Identity and Access Management Terminology

Glossary

By

Magnaquest Solutions Sdn Bhd

Cyberjaya

www.magnaquest.com

Version 1.0

4th October 2010

Identity and Access Management - Glossary

Revision History

Date
Version Author Reviewed By Changes
(DD/MM/YYYY)
1.0 Oct 04, 2010 Shince Thomas Initial draft

Trade Marks

―MQAssureTM‖ is registered trademarks of Magnaquest Solutions Sdn Bhd

Company Titles

Within this document, the following shortened forms of company titles may be used:

Magnaquest Solutions Sdn Bhd - ‗Magnaquest‘

2
Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

Access Certification Over time, users may accumulate entitlements which are no longer
needed or appropriate for their job function. Access certification is a
process by which appropriate business stake-holders, such as
users' managers or application owners, can periodically review
entitlements and identify those that should be removed.

Access Control An access control limits the use of a resource. Only those people,
programs or devices that are specifically permitted to use the
resource will have access. In addition, an access control will usually
limit use to specific types of access; someone can read a file but not
change it, for example.

An access control may be physical, for example, a lock on a door; or

it may be software or hardware based, for example, in a computer
system. It can also be a combination of the two.

Access Control Access control is the mechanism by which you define access. When
Instruction (ACI) the server receives a request, it uses the authentication information
provided by the user in the bind operation, and the access control
instructions (ACI‘s) defined in the server to allow or deny access to
directory information. The server can allow or deny permissions
such as read, write, search, and compare. The permission level
granted to a user may be dependent on the authentication
information provided.

Access Control List A list of Access Control Instructions (ACI‘s) constitutes an Access
(ACL) Control List.

Access Deactivation When termination happens, user access rights relating to an

organization's systems and applications must be removed. This
removal is called access deactivation.

Access In an organization, access management is the sum of all of the

Management practices, policies, procedures, and technical access control
mechanisms that are used to appropriately control access to the
assets, or a subset of the assets, of the company.

Account Expiry An account has a termination date if logins will not be possible after
Date a given time/date

Administrator An administrator lockout is a flag set by an administrator to disable

Lockout logins on an account.
3

Administrator lockouts normally precede permanent deletion of the

Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

account, and provide an opportunity to retrieve data from the

account before it is removed.

Note that on some systems and applications, intruder lockouts and

administrator lockouts are entangled (they use the same flag). This
is a poor but common design.

Alert A robust network-security monitoring application should include an

alerting service. When an event that requires attention occurs, this
service will send a notice by e-mail, page, instant messaging or
other urgent method to a security expert.

Alias An alias is a local ID that a user has on a given system which is

different from the user's global ID

Application Vendors release new versions of their software all the time. When
Migration this happens, customers often choose to upgrade. Upgrades may
require data from the old system, including data about users, to be
migrated to the new system. An identity management system can be
used to aid in this migration process.

Application Owner An application‘s owner is a person in a business organization who

may have authorized purchase of the application and is in any case
responsible for the use of that system. This is a business rather than
technical role.

Approval Workflow An approval workflow is a business process where human actors

may enter, review, approve, reject and/or implement a change
request

Approved Exception An approved exception is a role violation which has been flagged
as acceptable, and which consequently may be removed from
violation reports and/or not corrected

Assertion When an Identity Provider authenticates a user and directs them

back to the referring Service Provider, it includes as part of the
message an assertion to prove that the user authenticated.

Assisted Password An assisted password reset is a password reset (reset)

Reset accomplished by interaction between the user and a support
analyst, typically over a telephone. Assisted password resets are
similar to self-service password resets (self-service-reset), but with
the intervention of a support analyst.
4
Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

Attestation Attestation is synonymous with access certification. This term

highlights the aspect of certification where stake-holders attest to
the appropriateness of entitlements, rather than flagging those that
should be removed. Both signing off on appropriate entitlements and
flagging inappropriate ones should be done in tandem.

Attribute A single piece of information associated with an electronic identity

database record. Some attributes are general; others are personal.
Some subset of all attributes defines a unique individual. Examples
of an attribute are name, phone number, group affiliation, etc

Attribute Assertion A mechanism for associating specific attributes with a user

Attribute Authority The service that asserts the requester‘s attributes by creating an
(AA) attribute assertion and then signing it. The sites must be able to
validate this signature

Audit An independent review and examination of a system‘s records and

activities to determine the adequacy of system controls, ensure
compliance with established security policy and procedures, detect
breaches in security services and recommend any changes that are
indicated for countermeasures.

Audit Trail A list of all recorded activity, which resources are being accessed,
when and by whom and what actions are being performed. Audit
trails are one of the requirements of system accountability, enabling
any system action or event to be traced back to the user responsible
for it. Audit trails are also used to investigate cyber crimes. They are
indispensable for incident response and the follow-up aspect of
digital forensics. The audit trail enables the person investigating the
incident to follow the trail that was left.

Authentication Authentication is a process where a person or a computer program

proves their identity in order to access information. The person‘s
identity is a simple assertion, the login ID for a particular computer
application, for example. Proof is the most important part of the
concept and that proof is generally something known, like a
password; something possessed, like your ATM card; or something
unique about your appearance or person, like a fingerprint

Authentication An authentication factor is something a user presents to a system in

Factor order to prove his identity. It may be something he (and hopefully
5

only he) knows, or proof of possession of a physical object, or a

Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

measurement of some physical characteristic (biometric) of the

living human user. In other words, something the user knows, or
something he has, or something he is.

Authorization Authorization is the act of granting a person or other entity

permission to use resources in a secured environment. This is
usually tightly linked to authentication. A person or other identity first
authenticates and then is given pre-determined access rights. They
now have the authority to take specific actions.

The process of deciding what permissions are given begins with

policies—decisions made and documented by the owners of the
resources. The policies may be based on a user‘s identity or on the
user‘s role within the organization, or a combination of the two.

Authorization Authorizers in an approvals process may not respond to invitations

Reminders to review a change request in a timely manner. When this happens,
automatic reminders may be sent to them, asking them again to
review change requests

Authorizer Changes to user profiles or entitlements may be subject to approval

before they are acted on. In cases where approval is required, one
or more authorizers are assigned that responsibility

Automated Automated provisioning systems typically operate on a data feed

Provisioning from a system of record, such as a human relations (HR) system
and automatically create login IDs and related logical access rights
for newly hired employees or contractors.

It should be noted that automated provisioning normally operates

without a user interface -- i.e., data flows in from one system and out
to one or more other systems, without any further user input in
between.

