Files
identity-canon/canon/CanonicalGlossary.md

252 lines
7.2 KiB
Markdown

# Canonical Glossary
Status: draft. These definitions are initial candidate canon terms. They are
intended to be challenged by source-note backfill and scenario testing.
## Actor
An entity that can participate in relationships, hold or control accounts, be
represented by another actor, or be projected into downstream systems.
Includes: natural persons, organizations, communities, families, service
accounts, bots, and AI agents.
Excludes: raw identifiers, credentials, claims, and profiles unless they are
being represented as records about an actor.
## Natural Person
A human being. A natural person may have many accounts, profiles, identifiers,
credentials, personas, and relationships.
Excludes: account records, social profiles, legal entities, and artificial
agents.
## Artificial Agent
A non-human actor that performs actions under software, automation, or delegated
control.
Includes: bots, service agents, workloads, and AI agents.
## Collective Actor
An actor composed of or associated with multiple actors.
Includes: organizations, communities, families, households, groups, and teams
when they can participate in relationships or be represented.
## Account
An operational record in a scope that enables access, login, administration, or
system participation.
Includes: human login accounts and service accounts.
Excludes: natural persons, billing accounts, profiles, credentials, and
authorization principals unless a source uses account in that narrower context.
## Service Account
An account intended for software, workload, bot, or automation access rather
than ordinary human interactive use.
## Identity Record
A record that describes, binds, or organizes information about an actor within
a source or scope.
Identity Record is deliberately narrower than bare `identity`; it is a record,
not selfhood, not proof material, and not necessarily a login account.
## Identifier
A value or reference used to distinguish or refer to something within a scope.
Examples: username, email address, LDAP DN, OIDC subject, SAML NameID, DID,
employee number, external source ID.
## Scoped Identifier
An identifier whose meaning is intentionally limited to a relying party,
sector, tenant, realm, application, namespace, or other scope.
## Credential
Evidence or secret material used to prove control, entitlement, or a claim.
Examples: password, passkey, certificate, hardware token, verifiable
credential, recovery code, signed assertion.
## Claim
A statement made by an issuer or source about an actor, account, identifier,
relationship, or attribute.
## Authenticated Subject
The protocol-level representation of an entity after an issuer or identity
provider identifies it for a relying party.
Examples: OIDC subject, SAML subject.
## Authorization Principal
The entity considered by an authorization system when evaluating whether an
action is allowed.
## Profile
A presentation or attribute surface for an actor or account in a scope.
Examples: public social profile, local application profile, directory profile.
## Persona
A deliberate contextual presentation of an actor, often used to separate roles,
audiences, privacy boundaries, or pseudonymous participation.
## Scope
A boundary within which identifiers, meanings, relationships, accounts,
policies, or lifecycle states are valid.
Examples: tenant, realm, relying party, namespace, application, community,
authorization domain.
## Tenant
An administrative or isolation scope for a system, service, platform, or
application.
A tenant may be associated with an organization, customer, vendor, or community,
but it is not automatically identical to any of them.
## Realm
An issuer, security, or administrative namespace used by an identity system.
Candidate status: treat Realm as a Scope specialization unless source analysis
shows it needs a separate canonical role.
## Organization
A collective actor with operational, social, administrative, or structural
continuity.
Excludes: tenant, customer, and legal entity unless those meanings are modeled
as separate relationships or specializations.
## Legal Entity
An organization or other actor recognized by a legal system.
## Customer
An actor in a commercial or service-consumption relationship.
Customer is a relationship role, not automatically a tenant or organization.
## Vendor
An actor in a service-provider relationship.
Vendor is a relationship role, not automatically a tenant or organization.
## Community
A collective actor formed around participation, affiliation, identity, interest,
moderation, or social interaction.
## Family Or Household
A collective actor or relationship network involving family, guardian,
dependent, household, or care relationships.
This concept is privacy-sensitive and may have legal implications outside the
canon's scope.
## Group
A named collection of actors or accounts in a scope.
Group membership may have authorization implications, but a group is not the
same concept as a role, community, team, or organization.
## Role
A named capability bundle, responsibility, or relationship label within a
scope.
Roles may be assigned through memberships or relationships, but role is not
identical to group.
## Relationship
A typed, scoped assertion connecting one actor, account, identifier, group, or
other model element to another.
Recommended fields: source, target, type, scope, evidence, issuer or source,
confidence when relevant, lifecycle state, and authorization implications.
## Membership Relationship
A relationship indicating that an actor or account belongs to, participates in,
or is accepted by a collective actor or scope.
## Affiliation Relationship
A relationship indicating association without necessarily implying membership,
control, employment, or authorization.
## Following Relationship
A directed social relationship where one actor subscribes to, follows, or
observes another actor or profile.
## Representation Relationship
A relationship where one actor acts or speaks on behalf of another actor within
a scope.
## Delegation Relationship
A relationship where one actor grants bounded authority to another actor.
## Administration Relationship
A relationship where one actor has management authority over accounts,
relationships, policies, or configuration in a scope.
## Trust Relationship
A relationship where one actor, issuer, verifier, system, or scope relies on
another for claims, identifiers, credentials, or decisions.
## Synonymity Assertion
A scoped, evidenced assertion that two or more identifiers, records, accounts,
profiles, or actors refer to the same target for a stated purpose.
Synonymity assertions may be weak, strong, verified, inferred, revoked,
privacy-limited, or source-specific.
## Evidence Source
A source, document, event, issuer, import, observation, or verification process
supporting a claim, relationship, or synonymity assertion.
## Lifecycle State
The current state of a record, account, relationship, credential, claim, or
assertion.
Examples: proposed, active, suspended, revoked, expired, archived, deleted,
superseded.
## Non-Canonical Convenience Term: User
`User` may be used in prose when quoting or mapping external systems, but it
should not be a canonical root concept. Resolve it to a specific canonical
concept before using it in model definitions.