Core User Directory (CUD) glossary of terms
| Term | Definition |
| --- | --- |
| Access Control List | A list of rights that a Principal has over Subjects or logical groups of Subjects (a common abbreviation for this is ACL) |
| Attribute | An individual item of data pertaining to an entity and stored in a record. For example: gender |
| Attribute release policy | A definition of what data can be released to which query source (a common abbreviation for this is ARP). Data sources have control over the attribute release policy for attributes they provide to CUD. Attribute release policies are reviewed before they are applied |
| Authentication | A process by which an individual proves their identity, particularly electronically (a common abbreviation for this is AuthN). CUD does not provide an authentication service for Subjects. Principals must authenticate to CUD, but CUD does not itself provide this authentication service |
| Authorisation | The process of determining whether an individual is permitted a level of access to a resource or part of a resource (a common abbreviation for this is AuthZ). CUD does not provide an authorisation service for Subjects |
| CUD record | Data pertaining to a real entity (a person in this context) stored within CUD |
| CUDID | A unique, immutable identifier assigned to a person record (Subject) in CUD. This takes the form of a GUID in 32-character hexadecimal string format |
| Core attributes | A set of common attributes which CUD derives from data sources and presents to query sources as a consolidated set. Any variation between attribute values in different systems will be highlighted in metadata. The attributes are all "owned" by the person: naming attributes, gender, date of birth, address etc. (to be agreed) |
| Data | One or more attributes about people |
| Data Owner | A business role associated with responsibility for a given set of data. Normally this comes with responsibility for deciding which users in the organisation may access the data in question and for the quality of the data. CUD is only the data owner for the CUDID. The primary data systems from which it collects data are the owners of the data sourced from them |
| Data administrator | A role defined by the organisation which has responsibility for maintaining data stored in a system |
| Data authority | A source system which, by organisational agreement, has authority for the value of one or more defined attributes |
| Data manager | A role defined by the organisation which has responsibility for the nature, accuracy, usage and appropriate dissemination of data held in a system |
| Data validation in data sources | Validation operations taking place within applications, often as checks on data entry. CUD is designed to be non-intrusive and does not seek to provide this. It may be possible for CUD to report validation failures through a defined interface, but the sending of the data to CUD is a required precondition for this |
| Derived system | A system or service to which CUD sends data |
| Directory service | A directory is a network service which lists participants in the network. In the CUD context these are people who have an association with the University of Oxford |
| Entity | A real thing (a person in this context), external to all data systems but represented in them |
| GUID | Globally unique identifier. A value guaranteed to be unique in the Universe |
| Group | A logical grouping together of multiple Subjects, based on one or more common characteristics |
| Identity | A synonym for Subject. Subject is the preferred term, as Identity is loaded with preconceptions |
| LocalId | A local ID is a user's unique, immutable identifier within the context of a single system |
| Manual Subject Matching Intervention | A human task to decide whether a possible match with a low satisfaction level should be used or not. Requires communication and human judgement |
| Master data management | Centralised management of data, enforcing constraints across a range of systems. Not provided by CUD |
| Metadata | Information about data. For each data attribute it stores, CUD will also store metadata for: attribute description; data source; added date; last changed date. Metadata will always be returned by CUD with the data in response to queries |
| Minimum attributes | A minimum set of attributes which must be provided by a data source in order to participate in CUD. The minimum set consists of: a LocalId; one or more attributes which can be used for matching |
| Password management | A wide-ranging term. CUD does not provide any password management functionality for Subjects. Password management functionality for Principals is provided by external systems |
| Primary data system | A system or service which sends data to CUD, or from which CUD obtains data |
| Query | A structured definition of criteria to use to search CUD, with an optional list of attributes to return. The result will be sent to the query source. A query can be one-off, scheduled, or persistent with data sent each time a change occurs in CUD. By default, queries are asynchronous and require an interface defined for receiving data |
| Query source | A system sending a query to CUD and expecting data to be sent in return. This definition is point-of-view dependent |
| Reconciliation | The process of addressing differences in values stored for a common attribute in different primary data systems. The process influences how divergent values are reported, and how they may be addressed with the aim of convergence on a single value |
| Record | Data pertaining to a real entity (a person in this context) stored within a system |
| SPML | Service Provisioning Markup Language, a schema definition for communicating data between systems in XML. Can be used for provisioning if support is available in a target system. Used internally by CUD and can be sent to target systems |
| Secondary data system | A system or service which obtains data from a primary data system |
| Security Principal | A definition of an external entity (person or system in this context) with assigned rights to create, read, update or delete Subject data in CUD |
| Service de-provisioning | Automatic suspension or deletion of service objects (such as accounts) in systems. CUD can provide the data required to do this, but not the logic which determines the actions to take. An operation (or series of operations) that CUD does not perform, but may enable |
| Service provisioning | Automatic creation of service objects (such as accounts) in systems. CUD can provide the data required to do this, but not the logic which determines the actions to take. An operation (or series of operations) that CUD does not perform, but may enable |
| Subject | Synonym for CUD record |
| Subject Matching | Matching of data flowing into CUD against records already present in CUD. One or more attributes which are common to CUD and the source of data will be used for matching, with a satisfaction level assigned according to the quality of the match (i.e. the more unique the attributes, the higher the satisfaction level) |
| Subject Matching Strategy | A definition of a set of attributes to use for matching, with a satisfaction level for the resulting match. Multiple Subject Matching Strategies can be attempted in turn in descending order of satisfaction level |
| Subject Merge | Operation to merge two or more Subjects within CUD into one where it is satisfactorily established that they represent the same person |
| Supported data format | A method of packaging data which is supported by CUD either to receive or send data. Delimited file, XML and JSON are accepted |
| Supported transport | A method of communicating data across the network. HTTPS (including web services), SCP, SFTP, CIFS, Mail, databases supporting JDBC, JMS and XMPP are supported |
| Tertiary data system | A system or service which obtains data from a secondary data system |
| The pure identity paradigm | The model of creation, management and deletion of identities without regard to the access or entitlements assigned to those identities. CUD follows this model |
| The service paradigm | A system that delivers personalised, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices |
| The user access (log-on) paradigm | A collection of processes which result in a customer being able to log on to a service or services. See also: service provisioning; authentication; authorisation |
| UID | Unique ID. A value guaranteed to be unique in a defined context, such as a system. See also: LocalId |
| Unit attributes | Other attributes provided by source systems which are not part of the core attribute set. When CUD is queried for these attributes it will always include metadata in the response |
| Validation | The process of applying rules to attribute values to ensure that they fit pre-defined constraints. CUD validates attributes before storing them. Validation does not guarantee that the data is correct, simply that it fits constraints |
| XML schema | A definition of what an XML document should or could contain. CUD uses XML schemas to validate data |
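The Subject Matching, Subject Matching Strategy and Manual Subject Matching Intervention entries describe one procedure: try strategies in descending order of satisfaction level, accept a unique strong match, and hand weak or ambiguous matches to a human. The following Python is an added illustration of that procedure, not CUD code: the strategy names, satisfaction levels, the auto-accept threshold, the record layout and all CUDIDs and person data are invented for the example.

```python
"""Ordered subject matching with a manual-intervention fallback.

Constructed example, not CUD code. Records, strategy names, satisfaction
levels and the acceptance threshold are all assumptions for illustration.
"""
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

Record = Dict[str, object]
Key = Tuple[Optional[str], ...]


def _norm(value: object) -> Optional[str]:
    """Case-fold and trim a string attribute; anything else becomes None."""
    return value.strip().casefold() if isinstance(value, str) else None


def _key(*parts: Optional[str]) -> Set[Key]:
    """One matching key, or no key at all if any required part is missing."""
    return set() if any(p is None for p in parts) else {tuple(parts)}


def local_id_keys(rec: Record) -> Set[Key]:
    # A LocalId is unique only within one source system, so the key
    # carries the system name alongside the identifier.
    return {(src, lid) for src, lid in rec.get("localIds", {}).items()}


def email_keys(rec: Record) -> Set[Key]:
    return _key(_norm(rec.get("email")))


def name_dob_keys(rec: Record) -> Set[Key]:
    return _key(_norm(rec.get("surname")), _norm(rec.get("givenName")),
                _norm(rec.get("dateOfBirth")))


def surname_dob_keys(rec: Record) -> Set[Key]:
    return _key(_norm(rec.get("surname")), _norm(rec.get("dateOfBirth")))


@dataclass(frozen=True)
class Strategy:
    name: str
    keys: Callable[[Record], Set[Key]]
    satisfaction: float  # 0..1; higher means the attribute set is more unique


# Assumed strategies; they are tried in descending order of satisfaction level.
STRATEGIES = sorted([
    Strategy("local-id", local_id_keys, 1.0),
    Strategy("email", email_keys, 0.95),
    Strategy("name-dob", name_dob_keys, 0.9),
    Strategy("surname-dob", surname_dob_keys, 0.6),
], key=lambda s: s.satisfaction, reverse=True)

AUTO_ACCEPT_LEVEL = 0.9  # assumed policy threshold; below this a human decides


@dataclass(frozen=True)
class MatchResult:
    action: str                  # "accept", "manual" or "create"
    strategy: Optional[str]      # strategy that produced the candidates
    satisfaction: float
    candidates: Tuple[str, ...]  # CUDIDs of the matching records


def match_subject(incoming: Record, existing: Dict[str, Record]) -> MatchResult:
    """Run each strategy in turn. The first strategy that finds any candidate
    decides the outcome, so a weaker match can never override a stronger one."""
    for strategy in STRATEGIES:
        wanted = strategy.keys(incoming)
        if not wanted:
            continue  # incoming data lacks an attribute this strategy needs
        hits = tuple(cudid for cudid, rec in existing.items()
                     if wanted & strategy.keys(rec))
        if not hits:
            continue
        # A single hit at or above the policy level is accepted automatically;
        # a weaker hit, or more than one candidate, is a manual intervention.
        if len(hits) == 1 and strategy.satisfaction >= AUTO_ACCEPT_LEVEL:
            return MatchResult("accept", strategy.name, strategy.satisfaction, hits)
        return MatchResult("manual", strategy.name, strategy.satisfaction, hits)
    return MatchResult("create", None, 0.0, ())


# Constructed CUD records keyed by CUDID (a GUID as 32 hex characters).
CUDID_JANE, CUDID_JOHN, CUDID_ALICE = (uuid.UUID(int=n).hex for n in (1, 2, 3))
EXISTING: Dict[str, Record] = {
    CUDID_JANE: {"localIds": {"hr": "H1001"}, "surname": "Smith", "givenName": "Jane",
                 "dateOfBirth": "1980-02-14", "email": "jane.smith@example.org"},
    CUDID_JOHN: {"localIds": {"student": "S2002"}, "surname": "Smith", "givenName": "John",
                 "dateOfBirth": "1980-02-14", "email": "john.smith@example.org"},
    CUDID_ALICE: {"localIds": {"hr": "H1003"}, "surname": "Brown", "givenName": "Alice",
                  "dateOfBirth": "1975-06-01", "email": "alice.brown@example.org"},
}

if __name__ == "__main__":
    # Two Smiths share a surname and date of birth, so a partial name only
    # reaches the weakest strategy and yields an ambiguous, manual result.
    print(match_subject({"localIds": {"library": "L78"}, "surname": "Smith",
                         "givenName": "J.", "dateOfBirth": "1980-02-14"}, EXISTING))
```

Two design points matter for a directory like this. First, the order of strategies is fixed by satisfaction level, so a source's own LocalId always wins over a name comparison, which is the only way a LocalId can be the immutable key the glossary promises. Second, ambiguity is never resolved automatically: two candidates from any strategy, or one candidate below the acceptance level, become a Manual Subject Matching Intervention rather than a silent merge.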