Previous section.

Authorization (AZN) API
Copyright © 2000 The Open Group

Glossary

Access control

The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner (ISO 7498-2).

Access request

the operations and operands that form part of an attempted access (ISO 10181-3).

ACI

Any information used for access control purposes, including contextual information (ISO 10181-3).

ADF

A specialized function that makes access control decisions by applying access control policy rules to an access request, ADI (of initiators, targets, access requests, or that retained from prior decisions), and the context in which the access request is made (ISO 10181-3).

ADI

The portion (possibly all) of the ACI made available to the ADF in making a particular access control decision (ISO 10181-3).

AEF

A specialized function that is part of the access path between an initiator and a target on each access control request and enforces the decision made by the ADF (ISO 10181-3).

Attribute list

A data structure through which applications and aznAPI implementations can exchange lists of name-value pairs.

Audit id

An identity attribute containing an identity used only for accountability purposes (ECMA 219).

Authentication

The process of verifying an identity claimed by or for a system entity.

Authority

An identified computer-based entity which implements a security service (e.g. creation of PACs).

Authorization

The granting of access rights to a subject (for example, a user, or program).

Buffer

A data structure through which applications and aznAPI implementations can exchange opaque data.

Capability

A token that gives its holder the right to access a system resource. Possession of the token is accepted by the access control mechanism as proof that the holder has been authorized to access the resource named or indicated by the token.

Clearance

Initiator-bound ACI that can be compared with security labels of targets (ISO 10181-3).

Context

Information about or derived from the context in which an access request is made (e.g. time of day). This is identical to the ISO 10181-3 definition of "contextual information", with which term this specification uses "context" interchangeably).

Credential handle

A handle to a credentials chain.

Credentials chain

A structure maintained by an aznAPI implementation which contains its internal representation of an initiator's privilege attributes.

Combined creds chain

A credentials chain consisting of an ordered list of elements. Each element in the ordered list represents the privilege attributes of a subject which initiated or passed on an access request. The first element in the ordered list is the credentials chain of the initiator of the access request. The remaining elements in the ordered list are a sequence of (zero or more) credentials chains belonging to intermediaries through which the initiator's access request has passed.

Decision

The response of an ADF to a decision request.

Decision request

The message an AEF sends to an ADF to ask it whether a particular access request should be granted or denied.

Entitlement

A data structure containing ADI and/or access control policy rule information in a form which can be used by applications to customize their behavior based on access control policy or to make access control decisions in their own code.

Identity

Initiator ACI passed to the aznAPI. This specification uses the term to describe anything used as initiator ACI, including names, identity certificates, and capabilities. Note that this usage is unique to this specification and should not be confused with other uses of the term "identity" in other systems.

Initiator

An entity (e.g. human user or computer-based entity) that attempts to access other entities (ISO 10181-3).

Intermediary

An entity which, after receiving an access request from an initiator, issues another access request on that initiator's behalf.

Label

A marking that is bound to a protected resource and that names or designates the security-relevant attributes of that resource (derived from the ISO 7498-2 definition).

Operation

The action that an initiator's access request asks to have performed on a protected resource.

PAC

A data structure containing privilege attributes. May be signed by the authority which generated it.

Privilege attribute

An attribute associated with an initiator that, when matched against control attributes of a protected resource is used to grant or deny access to that protected resource (derived from ECMA TR/46 definition).

Protected resource

A target, access to which is restricted by an access control policy.

Target

An entity to which access may be attempted (ISO 10181-3).
Why not acquire a nicely bound hard copy?
Click here to return to the publication details or order a copy of this publication.

Contents Index