8/8/2019 Identity Access Management Glossary 1 1
1/35
Identity and Access Management Terminology
Glossary
By
MagnaquestSolutions Sdn Bhd
Cyberjaya
www.magnaquest.com
Version 1.0
4th October 2010
Identity and Access Management - Glossary
IAM Glossary 1.0 Confidential
Page
2
Revision History
Version  Date (DD/MM/YYYY)  Author         Reviewed By  Changes
1.0      Oct 04, 2010       Shince Thomas               Initial draft
Trade Marks
MQAssure(TM) is a registered trademark of Magnaquest Solutions Sdn Bhd.
Company Titles
Within this document, the following shortened forms of company titles may be used:
Magnaquest Solutions Sdn Bhd - Magnaquest
Access Certification Over time, users may accumulate entitlements which are no longer
needed or appropriate for their job function. Access certification is a
process by which appropriate business stake-holders, such as
users' managers or application owners, can periodically review
entitlements and identify those that should be removed.
Access Control An access control limits the use of a resource. Only those people,
programs or devices that are specifically permitted to use the
resource will have access. In addition, an access control will usually
limit use to specific types of access; someone can read a file but not
change it, for example.
An access control may be physical, for example, a lock on a door; or
it may be software or hardware based, for example, in a computer system. It can also be a combination of the two.
Access Control Instruction (ACI) Access control is the mechanism by which you define access. When
the server receives a request, it uses the authentication information
provided by the user in the bind operation, and the access control
instructions (ACIs) defined in the server to allow or deny access to
directory information. The server can allow or deny permissions
such as read, write, search, and compare. The permission level
granted to a user may be dependent on the authentication
information provided.
Access Control List (ACL) A list of Access Control Instructions (ACIs) constitutes an Access
Control List.
Access Deactivation When termination happens, user access rights relating to an
organization's systems and applications must be removed. This
removal is called access deactivation.
Access Management In an organization, access management is the sum of all of the
practices, policies, procedures, and technical access control
mechanisms that are used to appropriately control access to the
assets, or a subset of the assets, of the company.
Account Expiry Date An account has a termination date if logins will not be possible after
a given time/date.
Administrator Lockout An administrator lockout is a flag set by an administrator to disable
logins on an account.
Administrator lockouts normally precede permanent deletion of the
account, and provide an opportunity to retrieve data from the
account before it is removed.
Note that on some systems and applications, intruder lockouts and
administrator lockouts are entangled (they use the same flag). This
is a poor but common design.
Alert A robust network-security monitoring application should include an
alerting service. When an event that requires attention occurs, this
service will send a notice by e-mail, page, instant messaging or
other urgent method to a security expert.
Alias An alias is a local ID that a user has on a given system which is
different from the user's global ID.
Application Migration Vendors release new versions of their software all the time. When
this happens, customers often choose to upgrade. Upgrades may
require data from the old system, including data about users, to be
migrated to the new system. An identity management system can be
used to aid in this migration process.
Application Owner An application owner is a person in a business organization who
may have authorized purchase of the application and is in any case
responsible for the use of that system. This is a business rather than technical role.
Approval Workflow An approval workflow is a business process where human actors
may enter, review, approve, reject and/or implement a change
request.
Approved Exception An approved exception is a role violation which has been flagged
as acceptable, and which consequently may be removed from
violation reports and/or not corrected.
Assertion When an Identity Provider authenticates a user and directs them
back to the referring Service Provider, it includes as part of the
message an assertion to prove that the user authenticated.
Assisted Password Reset An assisted password reset is a password reset
accomplished by interaction between the user and a support
analyst, typically over a telephone. Assisted password resets are
similar to self-service password resets, but with
the intervention of a support analyst.
Attestation Attestation is synonymous with access certification. This term
highlights the aspect of certification where stake-holders attest to
the appropriateness of entitlements, rather than flagging those that
should be removed. Both signing off on appropriate entitlements and
flagging inappropriate ones should be done in tandem.
Attribute A single piece of information associated with an electronic identity
database record. Some attributes are general; others are personal.
Some subset of all attributes defines a unique individual. Examples
of an attribute are name, phone number, group affiliation, etc.
Attribute Assertion A mechanism for associating specific attributes with a user.
Attribute Authority (AA) The service that asserts the requester's attributes by creating an
attribute assertion and then signing it. The sites must be able to
validate this signature.
Audit An independent review and examination of a system's records and
activities to determine the adequacy of system controls, ensure
compliance with established security policy and procedures, detect
breaches in security services and recommend any changes that are
indicated for countermeasures.
Audit Trail A list of all recorded activity: which resources are being accessed, when and by whom, and what actions are being performed. Audit
trails are one of the requirements of system accountability, enabling
any system action or event to be traced back to the user responsible
for it. Audit trails are also used to investigate cyber crimes. They are
indispensable for incident response and the follow-up aspect of
digital forensics. The audit trail enables the person investigating the
incident to follow the trail that was left.
Authentication Authentication is a process where a person or a computer program
proves their identity in order to access information. The person's
identity is a simple assertion, the login ID for a particular computer
application, for example. Proof is the most important part of the
concept and that proof is generally something known, like a
password; something possessed, like your ATM card; or something
unique about your appearance or person, like a fingerprint.
Authentication Factor An authentication factor is something a user presents to a system in
order to prove his identity. It may be something he (and hopefully
only he) knows, or proof of possession of a physical object, or a
measurement of some physical characteristic (biometric) of the
living human user. In other words, something the user knows, or
something he has, or something he is.
Authorization Authorization is the act of granting a person or other entity
permission to use resources in a secured environment. This is
usually tightly linked to authentication. A person or other identity first
authenticates and then is given pre-determined access rights. They
now have the authority to take specific actions.
The process of deciding what permissions are given begins with
policies: decisions made and documented by the owners of the
resources. The policies may be based on a user's identity or on the
user's role within the organization, or a combination of the two.
Authorization Reminders Authorizers in an approvals process may not respond to invitations
to review a change request in a timely manner. When this happens,
automatic reminders may be sent to them, asking them again to
review change requests.
Authorizer Changes to user profiles or entitlements may be subject to approval
before they are acted on. In cases where approval is required, one
or more authorizers are assigned that responsibility.
Automated Provisioning Automated provisioning systems typically operate on a data feed
from a system of record, such as a human relations (HR) system
and automatically create login IDs and related logical access rights
for newly hired employees or contractors.
It should be noted that automated provisioning normally operates
without a user interface -- i.e., data flows in from one system and out
to one or more other systems, without any further user input in
between.
Auto-provisioning reduces IT support costs and can shorten the time
required to provision new users with requisite access rights.
Automated Termination Automated termination systems typically operate on a data feed
from a system of record, such as a human relations (HR) system
and automatically disable access rights for existing users when they
have left an organization.
It should be noted that automated termination normally operates
without a user interface -- i.e., data flows in from one system and out
to one or more other systems, without any further user input in
between.
Auto-termination reduces IT support costs and can make access
deactivation both faster and more reliable than manual processes.
Automatic Escalation In the event that an authorizer has been invited to review a change
request, has not responded, has been sent reminders, has
nonetheless not responded, and has not delegated his authority, an
identity management system may automatically select an alternate
authorizer, rather than allow the approvals process to stall.
Automatically rerouting requests to alternate authorizers is called
escalation.
Baseline An effective method for identifying security attacks on a network,
baselining starts by measuring normal activity on a network or
network device. That measurement is used as threshold, or
baseline, to detect unusual patterns or changes in levels of activity.
With this method, the security expert can focus efforts on evaluating
anomalies instead of looking for them by reviewing huge log files.
Some commonly baselined security events are:
initiation and termination of network sessions,
bandwidth use,
user logins and logouts,
failed logins, and
rates and types of network traffic.
The term is also used to refer to other security practices. A baseline,
or security baseline, often refers to an organizational standard for securely configuring network devices.
It can also refer to the results of an organization's first security
assessment. This becomes the baseline against which the
organization measures improvements and changes.
Biometrics In a security context, biometrics and biometric authentication refer to
using a person's physical characteristic in order to authenticate
them for access to a resource.
Some of the characteristics commonly used include those of the
eye, face, voice, fingerprints or the shape of a hand. Since these
characteristics are unique and change very little over time, they offer
strong proof of the person's identity. Since these authentication
systems are much more expensive to acquire and maintain, they are
often used for access to very sensitive or classified information.
Card Management Systems (CMS) Card Management Systems (CMS) provide support for the use of
cryptographic cards, often called smart cards, in an organization.
While the specific functions may vary depending on the vendor, in
general, CMS provide the software and hardware mechanisms to
create cards and bind them to the identity of the person who will use
the card to authenticate to various systems.
Most products include the ability to manage USB or hardware tokens as well as PKI certificates. Tools that make it possible to
share identity and credentials with a centralized directory that
provides authorization for the authenticated user are also an
important feature that's frequently a part of the system.
It's important that the cryptographic modules and interfaces are
standards based to ensure interoperability with access controls to
many kinds of resources. FIPS compliance adds an additional level
of assurance.
Certificate Authority (CA) A certification authority, or CA, holds a trusted position because the
certificate that it issues binds the identity of a person or business to
the public and private keys (asymmetric cryptography) that are used
to secure most internet transactions.
Certificate Revocation List (CRL) A Certificate Revocation List (CRL) is a signed data structure that
contains information about revoked certificates.
Coarse-Grained User Provisioning Coarse-grained user provisioning is a process where new accounts
are created for new users, with basic entitlements rather than all of
the required entitlements.
This may be easier to automate and faster to deploy, but requires
further, manual intervention before a new user can be fully
productive.
Consensus Authorization Approval by consensus is a form of parallel authorization where not
all authorizers must respond before a change request is
implemented. For example, any two of three authorizers may be
sufficient to approve a request.
Consensus authorization is implemented in order to expedite the
approvals process and make sure that it is completed even in cases
where some authorizers are unavailable to respond.
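As an added example (not part of this glossary or of any Magnaquest product), the following Python sketch ties together the Authorization Reminders, Automatic Escalation and Consensus Authorization entries for one change request: quorum approval, reminders for silent authorizers, and escalation to an alternate when an authorizer has neither responded nor delegated. The class and function names, the 24-hour reminder and 72-hour escalation intervals, and the rule that a request is rejected once the quorum can no longer be reached are all assumptions made for this example.

```python
from dataclasses import dataclass, field

REMIND_AFTER_HOURS = 24     # assumed reminder interval
ESCALATE_AFTER_HOURS = 72   # assumed escalation deadline


@dataclass
class ChangeRequest:
    request_id: str
    authorizers: list                  # login IDs originally invited to review
    quorum: int                        # approvals sufficient under consensus
    submitted_at: int                  # hours, on a simple integer clock
    delegates: dict = field(default_factory=dict)   # authorizer -> delegated authorizer
    escalated: dict = field(default_factory=dict)   # authorizer -> escalated authorizer
    responses: dict = field(default_factory=dict)   # effective authorizer -> decision
    reminded: set = field(default_factory=set)


def current_authorizer(req, original):
    """Who currently holds an invitation: delegation first, then escalation."""
    name = req.delegates.get(original, original)
    return req.escalated.get(name, name)


def record_decision(req, authorizer, decision):
    """Accept a decision only from someone who currently holds an invitation."""
    assert decision in ("approve", "reject")
    holders = {current_authorizer(req, a) for a in req.authorizers}
    if authorizer not in holders:
        raise PermissionError(f"{authorizer} is not an authorizer on {req.request_id}")
    req.responses[authorizer] = decision


def status(req):
    """Consensus: quorum approvals implement the request without waiting for everyone."""
    decisions = [req.responses.get(current_authorizer(req, a)) for a in req.authorizers]
    approvals = decisions.count("approve")
    rejections = decisions.count("reject")
    if approvals >= req.quorum:
        return "approved"
    if rejections > len(req.authorizers) - req.quorum:   # quorum no longer reachable
        return "rejected"
    return "pending"


def tick(req, now, alternates):
    """Send reminders, then escalate silent authorizers who have not delegated.

    Returns the actions taken, e.g. ("remind", "bob") or ("escalate", "bob", "dave").
    alternates is a pool of login IDs from which replacement authorizers are drawn.
    """
    actions = []
    if status(req) != "pending":
        return actions
    age = now - req.submitted_at
    pool = list(alternates)
    for original in req.authorizers:
        holder = current_authorizer(req, original)
        if holder in req.responses:
            continue
        if age >= REMIND_AFTER_HOURS and holder not in req.reminded:
            req.reminded.add(holder)
            actions.append(("remind", holder))
        if (age >= ESCALATE_AFTER_HOURS and original not in req.delegates
                and holder not in req.escalated.values() and pool):
            replacement = pool.pop(0)
            req.escalated[holder] = replacement
            actions.append(("escalate", holder, replacement))
    return actions
```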
Credentials, Credential Store Credentials are sets of information that the owner presents in order
to prove identity to a computer-based application. Although this is a
general term and can be used for many kinds of credentials, the
problem of storing credentials is most commonly discussed in the
context of asymmetric cryptography where credentials consist of
certified public keys. Common credential stores include databases,
directories and smart cards.
Most enterprise SSO systems work by storing the various login IDs
and passwords for a user in a database of some form and retrieving
this information when the time comes to auto-populate a login
prompt. This database should be protected, as it contains sensitive
information. It may be physically local to the user's workstation, or
stored in a directory, or in an enterprise relational database (ERDB).
The credential database should definitely be encrypted.
Credential Provider (CP) An organization that manages and operates an identity
management system and offers information about members of its community to other participants.
Change Request A change request consists of one or more proposed changes to
user profiles, such as creating new profiles, adding new accounts to
existing profiles, or changing identity attributes. Requests may be
subject to authorization before being implemented.
Data Owner A data owner is a business role associated with responsibility for a
given set of data. Normally this comes with responsibility to decide
what users in the organization may access the data in question and
for the quality of the data.
Data Synchronization The ability for data in different databases to be kept up-to-date so
that each repository contains the same information.
Deactivation Deactivation is the process of disabling a user's accounts, so that
the user can no longer authenticate to those systems or access their
resources or functions. Deactivation does not necessarily imply that
the accounts are deleted, simply that they are made inoperative.
Delegated Authorizer A given authorizer may not always be available. For example,
authorizers may take holidays, be ill, be too busy to respond, etc. In
these cases, an authorizer may wish to delegate his authority to
another user temporarily or permanently. The new authorizer is a
delegated one.
Delegated User Administration As the number of accounts in a system grows, central user
administration becomes impractical. Delegated user administration
is a feature found in some systems to enable designated users to
create new users and manage existing users in just a segment of
the user directory.
Dial Back Dial back validates a user's physical location using the telephone
system. In its original form, when users connected their PCs to the network with telephone modems, a user would connect to a
corporate network, identify himself, hang-up and wait for a corporate
server to call him back at home.
With more modern technology, a user may sign into a corporate
network, identify himself and wait for a single-use random PIN to be
phoned or text messaged to his home or cellular telephone. This
PIN is subsequently used to authenticate to a network service.
Digital Certificate In general use, a certificate is a document issued by some authority to attest to a truth or to offer certain evidence. A digital certificate is
commonly used to offer evidence in electronic form about the holder
of the certificate. In PKI it comes from a trusted third party, called a
certification authority (CA) and it bears the digital signature of that
authority.
Digital Identity The representation of a human identity that is used in a distributed
network interaction with other machines or people. The purpose of
the digital identity is to establish the level of comfort and confidence associated with face to face human interactions in a digital
environment.
Digital Signature An electronic signature that can be used to authenticate the identity
of the sender of a message, or of the signer of a document. It can
also be used to ensure that the original content of the message or
document that has been conveyed is unchanged.
Directory A specialized database that provides a simplified view for easier
access to specific data. A directory is similar to a dictionary. It
enables the look up of a name and information associated with that
name.
Directory Hierarchy A directory can be organized into a hierarchy, in order to make it
easier to browse or manage. Directory hierarchies normally
represent something in the physical world, such as organizational
hierarchies or physical locations. For example, the top level of a
directory may represent a company, the next level down divisions,
the next level down departments, etc. Alternately, the top level may
represent the world, the next level down countries, next states or
provinces, next cities, etc.
Directory Migration Mergers, divestitures, and software changes periodically necessitate
that large numbers of user accounts are moved from one system to another in a short period of time. User provisioning systems may
provide tools to assist in such migrations: to list and characterize
users on one system, and to automatically create batches of users
on another system.
Directory Synchronization A directory synchronization process compares users, user groups,
and user attributes as they are defined on two or more systems. It
applies business logic to detected differences, and automatically
updates the users, user groups, and/or user attributes on at least
one system to match those found on others.
Disabled Account A disabled account is one where the administrator lockout flag has
been set.
Dynamic SoD Policy A dynamic segregation of duties policy is one that prevents one
login account or user profile from performing two or more conflicting
actions relating to the same business transaction. For example,
while it may be appropriate for the same user to have both the
vendor-management and payment-management entitlements, it is not acceptable for the same user to both create a vendor and
authorize a payment to that vendor.
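An added Python illustration of the vendor/payment case above (example code, not from this glossary or any Magnaquest product). It assumes that an entitlement name equals the action it permits, that conflicts are expressed as pairs of action names, and that a transaction is identified by a string; the contrast with a static rule, which would forbid holding both entitlements at all, is included to show what "dynamic" adds.

```python
from collections import defaultdict

# Constructed conflict pairs: the same user must not perform both actions
# of a pair against the same business transaction (assumed representation).
CONFLICTING_ACTIONS = {
    frozenset({"create_vendor", "authorize_payment"}),
    frozenset({"enter_invoice", "approve_invoice"}),
}


def static_conflict(entitlements, conflicts=CONFLICTING_ACTIONS):
    """What a static SoD rule would flag: merely holding both entitlements."""
    held = set(entitlements)
    return any(pair <= held for pair in conflicts)


class DynamicSodPolicy:
    """Dynamic SoD: holding both entitlements is allowed; exercising both on
    the same transaction is not."""

    def __init__(self, conflicts=CONFLICTING_ACTIONS):
        self.conflicts = conflicts
        # transaction id -> action name -> user who performed it
        self.history = defaultdict(dict)

    def check(self, user, action, transaction_id):
        """Return the earlier conflicting action if this would violate the
        policy, or None when the action may proceed."""
        done = self.history[transaction_id]
        for pair in self.conflicts:
            if action not in pair:
                continue
            for other in pair - {action}:
                if done.get(other) == user:
                    return other
        return None

    def perform(self, user, action, transaction_id):
        """Record the action, refusing it when it completes a conflicting pair."""
        conflict = self.check(user, action, transaction_id)
        if conflict is not None:
            raise PermissionError(
                f"SoD violation: {user} already performed {conflict} on {transaction_id}")
        self.history[transaction_id][action] = user
```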
Email Based Authentication Applications may defer identification and authentication of a user to
an e-mail system, essentially eliminating any need to manage or
support the authentication process directly. This is typically as
follows:
1. The user identifies himself to an application by typing his e-mail address.
2. An e-mail containing a randomized URL is sent to that
address.
3. If the user can click on the e-mail, he has demonstrated that
he has access to the e-mail account, and is therefore
authenticated.
This is a weak form of authentication, since it is impossible to say
how secure the user's e-mail service is, but it is adequate for many
applications.
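The three-step flow above as an added Python example (not code from this glossary or from Magnaquest). It assumes a 15-minute link lifetime, an injected `send_mail` callback so the code runs offline, and, as a hardening beyond what the entry states, that only a hash of each token is stored and that each link can be redeemed once.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60     # assumed: login links expire after 15 minutes


class EmailLoginService:
    """Issue and redeem single-use login links. Only a hash of each token is
    stored, so a copy of the pending table alone cannot be turned into a link."""

    def __init__(self, send_mail, clock=time.time):
        self.send_mail = send_mail      # callable(address, url), injected
        self.clock = clock              # injected so expiry can be tested
        self.pending = {}               # token hash -> (address, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def start(self, address):
        """Steps 1 and 2: the user types an address; a randomized URL is mailed to it."""
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self.pending[self._digest(token)] = (address, self.clock() + TOKEN_TTL_SECONDS)
        self.send_mail(address, f"https://app.example/login?token={token}")

    def redeem(self, token):
        """Step 3: following the link proves control of the mailbox.

        Returns the authenticated address, or None if the token is unknown,
        already used, or past its expiry time.
        """
        entry = self.pending.pop(self._digest(token), None)   # pop: single use
        if entry is None:
            return None
        address, expires_at = entry
        if self.clock() > expires_at:
            return None
        return address
```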
Embedded Application Password An embedded application password is a password stored in one
application and used to connect to another. A common example is a
database (ID and) password stored on a web application and used
to connect to the database, to fetch and update database records.
Endpoint Authentication A security system that verifies the identity of a remotely connected
device (and its user) such as a PDA or laptop before allowing
access to enterprise network resources or data.
Enterprise Role An enterprise role is a collection of entitlements spanning multiple
systems or applications. Like simple roles, enterprise roles are used
to simplify security administration on systems and applications, by
encapsulating popular sets of entitlements and assigning them as packages, rather than individually, to users.
Enterprise Single Sign On A technology which reduces the number of times that a user must
sign into systems and applications by automatically populating login
ID and password fields when applications ask for user
authentication. This is done by monitoring what is displayed on a
user's desktop and, when appropriate, typing keystrokes on
behalf of the user; in short, screen scraping the user's desktop.
That is, applications are unmodified and continue to perform user authentication. Reduced sign-on is achieved by auto-populating
rather than removing login prompts.
Entitlement Management Entitlement management refers to a set of technologies and
processes used to coherently manage security rights across an
organization. The objectives are to reduce the cost of administration,
to improve service and to ensure that users get exactly the security
rights they need.
These objectives are attained by creating a set of robust, consistent
processes to grant and revoke entitlements across multiple systems
and applications:
1. Create and regularly update a consolidated database of
entitlements.
2. Define roles, so that entitlements can be assigned to users in
sets that are easier for business users to understand.
3. Enable self-service requests and approvals, so that
decisions about entitlements can be made by business users
with contextual knowledge, rather than by IT staff.
4. Synchronize entitlements between systems, where
appropriate.
5. Periodically invite business stake-holders to review
entitlements and roles assigned to users and identify no-longer-appropriate ones for further examination and removal.
Escalated Authorizer A given authorizer may not always be available. In cases where an
authorizer fails to respond to a request to approve or reject a
requested change, and where the authorizer has not named a
delegated authorizer, an automatic escalation process may select a
replacement authorizer after a period of time. This replacement is
the escalated authorizer.
Events Per Second (EPS) Events Per Second (EPS) is a metric used in evaluating log
management and related tools. It represents the total number of
network and security events, accumulated from various network
devices, that must be managed per second.
Expired Password An account is said to have an expired password if the user will be
forced to change passwords after the next successful login.
Explicit Role Assignment A role may be explicitly assigned to a user, i.e., some database will
include a record of the form "user X should have role Y".
Federated Identity The management of identity information between different
organizations that have separate identity and access management
systems in place.
Federation An association of organizations that come together to exchange
information as appropriate about their users and resources in order
to enable collaborations and transactions.
Fine-Grained User Provisioning Fine-grained user provisioning is a process where new accounts are
created for new users, with all of the entitlements that a new user
will require (identity attributes, group memberships and other
objects, such as home directories and mail folders) already created.
This may be more complex to automate and longer to deploy, but
eliminates further, manual intervention before a new user can be
fully productive.
GINA GINA is the acronym for Graphical Identification and
Authentication, the subsystem that handles the logon presentation
to the user. The Microsoft GINA is represented by the logon screen
that pops up on the PC when the user presses Ctrl+Alt+Delete.
Windows 2000 and XP rely on a GINA DLL for Graphical
Identification and Authentication. The Microsoft GINA DLL is called
MSGINA.DLL.
Global ID A global ID is a unique identifier that spans two or more systems. A
truly global ID, one that is guaranteed to be unique across every
system in the world, is a user's fully qualified SMTP e-mail address.
Another truly global ID might be a user's country code followed by that country's local equivalent of a social security number, social
insurance number or resident number. Global IDs may be global
only over a few systems, rather than every system on Earth.
Global Password Policy A global password policy is a policy designed to combine the
policies of multiple target systems. It is the product of combining the
strongest of each type of complexity rule and the most limited
strongest of each type of complexity rule and the most limited
representation capabilities of the systems where passwords will be
synchronized.
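An added Python example of the combination rule just described (not from this glossary or any Magnaquest product): the strongest of each complexity rule is taken with max(), the most limited representation with min() and set intersection, and a candidate password is checked against the result before it is synchronized. The policy fields, the two sample target-system policies and the rule messages are constructed for this example.

```python
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_length: int              # representation limit of the target system
    min_classes: int             # of: lower, upper, digit, symbol
    allowed_symbols: frozenset   # symbols the system can represent
    max_repeat: int              # longest run of one character permitted


# Constructed sample policies for two hypothetical target systems.
MAINFRAME = PasswordPolicy(6, 8, 2, frozenset("@#$"), 3)
AD = PasswordPolicy(8, 127, 3, frozenset("!@#$%^&*()"), 2)


def combine(policies):
    """Global policy: strongest complexity rule of each kind, most limited
    representation, so one password is acceptable on every target system."""
    return PasswordPolicy(
        min_length=max(p.min_length for p in policies),
        max_length=min(p.max_length for p in policies),
        min_classes=max(p.min_classes for p in policies),
        allowed_symbols=frozenset.intersection(*(p.allowed_symbols for p in policies)),
        max_repeat=min(p.max_repeat for p in policies),
    )


def violations(password, policy):
    """List every rule the candidate breaks; an empty list means acceptable everywhere."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if len(password) > policy.max_length:
        problems.append("too long for the most limited system")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < policy.min_classes:
        problems.append("too few character classes")
    bad = {c for c in password if not c.isalnum() and c not in policy.allowed_symbols}
    if bad:
        problems.append("symbol not representable: " + "".join(sorted(bad)))
    longest = max((len(list(run)) for _, run in groupby(password)), default=0)
    if longest > policy.max_repeat:
        problems.append("repeated character run too long")
    return problems
```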
Group Membership A group membership is the assignment of a given user to a given
security group.
Group Owner Access to data, to applications and to features within applications is
often controlled using security groups. Groups normally have
owners: people in an organization responsible for managing
membership in the group.
Hardware Authenticator One of the ways that a person can authenticate to a computer
system or application is by using a small, portable hardware device
called a hardware authenticator; sometimes called a security token.
Hijacking Hijacking is used to describe several kinds of attacks where the
attacker takes control of the session between a browser and a web
server.
Identification The process by which information about a person is gathered and
used to provide some level of assurance that the person is who they
claim to be. Generally, this identity verification takes place within the
office (e.g. Human Resources or Student Services) or self-service
application that first encounters the individual and creates their
record within the institutional system(s) of record.
Identity Identity is the set of information associated with a specific physical
person or other entity. Typically a Credential Provider will be
authoritative for only a subset of a person's identity information.
Which identity attributes are relevant in any situation depends on
the context in which identity is being questioned.
Identity Attributes Each piece of identifying information about a user can be thought of
as an attribute of that user. Users have identity attributes, each of
which may be stored on one or more target systems.
Identity Change User identity information may change from time to time. For example, people change their names after marriage or divorce, their phone
numbers and addresses change periodically, etc. Where systems and
applications track this data, it must be changed whenever the real-world
information changes. Such changes are called identity
changes.
Identity Reconciliation / ID Reconciliation ID reconciliation is a process by which an organization maps local
IDs in different name spaces to one another, and to the global
profile IDs of the users that own them. For example, ID
reconciliation may be required to map IDs such as smithj on a
mainframe system to IDs such as john.w.smith on an Active
Directory domain.
Identity and Access Management (IAM) Sometimes abbreviated to IAM, identity and access management
refers to all of the policies, processes, procedures and applications
that help an organization manage access to information.
Specific concepts, standards and applications that help with identity
and access management include authentication, user life-cycle
maintenance, federated identity, single sign-on, provisioning and
Role Based Access Control (RBAC).
Identity Synchronization Identity synchronization systems map identity attributes between
different systems and automatically propagate changes from one
system to another.
It should be noted that identity synchronization normally operates
without a user interface, i.e., data flows in from one system and out
to one or more other systems, without any further user input in
between.
For example, an e-mail system may be authoritative for each user's
SMTP e-mail address, an HR system for the same user's employee
number and department code, a white pages application for each
user's phone number and so on. An identity synchronization system
makes sure that all of these systems have correct and up-to-date
information in each of these fields.
Identity Theft Identity theft is the theft of the credentials that we use to do
business. When access controls are inadequate, the credentials that
people use to authenticate to their credit card companies, banks or
shopping sites may be disclosed to the wrong people. In addition,
thieves have developed many ways to use e-mail and the Internet to
collect this information.
Once perpetrators have the information they can use it as if they
were the victim, running up credit card debt, or taking money out of
bank accounts or investment savings.
Identity Vetting The process used to establish the identity of the individual to whom
the credential was issued. This is typically done during credentialing.
Implicit Role
Assignment
A role may be implicitly assigned to a user, i.e., some database will
include a rule of the form "users matching requirement X should be
automatically assigned role Y".
Intruder Lockout An intruder lockout is a flag set on a login account when too many
consecutive failed login attempts have been made in too short a
time period. Intruder lockouts are intended to prevent attackers from
carrying out brute force password guessing attacks.
On some systems, intruder lockouts are cleared automatically, after
a period of time has elapsed. On others, administrative intervention
is required to clear a lockout.
Note that on some systems and applications, intruder lockouts and
administrator lockouts are entangled (they use the same flag). This
is a poor but common design.
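The lockout behaviour described above, as an added example (not code from the glossary or from Magnaquest): consecutive failures are counted inside a time window, the lock clears itself after a cooldown, and the intruder flag is deliberately kept apart from an administrator-set flag so that clearing one cannot silently clear the other. Account names, thresholds and timings are constructed.

```python
# Added example (not from the glossary or Magnaquest): an intruder lockout
# that counts consecutive failed logins inside a time window, clears itself
# after a cooldown, and is kept as a separate flag from an administrator
# lockout so that clearing one never silently clears the other.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LoginAccount:
    login_id: str
    failures: List[float] = field(default_factory=list)  # times of consecutive failures
    intruder_locked_at: Optional[float] = None           # set only by the lockout logic
    admin_locked: bool = False                           # set only by an administrator


class LockoutPolicy:
    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds  # None means an administrator must clear it

    def is_locked(self, acct, now):
        """True if any lockout is in force; an intruder lockout whose
        cooldown has elapsed is cleared here automatically."""
        if acct.admin_locked:
            return True
        if acct.intruder_locked_at is None:
            return False
        if self.lockout_seconds is not None and now - acct.intruder_locked_at >= self.lockout_seconds:
            acct.intruder_locked_at = None
            acct.failures.clear()
            return False
        return True

    def record_failure(self, acct, now):
        """Register a failed attempt; returns True if it triggered a lockout."""
        if self.is_locked(acct, now):
            return False
        # Only failures inside the window count as "consecutive".
        acct.failures = [t for t in acct.failures if now - t < self.window_seconds]
        acct.failures.append(now)
        if len(acct.failures) >= self.max_failures:
            acct.intruder_locked_at = now
            return True
        return False

    def record_success(self, acct, now):
        """A correct password on a locked account is still refused (False);
        otherwise the consecutive-failure history is reset (True)."""
        if self.is_locked(acct, now):
            return False
        acct.failures.clear()
        return True

    @staticmethod
    def admin_unlock(acct):
        """Administrative intervention clears both flags explicitly."""
        acct.admin_locked = False
        acct.intruder_locked_at = None
        acct.failures.clear()


def simulate():
    """Constructed scenario: three quick failures lock the account, the
    correct password is refused while locked, and the lock clears after
    the cooldown without help-desk involvement."""
    policy = LockoutPolicy(max_failures=3, window_seconds=60, lockout_seconds=300)
    acct = LoginAccount("jdoe")
    triggered = [policy.record_failure(acct, t) for t in (0, 10, 20)]
    refused_while_locked = not policy.record_success(acct, 30)
    cleared_after_cooldown = not policy.is_locked(acct, 20 + 300)
    return triggered, refused_while_locked, cleared_after_cooldown


if __name__ == "__main__":
    print(simulate())
```

Setting `lockout_seconds` to `None` models the systems the entry mentions where only an administrator can clear the lock; `admin_unlock` is the only code path that touches both flags at once.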
ID Namespace A name space for unique identifiers is a system or domain within
which no two users may have the same ID. Every system has its
own namespace. Another example is mail domains (i.e., the part of
an SMTP e-mail address following the @ sign), where the part of
each user ID preceding the @ sign must be unique within its
domain.
Key Logging Key logging software runs in the background, in a stealth mode that
isn't easy to detect on a PC. It collects every keystroke and hides
that information in a file.
Key Management A collection of procedures involved with the generation, exchange,
storage, safeguarding, use, vetting, and replacement of encryption
keys. Key management is essential to the secure ongoing operation
of any cryptosystem.
Layered
Authentication
Layered authentication describes an identity and access
management architecture that requires varying levels of
authentication proofs based on the risk of the transaction.
Local Administrator
Password
A local administrator password is the password to an account used
by system administrators to install, configure and manage a system
or application. Examples are Administrator on Windows, root on
Unix/Linux and sa on Microsoft SQL Server.
Local Agent A local agent is an agent installed on the target system itself.
Installation of local agents requires change control on the target
system itself, something which may be difficult and/or undesirable
on a production system or application.
Local agents are well positioned to detect changes to user objects
on a target system in real time, forwarding these changes to an
identity management system which may act on them.
Communication between an identity management system and a
local agent can always be protected, even if the native
communication protocols of the target system are insecure.
Local ID A local ID is a user's unique identifier within the context of a single
system. It may be the same as that user's profile ID, or it may be an
alias.
LDAP An open protocol that provides access to directories. Applications
that use LDAP (known as directory-enabled applications) can use
the directory as a common data store for retrieving information
about people or services, such as email addresses, public keys or
service-specific configuration parameters.
Level of Assurance
(LoA)
Refers to the degree of certainty that (1) a person's identity has
been adequately verified before credentials are issued, and (2) a
user indeed owns the credentials they are subsequently presenting
to access the resource.
Login Accounts Systems and applications where users have the ability to login and
access features and data generally assign a login account to each
user. Login accounts usually include a unique identifier for the user,
some means of authentication, security entitlements and other
personally identifying information such as the user's name, location,
etc.
Login ID A login ID is a generic term for a unique electronic identifier used to
control access to applications or services. A login ID may or may not
be a secret shared between the system and the user to identify the
user. A login ID is normally combined with other personal secret
information (PIN, password, etc.).
Management Chain In a business setting, users normally have managers, who in turn
have their own managers. The sequence of managers, starting with
a given user and ending with the highest individual in an
organization is that user's management chain. Management chains
are relevant to identity management as they are often used to
authorize security changes.
Meta Directory Some organizations deploy a meta directory to synchronize users
and user attributes between multiple user directories. A meta
directory program is software that compares users and user
attributes as defined on multiple systems, and automatically
propagates changes made on an authoritative system to other
systems. For example, if a user's HR record is updated with a new
home telephone number, a meta directory might update the
corporate e-mail system and LDAP directory with the same new
information. Meta directory software normally implements a directory
synchronization process.
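The propagation that the Identity Synchronization and Meta Directory entries describe, as an added example (not code from the glossary or from Magnaquest). It assumes that every connected system keys its records by the same profile ID and that each canonical attribute has exactly one authoritative system; the system names, field names and records are constructed.

```python
# Added example (not from the glossary or Magnaquest): attribute-level identity
# synchronization between several systems. Assumptions: every system keys its
# records by the same profile ID, and each canonical attribute has exactly one
# authoritative system.
from dataclasses import dataclass


@dataclass
class System:
    """A connected system: name plus records keyed by profile ID."""
    name: str
    records: dict


class IdentitySynchronizer:
    """Maps attribute names between systems and pushes authoritative values.

    authority: canonical attribute -> name of the system that owns it
    mapping:   (system name, canonical attribute) -> that system's field name;
               a system with no mapping for an attribute does not carry it
    """

    def __init__(self, systems, authority, mapping):
        self.systems = {s.name: s for s in systems}
        self.authority = authority
        self.mapping = mapping

    def _field(self, system, attr):
        if (system, attr) in self.mapping:
            return self.mapping[(system, attr)]
        # The owner may use the canonical name without an explicit mapping.
        return attr if self.authority[attr] == system else None

    def authoritative_value(self, profile_id, attr):
        owner = self.systems[self.authority[attr]]
        record = owner.records.get(profile_id)
        return None if record is None else record.get(self._field(owner.name, attr))

    def sync(self):
        """Propagate every authoritative value to each other system that
        carries the attribute. Returns (system, profile_id, field, old, new)
        for each write made; no user interaction is involved."""
        changes = []
        for attr, owner in self.authority.items():
            for pid in self.systems[owner].records:
                new = self.authoritative_value(pid, attr)
                for name, target in self.systems.items():
                    fld = self._field(name, attr)
                    if name == owner or fld is None or pid not in target.records:
                        continue
                    old = target.records[pid].get(fld)
                    if old != new:
                        target.records[pid][fld] = new
                        changes.append((name, pid, fld, old, new))
        return changes


def build_demo():
    """Constructed sample data: HR owns employee number and department, the
    mail system owns the SMTP address, white pages owns the phone number."""
    hr = System("hr", {"u1001": {"employee_number": "E-4471", "department": "FIN"}})
    mail = System("mail", {"u1001": {"smtp": "a.lee@example.com", "ou": "ENG",
                                      "employee_number": ""}})
    whitepages = System("whitepages", {"u1001": {"phone": "+60-3-0000-0000",
                                                  "mail": "old@example.com",
                                                  "department": "ENG"}})
    authority = {"employee_number": "hr", "department": "hr",
                 "email": "mail", "phone": "whitepages"}
    mapping = {("mail", "department"): "ou",
               ("mail", "employee_number"): "employee_number",
               ("mail", "email"): "smtp",
               ("whitepages", "email"): "mail",
               ("whitepages", "department"): "department"}
    return IdentitySynchronizer([hr, mail, whitepages], authority, mapping)


if __name__ == "__main__":
    for change in build_demo().sync():
        print(change)
```

A second `sync()` call on the same data makes no writes, which is the property a scheduled synchronization job relies on; the returned change list is what you would log, since the flow has no user interface to show it in.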
Multifactor
Authentication
Multi-factor authentication means authentication using multiple
factors. For example, a user might sign into a system with a
combination of two things he knows, or a combination of something
he knows and something he has, or perhaps something he knows,
something he has and something he is.
The premise is that adding authentication factors makes it more
difficult for a would-be attacker to simulate a legitimate
authentication and consequently impersonate a legitimate user.
Multi-Key Password
Release
Password disclosure may require authorization. For example,
system administrator A may need a password, but might not be
allowed to see the password until other people, say B and C,
approve the disclosure. Multi-key password disclosure refers to any
process where the actions of more than one person are required to
disclose a password.
Nested Groups Nested groups are groups that contain, among their members, other
groups. This is a powerful construct but it can be complicated for
applications to support and may cause performance problems if not
implemented well. Active Directory is one system that effectively
supports nested groups.
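Resolving effective membership through nested groups, as an added example (not code from the glossary or from Magnaquest). The directory below is constructed, and the `g:` prefix used to tell groups from users is a convention of this example only; it includes a membership cycle to show why a naive recursive expansion would never terminate.

```python
# Added example (not from the glossary or Magnaquest): resolving effective
# membership through nested groups. The directory below is constructed;
# group names carry a "g:" prefix so members can be told apart from users.
GROUPS = {
    "g:all-staff": {"g:engineering", "g:finance", "hr-admin"},
    "g:engineering": {"g:platform", "alice"},
    "g:platform": {"bob", "g:engineering"},   # nests back into engineering: a cycle
    "g:finance": {"carol"},
}


def expand_group(group, groups=GROUPS):
    """Users transitively in `group`. Each nested group is visited once,
    so a membership cycle terminates instead of recursing forever."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, ()):
            if member.startswith("g:"):
                stack.append(member)
            else:
                users.add(member)
    return users


def groups_of(user, groups=GROUPS):
    """Every group that grants `user` membership, directly or by nesting.
    This naive form re-expands every group per query, which is the cost
    that bites on large directories."""
    return {g for g in groups if user in expand_group(g, groups)}


if __name__ == "__main__":
    print(sorted(expand_group("g:all-staff")))
    print(sorted(groups_of("bob")))
```

The inverse query (`groups_of`) is the expensive direction: deciding whether a user is in a group means walking every nesting path, which is why applications that support nested groups well cache or precompute the expansion rather than repeating it at each access check.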
Onboarding This is the process where users join an organization. It may refer to
hiring new employees, bringing in contractors or signing up visitors
to a web portal.
One Time Password
(OTP)
A one-time password can only be used once. There are a great
many varieties of one-time password systems including time-
synchronous, event-synchronous and challenge-response
technologies, along with multiple underlying cryptographic
algorithms. RSA SecurID authentication is an example of a one-
time password system.
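One concrete time-synchronous OTP scheme, as an added example (not code from the glossary, from Magnaquest, or from RSA SecurID, which uses its own algorithm): HOTP (RFC 4226) driven by the current 30-second time step, i.e. TOTP (RFC 6238). `SECRET` is the RFC 6238 reference secret so the generated codes can be checked against the published vectors; the verifier's replay protection via `last_counter` is this example's design, not something the entry states.

```python
# Added example (not from the glossary or Magnaquest): a time-synchronous
# one-time password, HOTP (RFC 4226) driven by the current 30-second time
# step (RFC 6238). Server and token share SECRET; a code is valid for one
# step, plus a small skew allowance, and is never accepted twice.
import hashlib
import hmac
import struct

# RFC 6238 reference secret, used only so the codes below are checkable.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-synchronous variant: the counter is the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check. `skew` extra steps either side absorb clock drift;
    `last_counter` makes each step single-use so a captured code cannot be
    replayed within the acceptance window."""

    def __init__(self, secret, step=30, digits=6, skew=1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_counter = -1

    def verify(self, candidate, unix_time):
        current = unix_time // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue  # already consumed: reject replays
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), candidate):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print(totp(SECRET, 59))  # RFC 6238 vector at T=59 (8-digit form 94287082)
```

`hmac.compare_digest` keeps the comparison constant-time; the `last_counter` check is what turns a "valid for 30 seconds" code into a genuinely one-time one on the server side.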
Organizational
Hierarchy
An organizational hierarchy is an organization of user profiles that
identifies zero or one manager for each user. This hierarchy may
be useful in the context of access certification, change authorization
or automated escalation.
Password A password or its numerical form, sometimes called a passcode or
PIN, is one of the simplest authentication methods. It is usually used
with an identifier, as a shared secret between the person who wants
access and the system that's protected.
If it's not encrypted, or if the encryption is easy to break, passwords
and passcodes are vulnerable to eavesdropping and replay. And if it
is encrypted, there are other attacks that are used. A brute force, or
dictionary, attack is an attack that just tries possibility after
possibility until the right one is found. Utilities to help an attacker
with this kind of attempt are easily found on the Internet. Short
passwords, made of one simple word, are the easiest to find with this
kind of attack. So many administrators require pass phrases,
complex combinations of words. Controls will also often require that
numbers or special characters are used with the password or pass
phrase; this makes it more random in nature and harder to guess.
In some environments, users must remember many complex
passwords and pass phrases and end up writing them down near
the computer. This becomes the vulnerability.
Password Age Password age is the number of days since a password was last
changed.
Password Change A routine password change is a process where a user authenticates
to a system using his login ID and password, and chooses a new
password either voluntarily or because the old password has expired.
The only credentials involved in a routine password change are the
users identifier, old password and new password.
Password
Disclosure
Password disclosure is a process where a stored copy of a
password, matching a password in a target system's security
database, is revealed to a human or machine user. For example, it
might be the process of revealing a stored copy of an administrator
password to a system administrator.
Password Expiry Password expiry is a process whereby users are forced to
periodically change their passwords. An expiration policy may be
represented as the longest number of days for which a user may
use the same password value.
The reason for password expiry is the notion that, given enough
time, an attacker could guess a given password. To avoid this,
passwords should be changed periodically and not reused.
Password Expiry
Date
A password has an expiry date if the user will be forced to change
it on the first successful login after a given time/date.
Password History A password history is some representation of one or more
previously used passwords for a given user. These passwords are
stored in order that they may be compared to new passwords
chosen by the user, to prevent the user from reusing old passwords.
The reason for password history is the notion that, given enough
time, an attacker could guess a given password. To avoid this,
passwords should be changed periodically and not reused.
Password Policy A password policy is a set of rules regarding what sequence of
characters constitutes an acceptable password. Acceptable
passwords are generally those that would be too difficult for another
user or an automated program to guess (thereby defeating the
password mechanism).
Password policies may require a minimum length, a mixture of
different types of characters (lowercase, uppercase, digits,
punctuation marks, etc.), avoidance of dictionary words or
passwords based on the user's name, etc.
Password policies may also require that users not reuse old
passwords and that users change their passwords regularly.
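The Password Policy and Password History entries together, as an added example (not code from the glossary or from Magnaquest): a validator for the rules the entry lists (minimum length, character classes, dictionary words, the user's own name) combined with a history check done against salted PBKDF2 hashes, so that old passwords never have to be stored in clear text. The rule thresholds, the small dictionary and the sample user are constructed.

```python
# Added example (not from the glossary or Magnaquest): password policy plus
# password history. New passwords are checked against composition rules and
# against salted hashes of the user's previous passwords, so old passwords
# are never stored in the clear. Thresholds and the dictionary are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3          # of: lowercase, uppercase, digit, punctuation
    history_depth: int = 5        # how many previous passwords are remembered
    dictionary: frozenset = frozenset({"password", "welcome", "letmein", "qwerty"})


@dataclass
class UserRecord:
    login_id: str
    display_name: str
    history: list = field(default_factory=list)   # list of (salt, digest)


def _classes(pw):
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def _digest(salt, pw):
    # Slow, salted hash: a leaked history file cannot be read back directly.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def in_history(user, pw):
    return any(hmac.compare_digest(_digest(salt, d_old), _digest(salt, pw)) if False
               else hmac.compare_digest(d_old, _digest(salt, pw))
               for salt, d_old in user.history)


def check_password(policy, user, pw):
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append("too_short")
    if _classes(pw) < policy.min_classes:
        problems.append("too_few_character_classes")
    lowered = pw.lower()
    if any(word in lowered for word in policy.dictionary):
        problems.append("contains_dictionary_word")
    for part in [user.login_id] + user.display_name.split():
        if len(part) >= 3 and part.lower() in lowered:
            problems.append("based_on_user_name")
            break
    if in_history(user, pw):
        problems.append("reused_old_password")
    return problems


def change_password(policy, user, new_pw):
    """Apply the policy; on success record the new password's salted hash
    and trim the history to the configured depth. Returns the problems."""
    problems = check_password(policy, user, new_pw)
    if problems:
        return problems
    salt = os.urandom(16)
    user.history.append((salt, _digest(salt, new_pw)))
    del user.history[:-policy.history_depth]
    return []


if __name__ == "__main__":
    u = UserRecord("alee", "Alice Lee")
    print(change_password(PasswordPolicy(), u, "Tr0ub4dor&3xyz"))
    print(change_password(PasswordPolicy(), u, "Tr0ub4dor&3xyz"))
```

Each history entry has its own salt, so comparing a candidate means re-deriving one hash per remembered password; with a depth of five that cost is negligible at change time, while still making an offline attack on the history file no cheaper than one on the live credential store.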
Password Recovery Many applications offer weak encryption of data, such as office
documents or spreadsheets. Such encryption is susceptible to brute
force key recovery, and such key recovery is offered by password
recovery applications, most often offered to users who forgot the
passwords they used to protect their own documents.
Password Reset A password reset is a process where a user who has either
forgotten his own password or triggered an intruder lockout on his
own account can authenticate with something other than his
password and have a new password administratively set on his
account.
Password resets may be performed by a support analyst or by the
user himself (self-service).
Password
Synchronization
Password synchronization technology helps users to maintain the
same password on two or more systems. This, in turn, makes it
easier for users to remember their passwords, reducing the need to
write down passwords or to call an IT help desk to request a new
password to replace a forgotten one.
Password
Synchronization
Trigger
A password synchronization trigger is the component of a
transparent password synchronization system which detects the
initial password change event and starts the synchronization
process.
Password Wallet A password wallet is an application used by a single user to store
that user's various passwords, typically in encrypted form.
Parallel Approvals A parallel authorization process is one where multiple authorizers
are invited to comment concurrently i.e., the identity management
system does not wait for one authorizer to respond before inviting
the next.
Parallel authorization has the advantage of completing more quickly,
as the time required to finish an authorization process is the single
longest response time, rather than the sum of all response times.
PKI Public-Key Infrastructure (PKI) is the infrastructure needed to
support asymmetric cryptography. At a minimum, this includes the
structure and services needed to do the following:
Register and verify identities,
Build and store credentials,
Certify the credentials (issue digital certificates),
Disseminate the public key, and
Secure the private key and yet make it available for use.
The infrastructure will also need to have the structure and services
to renew keys, recover keys, and to notify others when a key is
revoked.
A set of highly trusted certification authorities must be able to certify
other CAs; this includes being able to make and assert decisions
based on use and policy.
In addition, the elements of the PKI need to be able to interoperate
seamlessly with all of the other elements whether they are within the
same organization or not. Since they must provide these services to
a wide variety of applications and entities, use of standards is
absolutely required.
Privileged Account A privileged account is a login ID on a system or application which
has more privileges than a normal user. Privileged accounts are
normally used by system administrators to manage the system, or to
run services on that system, or by one application to connect to
another.
Profile ID A profile ID is a globally unique identifier for a human user.
Provisioning The process of providing users with access to data and technology
resources. The term typically is used in reference to enterprise-level
resource management. Provisioning can be thought of as a
combination of the duties of the human resources and IT
departments in an enterprise, where (1) users are given access to
data repositories or granted authorization to systems, applications
and databases based on a unique user identity, and (2) users are
appropriated hardware resources, such as computers, mobile
phones and pagers. The process implies that the access rights and
privileges are monitored and tracked to ensure the security of an
enterprise's resources.
Account provisioning describes the tasks and framework for
authorizing and documenting access. It's the first step in user
life-cycle management.
As people join an organization, or change responsibilities, someone
needs to make decisions about the information resources that they
need to do their job and these policies must be enforced with the
appropriate applications. De-provisioning must be done efficiently
when people leave the organization or no longer need certain rights.
RADIUS Remote Authentication Dial-In User Service (RADIUS), also known
as RADIUS Authentication Server, was originally developed to
provide centralized authentication, authorization, and accounting for
dial-up access to a network. Now it supports many kinds of remote,
authenticated access including VPNs, wireless and DSL.
Recipient Changes to user profiles or entitlements always have a recipient:
the user profile which will be created, modified or deleted.
Requester Changes to user profiles or entitlements are often initiated by a
requester, literally a person who makes a change request. In other
cases they may be initiated by an automated process, which may or
may not have a virtual (i.e., non-human) ID.
Reduced Sign On A synonym for single sign-on which recognizes that authentication is
normally reduced, but often not to just one step.
Remote Agent A remote agent is an agent installed on an identity management
server, rather than on the target system.
Installation of remote agents requires no change control on the
target system itself, making them easier to deploy and possibly
more scalable, when hundreds or thousands of target systems are
involved.
Remote agents normally cannot detect changes to user objects on a
target system in real time, so must poll target systems for changes
periodically.
Communication between an identity management system and a
remote agent may not be secure, since it relies on the native
communication protocols of the target system, which in some cases
may be vulnerable to eavesdropping or data injection.
Reverse Web Proxy A reverse web proxy intercepts user attempts to access one or more
web applications, may modify the HTTP or HTTPS requests (for
instance, inserting credentials), and requests web pages on behalf
of the user.
Reverse web proxies act on behalf of one or more web servers.
WebSSO systems may be implemented using a reverse web proxy
architecture, which inserts user application credentials into each
HTTP stream.
The reverse web proxy architecture has the advantage of not
requiring software to be installed on each web application, which is
attractive when a WebSSO system is integrated with a large number
of web applications.
Role The specific rights, duties and activities that a person or
organisation (an identity) has/does within a certain context. A role is
usually characterised by a subset of an identity's attributes. An
identity can have multiple roles, and each role should have a unique
identifier.
Role Change A role change is a business process where a user's job function
changes and consequently the set of roles and entitlements that the
user is assigned should also change. Some old entitlements should
be removed (immediately or after a period of time), some old
entitlements should be retained, and some new entitlements should
be added.
Role Based Access
Control (RBAC)
Role Based Access Control (RBAC) is the establishment of access
rights based on a user's role in the organization. When an
organization looks at the job of provisioning thousands of users and
thousands of network devices for hundreds of applications, it can be
daunting. One of the ways to simplify this task is to implement
access controls for a limited number of roles instead of for each
individual.
Role Management Roles and role assignment are unlikely to remain static for any
length of time. Because of this, they must be managed: the
entitlements associated with a role must be reviewed and updated
and the users assigned the role, implicitly or explicitly, must be
reviewed and changed. The business processes used to effect
these reviews and changes are collectively referred to as role
management (sometimes enterprise role management).
Role Policy
Enforcement
Where entitlements on multiple systems are modelled with
enterprise roles, an enforcement process can periodically compare
actual entitlements with those predicted by the model and respond
to variances by automatically making corrections, asking for
deviations to be approved, etc. This periodic checking process is
called role policy enforcement.
Role Violation A role violation is a situation where a user is assigned an entitlement
that contradicts the user's role assignment. The entitlement may be
excessive, i.e., not predicted by the role, or it may be inadequate,
i.e., the role assignment predicts that the user should have an
entitlement, but the user does not.
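The Role Policy Enforcement and Role Violation entries together, as an added example (not code from the glossary or from Magnaquest): role assignments predict a set of entitlements, the entitlements actually found on target systems are compared with that prediction, and each variance is classified as excessive or inadequate and then routed either to automatic correction or to an approver. The role model, users and entitlement names are constructed, and the default of auto-granting what is missing while sending removals for approval is this example's policy choice.

```python
# Added example (not from the glossary or Magnaquest): role policy
# enforcement. Roles predict entitlements; actual entitlements read from
# target systems are compared with the prediction and every variance is
# classified as excessive or inadequate. The role model and the user data
# are constructed; which variances are auto-corrected is a policy choice.
from dataclasses import dataclass

ROLE_MODEL = {   # role -> entitlements it predicts, written as system:entitlement
    "finance-clerk": {"erp:ap-entry", "ad:grp-finance", "mail:finance-dl"},
    "erp-admin": {"erp:ap-entry", "erp:admin", "ad:grp-erp-admins"},
}


@dataclass(frozen=True)
class Variance:
    user: str
    entitlement: str
    kind: str  # "excessive" (held, not predicted) or "inadequate" (predicted, not held)


def predicted_entitlements(roles, model=ROLE_MODEL):
    predicted = set()
    for role in roles:
        predicted |= model[role]
    return predicted


def find_variances(assignments, actual, model=ROLE_MODEL):
    """assignments: user -> set of roles; actual: user -> set of entitlements
    as found on the target systems. Users present on only one side count:
    a user with entitlements but no role has nothing predicted at all."""
    variances = []
    for user in sorted(set(assignments) | set(actual)):
        predicted = predicted_entitlements(assignments.get(user, set()), model)
        held = actual.get(user, set())
        variances += [Variance(user, e, "excessive") for e in sorted(held - predicted)]
        variances += [Variance(user, e, "inadequate") for e in sorted(predicted - held)]
    return variances


def plan_enforcement(variances, auto_correct=("inadequate",)):
    """Split variances into corrections to apply automatically and deviations
    to send for approval. Default: grant what the model says is missing, but
    route removal of excess access through an approver, since that is the
    action most likely to break something or to be a sanctioned exception."""
    plan = {"auto_correct": [], "needs_approval": []}
    for v in variances:
        plan["auto_correct" if v.kind in auto_correct else "needs_approval"].append(v)
    return plan


# Constructed snapshot used by the demo and tests.
ASSIGNMENTS = {"alice": {"finance-clerk"}, "bob": {"erp-admin"}}
ACTUAL = {
    "alice": {"erp:ap-entry", "ad:grp-finance", "erp:admin"},  # erp:admin not predicted
    "bob": {"erp:ap-entry", "erp:admin", "ad:grp-erp-admins"},
    "carol": {"ad:grp-finance"},                                # no role at all
}

if __name__ == "__main__":
    for kind, items in plan_enforcement(find_variances(ASSIGNMENTS, ACTUAL)).items():
        print(kind, items)
```

Running this on a schedule is the "periodic checking" the entry describes; the same function run before a change is committed gives a preventive check instead.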
Risk Based
Authentication
Similar to layered authentication, risk-based authentication requires
various levels of proofs, depending on the risk level of the
transaction.
This term is used interchangeably for systems where risk
assessment is used in two different ways. In some systems, risk
assessment is used to determine the stringency of the processes
and procedures to enrol and use a particular set of resources. The
same credentials will be used in every session but people who need
different kinds of resources may use different credentials. A user
name and password will be sufficient for some people where others
with more access to sensitive information may need a two-factor
hardware token, for example.
The second way that risk-based authentication is used is where
systems actually require different authentication levels for the same
user, based on the specific transaction, not identity. For example,
many web services will use a cookie, placed on the browser from an
earlier session as a proof of identity for browsing catalogue pages
but will ask for a user name and password to make a purchase.
S/MIME S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol
that adds digital signatures and encryption to Internet MIME
(Multipurpose Internet Mail Extensions) messages.
MIME is the standard for Internet mail that makes it possible to send
more than text. A mail message is split into two parts: the header,
which contains the information needed to move the mail from the
source to its destination, and the body. The MIME structure allows
an e-mail body to contain graphics, audio and many other features
that improve communication over simple text. Almost all modern e-
mail systems support it.
SAML The Security Assertion Markup Language (SAML), was developed
by the OASIS Security Services Technical Committee (SSTC). It
provides an XML-based framework, both structures and
processes, for authorities to exchange authentication, attribute and
authorization information about a subject. The subject is usually a
person, but may be a computer or other entity, as long as it exists in
some security domain. SAML provides a standard way to do single
sign-on (SSO) that works independently of the underlying business
systems and therefore can be an integral part of Federated Identity
Management (FIM).
The previous browser-based methods for maintaining identity during
a session had serious deficiencies which the designers wanted to
address, including the issues associated with using cookies to
establish authenticated sessions. Cookies do not let one
organization vouch for an entity that they've already authenticated,
but SAML assertions support this.
Secure Kiosk
Account (SKA)
A secure kiosk account is a special Windows login ID and password,
which is well known to users (for example, it may be advertised on
the wallpaper image of the login screen). Special security policies
are applied to this account, so that when it signs into a Windows
workstation, a locked down (kiosk-mode) web browser is launched
instead of the normal Windows desktop.
A SKA is a mechanism that allows users to access a self-service
password reset web application despite being locked out of the
initial workstation login screen.
Security
Administrator
A security administrator is a person responsible for maintaining a list
of users, their identity attributes, their passwords or other
authentication factors and their security privileges on one or more
target systems. The security administrator may not have the
responsibility or ability to reconfigure or otherwise manage the
system itself; that is the job of a system administrator.
Security Credentials Credentials are the data used to both identify and authenticate a
user. The most common credentials are login IDs and passwords.
Other credentials refer to other types of authentication factors,
including biometric samples of the user, public key certificates, etc.
Security Database A security database is the native storage used by a system or
application to house records about users, passwords and privileges.
Examples are the SAM database in Windows, the passwd file on
Unix/Linux and RACF on mainframes.
Security Entitlement An entitlement is the object in a system's security model that can be
granted or associated to a user account to enable that account to
perform (or in some cases prevent the performance of) some set of
actions in that system. It was commonly accepted that this definition
of entitlement referred to the highest-order grantable object in a
system's security model, such as an Active Directory group
membership or SAP role, and not lower-order objects such as a
single-file permission setting.
Security Entitlement
Audit
In many organizations, security entitlements have to be reviewed
from time to time. This is done because business processes relating
to changing needs are often reliable with respect to granting new
entitlements, but less reliable with respect to deactivating old,
unneeded entitlements. A periodic audit can be used to find and
remove such old, unneeded entitlements.
Security Entitlement
Change
Users' needs to access sensitive resources may change from time to
time. For example, an employee may join a new project, finish an
old one or change roles. When this happens, new security
entitlements are often needed and old ones should be removed.
Security
Equivalence
Two authentication processes are considered to be equivalent if (a)
they are about equally difficult to defeat or (b) by defeating one of
them, an intruder can subsequently defeat the other.
An example of the latter is a PIN-based enrolment of
challenge/response data. In this scenario, users are e-mailed a PIN,
which they use to authenticate and complete a personal
challenge/response profile. This profile may later be used in the
context of self-service password reset. In this scenario, the PINs are
equivalent to the challenge/response data, and that is equivalent to
user login passwords, so ultimately enrolment PINs are
security-equivalent to login passwords (a bad thing!).
Security Group A security group is a named collection of users, which has been
defined in order to simplify the assignment of entitlements. The idea
is to assign multiple entitlements to the group, rather than assigning
entitlements, again and again, to every user that belongs to the
group.
Self Service
Password Reset
Self-service password reset (SSPR) is a password reset process
carried out by the user himself, without calling the help desk. Users
normally authenticate using challenge/response, a hardware token
or a biometric.
SSPR is normally deployed to reduce IT support cost, by diverting
the resolution of password problems away from the (expensive,
human) help desk.
Segregation of
Duties Policy
A segregation of duties (SoD) policy is a rule regarding user
entitlements intended to prevent fraud. It stipulates that one user
may not concurrently be assigned two or more key functions in a
sensitive business process.
Sequential
Approvals
A sequential authorization process is one where multiple authorizers
are invited to comment, one after another.
Sequential (or serial) authorization has the advantage of minimizing
the nuisance to authorizers in the event that an early authorizer
rejects a change request.
Service Account
Password
A service account password is used on Windows systems to start a
service program which runs in a context other than that of the
SYSTEM user. The service control manager uses a login ID and
password (of the service account) to start the service program.
Shared Account A shared account is a login ID on a system or application that is
used by more than one human or machine user. Privileged accounts
are often shared: for example, root, sa or Administrator by
system administrators.
Simple Role A simple role is a collection of entitlements defined within the
context of a single system. Roles are used to simplify security
administration on systems and applications, by encapsulating
popular sets of entitlements and assigning them as packages, rather
than individually, to users.
Single Sign On
(SSO)
Single sign-on (SSO) describes the ability to use one set of
credentials, an ID and password or a passcode for example, to
authenticate and access information across a system, application
and even organizational boundaries. It may be called Web SSO
when everything is accessed through a browser.
With SSO a person authenticates only one time for a particular
working session regardless of where the information that they want
to access is located. This process offers enhanced security over a
simple synchronization of passwords.
Smart Card A smart card is a credit card sized device that contains a tamper
proof computer chip. When it is used for security, this chip can hold
and protect various types of credentials that the bearer can use for
authentication. Smart card authentication requires a card reader.
Smart cards, like tokens, were developed for strong or two-factor
authentication. So in addition to swiping the card to prove ownership
of the credentials contained on it (something he has), the owner
usually has to enter a PIN or password (something he knows).
The infrastructure to support smart cards must include a method to
securely write the credentials to the card, usually a dedicated
computer and an application with administrator-only access to the
server. Administrator access is often supplied with a mother card.
The advantage that smart cards have over tokens is that the
memory chip can hold more information: separate credentials for
multiple applications or for different authentication methods, for
example.
SSL-VPN Although the Secure Sockets Layer (SSL) is a protocol designed
specifically for web browsers to securely access web-based
applications, the fact that it encrypts information and that it
authenticates at least one of the parties, also makes it a Virtual
Private Network (VPN). One of the best things about this protocol is
that most computers have a browser; that means that no new
software needs to be added to the client in order to use this method.
Static SoD Policy A static segregation of duties policy is one that prevents one login
account or user profile from having two or more conflicting
entitlements. These entitlements may be thought of as a toxic
combination. For example, the same user may not both authorize an
expense and print the cheque to pay for it.
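The Segregation of Duties Policy and Static SoD Policy entries, as an added example (not code from the glossary or from Magnaquest): toxic combinations are expressed as unordered pairs of entitlements, an audit pass finds every user who holds a complete pair, and a preventive check answers whether a proposed grant would create one. The entitlement names and rules are constructed; the first rule is the entry's own expense/cheque example.

```python
# Added example (not from the glossary or Magnaquest): static segregation-
# of-duties check. A user (or login account) may not hold two entitlements
# that together form a toxic combination. Rules and data are constructed.
from itertools import combinations

# Constructed policy: unordered pairs of conflicting entitlements -> reason
SOD_RULES = {
    frozenset({"erp:approve-expense", "erp:print-cheque"}):
        "approve an expense and print the cheque that pays it",
    frozenset({"erp:create-vendor", "erp:approve-invoice"}):
        "create a vendor and approve that vendor's invoices",
}


def sod_violations(user_entitlements, rules=SOD_RULES):
    """Detective check over a snapshot: user -> set of entitlements.
    Returns (user, (entitlement_a, entitlement_b), reason) per toxic pair."""
    found = []
    for user, ents in user_entitlements.items():
        for a, b in combinations(sorted(ents), 2):
            reason = rules.get(frozenset({a, b}))
            if reason:
                found.append((user, (a, b), reason))
    return found


def would_violate(current, new_entitlement, rules=SOD_RULES):
    """Preventive check before a grant: the existing entitlements that
    would conflict with the proposed one (empty list means safe to grant)."""
    return sorted(e for e in current if frozenset({e, new_entitlement}) in rules)


# Constructed snapshot used by the demo and tests.
SNAPSHOT = {
    "dana": {"erp:approve-expense", "erp:print-cheque", "mail:all"},  # toxic pair
    "erik": {"erp:create-vendor"},                                     # half a pair
}

if __name__ == "__main__":
    print(sod_violations(SNAPSHOT))
    print(would_violate(SNAPSHOT["erik"], "erp:approve-invoice"))
```

Because the rules are keyed on `frozenset` pairs, the order in which the two entitlements are written never matters, and the same table serves both the periodic audit and the point-of-grant check.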
Strong
Authentication
Strong authentication refers to an authentication process which is
difficult to simulate. It may be based on use of multiple
authentication factors or use of a single but hard-to-spoof
authentication factor.
Support Analyst An IT support analyst is a user with special privileges, which allow
him to assist other users, for example by resetting their forgotten
passwords.
Target Connector A connector is a piece of software used to integrate an identity
management system with a given type of target system.
Target Platform A target platform is a type of target system. For example, it might be
an operating system (e.g., Unix, Windows), a type of database (e.g.,
Oracle, Microsoft SQL) or a type of application (e.g., SAP R/3,
PeopleSoft). An identity management system typically needs a
different connector for each type of integrated target platform.
Target System Systems and applications where information about users resides
and which are integrated into an identity management infrastructure
are called target systems. They may include directories, operating
systems, databases, application programs, mainframes, e-mail
systems, etc.
Target System
Administrator
A system administrator is a user with absolute control over a target
system. The system administrator may install any or all software on
the managed system, can create or delete other users on that
system, etc.
Termination All users eventually leave an organization. Likewise, customers may
terminate their relationship with vendors. Generically, these events
are called termination.
Token A token (sometimes called a security token) is an object that
controls access to a digital asset. Traditionally, this term has been
used to describe a hardware authenticator, a small device used in a
networked environment to create a one-time password that the
owner enters into a login screen along with an ID and a PIN.
However, in the context of web services and with the emerging need
for devices and processes to authenticate to each other over open
networks, the term token has been expanded to include software
mechanisms, too.
Transparent
(Automatic)
Password Synchronization
Transparent password synchronization works by intercepting native
password changes on an existing system or application and
automatically forwarding the user's chosen new password to other
systems. It is called transparent since the user is not presented with
any new user interface.
Transparent password synchronization typically must enforce a
multi-system password policy in addition to the native policy of the
system where synchronization is initiated. This policy should be at
least as strong as the policies in each of the target applications.
Trust Relationship A trust relationship is a codified arrangement between two domains
where users and/or services exist. One domain (A) trusts the other
(B) to identify, authenticate and authorize B's users to access A's
resources.
Simple trust relationships are two-way, while complex ones may
have groups of multi-way trust (i.e., any organization in a group
trusts any other to make assertions about its own users).
Two-Factor
Authentication
Two-factor authentication is also called strong authentication. It is
defined as two out of the following three proofs:
Something known, like a password,
Something possessed, like your ATM card, or
Something unique about your appearance or person, like a fingerprint.
User Creation When users join an organization, they are normally granted access
to systems and applications. This is called user creation.
User Life Cycle
Management
User life-cycle management covers the entire process of identity
management over time. It includes the technologies used for
provisioning and password resets but it also includes the processes
and policies associated with these technologies.
Who decides what access a user needs; how easy should it be for a
user to reset a password; do we need different levels of
authentication for highly sensitive information; and when do we
disable a user's account or delete it? These are all policy issues.
The security architecture and tools that a company chooses need to
support the policies in a way that's consistent with the organization's
goals.
An organization needs to analyze the policies and tasks associated
with provisioning access to information resources; this is highly
visible to new customers, employees, or partners. But it also needs
to look at frequently repeated tasks like password resets, moves
and changes, to save time and reduce costs. A way to efficiently de-
provision must be built into the architecture because un-used
accounts, and accounts that are linked to people who no longer
need access continue to be a major source of security breaches in
the enterprise.
User Provisioning A user provisioning system is shared IT infrastructure which is used to externalize the management of users, identity attributes and
entitlements from individual systems and applications.
User provisioning is intended to make the creation, management
and deactivation of login accounts and other user objects, which are
spread across multiple systems, faster, cheaper and more reliable.
This is done by automating and codifying business processes such
as onboarding and termination and connecting these processes to
multiple systems.
User provisioning systems work by automating one or more
processes:
Identity synchronization:
Detect changes to personal data, such as phone numbers or
department codes, on one system and automatically make
matching changes on other systems for the same user.
Auto-provisioning:
Detect new user records on a system of record (such as HR)
and automatically provision those users with appropriate
access on other systems and applications.
Auto-deactivation:
Detect deleted or deactivated users on an authoritative
system and automatically deactivate those users on all other
systems and applications.
Self-service requests:
Enable users to update their own profiles (e.g., new home
phone number) and to request new entitlements (e.g.,
access to an application or share).
Delegated administration:
Enable managers, application owners and other stake-
holders to modify users and entitlements within their scope
of authority.
Authorization workflow:
Validate all proposed changes, regardless of their origin and
invite business stake-holders to approve them before they
are applied to integrated systems and applications.
Consolidated reporting:
Provide data about what users have what entitlements, what
accounts are dormant or orphaned, change history, etc.
across multiple systems and applications.
As well, a user provisioning system must be able to connect these
processes to systems and applications, using connectors that can:
List existing accounts and groups.
Create new and delete existing accounts.
Read and write identity attributes associated with a user
object.
Read and set flags, such as "account enabled/disabled,"
"account locked," and "intruder lockout."
Change the login ID of an existing account (rename user).
Read a user's group memberships.
Read a list of a group's member users.
Add an account to or remove an account from a group.
Create, delete and set the attributes of a group.
Move a user between directory organizational units (OUs).
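The auto-provisioning, auto-deactivation, identity-synchronization and orphan-reporting processes above, carried out as one reconciliation pass; this is an added example, not the glossary's or any product's code, and the in-memory dicts stand in for what a connector's "list existing accounts" and "read identity attributes" calls would return.

```python
"""Reconciling an HR system of record against a target system.

Added example: one pass over two constructed data sets proposes the
auto-provisioning, auto-deactivation, identity-synchronization and
orphan-report actions a user provisioning system performs. The dicts
and records stand in for data a connector would list from real systems.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    login: str
    owner: Optional[str]   # id of the HR person this account is linked to; None = unknown
    enabled: bool
    attrs: dict = field(default_factory=dict)


# Constructed system of record: active and terminated people with identity attributes.
HR = {
    "p100": {"active": True,  "dept": "FIN", "phone": "555-0100"},
    "p101": {"active": True,  "dept": "ENG", "phone": "555-0101"},   # no account yet
    "p102": {"active": False, "dept": "ENG", "phone": "555-0102"},   # terminated
}

# Constructed target-system state, as a connector's account listing would return it.
TARGET = [
    Account("ajones",  "p100", True, {"dept": "FIN", "phone": "555-0199"}),  # stale phone
    Account("bkim",    "p102", True, {"dept": "ENG", "phone": "555-0102"}),  # owner terminated
    Account("svc_old", None,   True),                                        # no owner: orphan
]


def reconcile(hr, target):
    """Return the changes a provisioning engine would submit to authorization workflow."""
    by_owner = {a.owner: a for a in target if a.owner}
    plan = {"provision": [], "deactivate": [], "sync": {}, "orphans": []}
    for pid, rec in hr.items():
        acct = by_owner.get(pid)
        if rec["active"] and acct is None:
            plan["provision"].append(pid)           # auto-provisioning
        elif not rec["active"] and acct is not None and acct.enabled:
            plan["deactivate"].append(acct.login)   # auto-deactivation
        elif acct is not None:
            # identity synchronization: attributes where the target lags the system of record
            diff = {k: v for k, v in rec.items() if k != "active" and acct.attrs.get(k) != v}
            if diff:
                plan["sync"][acct.login] = diff
    # consolidated reporting: accounts with no owner, or an owner unknown to HR
    plan["orphans"] = [a.login for a in target if a.owner is None or a.owner not in hr]
    return plan
```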
User Profile The set of login accounts, identity attributes and security
entitlements associated with a single (human) user.
Verification During a Knowledge Based Authentication session, the process that
ensures that the data provided for an individual exists and matches
(name, address, social security number, date of birth, driver's
license).
Veto Power Veto power is a right assigned to authorizers in an approvals
process whereby rejection of a change request by the authorizer
who has veto power cancels the request, regardless of any
approvals previously received from other authorizers.
Vetting The process of thorough examination and evaluation.
Virtual Directory A virtual directory is an application that exposes a consolidated view
of multiple physical directories over an LDAP interface. Consumers of the directory information connect to the virtual directory's LDAP
service and behind the scenes requests for information and
updates to the directory are sent to one or more physical directories,
where the actual information resides. Virtual directories enable
organizations to create a consolidated view of information that for
legal or technical reasons cannot be consolidated into a single
physical copy.
Web Access
Management
Web access management enables organizations to carefully
manage access rights to web-based resources on intranets,
extranets, portals and exchange infrastructures. With growing
numbers of internal and external users, and more and more
enterprise resources being made available online, it is critical to
ensure that qualified users can access only those resources to
which they are entitled. Web access management does just that: it
offers business rule-based access management that is easy to
deploy and monitor for compliance.
Web Based Password Synchronization Web-based password synchronization works by having a user sign
into a consolidated web page to change multiple passwords, rather
than waiting for each system or application to prompt the user to
change just one password.
Users typically sign into the password synchronization web page
using a primary login ID and password and can then specify a new
password, which will be applied to multiple systems and
applications.
A password synchronization web application typically must enforce
a password policy, which should be at least as strong as the policies
in each of the target applications.
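The multi-system password policy that both transparent and web-based password synchronization must enforce, built as the strongest rule in each dimension across the targets' native policies; this is an added example, not from the glossary, and the target names and policy values are constructed.

```python
"""Multi-system password policy for password synchronization.

Added example: a password pushed to several targets must satisfy every
target's native policy, so the enforced policy takes the strongest rule in
each dimension. Target names and policy values are constructed.
"""
import re

# Constructed per-target native policies.
TARGET_POLICIES = {
    "ad":        {"min_length": 8,  "max_length": 127, "classes": {"upper", "lower", "digit"}},
    "mainframe": {"min_length": 6,  "max_length": 16,  "classes": {"upper", "digit"}, "forbid": "@"},
    "oracle":    {"min_length": 10, "max_length": 30,  "classes": {"lower", "digit", "symbol"}},
}

CLASS_RE = {"upper": r"[A-Z]", "lower": r"[a-z]", "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}


def combined_policy(policies):
    """Max of minimum lengths, min of maximum lengths, union of required classes and forbidden chars."""
    combined = {
        "min_length": max(p["min_length"] for p in policies.values()),
        "max_length": min(p["max_length"] for p in policies.values()),
        "classes": set().union(*(p["classes"] for p in policies.values())),
        "forbid": "".join(sorted(set("".join(p.get("forbid", "") for p in policies.values())))),
    }
    # Targets whose length ranges do not overlap leave no valid password: a configuration error.
    if combined["min_length"] > combined["max_length"]:
        raise ValueError("no password satisfies all targets: min %d > max %d"
                         % (combined["min_length"], combined["max_length"]))
    return combined


def check_password(password, policy):
    """Return the rules the candidate breaks (empty list = acceptable on every target)."""
    failures = []
    if len(password) < policy["min_length"]:
        failures.append("min_length")
    if len(password) > policy["max_length"]:
        failures.append("max_length")
    for cls in sorted(policy["classes"]):
        if not re.search(CLASS_RE[cls], password):
            failures.append(cls)
    if any(ch in policy["forbid"] for ch in password):
        failures.append("forbid")
    return failures
```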
Web Proxy A web proxy acts on behalf of one or more web browsers, fetching
web pages for users and possibly adding capabilities such as
caching (to reduce an organization's bandwidth usage), filtering (to
block unwanted content) and monitoring (to record user activity).
Web proxies act on behalf of one or more users.
Web Server Agent An agent installed on a web server may be used to implement a
WebSSO system by injecting user identification, authentication and
authorization data into the requests sent from a user's browser to
the web server. more web applications, may modify the HTTP or HTTPS requests (for instance, inserting credentials), and requests
web pages on behalf of the user.
The server agent architecture has the advantage of not requiring
new hardware to be deployed when implementing a WebSSO
system.
Web SSO
Authentication
Server
In a WebSSO system, one or more servers are dedicated to the
function of authenticating users and determining what operations
they will be permitted to perform. These are called authentication servers.