A security principal is any user or entity that can access a computer and be identified through use of a username and password or another authentication method. There are two main security principal entities: a human user and another computer system. Aside from making authentication easier, using principals lets rights be assigned to each principal that allow or deny an activity, such as opening and changing a document. To make the act of setting permission levels easier for administrators, many security principals can be grouped together and rights can be granted to or taken away from the entire group.
When someone logs into a computer system, most computers will authenticate the security principal to ensure it is real. The simplest way of doing this is by giving the principal a username and a password, but there can be more advanced authentication methods, such as checking the Internet Protocol (IP) address, public key and digital signature of the principal. Once the principal is authenticated, the computer knows the principal can be granted access to the system.
Each security principal is granted certain rights, depending on how the administrator sets the system. Basic rights only allow the principal to open documents and, possibly, make simple modifications to documents. More advanced rights enable the principal to perform complex modifications and have access to otherwise restricted sections of the computer system.
The security principal is typically a human user or another computer. Regardless of what rights a human user is granted, whether he or she is a basic user or the administrator, he or she is still considered a security principal. Most computer networks have other computers and digital systems attached to them, because these computers add extra functionality or perform tasks necessary to keep networks going. To authenticate and grant rights to the computers, they must be designated as security principals.
While an administrator can go through each security principal and determine what rights the principal has, this can take hours on large networks. To make this task easier, a principal can be added to a certain group that has default rights. For example, if a new user is set up as a principal and assigned to the managers' group, then he or she will automatically have all the rights associated with being a manager. Grouping does not help much with authentication; it is mainly to assist the administrator with handing out rights.
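
The grouping described above can be modelled in a few lines. This is an added example, not part of the original article: it computes each principal's effective rights from direct and group grants and lets an administrator audit where a right comes from. The group names, right names and the rule that a deny always overrides an allow are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    allow: set = field(default_factory=set)   # rights granted to every member
    deny: set = field(default_factory=set)    # rights taken away from every member

@dataclass
class Principal:
    name: str
    kind: str                                  # "user" or "computer"
    groups: list = field(default_factory=list)
    allow: set = field(default_factory=set)   # rights set directly on the principal
    deny: set = field(default_factory=set)

def effective_rights(p):
    """Union of direct and group grants, minus every deny (assumed deny-wins rule)."""
    allowed, denied = set(p.allow), set(p.deny)
    for g in p.groups:
        allowed |= g.allow
        denied |= g.deny
    return allowed - denied

def sources_of(p, right):
    """Audit helper: list where this principal's grant of `right` comes from."""
    found = ["direct"] if right in p.allow else []
    found += [g.name for g in p.groups if right in g.allow]
    return found

# Constructed sample data (hypothetical groups, principals and rights)
staff = Group("staff", allow={"open_document"})
managers = Group("managers",
                 allow={"open_document", "change_document", "approve_budget"})
contractors = Group("contractors", deny={"approve_budget"})

alice = Principal("alice", "user", groups=[managers])
bob = Principal("bob", "user", groups=[managers, contractors])
backup01 = Principal("backup01", "computer", groups=[staff],
                     allow={"read_all_shares"})

if __name__ == "__main__":
    for p in (alice, bob, backup01):
        print(p.name, p.kind, sorted(effective_rights(p)))
    # One change to the group changes every member at once.
    managers.allow.discard("approve_budget")
    print("alice after group change:", sorted(effective_rights(alice)))
```

Rights granted directly to a principal, such as the one on `backup01`, are the ones a group review will miss, which is why `sources_of` reports them separately.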