Term | Abbreviation | Description
--- | --- | ---
Action | | An operation that a subject performs on a resource, e.g. read or write.
Attribute | | A property of an object, expressed as a type/value pair, e.g. type=Name, value=John Doe.
Attribute Authority | AA | A trusted authority that assigns privileges (typically roles) to users by issuing Attribute Certificates. The SOA normally also acts as an AA.
Attribute Certificate | AC | A set of attributes certified (digitally signed) by an AA as belonging to a particular object. As an analogy, if a PKC corresponds to a passport, an AC corresponds to a visa.
Attribute Certificate Revocation List | ACRL | A signed list of ACs that an AA has revoked before their expiry; the counterpart of a CRL in a PKI.
Authorization Decision | | The result of evaluating the applicable policy, returned by the PDP to the PEP: one of "Permit", "Deny", "Indeterminate" (the policy could not be evaluated) or "NotApplicable" (no policy applies), optionally together with a set of obligations.
Certification Authority | CA | The authority in a PKI that issues (signs) public key certificates.
Credential Validation Service | CVS | The component that validates a subject's credentials (ACs): it checks that each AC is correctly signed, unexpired and not revoked, and decides according to the delegation policy whether the issuing AA was entitled to allocate the privileges it contains.
Credentials | | Certified attributes (ACs) that a holder presents to prove its privileges; in particular, what an AA needs from the SOA to be able to issue ACs.
Decision Request | | The request by a PEP to a PDP to render an authorization decision for a given subject, action and target.
Obligation | | An operation specified in a policy that the PEP must perform in conjunction with enforcing an authorization decision (e.g. logging the access). A PEP that cannot fulfil the obligations attached to a Permit decision must not grant access.
Policy | | A set of rules, an identifier for the rule-combining algorithm (e.g. deny-overrides) and optionally a set of obligations. May be a component of a policy set.
Policy Decision Point | PDP | The part of the Privilege Verification Subsystem (PVS) that evaluates the applicable policy and renders an authorization decision.
Policy Enforcement Point | PEP | The part of the Privilege Verification Subsystem (PVS) that performs access control by making decision requests and enforcing the resulting authorization decisions.
Privilege Management Infrastructure | PMI | The infrastructure (SOA, AAs, ACs and ACRLs) that supports authorization, in the same way that a PKI supports authentication.
Privilege Verification Subsystem | PVS | The decision engine, consisting of the PEP and the PDP.
Public Key Certificate | PKC | An electronic document that binds a public key to an identity by means of a CA's digital signature. As an analogy, if an AC corresponds to a visa, a PKC corresponds to a passport.
Public Key Infrastructure | PKI | The infrastructure that binds public keys to the identities of their holders by means of certificates issued by a CA.
Role Based Access Control | RBAC | A model for controlling access to resources in which the permitted actions on resources are associated with roles rather than with individual subject identities.
Resource | | Data, a service or a system component.
Role | | A type of attribute typically used to signify the position someone holds in an organisation.
Source of Authority | SOA | The root of trust of a PMI; it issues ACs and may delegate to subordinate AAs.
Subject | | An actor that wants to perform an action on a target.
Target | | A resource on which a subject tries to perform an action.
X.500 | | A series of ITU-T standards for electronic directory services. LDAP is a lightweight protocol for accessing X.500-style directories.
X.509 | | The X.500 standard that defines the public key certificate and attribute certificate frameworks on which PKI and PMI are built.
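The following is an added example, not code from the source of this glossary, showing how the terms above fit together as one access-control flow: an SOA and a subordinate AA issue ACs; a CVS validates signatures, expiry, the ACRL and the delegation policy; a PDP evaluates a rule set with deny-overrides combining and attaches obligations; and a PEP enforces the decision, failing closed on anything but a Permit whose obligations it can discharge. All keys, names, serials and policy rules are constructed for illustration, and HMAC stands in for the authorities' digital signatures so the model runs with the Python standard library alone (a real PMI uses X.509-signed ACs).

```python
import hashlib
import hmac
import json

# Constructed authorities. HMAC stands in for each authority's digital signature
# so the model runs with the standard library alone; a real PMI uses X.509 signatures.
AUTHORITY_KEYS = {"SOA": b"soa-signing-key", "HR-AA": b"hr-aa-signing-key"}

# Delegation policy the CVS enforces: which roles each authority may assign.
# The SOA is the root of trust; HR-AA holds a narrower delegated privilege.
DELEGATION_POLICY = {"SOA": {"Manager", "Employee"}, "HR-AA": {"Employee"}}

ACRL = {("SOA", 3)}  # (issuer, serial) of revoked ACs

# Policy the PDP evaluates: rules, deny-overrides combining, obligations on Permit.
POLICY = {
    "rules": [
        {"effect": "Permit", "role": "Manager", "action": "read", "target": "payroll"},
        {"effect": "Permit", "role": "Employee", "action": "read", "target": "handbook"},
        {"effect": "Deny", "role": "Employee", "action": "write", "target": "payroll"},
    ],
    "obligations": {"Permit": ["log-access"]},
}

def _canonical(body):
    return json.dumps(body, sort_keys=True).encode()

def issue_ac(issuer, holder, roles, not_after, serial):
    """An AA (or the SOA) certifies that holder has roles by signing the AC body."""
    body = {"issuer": issuer, "holder": holder, "roles": sorted(roles),
            "not_after": not_after, "serial": serial}
    sig = hmac.new(AUTHORITY_KEYS[issuer], _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}

def signature_valid(ac):
    key = AUTHORITY_KEYS.get(ac["issuer"])
    if key is None:
        return False
    body = {k: v for k, v in ac.items() if k != "sig"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ac["sig"])

def validate_credentials(subject, acs, now):
    """CVS: roles the subject validly holds. An AC counts only if it is correctly signed,
    names this holder, is unexpired, is not on the ACRL, and its issuer was entitled
    under the delegation policy to assign each role."""
    roles = set()
    for ac in acs:
        if ac["holder"] != subject or not signature_valid(ac):
            continue
        if ac["not_after"] < now or (ac["issuer"], ac["serial"]) in ACRL:
            continue
        roles |= set(ac["roles"]) & DELEGATION_POLICY.get(ac["issuer"], set())
    return roles

def pdp_decide(request, roles, policy=POLICY):
    """PDP: evaluate the policy for a decision request; returns (decision, obligations)."""
    if not {"action", "target"} <= request.keys():
        return "Indeterminate", []  # malformed request, cannot be evaluated
    effects = [r["effect"] for r in policy["rules"]
               if r["role"] in roles and r["action"] == request["action"]
               and r["target"] == request["target"]]
    if "Deny" in effects:  # deny-overrides rule combining
        decision = "Deny"
    elif "Permit" in effects:
        decision = "Permit"
    else:
        decision = "NotApplicable"
    return decision, list(policy["obligations"].get(decision, []))

def pep_enforce(subject, action, target, acs, now, audit_log):
    """PEP: consult CVS and PDP, then enforce. Only a Permit whose obligations are all
    discharged grants access; Deny, Indeterminate and NotApplicable fail closed."""
    roles = validate_credentials(subject, acs, now)
    request = {"subject": subject, "action": action, "target": target}
    decision, obligations = pdp_decide(request, roles)
    if decision != "Permit":
        return False
    for obligation in obligations:
        if obligation != "log-access":
            return False  # an obligation the PEP cannot discharge means no access
        audit_log.append(f"{subject} {action} {target}")
    return True

def demo(now=1_700_000_000):
    """Constructed scenario; returns the outcome of each case."""
    alice = issue_ac("SOA", "alice", {"Manager"}, now + 3600, serial=1)
    bob = issue_ac("HR-AA", "bob", {"Employee"}, now + 3600, serial=2)
    bob_over = issue_ac("HR-AA", "bob", {"Manager"}, now + 3600, serial=3)  # exceeds HR-AA's delegation
    carol = issue_ac("SOA", "carol", {"Manager"}, now + 3600, serial=3)  # revoked on the ACRL
    dave = issue_ac("SOA", "dave", {"Manager"}, now - 1, serial=4)  # expired
    eve = dict(alice, holder="eve")  # tampered copy: signature no longer verifies
    audit = []
    return {
        "alice_reads_payroll": pep_enforce("alice", "read", "payroll", [alice], now, audit),
        "bob_reads_handbook": pep_enforce("bob", "read", "handbook", [bob], now, audit),
        "bob_reads_payroll": pep_enforce("bob", "read", "payroll", [bob, bob_over], now, audit),
        "carol_reads_payroll": pep_enforce("carol", "read", "payroll", [carol], now, audit),
        "dave_reads_payroll": pep_enforce("dave", "read", "payroll", [dave], now, audit),
        "eve_reads_payroll": pep_enforce("eve", "read", "payroll", [eve], now, audit),
        "audit": audit,
    }
```

The point of the delegation check in the CVS is that an AC is not trusted merely because its signature verifies: HR-AA's attempt to hand Bob the Manager role is silently discarded because the delegation policy never gave HR-AA that privilege, so only the SOA (or an AA it has delegated to) can confer it. The PEP treats every non-Permit result identically, which is the fail-closed behaviour a practitioner should expect from a PVS.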