Subject: [cloudauthz] Gartner's definitions for Entitlements


The term "Entitlements" has been popularized by Gartner ("Identity and Access Management Defined in 100 Tweets (and Change)") as follows:

- IAM can be viewed as a set of complex functions that manipulate or consume three kinds of data: identity, entitlement and activity data.

- Entitlement data describes entitlements (permissions and so on) — expressions of the ways that users are allowed to interact with resources.


More About Entitlements

Within different applications and OSs, entitlements are specified in different, often proprietary, ways.

Entitlement data is typically associated with a specific resource or an intermediate construct that maps to one or more resources.

Entitlements may be assigned directly to individual user identities or to an intermediate construct, such as a group or a role.

Current entitlement life cycle management (ELCM) tools specify entitlements in an abstract policy and can support ABAC.

In current Gartner terminology, PAPs perform entitlement administration, and together, PDPs and PEPs perform entitlement resolution.

ELCM tools can abstract PAP and PDP functions from target systems, which typically retain PEP functions.


In addition, "authorization" is sometimes given as a synonym for an "entitlement" (see entitlement). Some writers (see, for example, the Wikipedia entry for "access control") passionately deprecate the way in which we use "authorization." Nevertheless, all these meanings can be found in any number of canonical security and IAM glossaries, and we follow the sense of OASIS SAML and XACML usage. To avoid ambiguity, we believe an organization's IAM architecture should use the term in only one clearly documented sense and use equally clearly documented synonyms for the others — for example, "approval," "entitlement assignment" and "entitlement." We're not specifically advocating the use of those terms, only the consistent use of a set of distinct and unambiguous terms.


Gartner’s Glossary Definitions

permission: See entitlement.

privilege: See entitlement.

right: See entitlement.

rule: See entitlement.

entitlement: An expression of the ways in which users can interact with resources. Entitlements are also called "access permissions," "access rights," "authorizations," "permissions," "privileges," "rights" or "rules." Within some systems, more than one of these terms may be used, with different shades of meaning attached to each, but by and large, these terms tend to be used interchangeably. Gartner research aims to use "entitlements" consistently, but sometimes uses "privileges" to distinguish the special high-level entitlements linked with system administrators and the like (see "Best Practices for Managing SuperUser Privileges").

 

 

Radu Marian,

Bank of America -
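The PAP / PDP / PEP split and the direct-versus-role entitlement assignment described in the message above, as an added example that is not part of the original post or of Gartner's material. Every name in it (the three classes, the users alice and bob, the analyst role, the reports/* resources and the department attribute) is constructed for illustration; the point it shows is that administration (PAP) and resolution (PDP plus PEP) can be separated, that an entitlement reached through a role resolves exactly like one granted directly, and that an ABAC condition on the entitlement is checked at decision time.

```python
"""Toy model of Gartner's split between entitlement administration (PAP)
and entitlement resolution (PDP + PEP).  Added example: class names, users,
roles, resources and attributes are constructed, not from the original post."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Entitlement:
    """An expression of one way a subject may interact with a resource."""
    action: str
    resource: str            # exact name or glob pattern such as "reports/*"
    condition: tuple = ()    # ABAC constraints: ((attribute, required_value), ...)


class PolicyAdministrationPoint:
    """PAP: where entitlements are administered.  Entitlements may be assigned
    directly to a user or to an intermediate construct (here: a role)."""

    def __init__(self):
        self._direct = {}       # user -> set[Entitlement]
        self._by_role = {}      # role -> set[Entitlement]
        self._roles_of = {}     # user -> set[str]

    def grant_user(self, user, ent):
        self._direct.setdefault(user, set()).add(ent)

    def grant_role(self, role, ent):
        self._by_role.setdefault(role, set()).add(ent)

    def assign_role(self, user, role):
        self._roles_of.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        self._roles_of.get(user, set()).discard(role)

    def entitlements_for(self, user):
        """Flatten direct grants plus everything inherited through roles."""
        ents = set(self._direct.get(user, ()))
        for role in self._roles_of.get(user, ()):
            ents |= self._by_role.get(role, set())
        return ents


class PolicyDecisionPoint:
    """PDP: answers 'may user perform action on resource under these attributes?'
    Default is deny; any matching entitlement whose condition holds permits."""

    def __init__(self, pap):
        self._pap = pap

    def decide(self, user, action, resource, attributes=None):
        attributes = attributes or {}
        for ent in self._pap.entitlements_for(user):
            if ent.action != action or not fnmatchcase(resource, ent.resource):
                continue
            if all(attributes.get(k) == v for k, v in ent.condition):
                return True
        return False


class PolicyEnforcementPoint:
    """PEP: stays in the target system and refuses to act without a permit."""

    def __init__(self, pdp):
        self._pdp = pdp

    def read_document(self, user, doc, attributes=None):
        if not self._pdp.decide(user, "read", doc, attributes):
            raise PermissionError(f"{user} may not read {doc}")
        return f"<contents of {doc}>"


def build_demo():
    """Constructed scenario: one role-based ABAC entitlement, one direct grant."""
    pap = PolicyAdministrationPoint()
    # Analysts may read any report, but only while acting for the finance department.
    pap.grant_role("analyst", Entitlement("read", "reports/*", (("department", "finance"),)))
    pap.assign_role("alice", "analyst")
    # Bob gets a single, directly assigned write entitlement on one resource.
    pap.grant_user("bob", Entitlement("write", "reports/q3"))
    pdp = PolicyDecisionPoint(pap)
    return pap, pdp, PolicyEnforcementPoint(pdp)


def run_demo():
    pap, pdp, pep = build_demo()
    results = {
        "alice_read_finance": pdp.decide("alice", "read", "reports/q3", {"department": "finance"}),
        "alice_read_hr": pdp.decide("alice", "read", "reports/q3", {"department": "hr"}),
        "alice_write": pdp.decide("alice", "write", "reports/q3", {"department": "finance"}),
        "bob_write": pdp.decide("bob", "write", "reports/q3"),
        "bob_read": pdp.decide("bob", "read", "reports/q3"),
    }
    try:
        pep.read_document("bob", "reports/q3")
        results["pep_blocked_bob"] = False
    except PermissionError:
        results["pep_blocked_bob"] = True
    pap.revoke_role("alice", "analyst")   # an administration change flows straight into resolution
    results["alice_after_revoke"] = pdp.decide("alice", "read", "reports/q3", {"department": "finance"})
    return results


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name}: {allowed}")
```

Running the block prints one line per decision. The PEP never reasons about entitlements itself; it only asks the PDP, which is what lets an ELCM tool take the PAP and PDP functions out of the target system while the PEP stays behind. Revoking alice's role in the PAP changes the very next decision with no change to the PEP, which is the practical value of keeping administration and resolution apart.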

 