Auto-provisioning reduces IT support costs and can shorten the time

required to provision new users with requisite access rights.

Automated Automated termination systems typically operate on a data feed

Termination from a system of record, such as a human relations (HR) system
and automatically disable access rights for existing users when they
have left an organization.

It should be noted that automated termination normally operates

6

without a user interface -- i.e., data flows in from one system and out
Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

to one or more other systems, without any further user input in

between.

Auto-termination reduces IT support costs and can make access

deactivation both faster and more reliable than manual processes.

Automatic In the event that an authorizer has been invited to review a change
Escalation request, has not responded, has been sent reminders, has
nonetheless not responded, and has not delegated his authority, an
identity management system may automatically select an alternate
authorizer, rather than allow the approvals process to stall.
Automatically rerouting requests to alternate authorizers is called
escalation.

Baseline An effective method for identifying security attacks on a network,

baselining starts by measuring normal activity on a network or
network device. That measurement is used as threshold, or
baseline, to detect unusual patterns or changes in levels of activity.
With this method, the security expert can focus efforts on evaluating
anomalies instead of looking for them by reviewing huge log files.

Some commonly baselined security events are:

• initiation and termination of network sessions,

• bandwidth use,

• user logins and logouts,

• failed logins, and

• rates and types of network traffic.

The term is also used to refer to other security practices. A baseline,

or security baseline often refers to an organizational standard for
securely configuring network devices.

It can also refer to the results of an organization‘s first security

assessment. This becomes the baseline against which the
organization measures improvements and changes.

Biometrics In a security context, biometrics and biometric authentication refer to

using a person‘s physical characteristic in order to authenticate
them for access to a resource.
7
Page

Some of the characteristics commonly used include those of the

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

eye, face, voice, fingerprints or the shape of a hand. Since these

characteristics are unique and change very little over time, they offer
strong proof of the person‘s identity. Since these authentication
systems are much more expensive to acquire and maintain, they are
often used for access to very sensitive or classified information.

Card Management Card Management Systems (CMS) provide support for the use of
Systems (CMS) cryptographic cards, often called smart cards, in an organization.
While the specific functions may vary depending on the vendor, in
general, CMS provide the software and hardware mechanisms to
create cards and bind them to the identity of the person who will use
the card to authenticate to various systems.

Most products include the ability to manage USB or hardware

tokens as well as PKI certificates. Tools that make it possible to
share identity and credentials with a centralized directory that
provides authorization for the authenticated user are also an
important feature that‘s frequently a part of the system.

It‘s important that the cryptographic modules and interfaces are

standards based to ensure interoperability with access controls to
many kinds of resources. FIPS compliance adds an additional level
of assurance.

Certificate Authority A certification authority, or CA, holds a trusted position because the
(CA) certificate that it issues binds the identity of a person or business to
the public and private keys (asymmetric cryptography) that are used
to secure most internet transactions.

Certificate A Certificate Revocation List (CRL) is a signed data structure that

Revocation List contains information about revoked certificates.
(CRL)

Coarse-Grained Coarse grained user provisioning is a process where new accounts

User Provisioning are created for new users, with basic entitlements rather than all of
the required entitlements.

This may be easier to automate and faster to deploy, but requires

further, manual intervention before a new user can be fully
productive.

Consensus Approval by consensus is a form of parallel authorization where not

8

Authorization all authorizers must respond before a change request is

Page

implemented. For example, any two of three authorizers may be

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

sufficient to approve a request.

Consensus authorization is implemented in order to expedite the

approvals process and make sure that it is completed even in cases
where some authorizers are unavailable to respond.

Credentials, Credentials are sets of information that the owner presents in order
Credential Store to prove identity to a computer-based application. Although this is a
general term and can be used for many kinds of credentials, the
problem of storing credentials is most commonly discussed in the
context of asymmetric cryptography where credentials consist of
certified public keys. Common credential stores include databases,
directories and smart cards.

Most enterprise SSO systems work by storing the various login IDs
and passwords for a user in a database of some form and retrieving
this information when the time comes to auto-populate a login
prompt. This database should be protected, as it contains sensitive
information. It may be physically local to the user's workstation, or
stored in a directory, or in an enterprise relational database (ERDB).
The credential database should definitely be encrypted.

Credential Provider An organization that manages and operates an identity

(CP) management system and offers information about members of its
community to other participants.

Change Request A change request consists of one or more proposed changes to

user profiles , such as creating new profiles, adding new accounts to
existing profiles, changing identity attributes , Requests may be
subject to authorization before being implemented

Data Owner A data owner is a business role associated with responsibility for a
given set of data. Normally this comes with responsibility to decide
what users in the organization may access the data in question and
for the quality of the data

Data The ability for data in different databases to be kept up-to-date so

Synchronization that each repository contains the same information.

Deactivation Deactivation is the process of disabling a user‘s accounts, so that

the user can no longer authenticate to those systems or access their
resources or functions. Deactivation does not necessarily imply that
the accounts are deleted – simply that they are made inoperative.
9
Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

Delegated A given authorizer may not always be available. For example,

Authorizer authorizers may take holidays, be ill, be too busy to respond, etc. In
these cases, an authorizer may wish to delegate his authority to
another user – temporarily or permanent. The new authorizer is a
delegated one.

Delegated User As the number of accounts in a system grows, central user

Administration administration becomes impractical. Delegated user administration
is a feature found in some systems to enable designated users to
create new users and manage existing users in just a segment of
the user directory.

Dial Back Dial back validates a user‘s physical location using the telephone
system. In its original form, when users connected their PCs to the
network with telephone modems, a user would connect to a
corporate network, identify himself, hang-up and wait for a corporate
server to call him back at home.

With more modern technology, a user may sign into a corporate

network, identify himself and wait for a single-use random PIN to be
phoned or text messaged to his home or cellular telephone. This
PIN is subsequently used to authenticate to a network service.

Digital Certificate In general use, a certificate is a document issued by some authority

to attest to a truth or to offer certain evidence. A digital certificate is
commonly used to offer evidence in electronic form about the holder
of the certificate. In PKI it comes from a trusted third party, called a
certification authority (CA) and it bears the digital signature of that
authority.

Digital Identity The representation of a human identity that is used in a distributed

network interaction with other machines or people. The purpose of
the digital identity is to establish the level of comfort and confidence
associated with face to face human interactions in a digital
environment.

