# Terminology Inventory

Status: draft.

This inventory is seeded from `ResearchProposal.md`, `INTENT.md`, and the current research corpus index. Mappings are candidate canonical mappings until the individual source notes have been backfilled with real source summaries.

## Use

Use this file to collect source terms and their current candidate canonical home. Use `terminology/TerminologyConflictMap.md` when a term is overloaded or has incompatible meanings across source families.

## Inventory

| Term | Candidate canonical concept | Source families | Notes |
| --- | --- | --- | --- |
| actor | Actor | authorization, social graphs, proposal | Participation root for anything that can act or be acted for. |
| natural person | Natural Person | identity assurance, social graphs | Human being; never identical to an account or profile. |
| user | Convenience label only | SCIM, products, applications | Overloaded; map to Account, Actor, Subject, or Profile by context. |
| account | Account | SCIM, LDAP, IAM products | Operational record that enables access in a scope. |
| identity | Identity Record or Identity Claim | IAM, federation, DID, VC | Avoid as root noun; clarify whether record, claim, identifier, or social identity is meant. |
| identifier | Identifier | OIDC, SAML, DID, directories | A value or reference used to distinguish something in a scope. |
| credential | Credential | authentication, VC, DID | Evidence or secret material used to prove control, entitlement, or claim. |
| subject | Authenticated Subject | OIDC, SAML, authorization | Security-protocol view of an actor/account after identification by an issuer. |
| principal | Authorization Principal | Cedar, IAM, authorization | Entity considered by an authorization decision. |
| profile | Profile | social graphs, IAM, applications | Presentation or attribute surface for an actor/account in a scope. |
| persona | Persona | social/community systems | Deliberate contextual presentation of an actor, often with limited linkage. |
| agent | Artificial Agent | IAM, agentic systems | Non-human actor, including bot, service account, or AI agent. |
| bot | Artificial Agent | applications, social graphs | Automated actor; may act through an account and under delegation. |
| service account | Service Account | IAM, operations | Account intended for software or workload access rather than human login. |
| organization | Organization | SCIM, LDAP, Keycloak, ZITADEL | Collective actor or structure; do not collapse with tenant, legal entity, or customer. |
| legal entity | Legal Entity | business, compliance | Organization recognized under a legal system. |
| customer | Customer | SaaS, vendor/customer models | Commercial relationship role, not automatically a tenant or organization. |
| vendor | Vendor | SaaS, multi-vendor systems | Provider role in a commercial or operational relationship. |
| tenant | Tenant | SaaS, IAM products | Administrative or isolation scope; may be owned by or assigned to an organization. |
| realm | Realm | Keycloak, federation | Issuer or administrative namespace; candidate mapping is Scope or Tenant depending on use. |
| scope | Scope | OIDC, authorization, proposal | Boundary in which identifiers, policies, relationships, or meanings hold. |
| namespace | Scope | directories, DID, products | Naming boundary; treat as a kind of scope unless stronger semantics exist. |
| community | Community | social graphs, platforms | Collective actor defined by social participation rather than legal or customer status. |
| family | Family or Household | family account models | Relationship network with guardian/dependent semantics and privacy sensitivity. |
| household | Family or Household | family account models | Co-residence or account-management unit; may not equal legal family. |
| group | Group | LDAP, SCIM, social graphs, authz | Container or collective label; must not absorb relationship semantics. |
| team | Group or Organization Unit | SaaS, collaboration systems | Usually a collaboration group; sometimes an org sub-unit. |
| role | Role | RBAC, IAM products | Named capability set or relationship label; keep separate from group membership. |
| member | Membership Relationship | SCIM, groups, communities | Relationship from actor to collective actor or scope. |
| affiliation | Affiliation Relationship | enterprise, social | Looser association than membership; may be external or evidenced. |
| follower | Following Relationship | ActivityPub, social graphs | Directed social relationship, not a membership or authorization grant by default. |
| owner | Ownership Relationship | SaaS, authz | Control or responsibility relationship; needs scope and target. |
| administrator | Administration Relationship | IAM, SaaS | Delegated management authority in a scope. |
| delegation | Delegation Relationship | IAM, authz, agentic systems | Actor grants another actor authority to act in a bounded way. |
| representation | Representation Relationship | legal, org, agent systems | Actor acts on behalf of another actor or organization. |
| trust | Trust Relationship | federation, DID, authz | Reliance relationship; must record source, scope, and purpose. |
| claim | Claim | VC, OIDC, DID | Statement made by an issuer about a subject, actor, or relationship. |
| evidence | Evidence Source | entity resolution, assurance | Material supporting a claim or synonymity assertion. |
| assurance | Assurance Level | NIST, federation | Confidence about identity proofing, authentication, or binding. |
| identifier binding | Identifier Binding | federation, entity resolution | Assertion that an identifier refers to a target within a scope. |
| synonymity | Synonymity Assertion | entity resolution, proposal | Assertion that two records or identifiers refer to the same target under stated conditions. |
| weak match | Weak Synonymity Assertion | entity resolution | Probabilistic or low-confidence link; never a destructive merge. |
| strong link | Strong Synonymity Assertion | account linking, identity proofing | Verified or authoritative link; still scoped and evidenced. |
| pseudonym | Pseudonymous Identifier | privacy, OIDC, DID | Identifier designed to limit cross-scope correlation. |
| pairwise subject | Scoped Identifier | OIDC | Subject identifier scoped to relying party or sector; map to Identifier plus Scope. |
| relationship tuple | Relationship Assertion | Zanzibar, OpenFGA | Authorization-oriented representation of actor-object-relation facts. |
| policy | Authorization Projection | Cedar, IAM, authz | Rule artifact; not part of the canonical identity object model except as mapping. |
| lifecycle state | Lifecycle State | SCIM, IAM, directories | Activation, suspension, deletion, revocation, or archival state of a record or relationship. |

## Backfill Needs

- Add source-specific definitions from each file in `research/*/*.md`.
- Split terms that hide multiple meanings after source review.
- Add citation pointers once source notes contain stable references.
- Move mature canonical definitions to `canon/CanonicalGlossary.md`.