- Clustered application:
Represents an application that is composed of a number of identical nodes. Examples include server farms, Active Directory domains, Hitachi ID Identity and Access Management Suite replicated nodes, etc.
- Application node:
Individual systems or applications that are members of a clustered application. Examples include individual servers, Active Directory domain controllers, individual Hitachi ID Suite server nodes, etc.
- Primary security database:
A repository of login accounts that contains (at least) an ID and password for each account. In the Windows environment, this may be either a local SAM account database or Active Directory. On other platforms, they may include /etc/passwd and /etc/shadow on Unix/Linux, the security database in RAC/F and various system tables in SQL Server, Oracle and other databases.
- Security context:
Processes executing on any multi-user operating system, including Windows, Unix, Linux, z/OS, etc. have a security context. This context always includes the identity of the user whose permissions determine what the process is and is not allowed to do.
On Windows systems, processes may either run as Local Service, Local System or Network Service -- all of which are unauthenticated, privileged users that are fundamental parts of the operating system or in the security context of a named user. Example named users, used to run services on Windows, include:
- IUSR_machinename -- retrieves web content inside IIS on behalf of unauthenticated web browsers.
- IWAM_machinename -- launches external processes from IIS.
- BESAdmin -- used to run Blackberry Enterprise Services application components.
On Unix/Linux systems, typical accounts include nobody or apache to run the Apache web server, mysql to run the MySQL database, bind to run the BIND DNS resolver, etc.
An entity that stores a password used to authenticate to a primary security database. For example, Windows Service Control Manager may be a subscriber, where it runs a service in the security context of a named account and in this case the primary security database may be either the local Windows SAM database or Active Directory.
- Service account:
An account in a primary security database, in whose security context at least one service is run. A subscriber is that which authenticates to the primary security database, in order to establish a security context for a process which it wishes to run.
- Managed process:
The service or task started by the subscriber, which runs in the security context of a service account.
- Application account:
Application accounts are used by one application to sign into another application, either locally on the same system or across a network. They are not used to establish an operating-system-level security context. Examples are accounts used to connect a client to a database server, to bind a client to an LDAP(S) directory server, to authenticate to API services, to attach to network file systems, etc.
- Service account password change:
The act of changing a password in the primary security database. On the Windows platform, service account password changes must be accompanied by notification of the new password value to every subscriber that uses that service account (see below).
The act of informing subscribers of a new password value for a service account that it uses. The notification process may involve additional steps, the most common being the stopping and restarting of services.
A coordinated process involving exactly one service account password change and one or more related notifications. For example, if a service account is used by multiple subscribers, orchestration is required to notify all of them of a new password value.
- Privileged access management system:
A system that can (among other things) effect service account password changes and orchestrate subscriber notification.
- Credential vault:
A secure database maintained within a privileged access management system that contains (among other things) the passwords to service accounts.