AATT, 24 June 08]
Assertion: A piece of information produced from an authoritative source that provides information about the state or properties of a subject or resource. [SAML]
Attribute: A distinct characteristic of an object. [SAML]
Attribute Authority: A system entity that produces attribute assertions. [SAML]
Attribute Assertion: An assertion that conveys information about attributes of a subject. [SAML]
Attribute-Based Access Control (ABAC): A policy-based access control solution that uses attributes assigned to subjects, resources or the environment to enable access to resources and controlled information sharing. ABAC could be used for access to either local or enterprise services. [AATT]
[1] This Glossary is a living document. As attributes are used in operation, there will likely be additions and changes.
For the latest version, please see one of the following web sites:
DKO [https://www.us.army.mil/]
JWICS [http://www.intelink.ic.gov/wiki/IC_Authorization_and_Attribute_Services_Tiger_Team]
Intelink-U [https://www.intelink.gov/wiki/Authorization_and_Attribute_Tiger_Team]
Version 16, 7 October 2008 1
Attribute Management: The act of dynamically creating, maintaining, disseminating, and revoking IA attributes (e.g., clearances, citizenship, location, biometrics, group memberships, and work roles), which are assigned and bound to subjects. These attributes are a critical component of any resource access decision made in conjunction with resource metadata and in accordance with constraints imposed by digital policy. This paradigm is a shift from the static, identity/group-based privilege model commonly implemented through ACLs. Privilege Management occurs in a federated manner and is closely coordinated with IA Metadata and Digital Policy Management. [ESM]
Attribute Service: A service that provides a common access point to accurate and current attributes obtained from one or more Authoritative Attribute Sources. [AATT, 13 May 08]
Authenticate: To verify the identity of a user, user device, or other entity, or the integrity of data stored, transmitted, or otherwise exposed to unauthorized modification in an IS, or to establish the validity of a transmission. [CNSSI-4009]
Authentication:
o Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information. [CNSSI-4009]
o Security measure that verifies a claimed identity. [PP]
Authoritative Attribute Source: The official source that originates and maintains the attributes of entities. [AATT]
Authorization:
o Access privileges granted to a user, program, or process. [CNSSI-4009]
o The process of determining whether a subject is allowed to access a particular resource. [SAML]
o Permission, granted by an entity authorized to do so, to perform functions and access data. [PP]
Authorization Attributes (AAs): Attributes used by the PDP when making an access control decision. [AATT]
Authorization Decision: The result of an act of authorization. [SAML]
Authorization Decision Assertion: An assertion that conveys information about an authorization decision. [SAML]
Authorization Repository: A directory or database that contains the policies, attributes, and entitlements required to make authorization decisions. [AATT]
Authorization Service (AS): The collection of capabilities required to perform assured access control decisions and enforcement. These capabilities are represented by the PDP, PEP, and PP. [AATT]
Basic Enterprise Authorization Attribute: An attribute available via an attribute service that is populated and managed in accordance with enterprise guidance and has a consistent meaning across the DoD/Intelligence Community environment. [AATT, 24 June 08]
Community of Interest (COI): A collaborative group of users who must exchange information in pursuit of their shared goals, interests, missions, or business processes and who therefore must have shared vocabulary for the information they exchange. [DoD]
Core Enterprise Authorization Attribute: See Basic Enterprise Authorization Attribute. [AATT]
Credential: Data that is used to establish a claimed identity. [SAML]
Data Provider: The agency/internal organization that maintains and secures data objects contained in the agency’s data repositories (applications, databases, data warehouses, etc.). [AATT]
Digital Policy: Hierarchical rule sets that control digital resource management, utilization, and protection. [ESM]
Digital Policy Management: The act of dynamically creating, disseminating, and maintaining hierarchical rule sets to control digital resource management, utilization, and protection. This includes identifying and adjudicating conflicts that may occur among existing and new rule sets due to the hierarchical and dynamic nature of policy. Digital policy may define rules for authentication (trusted authorities, criteria for determining authenticity), authorization (access rules, authorized providers), Quality of Protection (QoP), Quality of Service (QoS), transport connectivity, bandwidth allocation and priority, audit, and computer network defense. Digital Policy Management must protect digital policies, allowing only authorized subjects to create, modify, and delegate management of rules. It assures proper implementation and enforcement of rules through interactions with policy engines and policy enforcement mechanisms and it provisions individual aspects of policy decisions to appropriate IA mechanisms. [ESM]
End User: A system entity (usually a human individual) that makes use of resources for application purposes. [SAML]
Enterprise:
o A unit of economic organization or activity; especially: a business organization. [WEB]
o For the purposes of the DoD/Intelligence Community AATT, the enterprise consists of the Intelligence Community, DoD and their partners. [AATT, 24 June 08]
Environment: Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an IS. [CNSSI-4009]
Extended Authorization Attribute: An attribute available via an attribute service that is accessible and understandable across the enterprise but may not be populated or managed according to enterprise guidance. Typically an Extended Authorization Attribute has an agreed-upon meaning and agreed-upon values between two or more organizational entities. [AATT, 1 July 08 and 9 September 08]
Federated: Belonging to a federation. [WEB]
Federation: A union of organizations. [WEB]
