coulomb/identity-canon
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3ccf841095e83fb4859396da06803d82afbf7a8a
identity-canon/terminology/TerminologyConflictMap.md
tegwick 3ccf841095 Resolve Customer Account question; add commercial subscription research 
Record B2B SaaS subscriber tenancy and Stripe billing source notes. Resolve
the Customer Account open question: reject it as canonical, add Commercial
Record and Commercial Relationship to the Record and relationship layers, and
document Subscriber as a convenience term only.
2026-06-21 20:35:36 +02:00

9.0 KiB
Raw Blame History

Terminology Conflict Map

Status: draft. Revised after IDENTITY-WP-0003 corpus backfill. Each conflict includes source-backed examples from populated research notes.

Conflict: User

Problem: user can mean a person, account, login credential holder, application profile, authorization subject, or product-facing actor.

Source evidence:

  • SCIM User = provisionable Identity Record (scim-rfc7643-rfc7644.md)
  • Keycloak/ZITADEL User = Account with credentials (keycloak-organizations.md, zitadel-organizations-projects.md)
  • OpenFGA user: tuple prefix = Authorization Principal id (openfga-modeling.md)
  • OIDC End-User = implied Natural Person, not modeled (oidc-core-subject-identifiers.md)

Canonical stance: do not use user as a root concept.

Current mapping rule:

  • Provisioning record (SCIM/LDAP) → Identity Record
  • Login-enabled product record → Account
  • Public/local display → Profile
  • Access evaluation → Principal or Authenticated Subject
  • Human being → Natural Person

Conflict: Identity

Problem: identity can mean selfhood, a directory record, an issuer-bound subject, a set of claims, a DID, a credential, a profile, or an account.

Source evidence:

  • Kratos Identity = traits + credentials (ory-kratos-keto.md)
  • OIDC developers conflate sub with "identity" (oidc-core-subject-identifiers.md)
  • DID is identifier, not identity record (did-core.md)
  • VC credentialSubject = claims about subject (vc-data-model-2.md)

Canonical stance: avoid bare identity. Prefer Identity Record, Identifier, Claim, Credential, Profile, Persona, or Synonymity Assertion.

Conflict: Account

Problem: account can mean login account, customer billing account, social media handle, service account, or FOAF online presence.

Source evidence:

  • FOAF OnlineAccount is service presence, explicitly not Person (foaf-agent-person-group-onlineaccount.md)
  • LDAP posixAccount is attribute bundle on person entry (ldap-rfc4519-inetorgperson-rfc2798.md)
  • ActivityPub acct: URI suggests account but actor is richer (activitypub-actors-followers.md)
  • ZITADEL machine user = Service Account (zitadel-organizations-projects.md)

Canonical stance: Account is operational access record in a scope. Billing records map to Commercial Record; commercial parties use Customer/Vendor roles and Commercial Relationship.

Conflict: Subject, Principal, Actor

Problem: protocols, authorization engines, and social models overload these terms.

Source evidence:

  • OIDC Subject = issuer-scoped identifier (oidc-core-subject-identifiers.md)
  • SAML Principal = authenticated subject in assertion (saml-nameid-federation.md)
  • Cedar Principal = typed entity in authorization request (cedar-principal-action-resource-context.md)
  • Zanzibar/OpenFGA Subject = opaque authz participant (zanzibar-rebac.md)
  • ActivityPub Actor = server-hosted social entity (activitypub-actors-followers.md)
  • FOAF Agent = actionable entity, includes Person (foaf-agent-person-group-onlineaccount.md)
  • GDPR Data Subject = natural person (gdpr-pseudonymization.md)

Canonical stance:

  • Actor = conceptual participant
  • Authenticated Subject = issuer/protocol view
  • Authorization Principal = decision-engine projection

Conflict: Tenant, Realm, Organization, Customer

Problem: multi-tenant products collapse isolation boundaries and commercial actors.

Source evidence:

  • Keycloak Realm = hard namespace; Organization = B2B overlay (keycloak-organizations.md)
  • ZITADEL Organization = customer boundary + org actor (zitadel-organizations-projects.md)
  • SCIM has no tenant; org is string attribute (scim-rfc7643-rfc7644.md)
  • Schema.org Organization = collective actor (schema-org-person-organization-membership.md)

Canonical stance:

  • Tenant = administrative/isolation scope
  • Realm = issuer/admin namespace (Scope specialization)
  • Organization = collective actor
  • Customer = commercial relationship role

Model relationships among them; do not synonymize.

Conflict: Group, Role, Team, Community

Problem: IAM groups, collaboration teams, social communities, and authz member relations use overlapping labels.

