# Terminology Inventory

Status: draft. Updated after IDENTITY-WP-0003 corpus backfill. Mappings remain candidate until reviewed against `canon/CanonicalGlossary.md` and scenario tests.

## Use

Use this file to collect source terms and their current candidate canonical home. Use `terminology/TerminologyConflictMap.md` when a term is overloaded or has incompatible meanings across source families.

## Inventory

| Term | Candidate canonical concept | Source families | Notes |
| --- | --- | --- | --- |
| actor | Actor | ActivityPub, FOAF, Cedar, proposal | Participation root. ActivityPub actor is server-hosted; FOAF Agent includes persons. |
| natural person | Natural Person | FOAF, Schema.org, NIST, GDPR | Human being; FOAF Person and Schema.org Person align strongly. |
| user | Convenience label only | SCIM, LDAP, Keycloak, ZITADEL, apps | Overloaded. Map by context: SCIM/LDAP User → Identity Record; Keycloak/ZITADEL User → Account. |
| account | Account | SCIM, LDAP posixAccount, FOAF OnlineAccount, Keycloak | Operational access record in a scope. FOAF separates account from person explicitly. |
| identity | Identity Record or Claim | Kratos, OIDC, DID, VC, apps | Kratos Identity = traits + credentials. Avoid bare `identity` as root noun. |
| identifier | Identifier | OIDC sub, SAML NameID, LDAP DN, DID, WebID | Value referring within or across scopes. See Scoped Identifier when correlation is limited. |
| scoped identifier | Scoped Identifier | OIDC pairwise, SAML transient, pseudonyms | Meaning limited to RP, sector, tenant, or session. |
| credential | Credential | NIST, Kratos, OIDC token, VC, DID keys | Proof material. Distinguish VC (claim container) from password/WebAuthn. |
| subject | Authenticated Subject | OIDC, SAML, SSF events | Protocol/security view after issuer identification. Not Actor or Principal. |
| principal | Authorization Principal | Cedar, Cerbos, Zanzibar, OpenFGA | Decision-engine participant. OpenFGA `user:` prefix is not a human user. |
| end-user | Natural Person (inferred) | OIDC | OIDC names the human implicitly; does not model it as an entity. |
| profile | Profile | FOAF, WebID/Solid, SCIM attrs, ActivityPub | Presentation or attribute surface. Solid profile is user-controlled data. |
| persona | Persona | proposal, privacy patterns | Contextual presentation; pairwise/pseudonymous profiles map here. |
| agent | Actor or Artificial Agent | FOAF, ActivityPub, WebID | FOAF Agent includes humans; ActivityPub Service = Artificial Agent. |
| bot | Artificial Agent | ActivityPub Service, apps | Automated actor; may use Service Account. |
| service account | Service Account | Keycloak, ZITADEL machine user, Kratos | Non-human login or API identity. ZITADEL machine user, Kratos service patterns. |
| machine user | Service Account | ZITADEL | Product term for non-human org identity. |
| organization | Organization | Schema.org, Keycloak Orgs, ZITADEL, SCIM ext | Collective actor. SCIM `organization` attribute is not an Organization actor. |
| legal entity | Legal Entity | business, compliance | Organization recognized under law; separate from tenant. |
| customer | Customer (relationship role) | SaaS, vendor models | B2B subscriber org → Organization + Customer role + Tenant. Not Stripe Customer. |
| vendor | Vendor (relationship role) | SaaS, multi-vendor | Provider role; not realm or tenant. |
| subscriber | Organization + Customer role | Auth0 B2B SaaS | Convenience label only; not canonical. See also the NIST sense below. |
| stripe customer | Commercial Record | Stripe, billing | Billing object; link to Tenant via metadata. Not Account. |
| payment method / pm_xxx | Payment Instrument Reference | Stripe, Adyen | Tokenized provider reference; not Credential; not CHD in canon. |
| payment mandate / setup intent | Payment Mandate (Commercial Commitment) | Stripe, SEPA | Authorization to charge; `commitment_type` = `payment_mandate`. |
| pan / cvv / chd | Out of canon | PCI DSS | Downstream PCI vault only. |