Federated Authorization Service (FAS): A collection of individual organization-owned authorization services used within a defined and administered operational environment. [AATT]
Identifier: A representation mapped to a system entity that uniquely refers to it. [SAML]
Identity: A representation (e.g., a string) uniquely identifying an authorized user, which can either be the full or abbreviated name of that user or a pseudonym. [PP]
Identity Management: The act of registering identities and issuing, maintaining, and revoking globally unambiguous, assured identifiers for human and non-human subjects (e.g. individuals, organizations, work roles, COIs, devices, and automated processes). Identity management is performed in a federated manner. Subjects will exchange and must reliably interpret federated identifiers; therefore, identifiers must be defined and communicated according to open standards. Identity Management is fundamentally integrated with Credential Management, the ESM capability where identity proofing is performed. [ESM]
Local Authorization Attribute: An attribute available via a local attribute service, accessible and understandable within the domain, but not populated or managed according to enterprise guidance. [AATT, 1 July 08]
Policy: Definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions. [WEB]
Policy Decision Point (PDP): A system entity that makes authorization decisions for itself or for other system entities that request such decisions. [SAML]
Policy Decision: An authorization decision accomplished by applying an entity’s attributes and entitlements against the PP of the PR. [AATT]
Policy Enforcement Point (PEP): A system entity that requests and subsequently enforces authorization decisions. Typically the PEP is located on the server hosting the PR. [SAML]
Principal: A system entity whose identity can be authenticated. [SAML]
Principal Identifier: A representation of a principal’s identity, typically an identifier. [SAML]
Protected Resource (PR): An information resource that is being protected by a Policy Enforcement Point. [AATT]
Protection Policy (PP): A set of access control logic that represents the data owner’s requirements for access to the protected data or service. [AATT]
Proxy:
o An entity authorized to act for another. [SAML]
o Software agent that performs a function or operation on behalf of another application or system while hiding the details involved. [CNSSI-4009]
Relying Party (RP):
o A system entity that uses the SAML protocol to request services from another system entity (a SAML authority, a responder). [SAML]
o A system entity that decides to take action based on information from another system entity. [AATT, 24 June 08]
Requester, SAML Requester: A system entity that uses the SAML protocol to request services from another system entity (a SAML authority, a responder). [SAML]
Resource:
o An IS
o An application
o Data contained in an IS or
o A service provided by a system. [AATT]
Responder, SAML Responder: A system entity that uses the SAML protocol to respond to a request for services from another system entity (a requester). [SAML]
SAML Attribute Assertion: An assertion that contains an Intelligence Community set of approved, shareable user authorization attributes associated with a specific subject of a received query that is in a specific SAML construct and is generated by the AP. [AATT]
SAML Authority: An abstract system entity in the SAML domain model that issues assertions. [SAML]
Security Domain: An environment or context that is defined by security models and security architecture, including a set of resources and set of system entities that are authorized to access the resources. One or more security domains may reside in a single administrative domain. [SAML]
Security Policy: A set of rules and practices that specify or regulate how a system or organization provides security services to protect resources. [RFC 2828]
Service: A mechanism to enable access to one or more capabilities. [AATT]
Session: A lasting interaction between system entities, often involving a user, typified by the maintenance of some state of the interaction for the duration of the interaction. [SAML]
Source of Record: A Data Asset that satisfies the following business rule: the data contained within it is designated by the owning organization as having been generated by policy compliant business processes that ensures its integrity. [FEA]
Source of Reference: A Data Asset containing data that may replicate the data from a data source of record. [AATT]
Subject:
o A system entity that causes information to flow among objects or changes the system state. [RFC 2828]
o An individual, process, or device causing information to flow among objects or change to the system state. [CNSSI-4009]
System Entity: An active element of a system that incorporates a specific set of capabilities. [RFC 2828]
System of Records Notice (SORN): Notice of Establishment of a New System of Records, published in the United States Federal Register, which is the official daily publication for rules, proposed rules, and notices of Federal agencies and organizations, as well as executive orders and other presidential documents. Notice is required by the Privacy Act of 1974. [5 U.S.C. § 552a]
User:
o A person, organization entity, or automated process that accesses a system, whether authorized to do so or not. [RFC 2828]
o Individual or process authorized to access an IS. [CNSSI-4009] or
o (PKI) Individual defined, registered, and bound to a public key structure by a certification authority. [CNSSI-4009]
Sources:

AATT – Authorization and Attribute Services Tiger Team

CNSSI-4009 – CNSSI 4009, The National Information Assurance Glossary
http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf

DoD – DoD Net-Centric Data Strategy

ESM – Enterprise Security Management terms extracted from the GIG IA Architecture, and map back to the DoD Joint Capabilities Documents.

FEA – The Federal Enterprise Architecture - Data Reference Model (FEA-DRM) Version 2.0 dated November 17, 2005

ICAS – ICAS Concept of Operations

PP – Protection Profile
http://niap.bahialab.com/cc-scheme/pp/pp.cfm/id/pp_authsrv_br_v1.1/

RFC 2828 – IETF RFC 2828 – Internet Security Glossary

SAML – SAML Glossary: http://docs.oasis-open.org/security/saml/v2.0/saml-glossary-2.0-os.pdf

WEB – Webster’s Online Dictionary - http://www.merriam-webster.com/dictionary

5 U.S.C. § 552a – The Privacy Act of 1974: http://www.usdoj.gov/oip/privstat.htm