Customer Identity & Access Management (CIAM)
Authentication and Authorisation
This page provides an overview for developers to create applications that interact with humans and for the development of applications that interact machine-to-machine.
Types of Accounts
Human Accounts (HA)
This type of account identifies a human user authenticating and interacting with an application. It will typically be a combination of an email and a password.
Application Accounts (AA)
Application Accounts are API keys used for applications to interact with an end user, so specifically the user is authenticating with a human account (HA) and LSEG has line of sight to the end user and controls end user entitlements.
Service Accounts (SA)
A service account is an account that a service on a server uses to run under and access resources. This MUST NOT be a user’s personal account. While they may look the same, the separation of users, and especially those with admin privileged accounts from services is very important for both tracking and security.
A service account can also be an account that is used for a scheduled task (sometimes referred to as a batch job), or an account that is used in a script that is run outside of a specific user’s context. A scheduled task account MUST NOT be a normal user’s account for the same reasons that a service should not run under a normal user’s account.
Security Implications
These accounts are a favourite target of many malicious actors, mainly because they are often implemented in such a way that they have a higher level of access than a user account. Historically, they also have not changed passwords as often (if ever) as user accounts. There will also be several users who are using these service accounts in order to log into systems as these accounts will have been granted the interactive logon right.
Services are also often installed under the built-in Local System account, which gives what are essentially local administrator privileges, so they are more predictable in how they will be able to be used if compromised. While local administrator privileges may seem somewhat harmless since they are not usually useable on other computers on your network, the local administrator privileges can end up granting access to domain username/password combinations and or lead to account changes that allow for easier connections to other parts of our network.
Adherence to coherent Naming Standards is essential to the establishment and maintenance of a coordinated Active Directory and infrastructure. Each Service Account is created uniquely in the Domain for one application. A Service Account is assigned permissions and/or group memberships only to allow it to support the needs of the application. Service Accounts cannot be used for interactive logon.