Dictionary – identity management guide
ABAC, Attribute-Based Access Control
Attribute-driven access to resources; for example, a user is assigned an account on an information system based on their department.
A service that provides authentication, authorization, control, and policy enforcement over corporate systems.
The process by which a user’s identity is confirmed in terms of assigned permissions.
User authentication using login credentials, typically a name and password.
Authoritative source
A system, or more precisely a repository within a system, that serves as the source of truth for defined identity attributes. Different identity attributes may have different authoritative sources. Example: a personnel system is the authoritative source for personal information about an employee.
A security mechanism that allows or denies access rights to corporate resources such as applications, files, and data.
A process that provides an overview of permissions across the entire company. An authorization audit can be comprehensive (showing all access to all systems), but it is more often used to determine who has access to a particular resource (information system), or which resources a particular person has access to.
BYOD, Bring Your Own Device
BYOID, Bring Your Own Identity
An identity management approach that allows users (usually customers) to access protected resources with an identity issued by another identity provider (for example, logging in with a Facebook, Google or Yahoo account). See Federation, OpenID, OAuth.
Cloud Service Provider
A service provider that offers capacity or a software service available as a hosted solution or on-premises in a private cloud (dedicated hosting for customer use only).
Credentials
Access credentials that the user uses to authenticate their identity. Examples of credentials: username and password, card PIN, SMS token, smartcard, hardware key.
Deprovisioning
Removing a user’s identity from the identity store and the user’s accounts from systems and services (for example, when someone leaves the company). This action also removes the permissions that the identity has acquired during its existence. From a security perspective it is a key element of the identity lifecycle.
Entity
A term with a broad scope; in general it means an object (person, animal, thing or phenomenon). In the identity and access management environment it usually means either a person in relation to an information system, an organizational unit, or a permission object.
Entitlement
The ability or right to access a service or resource. Example: a new employee has an entitlement to access company email. However, this is only granted once the employee has been established in the information systems (provisioning) and the appropriate permissions have been set.
Federation
A trust relationship between identity providers and service providers that enables the exchange of information. It allows a user to log in to a service using an identity provider where they already have an account, thus improving the user experience. For example, Facebook Connect allows users to log in to different web services using a Facebook account. See BYOID.
Group
A software-created grouping that allows different identities to be managed as one category. Groups are used, for example, to define roles and other affiliations, and they simplify access control. Examples of groups: a list of email addresses within a newsletter, a list of people who are allowed to enter a building. Groups can be nested hierarchically; an organizational structure is one example.
IaaS, Infrastructure as a Service
A method of IT resource management in which a company outsources a portion of its IT infrastructure to a service provider that manages it. Examples of outsourcing from this category: desktop virtualization, Internet connectivity, administrative tasks.
IAM, Identity and Access Management
A solution layered over an organization’s information systems that provides user authentication, authorization and SSO. It also allows companies to manage and control the security of these accesses (who has access where and why, who accessed what and when). See Identity management and Access management.
IAMaaS, Identity and Access Management as a Service
A method of IT resource management in which a company outsources its IAM to a service provider that takes care of it. Here, the provider is responsible for the physical security of the solution.
IDaaS, Identity as a Service
Identification
The process of collecting and evaluating personal information for user authentication. An example is the verification of a person in the human resources department, which then enters the verified data into the identity repository. Successful identification is a prerequisite for registration.
Identifier
A label (name, employee number, or other text) that gives a person a designation. This label makes it easier to identify who does or uses what. For example, the label “Karel Novak” can be assigned to the email address firstname.lastname@example.org. A person may have multiple identifiers, which can be useful in different situations.
Identity, digital identity
A characteristic tied to a particular person. This can be a phone number, a permanent address, an email address, and other details. There are usually rules on how to handle such attributes, whether at the corporate level (standard business practices) or governmental (Personal Information Protection Act).
Identity management
An integrated system consisting of business rules, processes and technology that enables an organization to control access to internal and external resources (information systems, services and devices), including the protection of sensitive data from unauthorized access. It includes a range of solutions that work together to manage authentication, access rights and restrictions, profiles, passwords and other attributes tied to the user.
Identity Lifecycle Management
A set of processes that create and manage digital identities. Lifecycle management typically consists of synchronizing, provisioning, and deprovisioning user accounts and managing the technologies that process user identity data.
Identity provider, IdP
A service that creates a relationship between users and service providers and mediates data transactions between them. This allows service providers to use the identity provider’s login credentials, instead of service providers creating their own new records for each new user.
Single-factor authentication
Authenticating a user with only one means of authentication, typically a name and password.
Level of Assurance, LoA
The degree of certainty with which the user has been correctly identified based on their login credentials. New standards are emerging in this area, such as the US NIST 800-63.
MDM, Mobile Device Management
Management of mobile devices, used wherever a controlled environment for running applications and accessing data is needed. It is usually handled by software, such as a virtualized environment on the mobile device.
MIM, Mobile Identity Management
Identity management in mobile devices where the SIM card acts as an identification tool. Mobile identity allows you to bundle authentication with transaction signing for online banking, payment confirmation, corporate services and online content.
Start of a new employee, Onboarding
The process of introducing a new employee to the corporate identity and permissions management system (IAM).
OAuth
An open standard for authorization that allows certain applications to programmatically access resources in an information system on behalf of an end user. For example, in the case of a Facebook or Google account, this mechanism allows the user to choose which information in their account a third-party application may access.
Employee departure, Offboarding
The process of removing a user from the corporate IAM system. The IAM system here provides a defined level of assurance that the user has lost their assigned permissions and has been correctly removed from the company’s information systems.
On-demand software
A service providing software on demand; see SaaS.
On-premises
Capacity or a software service that is operated on the customer’s own premises (premises = buildings; on-premises = in the company’s own buildings). The original, and still dominant, way of operating; it is gradually being complemented and replaced by cloud-based operation.
OpenID
A standardized method of decentralized authentication. It is an open form of federated identity management (see Federation).
OTP, One-Time Password
A password that is valid for a single login. It can be time-limited or pre-generated as one of a series of passwords. Examples are Google Authenticator (OTP generated by an app) or an OTP sent by the server as an SMS code.
Outsourcing
Separation of various support and ancillary activities and entrusting them to another company or subcontractor specialised in the relevant activity. This is a form of division of labour in which the activity is not carried out by the company’s own employees but on the basis of a contract.
PaaS, Platform as a Service
A service designed to allow customers to create their own online applications. The PaaS provider provides customers with the tools and libraries necessary to develop these applications. Usually, the application is created faster and easier this way than if the customer were to develop it from scratch themselves.
Persona (Latin “mask”)
A digital identity that a user can choose to represent them in a particular context. For example, an IT worker may have access to the digital identities “user” and “administrator”. While the “administrator” identity gives the IT worker the ability to act as an administrator within a defined scope, the “user” identity allows the worker to operate at the level of ordinary users. These different digital identities also have different login credentials. Another reason for introducing personas may be to prevent administrative mix-ups: privileged users work under their ordinary user persona and switch to a different persona (a separate digital identity) only for administrative tasks.
Privilege
A construct that speeds up and simplifies access control. Privileges give entities specified rights within the infrastructure. They are typically defined by entitlements (see Entitlement) and application access policies.
Example use case: imagine a system privilege that allows users with the role “Business Analyst” to issue invoices up to 100,000 CZK within the “Accounting” application. This action must, however, take place during business hours and not within 3 days before the quarterly closing.
The expression used for this privilege will be of the form: an “identity with given attributes/role” is allowed to call a given “method” on a defined “object” under “certain circumstances” that do not conflict with “other circumstances”.
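The privilege expression above (and the attribute-driven decision described under ABAC) can be evaluated mechanically. The Python below is an added example, not code from the glossary: it models the subject’s attributes and roles, the method, the object and the circumstances of the request, and evaluates the invoice privilege with deny-by-default. The business hours (08:00 to 17:00, Monday to Friday), the assumption that the quarterly closing falls on the last day of the quarter, and the sample subject are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta
from typing import Set, Tuple


@dataclass
class Subject:
    """Identity with attributes; roles are attributes too."""
    name: str
    department: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class Request:
    """Who calls which method on which object, under which circumstances."""
    subject: Subject
    method: str        # e.g. "issue_invoice"
    obj: str           # e.g. "Accounting"
    amount_czk: int    # attribute of the operation itself
    at: datetime       # when the request is made


# Circumstances assumed by this example (constructed).
BUSINESS_HOURS = (time(8, 0), time(17, 0))
QUARTER_END_MONTHS = (3, 6, 9, 12)


def quarter_closing_date(d: date) -> date:
    """Last day of the quarter containing d; assumed to be the closing date."""
    end_month = next(m for m in QUARTER_END_MONTHS if m >= d.month)
    if end_month == 12:
        return date(d.year, 12, 31)
    return date(d.year, end_month + 1, 1) - timedelta(days=1)


def in_business_hours(at: datetime) -> bool:
    return at.weekday() < 5 and BUSINESS_HOURS[0] <= at.time() < BUSINESS_HOURS[1]


def in_closing_blackout(at: datetime, days: int = 3) -> bool:
    """True on the closing date and on the `days` days leading up to it."""
    days_before = (quarter_closing_date(at.date()) - at.date()).days
    return 0 <= days_before < days


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate the privilege from the text: an identity with the role
    "Business Analyst" may call "issue_invoice" on "Accounting" for amounts up
    to 100,000 CZK, during business hours and not within 3 days before the
    quarterly closing. Anything not explicitly permitted is denied."""
    if (req.method, req.obj) != ("issue_invoice", "Accounting"):
        return False, "no privilege covers this method/object"
    if "Business Analyst" not in req.subject.roles:
        return False, "role Business Analyst required"
    if req.amount_czk > 100_000:
        return False, "amount exceeds the 100,000 CZK limit"
    if not in_business_hours(req.at):
        return False, "outside business hours"
    if in_closing_blackout(req.at):
        return False, "within 3 days before quarterly closing"
    return True, "permitted"


if __name__ == "__main__":
    analyst = Subject("Jana Novak", "Finance", {"Business Analyst"})  # constructed
    for amount, when in [(45_000, datetime(2024, 5, 14, 10, 30)),
                         (250_000, datetime(2024, 5, 14, 10, 30)),
                         (45_000, datetime(2024, 6, 28, 10, 30))]:
        req = Request(analyst, "issue_invoice", "Accounting", amount, when)
        print(amount, when.isoformat(), decide(req))
```

Each denial carries the circumstance that failed, which is what an authorization audit later needs in order to explain a decision.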
Privilege management system
A system that allows the owner of an information system (generally a resource) to modify or assign policies in accordance with corporate policies and business practices. A properly configured privilege management system requires close cooperation between information system owners, corporate policy administrators and system architects.
Privileged Identity Management (PIM)
An IAM solution that specializes in privileged accounts in applications and operating systems (root, Administrator). The solution includes consistent monitoring of user activity so that the actions performed can be proven, ensuring non-repudiation of the user’s activity.
Proof of identity
The process by which a natural person (entity) is bound to its digital identity. This can be ensured, for example, at the registration stage, when the individual sends a copy of his/her passport or driving licence.
Provisioning
Usually an automated process that ensures that users with the correct permissions (see Entitlement) gain access to the desired system or service. During provisioning, an account is typically created in the information system and its attributes are set. The opposite activity is called deprovisioning.
RAdAC, Risk-Adaptable Access Control
An advanced access control model in which the decision to grant or deny a request for access to a system or service depends on a dynamic risk assessment. RAdAC is a privilege management system and can be implemented using XACML, for example.
Example of a RAdAC use case: in a local area network environment, an administrator is allowed to log in to an information system using a name and password. However, if accessed from an external environment or outside working hours, two-factor authentication is required.
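The use case above, worked through as an added Python example (not from the glossary): risk signals (source network, time of request, whether the account is privileged) are added into a score, the score selects how many independent authentication factors the request must present, and a request that fires every signal is refused outright. The internal address ranges, working hours, signal weights, thresholds and the factor classification are all assumptions of this example. Two factors of the same kind (password and PIN) are deliberately counted as one, since they are not independent.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Iterable, Tuple

# Constructed policy inputs.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WORK_HOURS = range(8, 18)          # 08:00 to 17:59, Monday to Friday

# Factor kinds: knowledge / possession / inherence.
FACTOR_KIND = {
    "password": "knowledge", "pin": "knowledge",
    "totp": "possession", "smartcard": "possession",
    "fingerprint": "inherence",
}


def risk_score(src_ip: str, at: datetime, privileged: bool) -> int:
    """Add up the risk signals present in the request."""
    score = 0
    if not any(ip_address(src_ip) in net for net in INTERNAL_NETS):
        score += 40        # request does not come from the local network
    if at.weekday() >= 5 or at.hour not in WORK_HOURS:
        score += 30        # outside working hours
    if privileged:
        score += 20        # administrator account: higher impact if compromised
    return score


def independent_factors(presented: Iterable[str]) -> int:
    """Count distinct factor kinds, so password + PIN is still one factor."""
    return len({FACTOR_KIND[f] for f in presented if f in FACTOR_KIND})


def decide(src_ip: str, at: datetime, privileged: bool,
           presented: Iterable[str]) -> Tuple[str, int]:
    """Return ("allow" | "step_up" | "deny", score). On the LAN during working
    hours a single factor suffices; from outside or out of hours two independent
    factors are required; when all three signals fire the request is refused."""
    score = risk_score(src_ip, at, privileged)
    if score >= 90:
        return "deny", score
    needed = 2 if score >= 30 else 1
    verdict = "allow" if independent_factors(presented) >= needed else "step_up"
    return verdict, score


if __name__ == "__main__":
    office_hours = datetime(2024, 5, 14, 10, 0)     # a Tuesday (constructed)
    print(decide("10.1.2.3", office_hours, True, {"password"}))
    print(decide("203.0.113.5", office_hours, True, {"password"}))
    print(decide("203.0.113.5", office_hours, True, {"password", "totp"}))
```

The "step_up" verdict is what the service provider turns into a prompt for the second factor; "deny" is the case the definition mentions where the risk assessment refuses access altogether.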
RBAC, Role-Based Access Control
A model in which users are assigned roles that give them some degree of access to a resource. The role assignment guarantees the user a defined set of entitlements (entitlement claims) that are assigned either automatically, or upon meeting a certain condition, or upon approval by the responsible persons. The advantage of the RBAC model is the reusability of the assigned roles and the possibility to define role attributes – e.g. description.
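An added Python example (not from the glossary) of the RBAC model described above, which also serves the authorization-audit views defined earlier on the page: roles carry entitlements and a description attribute, roles can inherit from other roles, and identities are assigned roles only. The functions answer both audit questions, who has access to a given resource and what a given person has access to, plus the comprehensive matrix. The role model and identities are constructed sample data.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

Entitlement = Tuple[str, str]   # (resource, permission)

# Constructed role model.
ROLE_ENTITLEMENTS: Dict[str, Set[Entitlement]] = {
    "employee":   {("email", "use"), ("intranet", "read")},
    "accountant": {("accounting", "post_invoice")},
    "auditor":    {("accounting", "read_ledger"), ("hr", "read_reports")},
    "hr_admin":   {("hr", "edit_records")},
}
ROLE_PARENTS: Dict[str, Set[str]] = {   # child role inherits its parents' entitlements
    "accountant": {"employee"},
    "auditor":    {"employee"},
    "hr_admin":   {"employee"},
}
ROLE_DESCRIPTION = {                    # a role attribute for the end user
    "employee": "Every active employee",
    "accountant": "Posts invoices in Accounting",
    "auditor": "Read-only access to ledgers and HR reports",
    "hr_admin": "Maintains HR records",
}
ASSIGNMENTS: Dict[str, Set[str]] = {    # identity -> directly assigned roles
    "jnovak":  {"accountant"},
    "mkral":   {"auditor", "hr_admin"},
    "pdvorak": {"employee"},
}


def expand_roles(roles: Iterable[str]) -> Set[str]:
    """Transitive closure over role inheritance; safe against cycles."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_PARENTS.get(role, ()))
    return seen


def effective_entitlements(identity: str) -> Set[Entitlement]:
    """Audit view: what resources a particular person has access to."""
    ents: Set[Entitlement] = set()
    for role in expand_roles(ASSIGNMENTS.get(identity, set())):
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def is_permitted(identity: str, resource: str, permission: str) -> bool:
    return (resource, permission) in effective_entitlements(identity)


def who_has_access(resource: str, permission: Optional[str] = None) -> List[str]:
    """Audit view: who has access to a particular resource, optionally
    narrowed to a single permission."""
    return sorted(identity for identity in ASSIGNMENTS
                  if any(res == resource and permission in (None, perm)
                         for res, perm in effective_entitlements(identity)))


def access_matrix() -> Dict[str, List[Entitlement]]:
    """Comprehensive audit: all access to all systems."""
    return {identity: sorted(effective_entitlements(identity)) for identity in ASSIGNMENTS}


if __name__ == "__main__":
    for identity, ents in access_matrix().items():
        print(identity, ents)
    print("hr:", who_has_access("hr"), "-", ROLE_DESCRIPTION["hr_admin"])
```

Because identities never hold raw entitlements, revoking one role assignment removes every permission it implied, which is what makes the role reusable across many users.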
The process of restarting approval workflows over a group of permissions to confirm that those permissions are current and valid. This is used where there is less formal oversight of identities, such as with vendors.
Remediation
The process of dealing with audit report findings. Exceptions to company policies are also handled in the remediation process: since resolving the exception itself lies outside the scope of remediation, the remediator marks it either as resolved (compliance is then rechecked next time) or as accepted (it is then simply skipped).
Registration
A process that provides users with electronic login credentials and binds their identity to a service. This process may include verification of the user’s identity (see Identification).
Repository of identities
A system dedicated as a data repository for the IAM system. It contains digital identities, their attributes and assigned permissions. It is typically a relational or hierarchical database. The corporate infrastructure then uses the identity repository as a source of authentication and authorization.
Password reset
The process by which a user changes their own password. The goal of this self-service feature is to reduce the time IT administrators spend responding to support requests. A password reset usually takes place in the browser and allows the user to reset a forgotten password after correctly answering questions that verify the user’s identity.
Role
A separate entity that carries permissions to an application (see Entitlement) or identifies a group of users (where the group is defined with the intention of giving its members the same set of privileges). A role is the basis of authorization in modern information systems. The advantage of a role is its reusability and the ability to attach additional attributes to it, making it more comprehensible to the end user. See RBAC.
Designated person responsible for the position of Methodologist. His/her responsibility is to ensure that each role created meets the business requirements.
SaaS, Software as a Service
A model in which the running of the software is outsourced to a cloud server. The software is usually accessible via a web browser, but this is not a requirement. The software and associated data are hosted in the cloud. Sometimes this model is also referred to as “on-demand software”.
SAML, Security Assertion Markup Language
A standard for exchanging user information in a federated environment between an identity provider and a service provider, focusing on authentication, authorization, and user attributes. Example use case: logging into a website using a Facebook account. The standard is based on XML. See Federation.
SCIM, System for Cross-domain Identity Management
An interface standard for identity management in cloud applications.
Security principal
An entity that can be authenticated by a computer or a network. It may be a user account, a computer account, a computational thread, or a computational process. The general term is “principal”; “security principal” is the term used in the Java and Microsoft worlds.
Service provider
In the context of authentication and authorization, the system on which users consume a service. The service provider maintains a trust relationship with the identity provider.
Session
An exchange of information that takes place between two entities; within the session, data flows between them. Important properties of a session are its duration (validity), which can be artificially limited to prevent misuse of the session, and the assertion made by one or the other entity involved in the session.
SSO, Single Sign-On
A service model in which a user logs in to one system or service and is automatically logged in to other applications. This access may be time-limited. In this model, the user uses only one set of login credentials (e.g., the user does not need to remember the password for each application separately). Single Sign-On to web applications is called “Web SSO” and is the best known case of SSO.
SPML, Service Provisioning Markup Language
An XML-based standard that allows participating parties to exchange information about users, resources and services. It is mainly used in on-premises systems.
Synchronization
The process by which the identity store (repository) is synchronized with the database of a given information system in order to ensure that all data of all identities is consistent and up to date.
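The synchronization just defined, together with provisioning and deprovisioning from the identity lifecycle entries above, as one added Python example (not from the glossary). It compares an authoritative source (a personnel system) with the accounts in a target information system, plans the actions that make the target consistent, and applies them: create an account for an active person without one, update a stale attribute, disable the account of a person who has left, and flag any orphan account that no authoritative identity explains. The records, the login naming convention and the choice to disable rather than delete immediately are assumptions of the example.

```python
import copy
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Person:            # record in the authoritative source (personnel system)
    emp_id: str
    name: str
    department: str
    active: bool


@dataclass
class Account:           # record in the target information system
    login: str
    emp_id: str          # link to the identity in the repository ("" = none)
    department: str
    enabled: bool


# Constructed sample data.
HR_SOURCE = [
    Person("E100", "Jana Novak", "Finance", True),
    Person("E101", "Petr Kral", "IT", True),
    Person("E102", "Eva Svoboda", "HR", False),   # has left the company
]
TARGET_SYSTEM: Dict[str, Account] = {
    "jnovak":    Account("jnovak", "E100", "Sales", True),   # stale department
    "esvoboda":  Account("esvoboda", "E102", "HR", True),    # should be deprovisioned
    "tmp_admin": Account("tmp_admin", "", "IT", True),       # no identity behind it
}


def login_for(person: Person) -> str:
    """Naming convention assumed by the example: first initial + surname."""
    first, last = person.name.split()
    return (first[0] + last).lower()


def plan_sync(source: List[Person], target: Dict[str, Account]) -> List[Tuple]:
    """List the actions that make the target consistent with the source."""
    actions: List[Tuple] = []
    by_emp = {a.emp_id: a for a in target.values() if a.emp_id}
    for person in source:
        account = by_emp.get(person.emp_id)
        if person.active and account is None:
            actions.append(("provision", person.emp_id))
        elif person.active and account.department != person.department:
            actions.append(("update", account.login, "department", person.department))
        elif not person.active and account is not None and account.enabled:
            actions.append(("deprovision", account.login))
    known = {p.emp_id for p in source}
    for login, account in target.items():
        if account.emp_id not in known:
            actions.append(("flag_orphan", login))   # needs an owner or removal
    return actions


def apply_sync(source: List[Person], target: Dict[str, Account]):
    """Apply the plan to a copy of the target; return (new_target, actions)."""
    target = copy.deepcopy(target)
    people = {p.emp_id: p for p in source}
    actions = plan_sync(source, target)
    for action in actions:
        if action[0] == "provision":
            p = people[action[1]]
            target[login_for(p)] = Account(login_for(p), p.emp_id, p.department, True)
        elif action[0] == "update":
            setattr(target[action[1]], action[2], action[3])
        elif action[0] == "deprovision":
            # Disabled rather than deleted here so the account can be removed
            # after review; the permissions stop working immediately either way.
            target[action[1]].enabled = False
    return target, actions


if __name__ == "__main__":
    new_target, actions = apply_sync(HR_SOURCE, TARGET_SYSTEM)
    for action in actions:
        print(action)
    for login, account in new_target.items():
        print(login, account)
```

Running the plan step before applying anything is what lets an operator review a large deprovisioning batch before accounts are touched.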
TFA, Two-factor authentication
Multifactor authentication (MFA)
A method of authenticating a user to a system or service by multiple, independent factors. It generally consists of something the user knows (password, personal information), something the user holds (hardware token, mobile phone, ID card) and something that represents the user’s physical identity (fingerprint, retina scan, voice, DNA).
eXtensible Access Control Markup Language (XACML)
An XML-based authorization standard used with the intention of improving interoperability between different solution providers and user experience.