Authorization and attributes glossary

NIST
Authorization & Attributes Glossary
Version 16, 7 October 2008

Glossary of Terms (1)

Access:
  o Opportunity to make use of an information system (IS) resource. [CNSSI-4009]
  o To interact with a system entity to use or gain knowledge of resources. [RFC 2828]
Access Control:
  o Limiting access to IS resources only to authorized users, programs, processes, or other systems. [CNSSI-4009]
  o The process of regulating access to resources by reference to a security policy. [RFC 2828]
Access Control List (ACL):
  o Mechanism implementing discretionary and/or mandatory access control between subjects and objects. [CNSSI-4009]
  o A mechanism that implements access control for a resource by enumerating the identities of the system entities that are permitted to access the resource. [RFC 2828]
Access Rights: A description of the type of authorized interactions a subject can have with a resource. Examples include read, write, execute, add, modify, and delete. [SAML]
Administrative Domain: An environment or context that is defined by some combination of one or more administrative policies. An administrative domain may contain or define one or more security domains. [SAML]
Asserting Party (AP):
  o The administrative domain that produces assertions. [SAML]
  o A system entity that provides information to another system entity that relies on that information for action. [AATT, 24 June 08]
Assertion: A piece of information produced from an authoritative source that provides information about the state or properties of a subject or resource. [SAML]
Attribute: A distinct characteristic of an object. [SAML]
Attribute Authority: A system entity that produces attribute assertions. [SAML]
Attribute Assertion: An assertion that conveys information about attributes of a subject. [SAML]
Attribute-Based Access Control (ABAC): A policy-based access control solution that uses attributes assigned to subjects, resources or the environment to enable access to resources and controlled information sharing. ABAC could be used for access to either local or enterprise services. [AATT]

(1) This Glossary is a living document. As attributes are used in operation, there will likely be additions and changes. For the latest version, please see one of the following web sites: DKO [https://www.us.army.mil/], JWICS [http://www.intelink.ic.gov/wiki/IC_Authorization_and_Attribute_Services_Tiger_Team], Intelink-U [https://www.intelink.gov/wiki/Authorization_and_Attribute_Tiger_Team]
Attribute Management: The act of dynamically creating, maintaining, disseminating, and revoking IA attributes (e.g., clearances, citizenship, location, biometrics, group memberships, and work roles), which are assigned and bound to subjects. These attributes are a critical component of any resource access decision made in conjunction with resource metadata and in accordance with constraints imposed by digital policy. This paradigm is a shift from the static, identity/group-based privilege model commonly implemented through ACLs. Privilege Management occurs in a federated manner and is closely coordinated with IA Metadata and Digital Policy Management. [ESM]
Attribute Service: A service that provides a common access point to accurate and current attributes obtained from one or more Authoritative Attribute Sources. [AATT, 13 May 08]
Authenticate: To verify the identity of a user, user device, or other entity, or the integrity of data stored, transmitted, or otherwise exposed to unauthorized modification in an IS, or to establish the validity of a transmission. [CNSSI-4009]
Authentication:
  o Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information. [CNSSI-4009]
  o Security measure that verifies a claimed identity. [PP]
Authoritative Attribute Source: The official source that originates and maintains the attributes of entities. [AATT]
Authorization:
  o Access privileges granted to a user, program, or process. [CNSSI-4009]
  o The process of determining whether a subject is allowed to access a particular resource. [SAML]
  o Permission, granted by an entity authorized to do so, to perform functions and access data. [PP]
Authorization Attributes (AAs): Attributes used by the PDP when making an access control decision. [AATT]
Authorization Decision: The result of an act of authorization. [SAML]
Authorization Decision Assertion: An assertion that conveys information about an authorization decision. [SAML]
Authorization Repository: A directory or database that contains the policies, attributes, and entitlements required to make authorization decisions. [AATT]
Authorization Service (AS): The collection of capabilities required to perform assured access control decisions and enforcement. These capabilities are represented by the PDP, PEP, and PP. [AATT]
Basic Enterprise Authorization Attribute: An attribute available via an attribute service that is populated and managed in accordance with enterprise guidance and has a consistent meaning across the DoD/Intelligence Community environment. [AATT, 24 June 08]
Community of Interest (COI): A collaborative group of users who must exchange information in pursuit of their shared goals, interests, missions, or business processes and who therefore must have a shared vocabulary for the information they exchange. [DoD]
Core Enterprise Authorization Attribute: See Basic Enterprise Authorization Attribute. [AATT]
Credential: Data that is used to establish a claimed identity. [SAML]
Data Provider: The agency/internal organization that maintains and secures data objects contained in the agency's data repositories (applications, databases, data warehouses, etc.). [AATT]
Digital Policy: Hierarchical rule sets that control digital resource management, utilization, and protection. [ESM]
Digital Policy Management: The act of dynamically creating, disseminating, and maintaining hierarchical rule sets to control digital resource management, utilization, and protection. This includes identifying and adjudicating conflicts that may occur among existing and new rule sets due to the hierarchical and dynamic nature of policy. Digital policy may define rules for authentication (trusted authorities, criteria for determining authenticity), authorization (access rules, authorized providers), Quality of Protection (QoP), Quality of Service (QoS), transport connectivity, bandwidth allocation and priority, audit, and computer network defense. Digital Policy Management must protect digital policies, allowing only authorized subjects to create, modify, and delegate management of rules. It assures proper implementation and enforcement of rules through interactions with policy engines and policy enforcement mechanisms, and it provisions individual aspects of policy decisions to appropriate IA mechanisms. [ESM]
End User: A system entity (usually a human individual) that makes use of resources for application purposes. [SAML]
Enterprise:
  o A unit of economic organization or activity; especially: a business organization. [WEB]
  o For the purposes of the DoD/Intelligence Community AATT, the enterprise consists of the Intelligence Community, DoD and their partners. [AATT, 24 June 08]
Environment: Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an IS. [CNSSI-4009]
Extended Authorization Attribute: An attribute available via an attribute service that is accessible and understandable across the enterprise but may not be populated or managed according to enterprise guidance. Typically an Extended Authorization Attribute has an agreed-upon meaning and agreed-upon values between two or more organizational entities. [AATT, 1 July 08 and 9 September 08]
Federated: Belonging to a federation. [WEB]
Federation: A union of organizations. [WEB]
Federated Authorization Service (FAS): A collection of individual organization-owned authorization services used within a defined and administered operational environment. [AATT]
Identifier: A representation mapped to a system entity that uniquely refers to it. [SAML]
Identity: A representation (e.g., a string) uniquely identifying an authorized user, which can either be the full or abbreviated name of that user or a pseudonym. [PP]
Identity Management: The act of registering identities and issuing, maintaining, and revoking globally unambiguous, assured identifiers for human and non-human subjects (e.g. individuals, organizations, work roles, COIs, devices, and automated processes). Identity management is performed in a federated manner. Subjects will exchange and must reliably interpret federated identifiers; therefore, identifiers must be defined and communicated according to open standards. Identity Management is fundamentally integrated with Credential Management, the ESM capability where identity proofing is performed. [ESM]
Local Authorization Attribute: An attribute available via a local attribute service, accessible and understandable within the domain, but not populated or managed according to enterprise guidance. [AATT, 1 July 08]
Policy: Definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions. [WEB]
Policy Decision Point (PDP): A system entity that makes authorization decisions for itself or for other system entities that request such decisions. [SAML]
Policy Decision: An authorization decision accomplished by applying an entity's attributes and entitlements against the PP of the PR. [AATT]
Policy Enforcement Point (PEP): A system entity that requests and subsequently enforces authorization decisions. Typically the PEP is located on the server hosting the PR. [SAML]
Principal: A system entity whose identity can be authenticated. [SAML]
Principal Identifier: A representation of a principal's identity, typically an identifier. [SAML]
Protected Resource (PR): An information resource that is being protected by a Policy Enforcement Point. [AATT]
Protection Policy (PP): A set of access control logic that represents the data owner's requirements for access to the protected data or service. [AATT]
Proxy:
  o An entity authorized to act for another. [SAML]
  o Software agent that performs a function or operation on behalf of another application or system while hiding the details involved. [CNSSI-4009]
Relying Party (RP):
  o A system entity that uses the SAML protocol to request services from another system entity (a SAML authority, a responder). [SAML]
  o A system entity that decides to take action based on information from another system entity. [AATT, 24 June 08]
Requester, SAML Requester: A system entity that uses the SAML protocol to request services from another system entity (a SAML authority, a responder). [SAML]
Resource:
  o An IS
  o An application
  o Data contained in an IS, or
  o A service provided by a system. [AATT]
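The PDP, PEP, PP, PR and Attribute Service entries above describe one decision flow: the PEP obtains the subject's attributes, the PDP applies them against the PP of the PR, and the PEP enforces the result. The following Python example is added here to model that flow; it is not part of the glossary or any AATT software, and the attribute names, values and policy fields are assumptions chosen to match the glossary's examples (clearance, citizenship, COI membership). Missing attributes are treated as unsatisfied, so the PDP denies by default.

```python
from dataclasses import dataclass, field

# Constructed sample Attribute Service, standing in for an Authoritative Attribute Source.
ATTRIBUTE_SERVICE = {
    "alice": {"clearance": "SECRET", "citizenship": "USA", "coi": {"ops"}},
    "bob": {"clearance": "CONFIDENTIAL", "citizenship": "USA", "coi": {"ops"}},
    "eve": {"citizenship": "USA"},  # no clearance attribute was ever asserted
}
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass
class ProtectionPolicy:
    """PP: the data owner's requirements for access to the PR (assumed fields)."""
    rights: set                      # access rights the PP allows (read, write, ...)
    citizenship: set                 # acceptable citizenship attribute values
    required_coi: set = field(default_factory=set)

@dataclass
class ProtectedResource:
    """PR: resource metadata plus the PP that governs it."""
    name: str
    classification: str
    policy: ProtectionPolicy

def pdp_decide(attrs, resource, action):
    """PDP: apply the subject's attributes against the PP of the PR. Deny by
    default; an attribute the Attribute Service cannot supply is unsatisfied."""
    pp = resource.policy
    if action not in pp.rights:
        return False, "right not granted by PP"
    if LEVELS.get(attrs.get("clearance"), -1) < LEVELS[resource.classification]:
        return False, "clearance below resource classification"
    if attrs.get("citizenship") not in pp.citizenship:
        return False, "citizenship not permitted"
    if not pp.required_coi <= attrs.get("coi", set()):
        return False, "missing COI membership"
    return True, "permit"

def pep_request(principal, resource, action):
    """PEP: fetch attributes, request a decision from the PDP, enforce it."""
    attrs = ATTRIBUTE_SERVICE.get(principal, {})  # unknown principal -> no attributes
    return pdp_decide(attrs, resource, action)

if __name__ == "__main__":
    pr = ProtectedResource("ops-plan", "SECRET", ProtectionPolicy({"read"}, {"USA"}, {"ops"}))
    for who, act in [("alice", "read"), ("alice", "write"), ("bob", "read"), ("eve", "read")]:
        print(who, act, pep_request(who, pr, act))
```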
Responder, SAML Responder: A system entity that uses the SAML protocol to respond to a request for services from another system entity (a requester). [SAML]
SAML Attribute Assertion: An assertion that contains an Intelligence Community set of approved, shareable user authorization attributes associated with a specific subject of a received query, that is in a specific SAML construct, and that is generated by the AP. [AATT]
SAML Authority: An abstract system entity in the SAML domain model that issues assertions. [SAML]
Security Domain: An environment or context that is defined by security models and security architecture, including a set of resources and a set of system entities that are authorized to access the resources. One or more security domains may reside in a single administrative domain. [SAML]
Security Policy: A set of rules and practices that specify or regulate how a system or organization provides security services to protect resources. [RFC 2828]
Service: A mechanism to enable access to one or more capabilities. [AATT]
Session: A lasting interaction between system entities, often involving a user, typified by the maintenance of some state of the interaction for the duration of the interaction. [SAML]
Source of Record: A Data Asset that satisfies the following business rule: the data contained within it is designated by the owning organization as having been generated by policy-compliant business processes that ensure its integrity. [FEA]
Source of Reference: A Data Asset containing data that may replicate the data from a data source of record. [AATT]
Subject:
  o A system entity that causes information to flow among objects or changes the system state. [RFC 2828]
  o An individual, process, or device causing information to flow among objects or change to the system state. [CNSSI-4009]
System Entity: An active element of a system that incorporates a specific set of capabilities. [RFC 2828]
System of Records Notice (SORN): Notice of Establishment of a New System of Records, published in the United States Federal Register, which is the official daily publication for rules, proposed rules, and notices of Federal agencies and organizations, as well as executive orders and other presidential documents. Notice is required by the Privacy Act of 1974. [5 U.S.C. § 552a]
User:
  o A person, organization entity, or automated process that accesses a system, whether authorized to do so or not. [RFC 2828]
  o Individual or process authorized to access an IS. [CNSSI-4009] or
  o (PKI) Individual defined, registered, and bound to a public key structure by a certification authority. [CNSSI-4009]
Sources:

AATT – Authorization and Attribute Services Tiger Team

CNSSI-4009 – CNSSI 4009, The National Information Assurance Glossary
http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf

DoD – DoD Net-Centric Data Strategy

ESM – Enterprise Security Management terms extracted from the GIG IA Architecture, which map back to the DoD Joint Capabilities Documents.

FEA – The Federal Enterprise Architecture - Data Reference Model (FEA-DRM) Version 2.0, dated November 17, 2005

ICAS – ICAS Concept of Operations

PP – Protection Profile
http://niap.bahialab.com/cc-scheme/pp/pp.cfm/id/pp_authsrv_br_v1.1/

RFC 2828 – IETF RFC 2828 – Internet Security Glossary

SAML – SAML Glossary: http://docs.oasis-open.org/security/saml/v2.0/saml-glossary-2.0-os.pdf

WEB – Webster's Online Dictionary - http://www.merriam-webster.com/dictionary

5 U.S.C. § 552a – The Privacy Act of 1974: http://www.usdoj.gov/oip/privstat.htm