Previous section.
Authorization (AZN) API
Copyright © 2000 The Open Group
Glossary
Access control
The prevention of unauthorized use of a resource, including the
prevention of use of a resource in an unauthorized manner (ISO 7498-2).
Access request
the operations and operands that form part of an attempted access
(ISO 10181-3).
ACI
Any information used for access control purposes, including contextual
information (ISO 10181-3).
ADF
A specialized function that makes access control decisions
by applying access control
policy rules to an access request, ADI (of initiators, targets,
access requests, or that retained from
prior decisions), and the context in which the access request is
made (ISO 10181-3).
ADI
The portion (possibly all) of the ACI made available to the ADF in making
a particular access control decision (ISO 10181-3).
AEF
A specialized function that is part of the access path between an initiator
and a target on
each access control request and enforces the decision made by the
ADF (ISO 10181-3).
Attribute list
A data structure through which applications and aznAPI implementations
can exchange lists of name-value pairs.
Audit id
An identity attribute containing an identity used only for accountability
purposes (ECMA 219).
Authentication
The process of verifying an identity claimed by or for a system entity.
Authority
An identified computer-based entity which implements a security service
(e.g. creation of PACs).
Authorization
The granting of access rights to a subject (for example, a user, or program).
Buffer
A data structure through which applications and aznAPI implementations
can exchange opaque data.
Capability
A token that gives its holder the right to access a system resource.
Possession of the token is accepted by the access control mechanism
as proof that the holder has been authorized to
access the resource named or indicated by the token.
Clearance
Initiator-bound ACI that can be compared with security labels of targets
(ISO 10181-3).
Context
Information about or derived from the context in which an access
request is made (e.g. time of day). This is identical to the
ISO 10181-3 definition of "contextual information", with
which term this specification uses "context" interchangeably).
Credential handle
A handle to a credentials chain.
Credentials chain
A structure maintained by an aznAPI implementation which contains its
internal representation of an initiator's privilege attributes.
Combined creds chain
A credentials chain consisting of an ordered list of elements. Each
element in the ordered list represents the privilege attributes
of a subject which initiated or passed
on an access request. The first element in the ordered list is
the credentials chain of the initiator of
the access request. The remaining elements in the ordered list
are a sequence of (zero or more) credentials chains belonging
to intermediaries through which the initiator's access request has
passed.
Decision
The response of an ADF to a decision request.
Decision request
The message an AEF sends to an ADF to ask it whether a particular access
request should be granted or denied.
Entitlement
A data structure containing ADI and/or access control policy rule
information in a form which can be used by applications to customize
their behavior based on access control policy
or to make access control decisions in their own code.
Identity
Initiator ACI passed to the aznAPI. This specification uses the term
to describe anything used as initiator ACI, including names,
identity certificates, and capabilities. Note that
this usage is unique to this specification and should not be
confused with other uses of the term "identity" in other systems.
Initiator
An entity (e.g. human user or computer-based entity) that attempts
to access other entities (ISO 10181-3).
Intermediary
An entity which, after receiving an access request from an initiator,
issues another access request on that initiator's behalf.
Label
A marking that is bound to a protected resource and that names or
designates the security-relevant attributes of that resource
(derived from the ISO 7498-2 definition).
Operation
The action that an initiator's access request asks to have performed
on a protected resource.
PAC
A data structure containing privilege attributes. May be signed by
the authority which generated it.
Privilege attribute
An attribute associated with an initiator that, when matched
against control attributes of a protected resource is used to grant
or deny access to that protected resource (derived
from ECMA TR/46 definition).
Protected resource
A target, access to which is restricted by an access control policy.
Target
An entity to which access may be attempted (ISO 10181-3).
Why not acquire a nicely bound hard copy?
Click here to return to the publication details or order a copy
of this publication.