Digital Signature An electronic signature that can be used to authenticate the identity
of the sender of a message, or of the signer of a document. It can
also be used to ensure that the original content of the message or
document that has been conveyed is unchanged.
10

Directory A specialized database that provides a simplified view for easier

access to specific data. A directory is similar to a dictionary. It
Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

enables the look up of a name and information associated with that

name.

Directory Hierarchy A directory can be organized into a hierarchy, in order to make it

easier to browse or manage. Directory hierarchies normally
represent something in the physical world, such as organizational
hierarchies or physical locations. For example, the top level of a
directory may represent a company, the next level down divisions,
the next level down departments, etc. Alternately, the top level may
represent the world, the next level down countries, next states or
provinces, next cities, etc.

Directory Migration Mergers, divestitures, and software changes periodically necessitate

that large numbers of user accounts are moved from one system to
another in a short period of time. User provisioning systems may
provide tools to assist in such migrations: to list and characterize
users on one system, and to automatically create batches of users
on another system.

Directory A directory synchronization process compares users, user groups,

Synchronization and user attributes as they are defined on two or more systems. It
applies business logic to detected differences, and automatically
updates the users, user groups, and/or user attributes on at least
one system to match those found on others.

Disabled Account A disabled account is one where the administrator lockout flag has
been set

Dynamic SoD Policy A dynamic segregation of duties policy is one that prevents one
login account or user profile from performing two or more conflicting
actions relating to the same business transaction. For example,
while it may be appropriate for the same user to have both the
vendor-management and payment-management entitlements, it is
not acceptable for the same user to both create a vendor and
authorize a payment to that vendor

Email Based Applications may defer identification and authentication of a user to

Authentication an e-mail system, essentially eliminating any need to manage or
support the authentication process directly. This is typically as
follows:
11

1. The user identifies himself to an application by typing his e-

mail address.
Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

2. An e-mail containing a randomized URL is sent to that

address.

3. If the user can click on the e-mail, he has demonstrated that

he has access to the e-mail account, and is therefore
authenticated.

This is a weak form of authentication, since it is impossible to say

how secure the user‘s e-mail service is, but it is adequate for many
applications.

Embedded An embedded application password is a password stored in one

Application application and used to connect to another. A common example is a
Password database (ID and) password stored on a web application and used
to connect to the database, to fetch and update database records

Endpoint A security system that verifies the identity of a remotely connected

Authentication device (and its user) such as a PDA or laptop before allowing
access to enterprise network resources or data.

Enterprise Role An enterprise role is a collection of entitlements spanning multiple

systems or applications. Like simple roles, enterprise roles are used
to simplify security administration on systems and applications, by
encapsulating popular sets of entitlements and assigning them as
packages, rather than individually, to users

Enterprise Single A technology which reduces the number of times that a user must
Sign On sign into systems and applications by automatically populating login
ID and password fields when applications ask for user
authentication. This is done by monitoring what is displayed on a
user‘s desktop and – when appropriate – typing keystrokes on
behalf of the user. In short – ―screen scraping‖ the user‘s desktop.

In short, applications are unmodified and continue to perform user

authentication. Reduced sign-on is achieved by auto-populating
rather than removing login prompts.

Entitlement Entitlement management refers to a set of technologies and

Management processes used to coherently manage security rights across an
organization. The objectives are to reduce the cost of administration,
to improve service and to ensure that users get exactly the security
rights they need.
12

These objectives are attained by creating a set of robust, consistent

Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

processes to grant and revoke entitlements across multiple systems

and applications:

1. Create and regularly update a consolidated database of

entitlements.

2. Define roles, so that entitlements can be assigned to users in

sets that are easier for business users to understand.

3. Enable self-service requests and approvals, so that

decisions about entitlements can be made by business users
with contextual knowledge, rather than by IT staff.

4. Synchronize entitlements between systems, where

appropriate.

5. Periodically invite business stake-holders to review

entitlements and roles assigned to users and identify no-
longer-appropriate ones for further examination and removal

Escalated A given authorizer may not always be available. In cases where an

Authorizer authorizer fails to respond to a request to approve or reject a
requested change, and where the authorizer has not named a
delegated authorizer, an automatic escalation process may select a
replacement authorizer after a period of time. This replacement is
the escalated authorizer.

Events Per Second Events Per Second (EPS) is a metric used in evaluating log
(EPS) management and related tools. It represents the total number of
network and security events, accumulated from various network
devices that must be managed per second.

Expired Password An account is said to have an expired password if the user will be
forced to change passwords after the next successful login

Explicit Role A role may be explicitly assigned to a user – i.e., some database will
Assignment include a record of the form ―user X should have role Y.‖

Federated Identity The management of identity information between different

organizations that have separate identity and access management
systems in place.

Federation An association of organizations that come together to exchange

13

information as appropriate about their users and resources in order

Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

to enable collaborations and transactions.

Fine-Grained User Fine-grained user provisioning is a process where new accounts are
Provisioning created for new users, with all of the entitlements that a new user
will require – identity attributes , group memberships and other
objects, such as home directories and mail folders, already created.

This may be more complex to automate and longer to deploy, but

eliminates further, manual intervention before a new user can be
fully productive.

GINA GINA is a generic acronym for the Graphical Identification and

Authentication, the subsystem that handles the logon presentation
to the user. The Microsoft GINA is represented by the logon screen
that pops up on the PC when the user presses Ctrl+Alt+Delete.

Windows 2000 and XP rely on a GINA DLL for Graphical

Identification and Authentication. The Microsoft GINA DLL is called
MSGINA.DLL.

Global ID A global ID is a unique identifier that spans two or more systems. A

truly global ID – one that is guaranteed to be unique among every
system in the world, is a user‘s fully qualified SMTP e-mail address.
Another truly global ID might be a user‘s country code followed by
that country‘s local equivalent of a social security number, social
insurance number or resident number. Global IDs may be global
only over a few systems, rather than every system on Earth.

Global Password A global password policy is a policy designed to combine the

Policy policies of multiple target systems. It the product of combining the
strongest of each type of complexity rule and the most limited
representation capabilities of the systems where passwords will be
synchronized.

Group Membership A group membership is the assignment of a given user to a given

security group

Group Owner Access to data, to applications and to features within applications is

often controlled using security groups. Groups normally have
owners – people in an organization responsible for managing
membership in the group
14

Hardware One of the ways that a person can authenticate to a computer

Authenticator system or application is by using a small, portable hardware device
Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

called a hardware authenticator; sometimes called a security token.

Hijacking Hijacking is used to describe several kinds of attacks where the

attacker takes control of the session between a browser and a web
server.

