Customer Identity & Access Management (CIAM)
Authentication and Authorisation
This page provides an overview for developers creating applications that interact with humans and applications that interact machine-to-machine.
Types of Accounts
Human Accounts (HA)
This type of account identifies a human user authenticating and interacting with an application. It will typically be a combination of an email and a password.
Application Accounts (AA)
Application Accounts are API keys that applications use to interact with an end user. The end user authenticates with a human account (HA), so LSEG has line of sight to the end user and controls end-user entitlements.
Service Accounts (SA)
A service account is an account that a service on a server runs under and uses to access resources. This MUST NOT be a user’s personal account. While the two may look the same, separating users, especially those with admin-privileged accounts, from services is very important for both tracking and security.
A service account can also be an account that is used for a scheduled task (sometimes referred to as a batch job), or an account that is used in a script that is run outside of a specific user’s context. A scheduled task account MUST NOT be a normal user’s account for the same reasons that a service should not run under a normal user’s account.
Security Implications
These accounts are a favourite target of many malicious actors, mainly because they are often implemented in such a way that they have a higher level of access than a user account. Historically, their passwords have also been changed less often than those of user accounts, if ever. There will also be several users who use these service accounts to log into systems, because the accounts will have been granted the interactive logon right.
Services are also often installed under the built-in Local System account, which gives what are essentially local administrator privileges, making them more predictable in how they can be used if compromised. While local administrator privileges may seem somewhat harmless since they are not usually usable on other computers on your network, they can end up granting access to domain username/password combinations and/or lead to account changes that allow for easier connections to other parts of our network.
Adherence to coherent Naming Standards is essential to the establishment and maintenance of a coordinated Active Directory and infrastructure. Each Service Account is created uniquely in the Domain for one application. A Service Account is assigned permissions and/or group memberships only to allow it to support the needs of the application. Service Accounts cannot be used for interactive logon.
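The rules above can be checked mechanically against an account inventory. The following is an added example, not LSEG code: the record fields, account names, the 365-day password threshold and the privileged-group list are all assumptions, and the sample data is constructed.

```python
from datetime import date

MAX_PASSWORD_AGE_DAYS = 365  # assumed threshold; the page does not set one
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}  # assumed list

# Constructed sample inventory; field names are hypothetical.
ACCOUNTS = [
    {"name": "svc-pricing", "type": "service", "applications": ["pricing"],
     "interactive_logon": False, "password_last_set": date(2025, 1, 10),
     "groups": ["pricing-readers"]},
    {"name": "svc-shared", "type": "service", "applications": ["billing", "reports"],
     "interactive_logon": True, "password_last_set": date(2019, 3, 14),
     "groups": ["Domain Admins"]},
    {"name": "jsmith", "type": "human", "applications": [],
     "interactive_logon": True, "password_last_set": date(2025, 2, 1),
     "groups": ["staff"]},
]
SERVICES = [
    {"service": "pricing-feed", "run_as": "svc-pricing"},
    {"service": "report-batch", "run_as": "jsmith"},
    {"service": "legacy-agent", "run_as": "LocalSystem"},
]

def audit(accounts, services, today):
    """Return sorted (subject, finding) pairs for the service account rules."""
    by_name = {a["name"]: a for a in accounts}
    findings = []
    for a in accounts:
        if a["type"] != "service":
            continue
        if a["interactive_logon"]:
            findings.append((a["name"], "interactive logon allowed"))
        if len(a["applications"]) != 1:
            findings.append((a["name"], "not unique to one application"))
        if (today - a["password_last_set"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((a["name"], "password older than threshold"))
        if PRIVILEGED_GROUPS & set(a["groups"]):
            findings.append((a["name"], "member of privileged group"))
    for s in services:
        owner = by_name.get(s["run_as"])
        if s["run_as"] == "LocalSystem":
            findings.append((s["service"], "runs as built-in Local System"))
        elif owner is None:
            findings.append((s["service"], "runs as unknown account"))
        elif owner["type"] != "service":
            findings.append((s["service"], "runs under a human account"))
    return sorted(findings)

if __name__ == "__main__":
    for subject, finding in audit(ACCOUNTS, SERVICES, date(2025, 6, 1)):
        print(f"{subject}: {finding}")
```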