Identity is simply a computer's representation of an entity.
Definition 14–1. A principal is a unique entity. An identity specifies a principal.
Authentication binds a principal to a representation of identity internal to the computer. Each system has its own way of expressing this representation, but all decisions of access and resource allocation assume that the binding is correct.
Identities are used for several purposes. The two main ones are for accountability and for access control. Accountability requires an identity that tracks principals across actions and changes of other identities, so that the principal taking any action can be unambiguously identified. Access control requires an identity that the access control mechanisms can use to determine if a specific access (or type of access) should be allowed.
Accountability is tied to logging and auditing. It requires an unambiguous identification of the principal involved. On many systems, this is not possible. Instead, the logged identity maps to a user account, to a group, or to a role.
Most systems base access rights on the identity of the principal executing the process. That is, all processes executed by user bishop have some set of rights. All processes executed by user holly have a set of rights that may differ from those that bishop's processes have. However, a process may have fewer rights than the principal executing it, and in fact there are substantial reasons to reduce privileges. Chapter 15, "Access Control Mechanisms," discusses this topic in more depth.
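The two purposes described above can be seen side by side in a small model, added here as an illustration and not taken from the original text. Each process carries a fixed audit identity for accountability and a separate identity that the access check consults; the `Process` class, the `RIGHTS` table, and the right names are assumptions made for the example, while bishop and holly are the users named in the text.

```python
from dataclasses import dataclass, field

# Constructed sample policy: rights are keyed by the access-control identity.
RIGHTS = {
    "bishop": {"read_mail"},
    "holly": {"read_mail"},
    "root": {"read_mail", "edit_passwd"},
}

@dataclass
class Process:
    audit_id: str        # bound at authentication; never changes afterwards
    effective_id: str    # identity the access control mechanism consults
    dropped: set = field(default_factory=set)  # rights given up voluntarily

    def switch_identity(self, new_id):
        """Change the access-control identity; the audit identity is untouched."""
        self.effective_id = new_id

    def rights(self):
        # A process may hold fewer rights than the identity it runs as.
        return RIGHTS[self.effective_id] - self.dropped

def attempt(proc, right, log):
    """Decide access from the effective identity and record both identities."""
    allowed = right in proc.rights()
    log.append({"audit_id": proc.audit_id, "account": proc.effective_id,
                "right": right, "allowed": allowed})
    return allowed

def principals_behind(log, account, key):
    """Distinct values of `key` among entries logged under `account`."""
    return {entry[key] for entry in log if entry["account"] == account}

def demo():
    log = []
    b, h = Process("bishop", "bishop"), Process("holly", "holly")
    attempt(b, "edit_passwd", log)      # denied: bishop lacks the right
    b.switch_identity("root")
    h.switch_identity("root")
    attempt(b, "edit_passwd", log)      # allowed: decision follows the account
    h.dropped.add("edit_passwd")        # holly's process reduces its privileges
    attempt(h, "edit_passwd", log)      # denied despite running as root
    return log

if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

A log keyed only by `account` attributes both later actions to root, which is the ambiguity the text describes; the `audit_id` field is what separates bishop from holly.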