Identification The process by which information about a person is gathered and

used to provide some level of assurance that the person is who they
claim to be. Generally, this identity verification takes place within the
office (e.g. Human Resources or Student Services) or self-service
application that first encounters the individual and creates their
record within the institutional system(s) of record.

Identity Identity is the set of information associated with a specific physical

person or other entity. Typically a Credential Provider will be
authoritative for only a subset of a person‘s identity information.
What identity attributes might be relevant in any situation depend on
the context in which it is being questioned.

Identity Attributes Each piece of identifying information about a user can be thought of
as an attribute of that user. Users have identity attributes, each of
which may be stored on one or more target systems.

Identity Change User identity information may change for time to time. For example,
people change their names after marriage or divorce, their phone
number and address changes periodically, etc. Where systems and
applications track this data, it must be changed whenever the real-
world information changes. Such changes are called identity
changes

Identity ID reconciliation is a process by which an organization maps local

Reconciliation / ID IDs in different name spaces to one-another, and to the global
reconciliation profile IDs of the users that own them. For example, ID
reconciliation may be required to map IDs such as ―smithj‖ on a
mainframe system to IDs such as ―john.w.smith‖ on an Active
Directory domain

Identity and Access Sometimes abbreviated to IAM, identity and access management
Management (IAM) refers to all of the policies, processes, procedures and applications
that help an organization manage access to information.

Specific concepts, standards and applications that help with identity

15

and access management include authentication, user life-cycle

Page

maintenance, federated identity, single sign-on, provisioning and

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

Role Based Access Control (RBAC).

Identity Identity synchronization systems map identity attributes between

Synchronization different systems and automatically propagate changes from one
system to another.

It should be noted that identity synchronization normally operates

without a user interface – i.e., data flows in from one system and out
to one or more other systems, without any further user input in
between.

For example, an e-mail system may be authoritative for each user‘s

SMTP e-mail address, an HR system for the same users‘ employee
number and department code, a white pages application for each
user‘s phone number and so on. An identity synchronization system
makes sure that all of these systems have correct and up-to-date
information in each of these fields.

Identity Theft Identity theft is the theft of the credentials that we use to do
business. When access controls are inadequate, the credentials that
people use to authenticate to their credit card companies, banks or
shopping sites may be disclosed to the wrong people. In addition,
thieves have developed many ways to use e-mail and the Internet to
collect this information.

Once perpetrators have the information they can use it as if they

were the victim, running up credit card debt, or taking money out of
bank accounts or investment savings.

Identity Vetting The process used to establish the identity of the individual to whom
the credential was issued. This is typically done during credentialing.

Implicit Role A role may be implicitly assigned to a user – i.e., some database will
Assignment include a rule of the form ―users matching requirements X should be
automatically assigned role Y.‖

Intruder Lockout An intruder lockout is a flag set on a login account when too many
consecutive, failed login attempts have been made in too short a
time period. Intruder lockouts are intended to prevent attackers from
carrying out brute force password guessing attacks.

On some systems, intruder lockouts are cleared automatically, after

16

a period of time has elapsed. On others, administrative intervention

is required to clear a lockout.
Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

Note that on some systems and applications, intruder lockouts and

administrator lockouts are entangled (they use the same flag). This
is a poor but common design.

ID Namespace A name space for unique identifiers is a system or domain within

which no two users may have the same ID. Every system has its
own namespace. Another example is mail domains (i.e., the part of
an SMTP e-mail address following the @ sign), where the part of
each user ID preceding the @ sign must be unique within its
domain.

Key Logging Key logging software runs in the background, in a stealth mode that
isn‘t easy to detect on a PC. It collects every keystroke and hides
that information in a file.

Key Management A collection of procedures involved with the generation, exchange,

storage, safeguarding, use, vetting, and replacement of encryption
keys. Key management is essential to the secure ongoing operation
of any cryptosystem.

Layered Layered authentication describes an identity and access

Authentication management architecture that requires varying levels of
authentication proofs based on the risk of the transaction.

Local Administrator A local administrator password is the password to an account used

Password by system administrators to install, configure and manage a system
or application. Examples are Administrator on Windows, root on
Unix/Linux and sa on Microsoft SQL Server

Local Agent A local agent is an agent installed on the target system itself.

Installation of local agents requires change control on the target

system itself – something which may be difficult and/or undesirable
on a production system or application.

Local agents are well positioned to detect changes to user objects

on a target system in real time, forwarding these changes to an
identity management system which may act on them.

Communication between an identity management system and a

local agent can always be protected, even if the native
communication protocols of the target system are insecure.
17

Local ID A local ID is a user‘s unique identifier within the context of a single

Page

system. It may be the same as that user‘s profile ID , or it may be an

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

alias

LDAP An open protocol that provides access to directories. Applications

that use LDAP (known as directory-enabled applications) can use
the directory as a common data store for retrieving information
about people or services, such as email addresses, public keys or
service-specific configuration parameters.

Level of Assurance Refers to the degree of certainty that (1) a person‘s identity has
(LoA) been adequately verified before credentials are issued, and (2) a
user indeed owns the credentials they are subsequently presenting
to access the resource.

Login Accounts Systems and applications where users have the ability to login and
access features and data generally assign a login account to each
user. Login accounts usually include a unique identifier for the user,
some means of authentication , security entitlements and other,
personally identifying information such as the user‘s name, location,
etc.

Login ID A login id is a generic term for a unique electronic identifier used to

control access to applications or services. Logon id may or may not
be a secret shared between the system and the user to identify the
user. Login id is normally combined with other personal secret
information (pin, password, etc).

Management Chain In a business setting, users normally have managers, who in turn
have their own managers. The sequence of managers, starting with
a given user and ending with the highest individual in an
organization is that user‘s management chain. Management chains
are relevant to identity management as they are often used to
authorize security changes

Meta Directory Some organizations deploy a meta directory to synchronize user

and user attributes between multiple user directories. A meta
directory program is software that compares users and user
attributes as defined on multiple systems, and automatically
propagates changes made on an authoritative system to other
systems. For example, if a user‘s HR record is updated with a new
home telephone number, a meta directory might update the
corporate e-mail system and LDAP directory with the same new
18

information. Meta directory software normally implements a directory

Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

synchronization process.

Multifactor Multi-factor authentication means authentication using multiple

Authentication factors. For example, a user might sign into a system with a
combination of two things he knows, or a combination of something
he knows and something he has, or perhaps something he knows,
something he has and something he is.

