IT Services



Core User Directory Glossary of Terms




1. Core User Directory Glossary of Terms

Table 1. Glossary of Terms
Access Control List a list of rights that a Principal has over Subjects or logical groups of subjects (A common abbreviation for this is ACL)
Attribute An individual item of data pertaining to an entity and stored in a record. For example: gender
Attribute release policy A definition of what data can be released to what query source (A common abbreviation for this is ARP). Data sources have control over the attribute release policy for attributes they provide to CUD. Attribute release policies are reviewed before they are applied
Authentication A process by which an individual proves their identity, particularly electronically. (A common abbreviation for this is AuthN). CUD does not provide an authentication service for Subjects. Principals must authenticate to CUD, but CUD does not itself provide this authentication service
Authorisation The process of determining whether an individual is permitted a level of access to a resource or part of a resource. (A common abbreviation for this is AuthZ). CUD does not provide an authorisation service for Subjects
CUD record Data pertaining to a real entity (a person in this context) stored within CUD
CUDID A unique, immutable identifier assigned to a person record (Subject) in CUD. This will take the form of a GUID in 32-character hexadecimal string format
Core attributes a set of common attributes which CUD will derive from data sources and present to query sources as a consolidated set. Any variation between tribute values in different systems will be highlighted in metadata. The attributes are all "owned" by the person: naming attributes, gender, data of birth, address etc. (to be agreed)
Data One or more attributes about people
Data Owner A data owner is a business role associated with responsibility for a given set of data. Normally this comes with responsibility to decide what users in the organization may access the data in question and for the quality of the data. CUD is only the data owner for the CUD ID. Primary data systems from which it collects data are owners of the data sourced from them.
Data administrator A role defined by the organisation which had responsibility for maintaining data stored in a system
Data authority A source system which, by organisational agreement, has authority for the value of one or more defined attributes
Data manager A role defined by the organisation which has responsibility for the nature, accuracy, usage and appropriate dissemination of data held in a system
Data validation in data sources Validation operations taking place within applications, often as checks on data entry. CUD is designed to be non intrusive and does not seek to provide this. It may be possible for CUD to alert validation failures through a defined interface, but the sending of the data to CUD is a required precondition for this
Derived system A system or service to which CUD sends data
Directory service A directory is a network service which lists participants in the network. In the CUD context these are people who have an association with the University of Oxford
Entity A real thing (a person in the context), external to all data systems but represented in them
GUID Globally unique identifier. A value guaranteed to be unique in the Universe
Group A logical grouping together of multiple subjects, based on one or more common characteristics
Identity A synonym for Subject. Subject is the preferred term as Identity is loaded with preconceptions
LocalId A local ID is a user's unique, immutable identifier within the context of a single system
Manual Subject Matching Intervention a human task to decide whether a possible match with a low satisfaction level should be used or not. Requires communication and human judgement
Master data management Centralised management of data, enforcing constraints across a range of systems. Not provided by CUD
Metadata Information about data. For each data attribute it stores CUD will also store meta data for: attribute description; data source; added date; last changed date. Metadata will always be returned by CUD with the data in response to queries.
Minimum attributes a minimum set of attributes which must be provided by a data source in order to participate in CUD. The minimum set consists of: a LocalId; one or more attributes which can be used for matching
Password management A wide-ranging term. CUD does not provide any password management functionality for Subjects. Password management functionality for Principals is provided by external systems
Primary data system A system or service which sends data to CUD, or from which CUD obtains data
Query A structured definition of criteria to use to search CUD, with an optional list of attributes to return. The result will be sent to the query source. A query can be one-off, scheduled, or persistent with data sent each time a change occurs in CUD. By default, queries asynchronous and require an interface defined for receiving data
Query source A system sending a query to CUD and expecting data to be sent in return. This definition is POV dependent
Reconciliation The process of addressing differences in values stored for a common attribute in different primary data systems. The process influences how divergent values are reported, and how they may be addressed with the aim of convergence on a single value
Record Data pertaining to a real entity (a person in this context) stored within a system
SPML Service provisioning Markup Language, a schema definition for communication data between systems in XML. Can be used for provisioning if support is available in a target system. Use internally by CUD and can be sent to target systems
Secondary data system A system or service which obtains data from a primary data system
Security Principal A definition of en external entity (person or system in this context) with assigned rights to create, read, update, delete subject data in CUD
Service de-provisioning Automatic suspension or deletion of service objects (such as accounts) in systems. CUD can provide the data required to do this, but not the logic which determines actions to take. An operation (or series of operations) that CUD does not perform, but may enable
Service provisioning Automatic creation of service objects (such as accounts) in systems. CUD can provide the data required to do this, but not the logic which determines actions to take. An operation (or series of operations) that CUD does not perform, but may enable
Subject Synonym for CUD record
Subject Matching matching of data flowing into CUD against records already present in CUD. One or more attributes which are common to CUD and the source of data will be used for matching, with a satisfaction level assigned according to the quality of the match (ie. the more unique, the higher that satisfaction level)
Subject Matching Strategy a definition of a set of attributes to use for matching with a satisfaction level of the resulting match. Multiple Subject Matching Strategies can be attempted in turn in descending order of satisfaction level
Subject Merge operation to merge 2 or more subjects within CUD into one where it is satisfactorily established that they represent the same person
Supported data format method of packaging data which is supported by CUD either to receive or send data. Delimited file, XML, and JSON are accepted
Supported transport a method of communicating data across the network. HTTPS (including web services), SCP, SFTP, CIFS, Mail, Databases supporting JDBC, JMS and XMPP are supported
Tertiary data system A system or service which obtains data from a secondary data system
The pure identity paradigm The model or creation, management and deletion of identities without regard to access or entitlements assigned to these identities. CUD follows this model
The service paradigm A system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices
The user access (log-on) paradigm A collection of processes which result in a customer being able to log on to a service or services. See also: service provisioning; authentication; authorisation
UID Unique ID. A value guaranteed to be unique in a defined context, such as a system. See also: LocalId
Unit attributes other attributes provided by source systems which are not part of the core attribute set. When CUD is queried for these attributes it will always include metadata in the response
Validation The process of applying rules to attribute values to ensure that they are fit into pre-defined constraints. CUD validates attributes before storing them. Validation does not guarantee that the data is correct, simply that it fits constraints
XML schema a definition of what an XML document should or could contain. CUD uses XML schemas to validate data