| opportunity (crm) | Pipeline Pursuit | Salesforce, HubSpot | In-flight deal; not Commercial Commitment until binding trigger. |
| forecast commit (salesforce) | Pipeline Pursuit metadata | Salesforce | Sales forecast category; not Commercial Commitment. |
| closed won | Pipeline Pursuit lifecycle + optional commitment | CRM | Won stage alone does not auto-create active commitment. |
| quote accepted / loi signed | Commercial Commitment (proposed) | CPQ, sales | Binding trigger with document evidence. |
| crm account | Commercial Record | Salesforce, CRM | Company/household commercial record; not login Account. |
| customer account | Resolve by layer | billing, IAM, CRM | Not canonical — see TerminologyConflictMap. |
| commercial record | Commercial Record | Stripe, CRM, billing | Record layer; payment/subscription/commerce state. |
| commercial relationship | Commercial Relationship | vendor/customer SaaS | Vendor-to-customer typed relationship. |
| commercial commitment | Commercial Commitment | contracts, subscriptions, KYC | Binding obligation raising identity stakes. |
| beneficial owner | Beneficial Owner + Beneficial Ownership Relationship | KYC/AML, FinCEN CDD, FATF R24 | Natural person behind legal entity customer; dedicated relationship type with ownership/control prongs. |
| beneficial ownership | Beneficial Ownership Relationship | FinCEN CDD, BOI, Open Ownership | Regulated Natural Person → Organization/Legal Entity linkage; not Ownership subtype. |
| lei | Registry Identifier (regulatory_global) | GLEIF, ISO 17442, ICD 0199 | Legal entity identifier with annual renewal. |
| duns | Proxy Commercial Identifier | D&B, ICD 0060 | Commercial-proxy registry identifier. |
| uei | Registry Identifier (government_registry) | SAM.gov | US federal entity identifier. |
| company registration number | Registry Identifier (government_registry) | national registers, ALEI | Authoritative incorporating-register identifier. |
| alei / ibrn | Registry Identifier (government_registry) | ISO 8000-116 | Authoritative legal entity identifier from government register. |
| iso 6523 / icd | Registry Identifier scheme | ISO/IEC 6523, PEPPOL | ICD + organization identifier encoding. |
| legal person | Legal Person | eIDAS, civil law, agency | Natural or juridical person under law. |
| paydex | Performance Evidence | D&B | Observed-tier payment performance metric. |
| reputation | Resolve by assurance tier | marketplaces, credit | Not canonical — see Counterparty Assurance Gradient. |
| star rating / review | Reputation Signal | Yelp, Amazon, App Store | Opinion-tier Evidence Source; weak, gameable. |
| feedback score | Reputation Signal | eBay, Uber | Platform-local opinion tier. |
| credit score | Performance Evidence | bureaus, D&B | Observed-tier counterparty metric. |
| performance bond / surety | Commercial Commitment | construction, procurement | Committed-tier financial assurance. |
| escrow | Commercial Commitment | marketplaces, Stripe | Committed-tier funds segregation. |
| escrow (platform) | Commercial Commitment (escrow) | marketplaces | Committed tier when funds are segregated. |
| arbitration award | Adjudication Outcome | AAA, ICC, JAMS | Adjudicated-tier dispute result. |
| court judgment | Adjudication Outcome | courts | Adjudicated-tier enforcement outcome. |
| assurance gradient | Counterparty Assurance Gradient | commercial identity | Four-tier reliance model (opinion → adjudicated). |
| control_basis | Beneficial Ownership Relationship metadata | FinCEN CDD, EU AMLD | Settled role enum (`chief_executive`, `managing_member`, …). |
| binding_trigger | Pipeline Pursuit promotion | CRM adapters | Settled enum (`quote_accepted`, `contract_executed`, …). |
| fincen id | Registry Identifier (government_registry) | BOI | Natural person government registry ID. |
| person account | Natural Person + Commercial Record | Salesforce B2C | Adapter `projection_mode` = `person_account_combined` only. |