The premise is that adding authentication factors makes it more

difficult for a would-be attacker to simulate a legitimate
authentication and consequently impersonate a legitimate user.

Multi-Key Password Password disclosure may require authorization. For example,

Release system administrator A may need a password, but might not be
allowed to see the password until other people -- say B and C,
approve the disclosure. Multi-key password disclosure refers to any
process where the actions of more than one person are required to
disclose a password.

Nested Groups Nested groups are groups that contain, among their members, other
groups. This is a powerful construct but it can be complicated for
applications to support and may cause performance problems if not
implemented well. Active Directory is one system that effectively
supports nested groups.

Onboarding This is the process where users join an organization. It may refer to
hiring new employees, bringing in contractors or signing up visitors
to a web portal.

One Time Password A one-time password can only be used once. There are a great
(OTP) many varieties of one-time password systems including time-
synchronous, event-synchronous and challenge-response
technologies, along with multiple underlying cryptographic
algorithms. RSA SecurID® authentication is an example of a one-
time password system.

Organizational An organizational hierarchy is an organization of user profiles that

Hierarchy identifies zero or one managers for each user. This hierarchy may
be useful in the context of access certification , change authorization
or automated escalation

Password A password or its numerical form, sometimes called a passcode or

19

PIN, is one of the simplest authentication methods. It is usually used

Page

with an identifier, as a shared secret between the person who wants

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

access and the system that‘s protected.

If it‘s not encrypted, or if the encryption is easy to break, passwords

and passcodes are vulnerable to eavesdropping and replay. And if it
is encrypted, there are other attacks that are used. A brute force, or
dictionary attack consists of an attack that just tries possibility after
possibility until the right one is found. Utilities to help an attacker
with this kind of attempt are easily found on the Internet. Short
passwords, made of one simple word are the easiest to find with this
kind of attack. So many administrators require pass phrases,
complex combinations of word. Controls will also often require that
numbers or special characters are used with the password or pass
phrase, this makes it more random in nature and harder to guess.

In some environments, users must remember many complex

passwords and pass phrases and end up writing them down near
the computer. This becomes the vulnerability.

Password Age Password age is the number of days since a password was last
changed

Password Change A routine password change is a process where a user authenticates

to a system using his login ID and password, and chooses a new
password – either voluntarily or because the old password has
expired.

The only credentials involved in a routine password change are the

user‘s identifier, old password and new password.

Password Password disclosure is a process where a stored copy of a

Disclosure password, matching a password in a target system‘s security
database, is revealed to a human or machine user. For example, it
might the process of revealing a stored copy of an administrator
password to a system administrator

Password Expiry Password expiry is a process whereby users are forced to

periodically change their passwords. An expiration policy may be
represented as the longest number of days for which a user may
use the same password value.

The reason for password expiry is the notion that, given enough
time, an attacker could guess a given password. To avoid this,
20

passwords should be changed periodically and not reused

Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

Password Expiry An password has an expiry date if the user will be forced to change
Date it on the first successful login after a given time/date

Password History A password history is some representation of one or more

previously used passwords for a given user. These passwords are
stored in order that they may be compared to new passwords
chosen by the user, to prevent the user from reusing old passwords.

The reason for password history is the notion that, given enough
time, an attacker could guess a given password. To avoid this,
passwords should be changed periodically and not reused.

Password Policy A password policy is a set of rules regarding what sequence of

characters constitutes an acceptable password. Acceptable
passwords are generally those that would be too difficult for another
user or an automated program to guess (thereby defeating the
password mechanism).

Password policies may require a minimum length, a mixture of

different types of characters (lowercase, uppercase, digits,
punctuation marks, etc.), avoidance of dictionary words or
passwords based on the user‘s name, etc.

Password policies may also require that users not reuse old
passwords and that users change their passwords regularly.

Password Recovery Many applications offer weak encryption of data, such as office
documents or spreadsheets. Such encryption is susceptible to brute
force to key recovery, and such key recovery is offered by password
recovery applications, most often offered to users who forgot the
passwords they used to protect their own documents.

Password Reset A password reset is a process where a user who has either
forgotten his own password or triggered an intruder lockout on his
own account can authenticate with something other than his
password and have a new password administratively set on his
account.

Password resets may be performed by a support analyst or by the

user himself (self-service)

Password Password synchronization technology helps users to maintain the

21

Synchronization same password on two or more systems. This, in turn, makes it

easier for users to remember their passwords, reducing the need to
Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

write down passwords or to call an IT help desk to request a new

password, to replace a forgotten one

Password A password synchronization trigger is the component of a

Synchronization transparent password synchronization system which detects the
Trigger initial password change event and starts the synchronization
process

Password Wallet A password wallet is an application used by a single user to store

that user‘s various passwords, typically in encrypted form

Parallel Approvals A parallel authorization process is one where multiple authorizers

are invited to comment concurrently – i.e., the identity management
system does not wait for one authorizer to respond before inviting
the next.

Parallel authorization has the advantage of completing more quickly,

as the time required to finish an authorization process is the single
longest response time, rather than the sum of all response times

PKI Public-Key Infrastructure (PKI) is the infrastructure needed to

support asymmetric cryptography. At a minimum, this includes the
structure and services needed to do the following:

• Register and verify identities,

• Build and store credentials,

• Certify the credentials (issue digital certificates),

• Disseminate the public key, and

• Secure the private key and yet make it available for use.

The infrastructure will also need to have the structure and services
to renew keys, recover keys, and to notify others when a key is
revoked.

A set of highly trusted certification authorities must be able to certify

other Cas, this includes being able to make and assert decisions
based on use and policy.

In addition, the elements of the PKI need to be able to interoperate

seamlessly with all of the other elements whether they are within the
22

same organization or not. Since they must provide these services to

Page

a wide variety of applications and entities; use of standards is

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

absolutely required.

Privileged Account A privileged account is a login ID on a system or application which

has more privileges than a normal user. Privileged accounts are
normally used by system administrators to manage the system, or to
run services on that system, or by one application to connect to
another.

Profile ID A profile ID is a globally unique identifier for a human user

Provisioning The process of providing users with access to data and technology
resources. The term typically is used in reference to enterprise-level
resource management. Provisioning can be thought of as a
combination of the duties of the human resources and IT
departments in an enterprise, where (1) users are given access to
data repositories or granted authorization to systems, applications
and databases based on a unique user identity, and (2) users are
appropriated hardware resources, such as computers, mobile
phones and pagers. The process implies that the access rights and
privileges are monitored and tracked to ensure the security of an
enterprise‘s resources.

