People, machines, and services are principals. Every principal has a UUID, is authenticated, and is granted capabilities by the authorization service.
There is one special principal: NOS root. Each machine has a local root identity.
Every principal has a password. For non-human principals, the password is stored in a local key table. Every principal has associated demographic information. Managing principals is the basis for account management.
Actions on principals include create, modify, delete, disable, enable, authenticate, and logout.
Actions on passwords include set and randomize.
Actions on key tables include create, modify, and delete.