Principal

From IDESG Wiki

Status: Proposed
This concept has been submitted as a new entry to the Concept Catalog. It has not yet been validated or reviewed.

Description

The short-term identification of a user as recognized within a computer system.

Rationale

This is defined for IDESG as the subject that is able to control User Private Information in a User Object for the duration of the authenticated transaction.

Value and Context for Use in IDESG

Helps to narrow the concept of interaction or transaction to the duration of an authenticated Principal Identity in a Digital Entity.

Formal Definition

  1. A natural or legal person whose identity has been authenticated.
  2. A Digital Entity whose identity is part of a secure session (e.g. an HTTPS session Identifier).
  3. A digital representation that can accumulate claims and roles for use in an authenticated session.

Potential problems

  • Some systems allow the Principal Identifier to persist between transactions.
  • Some systems require that the Principal have only a single instance per User Object; others allow multiple sessions per principal, each with a separate identifier.
  • If only a single sign-in session is permitted for a User Object and there are multiple tenants, then all current principal identities need to be accessible on every tenant (perhaps by inclusion in the User Object).
  • Whenever any information about a Principal is persisted in a Digital Entity, that data is subject to the Privacy and Security requirements of the IDESG.

Disambiguation

  • A natural or legal person can be a user for security purposes in IDESG documentation. The Principal is the identifier of that user (or user session) within a Digital Entity such as a Relying Party for the duration of a transaction or interaction.
  • A User Object is a persistent collection of user information within a single Digital Entity.
  • A subject could be either a user or a principal or even an identifier of a user between an IdP and an RP. It does not have a formal definition in the IDESG.

Same term, different concept?

  • OASIS SAML Glossary 2.0: A system entity whose identity can be authenticated. [X.811]
  • Microsoft: A principal represents the identity and role of a user and acts on the user's behalf. Role-based security in the .NET Framework supports three kinds of principals:
    • Generic principals represent users and roles that exist independent of Windows users and roles.
    • Windows principals represent Windows users and their roles (or their Windows groups). A Windows principal can impersonate another user, which means that the principal can access a resource on a user's behalf while presenting the identity that belongs to that user.
    • Custom principals can be defined by an application in any way that is needed for that particular application. They can extend the basic notion of the principal's identity and roles.

Different term, same concept?

  • ISO 29100: PII principal [is a] natural person to whom the personally identifiable information (PII) relates. (Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data subject” can also be used instead of the term “PII principal”).
  • User is used in most of the IDESG documents as a less formal term for the principal.