Account provisioning describes the tasks and framework for

authorizing and documenting access. It‘s the first step in user life-
cycle management.

As people join an organization, or change responsibilities, someone

needs to make decisions about the information resources that they
need to do their job and these policies must be enforced with the
appropriate applications. De-provisioning must be done efficiently
when people leave the organization or no longer need certain rights.

RADIUS Remote Authentication Dial-In User Service (RADIUS), also known

as RADIUS Authentication Server, was originally developed to
provide centralized authentication, authorization, and accounting for
dial-up access to a network. Now it supports many kinds of remote,
authenticated access including VPNs, wireless and DSL.

Recipient Changes to user profiles or entitlements always have a recipient –

that user profile which will be created, modified or deleted

Requester Changes to user profiles or entitlements are often initiated by a

23

requester – literally a person who makes a change request. In other

Page

cases they may be initiated by an automated process, which may or

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

may not have a ―virtual‖ (i.e., non-human) ID.

Reduced Sign On A synonym for single sign-on which recognizes that authentication is
normally reduced but often not to just one step

Remote Agent A remote agent is an agent installed on an identity management

server, rather than on the target system.

Installation of remote agents requires no change control on the

target system itself, making them easier to deploy and possibly
more scalable, when hundreds or thousands or target systems are
involved.

Local agents normally cannot detect changes to user objects on a

target system in real time, so must poll target systems for changes
periodically.

Communication between an identity management system and a

local agent may not be secure, since it relies on the native
communication protocols of the target system, which in some cases
may be vulnerable to eavesdropping or data injection.

Reverse Web Proxy A reverse web proxy intercepts user attempts to access one or more
web applications, may modify the HTTP or HTTPS requests (for
instance, inserting credentials), and requests web pages on behalf
of the user.

Reverse web proxies act on behalf of one or more web servers.

WebSSO systems may be implemented using a reverse web proxy

architecture, which insert user application credentials into each
HTTP stream.

The reverse web proxy architecture has the advantage of not

requiring software to be installed on each web application –
attractive when a WebSSO system is integrated with a large number
of web applications.

Role The specific right and duties and activities that a person or
organisation (an identity) has/does within a certain context. A role is
usually characterised by a subset of an identity‘s attributes. An
identity can have multiple roles, and each role should have a unique
identifier.
24
Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

Role Change A role change is a business process where a user‘s job function
changes and consequently the set of roles and entitlements that the
user is assigned should also change. Some old entitlements should
be removed (immediately or after a period of time), some old
entitlements should be retained, and some new entitlements should
be added.

Role Based Access Role Based Access Control (RBAC) is the establishment of access
Control (RBAC) rights based on a user‘s role in the organization. When an
organization looks at the job of provisioning thousands of users and
thousands of network devices for hundreds of applications, it can be
daunting. One of the ways to simplify this task is to implement
access controls for a limited number of roles instead of for each
individual.

Role Management Roles and role assignment are unlikely to remain static for any
length of time. Because of this, they must be managed – the
entitlements associated with a role must be reviewed and updated
and the users assigned the role, implicitly or explicitly, must be
reviewed and changed. The business processes used to effect
these reviews and changes are collectively referred to as role
management (sometimes enterprise role management).

Role Policy Where entitlements on multiple systems are modelled with

Enforcement enterprise roles, an enforcement process can periodically compare
actual entitlements with those predicted by the model and respond
to variances – by automatically making corrections, asking for
deviations to be approved, etc. This periodic checking process is
called role policy enforcement

Role Violation A role violation is a situation where a user is assigned an entitlement

that contradicts a user‘s role assignment. The entitlement may be
excessive – i.e., not predicted by the role, or it may be inadequate –
i.e., the role assignment predicts that the user should have an
entitlement, but the user does not

Risk Based Similar to layered authentication, risk-based authentication requires

Authentication various levels of proofs, depending on the risk level of the
transaction.

This term is used interchangeably for systems where risk

25

assessment is used in two different ways. In some systems, risk

Page

assessment is used to determine the stringency of the processes

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

and procedures to 26nrol and use a particular set of resources. The

same credentials will be used in every session but people who need
different kinds of resources may use different credentials. A user
name and password will be sufficient for some people where others
with more access to sensitive information may need a two-factor
hardware token, for example.

The second way that risk-based authentication is used is where

systems actually require different authentication levels for the same
user, based on the specific transaction, not identity. For example,
many web services will use a cookie, placed on the browser from an
earlier session as a proof of identity for browsing catalogue pages
but will ask for a user name and password to make a purchase.

S/MIME S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol

that adds digital signatures and encryption to Internet MIME
(Multipurpose Internet Mail Extensions) messages.

MIME is the standard for Internet mail that makes it possible to send
more than text. A mail message is splits into two parts, the header,
which contains the information needed to move the mail from the
source to its destination and the body. The MIME structure allows
an e-mail body to contain graphics, audio and many other features
that improve communication over simple text. Almost all modern e-
mail systems support it.

SAML The Security Assertion Markup Language (SAML), was developed

by the OASIS Security Services Technical Committee (SSTC). It
provides an XML-based framework—both structures and
processes—for authorities to exchange authentication, attribute and
authorization information about a subject. The subject is usually a
person, but may be a computer or other entity, as long as it exists in
some security domain. SAML provides a standard way to do single
sign-on (SSO) that works independently of the underlying business
systems and therefore can be an integral part of Federated Identity
Management (FIM).

The previous browser-based methods for maintaining identity during

a session had serious deficiencies which the designers wanted to
address, including the issues associated with using cookies to
establish authenticated sessions. Cookies do not let one
26

organization vouch for an entity that they‘ve already authenticated,

Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

but SAML assertions support this.

Secure Kiosk A secure kiosk account is a special Windows login ID and password,
Account (SKA) which is well known to users (for example, it may be advertised on
the wallpaper image of the login screen). Special security policies
are applied to this account, so that when it signs into a Windows
workstation, a locked down (kiosk-mode) web browser is launched
instead of the normal Windows desktop.

A SKA is a mechanism that allows users to access a self-service

password reset web application despite being locked out of the
initial workstation login screen.

Security A security administrator is a person responsible for maintaining a list

Administrator of users, their identity attributes, their passwords or other
authentication factors and their security privileges on one or more
target systems. The security administrator may not have the
responsibility or ability to reconfigure or otherwise manage the
system itself – that is the job of a system administrator

Security Credentials Credentials are the data used to both identify and authenticate a
user. The most common credentials are login IDs and passwords.
Other credentials refer to other types of authentication factors,
including biometric samples of the user, public key certificates, etc.

