Home

securityprincipal

A security principal is an entity that can be authenticated by a computer system and that may be granted access to resources. In security architectures, the principal represents the subject in authorization decisions. The term is distinct from identity in that the identity is the factual person or entity, while the principal denotes the security context used during access checks. Principals can be humans, services, computers, or other devices.

Principals are authenticated and then held in a security context, often as a token or credential. This

Types of principals include: user accounts, groups (or role memberships), service accounts, and computer or device

In Windows, for example, an access token contains the user’s security identifier (SID) and the SIDs of

Security design emphasizes proper management of principals, including least privilege, careful token handling, and clear separation

context
is
used
to
determine
what
resources
the
entity
may
access
and
what
operations
it
may
perform.
Access
control
mechanisms
compare
the
principal’s
identity
and
associated
attributes
against
access
control
lists,
policies,
or
claims
to
decide
whether
access
should
be
allowed.
accounts.
In
cloud
and
enterprise
environments,
principals
can
also
be
represented
by
service
principals
or
application
identities,
including
claims-based
identities
where
a
set
of
claims
defines
the
principal’s
attributes.
groups
the
user
belongs
to.
Resources
have
access
control
lists
that
reference
SIDs,
and
access
checks
use
the
token
to
determine
whether
the
principal
is
permitted
to
perform
an
action.
In
other
systems,
principals
may
be
represented
by
certificates,
Kerberos
principals,
or
claims
in
a
token.
of
duties,
to
minimize
the
risk
of
unauthorized
access
or
privilege
escalation.