# Canonical Glossary Status: draft. These definitions are initial candidate canon terms. They are intended to be challenged by source-note backfill and scenario testing. ## Actor An entity that can participate in relationships, hold or control accounts, be represented by another actor, or be projected into downstream systems. Includes: natural persons, organizations, communities, families, service accounts, bots, and AI agents. Excludes: raw identifiers, credentials, claims, and profiles unless they are being represented as records about an actor. ## Natural Person A human being. A natural person may have many accounts, profiles, identifiers, credentials, personas, and relationships. Excludes: account records, social profiles, legal entities, and artificial agents. ## Artificial Agent A non-human actor that performs actions under software, automation, or delegated control. Includes: bots, service agents, workloads, and AI agents. ## Collective Actor An actor composed of or associated with multiple actors. Includes: organizations, communities, families, households, groups, and teams when they can participate in relationships or be represented. ## Account An operational record in a scope that enables access, login, administration, or system participation. Includes: human login accounts and service accounts. Excludes: natural persons, billing accounts, profiles, credentials, and authorization principals unless a source uses account in that narrower context. ## Service Account An account intended for software, workload, bot, or automation access rather than ordinary human interactive use. ## Identity Record A record that describes, binds, or organizes information about an actor within a source or scope. Identity Record is deliberately narrower than bare `identity`; it is a record, not selfhood, not proof material, and not necessarily a login account. ## Identifier A value or reference used to distinguish or refer to something within a scope. Examples: username, email address, LDAP DN, OIDC subject, SAML NameID, DID, employee number, external source ID. ## Scoped Identifier An identifier whose meaning is intentionally limited to a relying party, sector, tenant, realm, application, namespace, or other scope. ## Credential Evidence or secret material used to prove control, entitlement, or a claim. Examples: password, passkey, certificate, hardware token, verifiable credential, recovery code, signed assertion. ## Claim A statement made by an issuer or source about an actor, account, identifier, relationship, or attribute. ## Authenticated Subject The protocol-level representation of an entity after an issuer or identity provider identifies it for a relying party. Examples: OIDC subject, SAML subject. ## Authorization Principal The entity considered by an authorization system when evaluating whether an action is allowed. ## Profile A presentation or attribute surface for an actor or account in a scope. Examples: public social profile, local application profile, directory profile. ## Persona A deliberate contextual presentation of an actor, often used to separate roles, audiences, privacy boundaries, or pseudonymous participation. ## Scope A boundary within which identifiers, meanings, relationships, accounts, policies, or lifecycle states are valid. Examples: tenant, realm, relying party, namespace, application, community, authorization domain. ## Tenant An administrative or isolation scope for a system, service, platform, or application. A tenant may be associated with an organization, customer, vendor, or community, but it is not automatically identical to any of them. ## Realm An issuer, security, or administrative namespace used by an identity system. Candidate status: treat Realm as a Scope specialization unless source analysis shows it needs a separate canonical role. ## Organization A collective actor with operational, social, administrative, or structural continuity. Excludes: tenant, customer, and legal entity unless those meanings are modeled as separate relationships or specializations. ## Legal Entity An organization or other actor recognized by a legal system. ## Customer An actor in a commercial or service-consumption relationship. Customer is a relationship role, not automatically a tenant or organization. ## Vendor An actor in a service-provider relationship. Vendor is a relationship role, not automatically a tenant or organization. ## Community A collective actor formed around participation, affiliation, identity, interest, moderation, or social interaction. ## Family Or Household A collective actor or relationship network involving family, guardian, dependent, household, or care relationships. This concept is privacy-sensitive and may have legal implications outside the canon's scope. ## Group A named collection of actors or accounts in a scope. Group membership may have authorization implications, but a group is not the same concept as a role, community, team, or organization. ## Role A named capability bundle, responsibility, or relationship label within a scope. Roles may be assigned through memberships or relationships, but role is not identical to group. ## Relationship A typed, scoped assertion connecting one actor, account, identifier, group, or other model element to another. Recommended fields: source, target, type, scope, evidence, issuer or source, confidence when relevant, lifecycle state, and authorization implications. ## Membership Relationship A relationship indicating that an actor or account belongs to, participates in, or is accepted by a collective actor or scope. ## Affiliation Relationship A relationship indicating association without necessarily implying membership, control, employment, or authorization. ## Following Relationship A directed social relationship where one actor subscribes to, follows, or observes another actor or profile. ## Representation Relationship A relationship where one actor acts or speaks on behalf of another actor within a scope. ## Delegation Relationship A relationship where one actor grants bounded authority to another actor. ## Administration Relationship A relationship where one actor has management authority over accounts, relationships, policies, or configuration in a scope. ## Trust Relationship A relationship where one actor, issuer, verifier, system, or scope relies on another for claims, identifiers, credentials, or decisions. ## Synonymity Assertion A scoped, evidenced assertion that two or more identifiers, records, accounts, profiles, or actors refer to the same target for a stated purpose. Synonymity assertions may be weak, strong, verified, inferred, revoked, privacy-limited, or source-specific. ## Evidence Source A source, document, event, issuer, import, observation, or verification process supporting a claim, relationship, or synonymity assertion. ## Lifecycle State The current state of a record, account, relationship, credential, claim, or assertion. Examples: proposed, active, suspended, revoked, expired, archived, deleted, superseded. ## Non-Canonical Convenience Term: User `User` may be used in prose when quoting or mapping external systems, but it should not be a canonical root concept. Resolve it to a specific canonical concept before using it in model definitions.