{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-guides/machine/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"type":"markdown"},"seo":{"title":"Basic concepts","description":"Everything about Mosaic Journeys, SDKs, and APIs","siteUrl":"https://developer.transmitsecurity.com/","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"basic-concepts","__idx":0},"children":["Basic concepts"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This describes some basic concepts related to Mosaic Machine Identity Management services."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"ticket","__idx":1},"children":["Ticket"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Also referred to as an “invite code”, this is an entity in MIM used for enrollment and establishing a Workload identity. Tickets can be generated manually in the Admin console or programmatically using a Ticket Factory. A ticket can be marked as an Orchestrator, giving its workload privileges to use a Ticket Factory. In addition, for an extra layer of security, a Ticket may be assigned a set of Restrictions (see below)."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"ticket-factory","__idx":2},"children":["Ticket Factory"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Automation layer for Ticket generation. Used by the control plane to generate Tickets programmatically."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"orchestrator","__idx":3},"children":["Orchestrator"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A privileged Workload role that can be assigned in the Ticket creation menu, 
allowing the Workload to use a Ticket Factory. These privileged Tickets are often created manually by authenticated admins."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"access-controls","__idx":4},"children":["Access controls"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["An entity (Ticket, Workload, or Secret) may be assigned a set of attributes that restrict its access or usage for added security. Restrictions are set upon creation but can be modified at any later point (including after expiration, but they will only take effect if the entity's expiration is extended). For more, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/machine/manage_access_controls"},"children":["Manage access controls"]},"."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"services","__idx":5},"children":["Services"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Service - A Service is an abstraction layer over the authorization claims that a service supports. It consists of a unique name and a list of Service Actions, and is used to facilitate authorization for Workloads."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Service Actions - Arbitrary strings that can be assigned to a Ticket. Any Workload that has used the Ticket for authentication will have the Service Actions included in its JWT-based authorization header."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Enforcement of the Service Actions is optional and is handled by the service that receives the JWT."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"inventory","__idx":6},"children":["Inventory"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Workload - An authenticated identity for a piece of software, associated with the specific Ticket it used during authentication. 
May contain metadata about its execution environment, additional secondary identities it is associated with, and liveness."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Secret - A Secret is an arbitrary piece of data that’s considered sensitive. Secrets can be strings or binary data. Secrets are automatically populated from Secret Stores or created manually in the Admin Console. Secrets can be assigned Restrictions for additional security (see Restrictions). If allowed, authenticated Workloads can be granted access to specific secrets."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Secret Stores (Experimental) - Allow onboarding of external Secret Managers via the Admin Console."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"activity","__idx":7},"children":["Activity"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Acts as an audit trail of both Machine Identity-related changes in the Admin Console and workload events such as authentications, access to secrets, etc."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"observations-experimental","__idx":8},"children":["Observations (Experimental)"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Metrics from predefined checks of the system, both for visibility and for future security analysis features."]}]},"headings":[{"value":"Basic concepts","id":"basic-concepts","depth":1},{"value":"Ticket","id":"ticket","depth":2},{"value":"Ticket Factory","id":"ticket-factory","depth":2},{"value":"Orchestrator","id":"orchestrator","depth":2},{"value":"Access controls","id":"access-controls","depth":2},{"value":"Services","id":"services","depth":2},{"value":"Inventory","id":"inventory","depth":2},{"value":"Activity","id":"activity","depth":2},{"value":"Observations (Experimental)","id":"observations-experimental","depth":2}],"frontmatter":{"title":"Basic concepts","excludeFromSearch":true,"seo":{"title":"Basic 
concepts"}},"lastModified":"2024-08-04T09:54:16.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/machine/basic_concepts","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}