| ncage / cage | Registry Identifier (industry_association) | defense procurement | Industry association authority class. |
| network token | Payment Instrument Reference | Visa VTS, MDES | `instrument_type` = `network_token`. |
| kyc / cip | Evidence Source + Assurance | FinCEN, FATF | Regulated commercial identity onboarding. |
| fluid identity | Persona / weak binding | theory | Low commercial stake; intentional mutability. |
| bound identity | Commercial Commitment present | theory | High counterparty reliance; stable identifiers. |
| tenant | Tenant | ZITADEL org, SaaS, Keycloak (informal) | Administrative/isolation scope. Keycloak realm is sometimes called a tenant. |
| realm | Realm | Keycloak | Hard identity/admin namespace. Candidate Scope specialization. |
| scope | Scope | OIDC, Cerbos, OpenFGA store, proposal | Boundary for meaning, policy, or correlation. |
| namespace | Scope | LDAP dc, Keto/OpenFGA, DID method | Naming or authorization partition. |
| instance | Scope | ZITADEL | Deployment-level boundary above organizations. |
| project | Application Scope | ZITADEL | Application/product container within org. |
| community | Community | ActivityPub Group, proposal | Participation-oriented collective. ActivityPub Group may be Community or Group. |
| family | Family or Household | proposal, GDPR-sensitive | Guardian/dependent semantics; privacy-sensitive. |
| household | Family or Household | family accounts | Co-residence unit; may differ from legal family. |
| group | Group | LDAP, SCIM, FOAF, ActivityPub, Cedar | Named collection. LDAP/SCIM group ≠ social community without context. |
| team | Group or Organization Unit | Schema.org, collaboration | Collaboration unit; may be org sub-unit. |
| role | Role | Keycloak, ZITADEL, Cedar, Cerbos, Schema.org OrganizationRole | Capability bundle or relationship label. Cerbos derived role may hide Ownership. |
| grant | Role assignment | ZITADEL | Project role assignment; map to Delegation-like relationship. |
| member | Membership Relationship | SCIM, LDAP, FOAF, Schema.org, Zanzibar | Relationship edge, not a noun for the participant. |
| affiliation | Affiliation Relationship | Schema.org, FOAF knows | Looser than membership. FOAF knows is weak social affiliation. |
| follower | Following Relationship | ActivityPub | Directed social subscription; not membership or authz. |
| follow | Following Relationship | ActivityPub | Activity establishing follower edge. |
| owner | Ownership Relationship | Zanzibar, Cerbos derived | Control/responsibility. Cerbos may encode as attribute, not relationship. |
| administrator | Administration Relationship | IAM, ZITADEL grants | Delegated management in scope. |
| delegation | Delegation Relationship | Cedar context, agents | Bounded authority grant. Cedar context may carry `delegatedBy`. |
| representation | Representation Relationship | SCIM manager, DID controller | Acting on behalf of another. DID controller may differ from subject. |
| trust | Trust Relationship | federation, VC, DID | Reliance on issuer/verifier; federation metadata trust. |
| claim | Claim | OIDC, SAML attributes, VC | Statement by issuer. SAML AttributeStatement → Claim. |
| evidence | Evidence Source | NIST proofing, entity resolution, SSF | Supports claims and synonymity. SSF SET = event Evidence Source. |
| assurance | Assurance Level | NIST IAL/AAL/FAL | Orthogonal identity, authentication, and federation confidence. |
| identifier binding | Identifier Binding | OIDC iss+sub, WebID-OIDC, SAML | Assertion that identifier refers to target in scope. |
| synonymity | Synonymity Assertion | entity resolution, OIDC linking, schema.org sameAs | Scoped evidenced equivalence. sameAs is weak by default. |
| weak match | Weak Synonymity Assertion | probabilistic matching | Probabilistic link; never destructive merge. |
| strong link | Strong Synonymity Assertion | deterministic match, verified linking | Authoritative or verified; still scoped. |