Security Database A security database is the native storage used by a system or

application to house records about users, passwords and privileges.
Examples are the SAM database in Windows, passwd file on
Unix/Linux and RACF on mainframes

Security Entitlement An entitlement is the object in a system‘s security model that can be
granted or associated to a user account to enable that account to
perform (or in some cases prevent the performance of) some set of
actions in that system. It was commonly accepted that this definition
of entitlement referred to the highest-order grantable object in a
system‘s security model, such as an Active Directory group
membership or SAP role, and not lower-order objects such as
single-file permission setting

Security Entitlement In many organizations, security entitlements have to be reviewed

Audit from time to time. This is done because business processes relating
27

to changing needs are often reliable with respect to granting new

entitlements, but less reliable with respect to deactivating old,
Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

unneeded entitlements. A periodic audit can be used to find and

remove such old, unneeded entitlements.

Security Entitlement Users‘ needs to access sensitive resources may change for time to
Change time. For example, an employee may join a new project, finish an
old one or change roles. When this happens, new security
entitlements are often needed and old ones should be removed.

Security Two authentication processes are considered to be equivalent if (a)

Equivalence they are about equally difficult to defeat or (b) by defeating one of
them, an intruder can subsequently defeat the other.

An example of the latter is a PIN-based 28nrolment of

challenge/response data. In this scenario, users are e-mailed a PIN,
which they use to authenticate and complete a personal
challenge/response profile. This profile may later be used in the
context of self-service password reset. In this scenario, the PINs are
equivalent to the challenge/response data, and that is equivalent to
user login passwords – so ultimately 28nrolment PINs are security-
equivalent to login passwords (a bad thing!).

Security Group A security group is a named collection of users, which has been
defined in order to simplify the assignment of entitlements. The idea
is to assign multiple entitlements to the group, rather than assigning
entitlements, again and again, to every user that belongs to the
group.

Self Service Self-service password reset (SSPR) is a self-service password reset

Password Reset process. Users normally authenticate using challenge/response,
hardware token or a biometric.

SSPR is normally deployed to reduce IT support cost, by diverting

the resolution of password problems away from the (expensive,
human) help desk.

Segregation of A segregation of duties (SoD) policy is a rule regarding user

Duties Policy entitlements intended to prevent fraud. It stipulates that one user
may not concurrently be assigned two or more key functions in a
sensitive business process

Sequential A sequential authorization process is one where multiple authorizers

Approvals are invited to comment, one after another.
28

Sequential (or serial) authorization has the advantage of minimizing

Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

the nuisance to authorizers in the event that an early authorizer

rejects a change request

Service Account A service account password is used on Windows systems to start a

Password service program which runs in a context other than that of the
SYSTEM user. The service control manager uses a login ID and
password (of the service account) to start the service program

Shared Account A shared account is a login ID on a system or application that is

used by more than one human or machine user. Privileged accounts
are often shared: for example, root, sa or Administrator by
system administrators

Simple Role A simple role is a collection of entitlements defined within the

context of a single system. Roles are used to simplify security
administration on systems and applications, by encapsulating
popular sets of entitlements and assigning them as packages, rather
than individually, to users.

Single Sign On Single sign-on (SSO) describes the ability to use one set of
(SSO) credentials, an ID and password or a passcode for example, to
authenticate and access information across a system, application
and even organizational boundaries. It may be called Web SSO
when everything is accessed through a browser.

With SSO a person authenticates only one time for a particular

working session regardless of where the information that they want
to access is located. This process offers enhanced security over a
simple synchronization of passwords.

Smart Card A smart card is a credit card sized device that contains a tamper
proof computer chip. When it is used for security, this chip can hold
and protect various types of credentials that the bearer can use for
authentication. Smart card authentication requires a card reader.

Smart cards, like tokens, were developed for strong or two-factor

authentication. So in addition to swiping the card to prove ownership
of the credentials contained on it—something he has—the owner
usually has to enter a PIN or password—something he knows.

The infrastructure to support smart cards must include a method to

securely write the credentials to the card, usually a dedicated a
29

computer and an application with administrator-only access to the

Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

server. Administrator access is often supplied with a ―mother card‖.

The advantage that smart cards have over tokens is that the
memory chip can hold more information: separate credentials for
multiple applications or for different authentication methods, for
example.

SSL-VPN Although the Secure Sockets Layer (SSL) is a protocol designed

specifically for web browsers to securely access web-based
applications, the fact that it encrypts information and that it
authenticates at least one of the parties, also makes it a Virtual
Private Network (VPN). One of the best things about this protocol is
that most computers have a browser; that means that no new
software needs to be added to the client in order to use this method.

Static SoD Policy A static segregation of duties policy is one that prevents one login
account or user profile from having two or more conflicting
entitlements. These entitlements may be thought of as a toxic
combination. For example, the same user may not both authorize an
expense and print the cheque to pay for it.

Strong Strong authentication refers to an authentication process which is

Authentication difficult to simulate. It may be based on use of multiple
authentication factors or use of a single but hard-to-spoof
authentication factor.

Support Analyst An IT support analyst is a user with special privileges, which allow
him to assist other users, for example by resetting their forgotten
passwords.

Target Connector A connector is a piece of software used to integrate an identity

management system with a given type of target system

Target Platform A target platform is a type of target system. For example, it might be
an operating system (e.g., Unix, Windows), a type of database (e.g.,
Oracle, Microsoft SQL) or a type of application (e.g., SAP R/3,
PeopleSoft). An identity management system typically needs a
different connector for each type of integrated target platform.

Target System Systems and applications where information about users resides
and which are integrated into an identity management infrastructure
are called target systems. They may include directories, operating
30

systems, databases, application programs, mainframes, e-mail

Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

systems, etc.

Target System A system administrator is a user with absolute control over a target
Administrator system. The system administrator may install any or all software on
the managed system, can create or delete other users on that
system, etc.

Termination All users eventually leave an organization. Likewise, customers may

terminate their relationship with vendors. Generically, these events
are called termination.

Token A token (sometimes called a security token) is an object that

controls access to a digital asset. Traditionally, this term has been
used to describe a hardware authenticator, a small device used in a
networked environment to create a one-time password that the
owner enters into a login screen along with an ID and a PIN.
However, in the context of web services and with the emerging need
for devices and processes to authenticate to each other over open
networks, the term token has been expanded to include software
mechanisms, too.

