Why 'Principal' is an 'authenticated user'

Many computer systems related to authorization and permissions use the word 'principal' as a term to describe a 'user' or 'member'.

I can't get the connotation here. A principal is a 'school boss', or the 'body of the credit', etc. Why is a user (an entity that gets permission) named 'principal'?

Example of use, if someone is not familiar with IT:

In IAM [Identity and Access Management, e.g. in Amazon Web Services and Google Cloud Platform], permission to access a resource isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to authenticated principals. (In the past, IAM often referred to principals as members. Some APIs still use this term.)

What's the origin of this meaning (the user)? What should it refer to in the mind of the reader?


Solution 1:

This is something of a tech-jargony usage, but I think it is a natural extension of other meanings the word has. For instance, Dictionary.com Unabridged has these senses:

  1. Law. a person who authorizes another, as an agent, to represent him or her.

a. a person directly responsible for a crime, either as an actual perpetrator or

b. as an abettor present at its commission. Compare accessory (def. 3).

  1. a person primarily liable for an obligation, in contrast with an endorser, or the like.

Oxford, as quoted by Google, has these:

a person for whom another acts as an agent or representative.

"stockbrokers in Tokyo act as agents rather than as principals"

I think if we squint at these, we can come to a general understanding that "principal" can be understood to be a person who is responsible for taking actions -- so in the IAM case, it's the user who is responsible for whatever actions are taken in AWS, who may or may not actually be taking those actions himself/herself.

For instance, if I give my credentials to a script and let it run periodically, I am not the agent -- the script is. But I am the principal, because it is my name that will show up in the logs if someone asks "who did this?"

As explained in DjinTonic's answer, in a technical context, the principal is not necessarily a person, but I see that as a semantic expansion from this meaning.

Solution 2:

Principal in this sense is a term of art and not limited to people:

Principal (computer security)

A principal in computer security is an entity that can be authenticated by a computer system or network. It is referred to as a security principal in Java and Microsoft literature.

Principals can be individual people, computers, services, computational entities such as processes and threads, or any group of such things.(1) They need to be identified and authenticated before they can be assigned rights and privileges over resources in the network. A principal typically has an associated identifier (such as a security identifier) that allows it to be referenced for identification or assignment of properties and permissions. Wiki

Reference (1) above is this Microsoft webpage:

Understanding Active Directory Security Principal Accounts

A security principal is a user account, computer account, or group account. Security principals are assigned security identifiers (SIDs) when they are created, which are used to control access to resources, and used by internal processes to identify security principals. ScienceDirect