| same_as | Synonymity Assertion (strong) | synonymity model | High-confidence equivalence relation type. |
| probably_same_as | Synonymity Assertion (weak) | probabilistic matching | Probabilistic equivalence relation type. |
| linked_to | Synonymity Assertion (operational) | account linking | Convenience link without semantic sameness claim. |
| pseudonym | Pseudonymous Identifier | GDPR, OIDC pairwise | Limits cross-scope correlation. |
| pairwise subject | Scoped Identifier | OIDC | RP-specific sub preventing global correlation. |
| relationship tuple | Relationship Tuple | Zanzibar, OpenFGA, Keto | Authz projection: `subject#relation@object`. |
| policy | Authorization Projection | Cedar, Cerbos | Rule artifact; downstream of canon model. |
| lifecycle state | Lifecycle State | SCIM active, SSF/RISC events, VC status | Applies to records, credentials, relationships, assertions. |
| subscriber | Account / Identity Record | NIST | Enrolled party at CSP; not synonymous with Natural Person until IAL binding. |
| issuer | Scope + Trust Relationship | OIDC iss, VC issuer, SAML IdP | Namespace authority for identifiers and claims. |
| relying party | Scope | OIDC RP, SAML SP, NIST | Consumer of assertions; RP-local account binding. |
| nameid | Identifier | SAML | Format attribute determines persistence and privacy semantics. |
| distinguished name | Identifier | LDAP | Compound locator in directory namespace. |
| externalid | Identifier | SCIM | Client-supplied cross-system correlation key. |
| traits | Profile attributes | Kratos | Schema-validated identity attributes. |
| verification method | Credential | DID Core | Cryptographic key in DID document. |
| verifiable credential | Credential + Claim | VC Data Model | Signed claim set; distinct from login credential. |
| holder | Actor (custody role) | VC, OpenID4VC | Party possessing VC; may differ from subject. |
| verifier | Scope (evaluation role) | VC, OpenID4VC | Validates presentations. |
| did | Identifier | DID Core | Decentralized identifier with method-specific resolution. |
| webid | Identifier | WebID/Solid | HTTP URI identifying agent with dereferenceable profile. |
| data subject | Natural Person | GDPR | Identifiable natural person for privacy regulation. |
| pseudonymization | Processing pattern | GDPR | Technique; maps to Scoped Identifier + separated re-id key. |
| controller | Organization (legal role) | GDPR | Downstream legal role; not canonical identity root. |
| tuple (authz) | Relationship Tuple | Zanzibar | Authorization fact, not social relationship. |
| userset | Authorization Principal (indirect) | Zanzibar, OpenFGA | Subject referenced via relation chain. |
| derived role | Role (computed) | Cerbos | Role from attributes; should trace to Relationship when possible. |
| contextual tuple | Delegation context | OpenFGA | Ephemeral authz fact at check time. |
| sameas | Weak Synonymity Assertion | Schema.org | Informal web equivalence; not strong link without evidence. |
| organizationrole | Role + Membership | Schema.org | Temporal role with start/end dates. |
| assurance level change | Assurance Level update | SSF/CAEP | Event affecting IAL/AAL/FAL metadata. |

## Source Note Citations

Terms above are grounded in backfilled notes under:

- `research/identity-provisioning/` (5 notes)
- `research/authentication-federation/` (4 notes)
- `research/authorization-relationships/` (4 notes)
- `research/social-community-graphs/` (4 notes)
- `research/verifiable-claims/` (3 notes)
- `research/entity-resolution-privacy/` (3 notes)
- `research/commercial-subscription/` (2 notes)
- `research/commercial-identity/` (8 notes)

## Remaining Backfill Needs

- Split `group` into authorization group vs. social collective where sources disagree (OpenFGA member vs. ActivityPub follower).
- Add product-version qualifiers when Keycloak/ZITADEL models evolve.
- Promote stable mappings to `canon/CanonicalGlossary.md` after scenario review.