Glossary

actor

A user or machine account that wants to access a target in an app in some way. For example, a user actor may want to read the email of another target user.

app

An application installed into a UCS system from the App Center, or a third-party service provider that integrates with the UCS system. Specifically, the term covers applications or service providers that integrate with the Guardian.

app developer

A person, company, or organization that develops software that is used with a UCS system and integrates with the Guardian. This includes UCS App Center applications, as well as third-party service providers using a service connector.

app infrastructure maintainer

A person who installs and manages UCS systems.

authentication

Confirmation of a user’s identity. The Guardian does not handle authentication.

authorization

Confirmation of the access that a user has. The Guardian’s job is to handle authorization after a user is authenticated.

Authorization API

A REST interface that allows an app to authorize an actor to use features of the app.

capability

One or more permissions, optionally combined with one or more conditions that are joined by either an “AND” or “OR” relationship.

condition

A criterion under which a permission applies.

context

An optional tag that modifies when a role applies.

guardian admin

A user with the guardian:builtin:super-admin role, who can manage all aspects of the Guardian and any app using the Guardian, including capabilities for users and groups.

guardian app admin

A user with a role ending in app-admin, who can manage most aspects of an app, including which capabilities a user has for that app.

Management API

A REST interface that allows an app or guardian admin to manage the Guardian.

Management UI

A limited web interface that allows a guardian admin or guardian app admin to manage the Guardian.

namespace

A categorization of Guardian elements within an app. For example, an office suite might create an email namespace in which to store roles and permissions related to email.

permission

An action that an actor can take in a specific app.

role

A string assigned to a user, group, or object in order to use a capability. In a UCS domain this is usually done in UDM and is currently supported for user objects only.

target

A resource in an app that an actor wants to access. Used in determining which permissions an actor has.