Transparent Transparent password synchronization works by intercepting native

(Automatic) password changes on an existing system or application and
Password automatically forwarding the user‘s chosen new password to other
Synchronization systems. It is called transparent since the user is not presented with
any new user interface.

Transparent password synchronization typically must enforce a

multi-system password policy in addition to the native policy of the
system where synchronization is initiated. This policy should be at
least as strong as the policies in each of the target applications

Trust Relationship A trust relationship is a codified arrangement between two domains

where users and/or services exist. One domain (A) trusts the other
(B) to identify, authenticate and authorizer B‘s users to access A‘s
resources.

Simple trust relationships are two-way, while complex ones may

have groups of multi-way trust (i.e., any organization in a group
trusts any other to make assertions about its own users).

Two-Factor Two-factor authentication is also called strong authentication. It is

31

Authentication defined as two out of the following three proofs:

Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

Something known, like a password,

Something possessed, like your ATM card, or

Something unique about your appearance or person, like a

fingerprint.

User Creation When users join an organization, they are normally granted access
to systems and applications. This is called user creation.

User Life Cycle User life-cycle management covers the entire process of identity
Management management over time. It includes the technologies used for
provisioning and password resets but it also includes the processes
and policies associated with these technologies.

Who decides what access a user needs; how easy should it be for a
user to reset a password; do we need different levels of
authentication for highly sensitive information; and when do we
disable a user‘s account or delete it? These are all policy issues.
The security architecture and tools that a company chooses need to
support the policies in a way that‘s consistent with the organization‘s
goals.

An organization needs to analyze the policies and tasks associated

with provisioning access to information resources—this is highly
visible to new customers, employees, or partners. But it also needs
to look at frequently repeated tasks like password resets, moves
and changes; to save time and reduce costs. A way to efficiently de-
provision must be built into the architecture because un-used
accounts, and accounts that are linked to people who no longer
need access continue to be a major source of security breaches in
the enterprise.

User Provisioning A user provisioning system is shared IT infrastructure which is used

to externalize the management of users, identity attributes and
entitlements from individual systems and applications.

User provisioning is intended to make the creation, management

and deactivation of login accounts and other user objects, which are
spread across multiple systems, faster, cheaper and more reliable.
This is done by automating and codifying business processes such
32

as onboarding and termination and connecting these processes to

multiple systems.
Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

User provisioning systems work by automating one or more

processes:

Identity synchronization:
Detect changes to personal data, such as phone numbers or
department codes, on one system and automatically make
matching changes on other systems for the same user.
Auto-provisioning:
Detect new user records on a system of record (such as HR)
and automatically provision those users with appropriate
access on other systems and applications.
Auto-deactivation:
Detect deleted or deactivated users on an authoritative
system and automatically deactivate those users on all other
systems and applications.
Self-service requests:
Enable users to update their own profiles (e.g., new home
phone number) and to request new entitlements (e.g.,
access to an application or share).
Delegated administration:
Enable managers, application owners and other stake-
holders to modify users and entitlements within their scope
of authority.
Authorization workflow:
Validate all proposed changes, regardless of their origin and
invite business stake-holders to approve them before they
are applied to integrated systems and applications.
Consolidated reporting:
Provide data about what users have what entitlements, what
accounts are dormant or orphaned, change history, etc.
across multiple systems and applications.

As well, a user provisioning system must be able to connect these

processes to systems and applications, using connectors that can:

List existing accounts and groups.

Create new and delete existing accounts.
Read and write identity attributes associated with a user
object.
33

Read and set flags, such as "account enabled/disabled,"

"account locked," and "intruder lockout."
Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

Change the login ID of an existing account (rename user).

Read a user's group memberships.
Read a list of a group's member users.
Add an account to or remove an account from a group.
Create, delete and set the attributes of a group.
Move a user between directory organizational units (OUs)

User Profile The set of login accounts, identity attributes and security
entitlements associated with a single (human) user.

Verification During a Knowledge Based Authentication session, the process that

ensures that the data provided for an individual exists and matches
(name, address, social security number, date of birth, driver‘s
license).

Veto Power Veto power is a right assigned to authorizers in an approvals

process whereby rejection of a change request by the authorizer
who has veto power cancels the request, regardless of any
approvals previously received from other authorizers

Vetting The process of thorough examination and evaluation

Virtual Directory A virtual directory is an application that exposes a consolidated view

of multiple physical directories over an LDAP interface. Consumers
of the directory information connect to the virtual directory‘s LDAP
service and ―behind the scenes‖ requests for information and
updates to the directory are sent to one or more physical directories,
where the actual information resides. Virtual directories enable
organizations to create a consolidated view of information that – for
legal or technical reasons – cannot be consolidated into a single
physical copy.

Web Access Web access management enables organizations to carefully

Management manage access rights to web-based resources on intranets,
extranets, portals and exchange infrastructures. With growing
numbers of internal and external users, and more and more
enterprise resources being made available online, it is critical to
ensure that qualified users can access only those resources to
which they are entitled. Web access management does just that: it
offers business rule-based access management that is easy to
deploy and monitor for compliance.
34

Web Based Web-based password synchronization works by having a user sign

Page

IAM Glossary 1.0 – Confidential

Identity and Access Management - Glossary

Password into a consolidated web page to change multiple passwords, rather

Synchronization than waiting for each system or application to prompt the user to
change just one password.

Users typically sign into the password synchronization web page

using a primary login ID and password and can then specify a new
password, which will be applied to multiple systems and
applications.

A password synchronization web application typically must enforce

a password policy, which should be at least as strong as the policies
in each of the target applications.

Web Proxy A web proxy acts on behalf of one or more web browsers, fetching
web pages for users and possibly adding capabilities such as
caching (to reduce an organization's bandwidth usage), filtering (to
block unwanted content) and monitoring (to record user activity).

Web proxies act on behalf of one or more users.

Web Server Agent An agent installed on a web server may be used to implement a
WebSSO system by injecting user identification, authentication and
authorization data into the requests sent from a user's browser to
the web server. more web applications, may modify the HTTP or
HTTPS requests (for instance, inserting credentials), and requests
web pages on behalf of the user.

The server agent architecture has the advantage of not requiring

new hardware to be deployed when implementing a WebSSO
system.

Web SSO In a WebSSO system, one or more servers are dedicated to the
Authentication function of authenticating users and determining what operations
Server they will be permitted to perform. These are called authentication
servers
35
Page

IAM Glossary 1.0 – Confidential