Source evidence:

  • LDAP/SCIM Group = entry with member references (ldap, scim notes)
  • ActivityPub Group actor = collective social actor (activitypub-actors-followers.md)
  • Zanzibar group#member@user = authz tuple (zanzibar-rebac.md)
  • Cerbos derived role from group attribute (cerbos-abac-derived-roles.md)
  • Schema.org Organization subtypes include SportsTeam (schema-org note)

Canonical stance:

  • Group = named collection with membership
  • Role = capability bundle or relationship label
  • Team = collaboration group or org unit
  • Community = participation-oriented collective actor

Conflict: Member, Follower, Affiliate

Problem: membership, following, affiliation, and authz member relations hide distinct semantics behind member.

Source evidence:

  • ActivityPub Follow ≠ membership (activitypub-actors-followers.md)
  • Schema.org affiliation looser than memberOf (schema-org-person-organization-membership.md)
  • OpenFGA organization#member = authz projection (openfga-modeling.md)
  • FOAF member = group membership; knows = acquaintance (foaf note)

Canonical stance: use typed relationships with scope and evidence.

Conflict: Profile And Persona

Problem: profiles are account records, RDF documents, public pages, or VC subjects.

Source evidence:

  • WebID profile document = RDF at URI (webid-solid-profile.md)
  • Kratos traits often called profile informally (ory-kratos-keto.md)
  • ActivityPub actor profile = public actor representation
  • Persona for pairwise/pseudonymous scoped presentation (OIDC, GDPR notes)

Canonical stance:

  • Profile = presentation surface in scope
  • Persona = deliberate contextual presentation with privacy boundaries

Conflict: Identifier, Credential, Claim

Problem: tokens and documents bundle all three.

Source evidence:

  • OIDC ID Token contains sub (identifier) and claims (oidc-core-subject-identifiers.md)
  • VC = signed claims with proof (vc-data-model-2.md)
  • DID verification method = cryptographic credential (did-core.md)
  • SAML AttributeStatement = claims; NameID = identifier (saml-nameid-federation.md)

Canonical stance: identifier refers; credential proves; claim states.

Conflict: Synonymity, Linking, Matching, Merge

Problem: systems collapse probabilistic matches, verified links, and destructive merges into one feature.

Source evidence:

  • Probabilistic matching → weak assertion (deterministic-vs-probabilistic-matching.md)
  • OIDC iss+sub binding → strong scoped assertion (oidc, synonymity-assertions notes)
  • Schema.org sameAs = weak web equivalence (schema-org note)
  • GDPR cross-linking raises identifiability risk (gdpr-pseudonymization.md)
  • MDM golden record merge = downstream anti-pattern (deterministic note)

Canonical stance: synonymity is scoped, evidenced, revocable assertion.

Conflict: Credential (Auth) vs. Verifiable Credential

Problem: "credential" means password, OIDC token, or W3C VC.

Source evidence:

  • NIST authenticator/credential (nist-800-63-4.md)
  • VC Data Model verifiable credential (vc-data-model-2.md)
  • OpenID4VC bridges OAuth credential terminology with VCs (openid4vc.md)

Canonical stance: use Credential with context. VC maps to Credential containing Claims; login secrets map to Credential (authentication factor).

Conflict: Issuer

Problem: issuer means OIDC OP, VC issuer, SAML IdP, or CSP.

Source evidence:

  • OIDC iss claim defines subject namespace (oidc-core-subject-identifiers.md)
  • VC issuer signs credential (vc-data-model-2.md)
  • NIST CSP performs proofing (nist-800-63-4.md)

Canonical stance: Issuer = Scope authority + Trust Relationship; specify protocol role when mapping.

Conflict: Customer Account

Problem: customer account collapses login account, B2B subscriber organization, Stripe billing customer, and CRM account into one product noun.

Source evidence:

  • Auth0 uses Subscriber for tenant holder, not customer account (b2b-saas-subscriber-tenancy.md)
  • Stytch: organization is the customer (b2b-saas-subscriber-tenancy.md)
  • Stripe Customer is billing object with subscriptions, not login (stripe-customer-billing.md)
  • ZITADEL/Keycloak org-as-tenant has no Customer Account type (zitadel, keycloak notes)

Canonical stance: reject Customer Account as canonical term. Resolve by layer:

  • login/access → Account;
  • subscribing company → Organization + Customer role + Tenant;
  • billing/CRM → Commercial Record;
  • vendor↔customer link → Commercial Relationship.

Review Queue

  • Customer Account — resolved; use Commercial Record + Commercial Relationship.
  • Decide Realm specialization — Keycloak evidence supports Realm as Scope specialization; promote in glossary if scenario review confirms.
  • Split authz member relation from social Membership in downstream adapters.
  • Classify schema.org sameAs default strength — corpus says weak only.
  • Standardize assurance dimensions — NIST IAL/AAL/FAL as orthogonal metadata.
Reference in New Issue View Git Blame Copy Permalink