Charles Sturt University


Access - The ability to use a resource or a service. More specifically, the Permissions or Entitlements associated with an Identity.

Access Control - The management and authorisation process of controlling access to Roles, Resources and Services by Identities and Accounts.

Account – An instance of an Identity. An Identity may have multiple Accounts. Usually associated with a single computer application or platform, but also applies to such things as bank accounts, utilities and telephone accounts.

Application - A unit made up of software components that delivers a cohesive unit of functionality, supports one or more business processes, has a fundamental purpose, and is managed as a single 'system'.

Architecture Domain - An area of interest within the organisation that may be strategic, business and/or technology focused.

Assertion - A claim, such as to be a particular Identity or a member of a Group. Usually requires proof via a credential, such as in a user-id and password pair.

Attribute – A type/value pair of information related to an Entity or Identity. It may be shared (eg nationality), or unique (eg DNA). A combination of attributes may be sufficient to satisfy an assertion. Usually a value in an identity repository (directory or database) collected directly or indirectly through registration, enrolment or access control.

Authentication – The process of establishing an Identity to be used in a particular instance, by verifying an assertion (eg claiming to be the owner of a set of credentials).

Authorisation – What the Identity can do, in a given instance, as a result of proving an assertion.

Authoritative Source - The approved source of the data to be shared. The authoritative source is generally an information system/application. The description of an authoritative source includes the application name, the precise specification of the data location or identification element within its structure, and the application custodian. The authoritative source is deemed a reliable and credible source of truth that captures and maintains the particular organisational data in accordance with business rules and operational requirements.

Credential – The private part of a paired Identity assertion (the user-id is usually the public part). The thing(s) that an Entity relies upon in an Assertion at any particular time, usually to authenticate a claimed Identity. Credentials can change over time and may be revoked. Examples include: a signature, a password, a driver's licence number (not the card itself), an ATM card number (not the card itself), data stored on a smart-card (not the card itself), a digital certificate, a biometric template.
There is no need to issue a new credential if an Identity already has one that can be used, is trusted and whose currency can be reconfirmed at each authentication such as an existing account, or a digital certificate from a trusted organisation.

(CSU) Architecture Framework - Identifies the foundation components that have been determined to be relevant in an architecture domain to support the delivery of business capability requirements, ongoing management and development.

Data Custodian - Each master data attribute has a trustee accountable for data quality, availability and security according to relevant University business requirements, policy and legislative compliance. A more detailed description of the responsibilities of a Data Custodian and data governance is currently under review, with a reference link available soon.

Directory [1] – a hierarchical repository used for authentication and/or identity management. Usually based on the X.500 standard and LDAP protocol. A directory may be replicated, partitioned and/or filtered. A ‘virtual’ directory may conjoin data from disparate data stores by containing only pointers to the data, rather than the data itself.
Directory [2] – a list of Identities used for inquiring or searching, usually the by-product of identity management. For example; a staff telephone list or White Pages phone directory.

Enterprise - Any collection of organisations that has a common set of goals.

Enterprise Architecture (EA) - The term "enterprise" in the context of "enterprise architecture" can be used to denote both an entire enterprise - encompassing all of its information and technology services, processes, and infrastructure - and a specific domain within the enterprise. In both cases, the architecture crosses multiple systems, and multiple functional groups within the enterprise.

Entity – anyone (a natural or legal ‘person’) or anything with a separate existence that can be characterised through the dimension of its attributes. Usually requires a cognitive ability, such as human cognition, whereas an Identity doesn't. An Entity may not need an Identity to access a ‘free’ service, but needs at least one Identity to access a restricted service.

Federation – A method of linking together the Identities of an Entity, to provide shared services as a matter of convenience, efficiency and trust.

Federated Identity – A shared Identity and/or authentication, as the result of federation by either the Entity or by two or more organisations. In a federated identity management scenario, an organisation may assume the role of an identity provider, or requestor / service provider, or both - they are not mutually exclusive. An identity provider ‘owns’ the relationship, directly manages end users and is the authoritative source for issuing and validating identities and credentials for a set of users. Identity providers "vouch" for the user identity in a federated interaction with service providers. A service provider does not have a vested business interest in managing the user, but acts as a "relying party" to validate credentials issued by a trusted identity partner. Key standards are SAML, Liberty, WS-Federation, WS-Security and WS-Trust.

Framework - Provides a structure or list of things you need to think about for a specific area of interest.

Group – A set of one or more Identities that can be authorised under one Rule. An Identity may belong to zero, one or more groups. Grouping is usually done for ease of management.

Identification – The process of establishing an Entity, rather than an Identity.

Identity [1] - the established relationship between an Entity and a particular Registration (eg a registered user's EOI details). An Entity can have multiple Identities, usually one per Registration. An Identity may have multiple Accounts, usually one per environment or platform.
Identity [2] - an instance of an Entity. A user (username and password), an account.
Identity [3][lesser usage] - the identifier (username, customer number) used as a means of identifying an Entity. If this usage is adopted, then ‘Digital Identity’ is the term to be used to mean the relationship between an Entity and a particular Registration, or the instance of an Entity (ie Identity [1] or [2] above). But this is regarded as a clumsy invocation that does not add to understanding or communication.

Identity Management – Formal standardised enterprise-wide or community-wide processes for managing multitudes of Identities.

Master Data - Data that is shared across the organisation to support the daily operational and strategic activities of the University. The classification and description of master data identifies the authoritative source of truth and allows for appropriate sharing across the organisation.

Master Data Catalogue - A detailed description of master data to support the ability to accurately select and access required data. Also referred to as Master Data Definitions.

Master Data Domains - Used to describe an area of activity within the organisation that contains related business processes, eg. Student Administration Domain. Master data is classified as belonging to a particular master data domain to assist understanding and context of data.

Master Data Repository (MDR) - A database that stores master data. The available data is described in the Master Data Catalogue. The database is populated with data extracted from the applications that are the authoritative source for master data. Applications that need access to master data obtain it from this repository.

Methodology - Describes a set of actions used to deliver outcomes in a particular area of work.

Principle - General rules and guidelines, intended to be enduring and seldom amended, that inform and support the way in which an organisation sets about fulfilling its mission.

Provisioning – The automatic granting to an Identity of access to a role, resource or service, or the automatic changing or removal of that access, based on life-cycle events, work requests or changed attributes.

Registration – The process of an entity (re)establishing an Identity with a service provider. For example: a bank's 100-point check, an employment background check, an RA process for generating a Digital Certificate. Usually results in the issuing of a Credential that is associated with the Identity. Registration strength also has a 'time value', in that recent registrations may provide a greater assurance than old registrations (re-registration will uncover any errors, expiries and changes).

Role – The dynamic or logical associations, privileges or capabilities applying to multiple Identities, based on a set of one or more current Attributes. A role may have multiple identities, and an identity may have multiple roles.
Roles are a pre-packaging of resources and services. If the role names (or descriptions) are based on one or more attributes directly related to the roles of an identity (e.g. a position title, location, function), this enables dynamic role provisioning as a by-product of existing business processes - for example LAN access, email, building access. If the role names are not based on identity attributes (e.g. a particular software package, internet access), they are static roles that are provisioned on a discretionary basis (i.e. an identity must request them in addition to the dynamic roles). The assignment of access rights may be permanent or temporary, and may be valid only for a single session.
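The distinction between attribute-derived (dynamic) roles and requested (static) roles, together with the automatic grant/revoke behaviour described under Provisioning, as an added Python example. This code is not part of the glossary or of any CSU system; the role names, attribute keys, rules and the 30-day temporary grant are constructed for illustration only.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set

# Dynamic roles: derived from current identity attributes by a rule.
# Role names and attribute keys below are constructed for this example.
DYNAMIC_ROLE_RULES: Dict[str, Callable[[dict], bool]] = {
    "lan-access":      lambda a: a.get("category") in {"staff", "student"},
    "staff-email":     lambda a: a.get("category") == "staff",
    "building-access": lambda a: a.get("category") == "staff"
                                 and a.get("location") == "Bathurst",
    "payroll-ops":     lambda a: a.get("function") == "payroll",
}

# Static roles: not derivable from attributes, so an identity must request
# them and they are granted at the organisation's discretion.
STATIC_ROLES: Set[str] = {"stats-package", "internet-access"}


@dataclass
class StaticGrant:
    role: str
    expires: Optional[datetime]   # None means permanent; otherwise temporary


@dataclass
class Identity:
    identifier: str
    attributes: dict
    static_grants: List[StaticGrant] = field(default_factory=list)
    provisioned: Set[str] = field(default_factory=set)  # access currently held


def dynamic_roles(attributes: dict) -> Set[str]:
    """Roles that follow from the attributes alone (no request needed)."""
    return {role for role, rule in DYNAMIC_ROLE_RULES.items() if rule(attributes)}


def grant_static_role(identity: Identity, role: str,
                      duration: Optional[timedelta] = None,
                      now: Optional[datetime] = None) -> None:
    """Record an approved request for a static role, optionally time-limited."""
    if role not in STATIC_ROLES:
        raise ValueError(f"{role!r} is not a requestable static role")
    now = now or datetime.now(timezone.utc)
    identity.static_grants.append(StaticGrant(role, now + duration if duration else None))


def effective_roles(identity: Identity, now: Optional[datetime] = None) -> Set[str]:
    """Dynamic roles plus any static grants that have not expired."""
    now = now or datetime.now(timezone.utc)
    live_static = {g.role for g in identity.static_grants
                   if g.expires is None or g.expires > now}
    return dynamic_roles(identity.attributes) | live_static


def reconcile(identity: Identity, now: Optional[datetime] = None):
    """Provisioning step: compare held access with entitled access and return
    (roles to grant, roles to revoke). Revocation happens automatically when an
    attribute changes or a temporary grant lapses; no request is needed."""
    target = effective_roles(identity, now)
    grant = target - identity.provisioned
    revoke = identity.provisioned - target
    identity.provisioned = set(target)
    return grant, revoke


if __name__ == "__main__":
    # Constructed sample identity: a payroll staff member at Bathurst.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    person = Identity("u0001", {"category": "staff", "location": "Bathurst",
                                "function": "payroll"})
    print("initial:", reconcile(person, t0))
    # Attribute change from the HR process: transfer and new function.
    person.attributes.update({"location": "Wagga Wagga", "function": "teaching"})
    print("after transfer:", reconcile(person, t0))
    # Discretionary, temporary static role.
    grant_static_role(person, "stats-package", timedelta(days=30), t0)
    print("after request:", reconcile(person, t0))
    print("31 days later:", reconcile(person, t0 + timedelta(days=31)))
```

The reconcile step is where least privilege is enforced: every run recomputes entitlement from the attributes and the live grants, so access that no longer follows from an identity's current attributes is revoked as a by-product of the HR change rather than waiting for someone to notice it.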

Same Sign-on – The process whereby infrastructure presents the same authentication credentials (or some other predetermined information or token) to a subsequent application, without the user re-entering them, or even being aware of it. This enables third-party packaged applications that have their own built-in authentication, which cannot be detached, to behave as though they are participating in a Single Sign-on solution.

Single Sign-On - once-only assertion / authentication per session, per credential.

Standard - A written definition, limit, or rule, approved and monitored for compliance by an authoritative agency or professional or recognised body as a minimum acceptable benchmark.

Token – A thing, a device, a physical item or software used to store attributes and credentials. For example: a driver's licence, a birth certificate, a door key, a plastic card, a smart-card, an OTP calculator, a digital certificate.

WebMethods - Also known as middleware, this is the software that manages the passing of data into and out of the Master Data Repository (MDR). It is the system that provides the ability to share master data out to applications. It provides a number of ways data can be shared, as described within the IT Data Integration Standard.