This repository has been archived by the owner on Apr 29, 2021. It is now read-only.

Access Management Definitions (comments) #141

Closed
lachellel opened this issue Nov 27, 2019 · 1 comment

@lachellel

Received June 2019 - a federal agency comment for updating identity management service definitions

Comments on:

| Item | Current Text | Recommended Change | Change | Rationale |
| --- | --- | --- | --- | --- |
| Policy Administration | Creating and maintaining the rule sets that govern access to protected resources. | Creating, maintaining and distributing digital policies that govern access to information resources. | 1) Add "and distributing"<br>2) Change "rule sets" to "digital policies"<br>3) Change 'protected' to 'information' | 1) Distribution of policies should also be included here<br>2) Digital policies is a more inclusive term than rule sets<br>3) Better word for this level of detail |
| Entitlement Management | Establishing and maintaining the authoritative access permissions for a person or entity. | Establishing and maintaining the authoritative access permissions for an entity. | Change "a person or entity" to "an entity". | 1) Entity covers both persons and non-persons<br>Question [for FICAM]: What's the difference between Entitlement Management and Provisioning? What's the difference between an entitlement and an attribute and an access permission? |
| Provisioning | Linking and unlinking access permissions for a person or entity to a protected resource. | Opportune associating and dis-associating authorization attributes to entities to provide for access to and use of information resources. | Rewrite | Question [for FICAM]: What's the difference between Entitlement Management and Provisioning?<br>1) "Opportune" is unnecessary and confusing as to its intent |
| Authentication | Verifying that a claimed identity is genuine based on valid credentials. | Verifying that a claimed identity's validity based on trusted credentials is genuine with a measurable level of assurance. | 1) Change "identity is genuine" to "identity's validity"<br>2) Change "valid" to "trusted"<br>3) Add "is genuine with a measurable level of assurance" | 1) Subtlety about whether authentication checks the validity of the credential or the claimed identity<br>2) Credentials must be trusted not only at the point of authentication, but in asserting authentication across boundaries.<br>3) Credentials must provide a measurable level of assurance so needed levels of trust can be leveraged commensurate with the environment and the activity for which authentication is needed. |
| Authorization | Granting or denying access requests to protected resources based on a policy determination. | Granting or denying entity access requests to information resources based on determination by a digital policy. | 1) Add "entity"<br>2) Change "protected" to "information"<br>3) Change "policy determination" to "determination by a digital policy" | 1) Attribute the access to an entity<br>2) Better word<br>3) Clarity |

@lachellel

addressed during architecture update working sessions - closing
