Glossary
- Attribute-Based Access Control (ABAC)
- A mechanism for managing user access to information systems based on user attribute values. Attribute-Based Access Control (ABAC) evaluates access dynamically using an algorithm that takes 'attributes' as input and outputs an access decision (allow/deny). The attributes are usually user profile attributes, supplemented with context attributes such as time of access and the user's current location.
- Alternative terms: Claims-based Access Control, CBAC
- See also: Access Control
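The algorithm described above, as an added illustration (not midPoint code): a policy is a list of predicates over subject, resource and context attributes, and the decision function returns allow or deny together with the names of the rules that matched. The attribute names, rules and sample requests are constructed for this example.

```python
# Added example: a minimal ABAC decision function (attributes in, allow/deny out).
# Attribute names, rules and sample data are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]


@dataclass(frozen=True)
class Request:
    subject: Attrs    # user profile attributes (department, clearance, ...)
    resource: Attrs   # attributes of the accessed object
    context: Attrs    # context attributes: time of access, current location


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                         # "allow" or "deny"
    applies: Callable[[Request], bool]  # predicate over the attributes


def decide(policy: List[Rule], req: Request) -> Tuple[str, List[str]]:
    """Evaluate every rule and return (decision, names of matching rules).

    Combination is deny-overrides: any matching deny wins, an allow needs at
    least one matching allow rule, and no match at all is a deny (default-deny).
    The matched rule names make the decision explainable in an audit trail.
    """
    matched = [r for r in policy if r.applies(req)]
    names = [r.name for r in matched]
    if any(r.effect == "deny" for r in matched):
        return "deny", names
    if any(r.effect == "allow" for r in matched):
        return "allow", names
    return "deny", names


def within_business_hours(ctx: Attrs) -> bool:
    t: datetime = ctx["time"]
    return t.weekday() < 5 and 8 <= t.hour < 18


# Constructed policy: one grant based on profile attributes, two denials
# based purely on context attributes (time of access and location).
POLICY = [
    Rule("finance-may-read-ledger", "allow",
         lambda r: r.subject.get("department") == "finance"
         and r.resource.get("type") == "ledger"
         and r.subject.get("clearance", 0) >= r.resource.get("sensitivity", 0)),
    Rule("ledger-only-in-business-hours", "deny",
         lambda r: r.resource.get("type") == "ledger"
         and not within_business_hours(r.context)),
    Rule("ledger-only-from-trusted-location", "deny",
         lambda r: r.resource.get("type") == "ledger"
         and r.context.get("location") not in r.resource.get("trusted_locations", ())),
]

# Constructed sample subjects and resource.
LEDGER = {"type": "ledger", "sensitivity": 2, "trusted_locations": ("HQ", "branch-01")}
ALICE = {"department": "finance", "clearance": 2}
BOB = {"department": "marketing", "clearance": 3}


def evaluate(subject: Attrs, resource: Attrs, when_iso: str, location: str) -> Tuple[str, List[str]]:
    """Build the request from an ISO-8601 timestamp and a location, then decide."""
    ctx = {"time": datetime.fromisoformat(when_iso), "location": location}
    return decide(POLICY, Request(subject, resource, ctx))


if __name__ == "__main__":
    for label, who in (("alice", ALICE), ("bob", BOB)):
        for where in ("HQ", "cafe-wifi"):
            for when in ("2024-03-12T10:30", "2024-03-12T22:00"):
                print(label, where, when, "->", evaluate(who, LEDGER, when, where))
```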
- Abstract Role
- In midPoint terminology: Abstract role means any type of object that acts as a role. This means that an abstract role can be used to hold inducements, which give privileges to other objects. Role, org, service and archetype are abstract roles in midPoint.
- Read more ...
- See also: Inducement, Role, Org, Archetype
- Access Certification
- Access certification helps with management of access rights. These rights, also called privileges, role assignments, authorities or authorizations, need to be assigned to the right users in the right systems at the right time. Access certification means reviewing settings such as assignments of roles to users, to make sure that employees have access to the systems they need.
Certifications are often conducted in the form of certification campaigns, certifying access of many users in each campaign and distributing the work among many reviewers to keep the amount of work per person reasonable. Despite that, the overall effort necessary for completion of a certification campaign can be huge. Therefore, certification campaigns are being replaced by microcertifications, certifying specific users or privileges on an as-needed basis.
Access certification is often used to address over-provisioning of privileges, in an attempt to maintain the principle of least privilege.
- Alternative terms: Access Re-certification, Re-certification, Attestation, Access Review
- See also: Least Privilege Principle, Over-provisioning, Microcertification
- Access Cloning
- Access cloning is the practice of assigning a user the same access rights as another user has. It is often used to provision new users with initial access rights, copying the access rights of an existing donor user.
Access cloning is an undesirable practice (see ISO/IEC 27002 5.18), as it often leads to over-provisioning. Even if the cloned access rights are justified, a business role (RBAC) or similar mechanism should be used instead of cloning. Although the practice is generally undesirable, it is often employed due to its simplicity.
- Alternative terms: Access Rights Cloning, Donor user
- See also: Least Privilege Principle, Over-provisioning, Role-Based Access Control
- Access Control
- Access control is an abstract concept of controlling access of users to applications. It is a very broad and general term; however, it usually refers to a mechanism to define and evaluate authorization policies. Two commonly-used access control mechanisms are role-based access control (RBAC) and attribute-based access control (ABAC).
- X.1252 term: access control
- ISO 27000 term: access control
- See also: Role-Based Access Control, Attribute-Based Access Control, Policy-Based Access Control
- Access Management (AM)
- Access Management (AM) is a security discipline that grants authorised users access to particular resources, and prevents non-authorised users from accessing them. Thus the goal of Access Management is to unify the security mechanisms that take place when a user is accessing a specific system or functionality. Single Sign-On (SSO) is sometimes considered to be a part of Access Management.
- Access Request Process
- Access request process is a business process used to request additional access or privileges for information systems and applications. It is usually a semi-manual process. It starts with a user requesting access or privileges for applications. The request is usually routed through approval steps. When approved, the access is provisioned.
Access request is very frequently used to provide necessary access to users, addressing access under-provisioning situations. As a clear and complete access control policy is usually not known, the access request process is a practical measure to compensate for this limitation. In fact, the access request process is often over-used, leading to systematic over-provisioning of access. Access certification mechanisms are usually used to compensate for such over-provisioning.
- Alternative terms: Access Request Management
- See also: Identity Provisioning, Under-provisioning, Over-provisioning, Access Certification
- Account
- Data structure in a database, file or a similar data store that describes characteristics of a user of a particular system (resource). Accounts are used to control access of users to applications, databases and so on. An account is a persistent data record, stored in an application or a database. This term is usually not used to describe ephemeral information about a user's identity, such as information temporarily stored only for the duration of the user's session. Such information is often referred to as a "principal".
An account is different from a generic data record (e.g. "identity" or "principal"). The purpose of an account is to provide the user's access to the system; a generic data record may not provide such access.
- In midPoint terminology: An account strictly means a data structure in a source/target system (resource). The term "user" is used to describe a similar data structure in midPoint itself.
- Alternative terms: User account
- See also: User, Principal
- Access Control List (ACL)
- Mechanism for controlling access to an information system, based on a simple sequential list of access control instructions. Instructions in an access control list are evaluated sequentially. If an instruction matches the current access control situation (user, accessed object, operation), then the instruction is applied, either allowing or denying the access.
There is no standardized form or language for access control lists and instructions, making ACLs not interoperable across implementations. There are also numerous variations of the basic idea, e.g. always evaluating the entire list, deny instructions always taking precedence, and so on.
- See also: Access Control
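The two evaluation variants named above, sequential first-match versus evaluating the entire list with deny taking precedence, as an added illustration (not midPoint code). The entry format, the wildcard convention and the sample ACL are constructed for this example; note that the same list gives different answers under the two variants.

```python
# Added example: two common ways of evaluating a sequential ACL.
# Entry format, wildcard "*" and the sample list are constructed for illustration.
from dataclasses import dataclass
from typing import List

ALLOW = "allow"
DENY = "deny"


@dataclass(frozen=True)
class AclEntry:
    principal: str   # user, or "*" for any user
    obj: str         # accessed object, or "*"
    operation: str   # requested operation, or "*"
    effect: str      # ALLOW or DENY

    def matches(self, principal: str, obj: str, operation: str) -> bool:
        """An entry matches when each field is either a wildcard or equal to the request."""
        pairs = ((self.principal, principal), (self.obj, obj), (self.operation, operation))
        return all(pattern in ("*", value) for pattern, value in pairs)


def evaluate_first_match(acl: List[AclEntry], principal: str, obj: str,
                         operation: str, default: str = DENY) -> str:
    """Classic variant: walk the list in order; the first matching entry decides."""
    for entry in acl:
        if entry.matches(principal, obj, operation):
            return entry.effect
    return default   # no entry matched: fall back to the default (deny is the safe choice)


def evaluate_deny_precedence(acl: List[AclEntry], principal: str, obj: str,
                             operation: str, default: str = DENY) -> str:
    """Variant: evaluate the entire list; any matching deny wins over any allow."""
    effects = [e.effect for e in acl if e.matches(principal, obj, operation)]
    if not effects:
        return default
    return DENY if DENY in effects else ALLOW


# Constructed sample ACL. Order matters for the first-match variant: the broad
# "deny write on payroll" entry comes after alice's "write anything" entry.
SAMPLE_ACL = [
    AclEntry("alice", "payroll", "read", ALLOW),
    AclEntry("*", "payroll", "read", DENY),     # everyone else may not read payroll
    AclEntry("alice", "*", "write", ALLOW),
    AclEntry("*", "payroll", "write", DENY),    # later, broader deny
]


if __name__ == "__main__":
    requests = [("alice", "payroll", "read"), ("bob", "payroll", "read"),
                ("alice", "payroll", "write"), ("alice", "hr", "write"),
                ("carol", "hr", "read")]
    for req in requests:
        print(req, "first-match:", evaluate_first_match(SAMPLE_ACL, *req),
              "deny-precedence:", evaluate_deny_precedence(SAMPLE_ACL, *req))
```

The request ("alice", "payroll", "write") is allowed by first-match (entry 3 is hit before entry 4) but denied under deny-precedence, which is exactly the interoperability problem the entry describes.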
- Active Directory
- An identity repository created by Microsoft that stores and organizes identity information. Based on this information, it grants access and permissions to users to enter particular resources and therefore improves an organization's security.
- Agent
- Active entity, usually a software component that plays an active part.
In the identity management field, the term "agent" often means an active software component installed into a controlled system, used to mediate management of identities. It is similar in function to an identity connector; however, unlike the connector, the agent has to be installed into the controlled system.
- X.1252 term: agent
- See also: Identity Connector
- Anonymity
- A situation in which an object cannot be distinguished from similar objects, so that the identity of the object cannot be determined.
- X.1252 term: anonymity
- See also: Identity
- Application Programming Interface (API)
- Set of procedures, functions or methods that can be used by another program or component. APIs are usually interfaces exposed by an application, meant to be used by other applications. Therefore APIs are important integration points between applications and services. In the past, APIs were usually created as a programming language library, such as a C or Java library. Since c. 2010, APIs usually take the form of an HTTP-based RESTful service.
- See also: RESTful Service
- Archetype
- In midPoint terminology: Archetype is a formal definition of an object subtype in midPoint. Archetypes can give specific character to basic midPoint types such as user, role or org. For example, archetypes can be used to further refine the concept of user to represent employees, students, contractors and partners.
- Read more ...
- Asset
- Asset is an integral collection of information, data, systems, services, equipment, knowledge and any other means that provide value to an organization. It may take the form of a customer database, results of a research project, a trade secret, a proprietary software package, an essential business process or any form that is considered valuable. Assets are subject to risk, realized by threats exploiting asset vulnerabilities. Protection of assets is the primary objective of cybersecurity.
- Alternative terms: Information asset
- See also: Risk, Threat, Vulnerability, Risk assessment
- Assignment
- In midPoint terminology: Assignment is a relation that directly assigns privileges, organizational membership, policy elements or other midPoint concepts to assignment holder objects (usually users). Assignment is quite a rich, flexible and universal mechanism. Assignments can be conditional, and there may be time constraints, parameters and other details specifying the relation between the assignment holder (usually a user) and the target (usually a role or org). Many types of objects can be the target of an assignment, allowing for significant expressive power.
- Read more ...
- See also: Inducement, Assignment Holder, Focus
- Assignment Holder
- In midPoint terminology: An object that can hold assignments. An assignment holder can be considered the "source" of an assignment, the source of the relation that an assignment represents. Almost all object types in midPoint are assignment holders, capable of containing assignments.
- See also: Assignment, Focus
- Audit
- Audit is a systematic and documented process for reviewing specific processes, organizations or regulatory compliance. It involves obtaining and objectively processing evidence, including evidence stored in special-purpose audit trails. Audit can be internal, conducted by an organization reviewing its own processes or compliance. It can also be external, conducted by an independent trusted party.
- ISO 27000 term: audit
- See also: Audit trail
- Audit scope
- Extent and boundaries of audit review.
- ISO 27000 term: audit scope
- See also: Audit
- Audit trail
- Audit trail is a record of essential information, meant to be used as evidence in audit reviews. An audit trail is usually a structured, chronological record of operations or observations of an information system. It records important actions taken by users of the system, including actions taken by system administrators.
- Alternative terms: Audit log
- See also: Audit
- Authentication
- Authentication is a mechanism by which a computer system checks that the user is really the one she or he claims to be. Authentication can be implemented by a broad variety of mechanisms, broadly divided into three categories: something you know, something you have, something you are. Traditionally, authentication is done by means of username and password. Authentication is often followed by authorization; however, authentication and authorization are two separate mechanisms.
- ISO 24760 term: authentication
- X.1252 term: authentication
- ISO 27000 term: authentication
- See also: Identification, Authorization, Multi-factor authentication
- Authenticated Identity
- ISO 24760 term, describing "identity information" created to record the result of authentication. This may mean data such as authentication strength, timestamps and similar information. In software development, it is often referred to as "authenticated user" or "authenticated principal".
- Alternative terms: Authenticated user, Authenticated principal
- ISO 24760 term: authenticated identity
- See also: Authentication, Principal
- Authenticator
- Something the subject possesses and controls, which is used to prove identity during authentication. An authenticator can be digital (information), physical (an object such as an ID card or authentication device) or a combination of both (an ID card with a tamper-proof chip containing cryptographic keys). Perhaps the most common type of authenticator is a password.
The term "authenticator" is closely related to the term "credential", which is even more confusing as many authenticators are also credentials. The difference is that a credential is bound to the authenticated identity, while an authenticator does not need to be. E.g. a password is not inherently bound to an authenticated identity, as the same password can be used to authenticate many identities at various sites. Therefore, strictly speaking, a password is an authenticator but not a credential. On the other end, a digital certificate (X.509) with its associated private key is bound to a specific identity, therefore it is both an authenticator and a credential. There are also credentials that are not authenticators, such as records in the authentication database linking identity identifiers. However, in common usage, the term "credential" is often used to refer to authenticators as well.
- Alternative terms: Authentication token
- ISO 24760 term: credential
- X.1252 term: credential
- See also: Credential, Password, Passkey, Personal identification number, Authentication
- Authenticity
- Authenticity is a property of data, and also an assurance, that the data are valid and true. Simply speaking, it tells that the data are what they claim to be. Authenticity may also mean assurance of data origin (provenance) and integrity.
- ISO 27000 term: authenticity
- See also: integrity
- Authorization
- Authorization is a mechanism by which a computer system determines whether to allow or deny a specific action to a user. Authorization is often controlled by rather complex rules and algorithms, usually specified as part of an access control model. Authorization often follows (and requires) authentication; however, authentication and authorization are two separate mechanisms.
In rare cases, "authorization" is understood as a process of allowing access, granting permissions or giving approval, such as "authorization" of a request to join a group.
- X.1252 term: authorization
- See also: Authentication, Role-Based Access Control, Attribute-Based Access Control, Coarse-grain Authorization, Fine-Grain Authorization, Access Control
- Authorization Service
- A system that provides authorization information to an application. It usually makes the decision whether a specific operation should be allowed or denied by the application, i.e. the authorization system performs the authorization decision instead of the application. Authorization systems often use complex policy, user roles or additional attributes to make the decision. Authorization servers usually implement the functionality of a Policy Decision Point (PDP). Typical protocols and frameworks: XACML, Open Policy Agent (OPA), SAML authorization assertions, proprietary mechanisms.
- Alternative terms: Authorization Server
- See also: Authorization
- Availability
- Availability is a property of a network service or information system, ensuring that all the necessary functions are available to the user. I.e. it is a property that ensures that systems and data are available to users as intended, and that the service is not interrupted by an attacker.
Availability, together with confidentiality and integrity, forms the "CIA triad", a classical model of information security (cybersecurity).
- Alternative terms: Service availability
- See also: Confidentiality, integrity
- Biometrics
- Automated recognition of persons, based on their biological or behavioral characteristics.
- Alternative terms: Biometric authentication
- X.1252 term: biometric recognition
- See also: Authentication
- Birthright
- Privileges or access granted to users based on their inherent characteristics, such as user type (employee, contractor, student). It also includes a set of privileges automatically given to all users ("all users" access). Privileges and access that are automatically assigned due to organizational structure membership (e.g. access to departmental systems) are sometimes also considered to be a birthright.
- In midPoint terminology: Archetypes are usually used to manage birthright in midPoint, by placing appropriate inducements in archetype definition. Birthright originating from organizational structure can be implemented by placing inducements in organizational units (orgs).
- Alternative terms: Birthright provisioning
- See also: Identity Provisioning, Archetype, Org, Inducement
- Blinded Affirmation
- A method to provide strictly limited information to another party, without revealing any unintended information. Blinded affirmation is often used to demonstrate that a certain user is a member of an organization, without revealing any additional information about the user to a third party. Blinded affirmation usually relies on ephemeral identifiers or pseudonyms.
- ISO 24760 term: blinded affirmation
- See also: Ephemeral Identifier, Pseudonym
- Certificate Authority (CA)
- Entity that issues digital certificates. Certificate authority is usually a trusted third party, certifying correctness of the data presented in certificates that it issues. The most common form of certificate authority is an authority that issues X.509 digital certificates, containing public keys. Certificate authority signs the certificates, thus certifying that a specified public key belongs to a specified identity.
- See also: Digital Certificate, Trusted Third Party
- Claim
- Statement about an entity, provided in a form which can be verified by other parties. Verification of a claim provides reliable information about the entity that created the claim (issuer), and it provides assurance that the claim content was not modified. However, claim verification does not provide assurance that a claim is correct, or that it is an unquestionable truth. Technically, claims are often digital identity attributes, secured by cryptographic mechanisms for network transfer.
- See also: Digital Identity Attribute, Triangle Of Trust, Issuer, Holder, Verifier
- Clockwork
- In midPoint terminology: MidPoint component responsible for evaluation of lifecycle, activation, object templates, assignments, roles, policies, mappings and many other aspects of midPoint configuration. Clockwork is the main workhorse of midPoint synchronization, making sure that objects are properly recomputed and policies are enforced. It also computes the data for synchronization, both in inbound and outbound direction.
- Read more ...
- Cloud Computing
- Internet-based computing in which resources like storage, applications or servers are used by organizations or users via the Internet. Data can be accessed any time from any place, without any installations, and is stored and processed in third-party data centers which could be located anywhere in the world. Cloud computing is considered to lower an organization's costs by avoiding the need to purchase servers, as well as to speed up processes with less maintenance needed. Due to data being centralized in one place, it is considered to be secure and easily shared across a larger number of users.
- Coarse-grain Authorization
- Authorization concerning big architectural blocks, such as entire applications or systems. E.g. coarse-grain authorization usually decides whether a user can access an application or access should be denied, without providing any additional details. Coarse-grained authorization is usually made at the "perimeter" of the system, e.g. by infrastructure components, when a user is accessing an application. Typically, this authorization is based on simple policy rules, such as a role or group assigned to the user.
- See also: Authentication, Fine-Grain Authorization
- Competence
- Ability to perform a certain function, or to achieve intended results. It may refer to the ability of people: an ability to apply knowledge, skills and effort to reach results. It may also apply to systems, describing the ability of a system to perform functions to achieve results.
- Alternative terms: Capability
- ISO 27000 term: competence
- Compliance
- Fulfillment of a requirement, or a system of requirements. It usually refers to conformity with a regulation or an industry standard.
In the identity and access management (IAM) field, the term "compliance" may refer to a set of IAM platform features that aid with regulation and standards compliance.
- Alternative terms: Conformity
- ISO 27000 term: conformity
- Confidentiality
- Confidentiality is a property of a communication channel or data, ensuring that they are available only to intended actors. I.e. it is a property that ensures that the data are seen only by the communicating parties, and no other party can access and read the data. Confidentiality is usually implemented using encryption.
Confidentiality, together with integrity and availability, forms the "CIA triad", a classical model of information security (cybersecurity).
- Alternative terms: Secrecy
- ISO 27000 term: confidentiality
- See also: Availability, integrity
- ConnId
- ConnId is an open source identity connector framework project. It originated from the Identity Connector Framework (ICF) developed by Sun Microsystems in the late 2000s. ConnId is now an independent open source project, used by several identity management platforms.
- Alternative terms: ConnId Framework
- See also: Identity Connector, Identity Connector Framework
- Consent for Personal Data Processing
- Consent for personal data processing is given by a user to indicate agreement with processing of personal data. In personal data protection frameworks (such as GDPR), consent has a strict structure; it is given for a very specific processing scope. Consent can be revoked by the user at any time. Consent is just one of several personal data processing bases (lawful bases). Consent is perhaps the most well known, and also the most misused, basis for personal data processing.
- Alternative terms: Consent
- See also: Personal Data Protection, Personal Data Processing Basis, General Data Protection Regulation
- Consequence
- Outcome of an event or an activity.
- Alternative terms: Outcome, Result
- ISO 27000 term: consequence
- See also: Event
- Continual improvement
- Continuous or recurring activity to enhance performance or results.
- ISO 27000 term: continual improvement
- Control
- Control is a measure that affects risk. Controls are used in security management programs to lower risk, and to manage overall and residual risks. Controls may take a variety of forms, including processes, technology, policies and people.
- Alternative terms: Countermeasure, Cybersecurity measure, Measure
- ISO 27000 term: control
- Control objective
- Control objective is the intended effect of a control. It is a description of the effect that a control should have when implemented.
- ISO 27000 term: control objective
- See also: Control
- Corrective action
- Corrective action is an action to eliminate the causes of non-compliance and prevent recurrence. Unlike remediation (correction), which is focused on correcting the effects, corrective action aims at correcting the causes (e.g. updating the policy).
- ISO 27000 term: corrective action
- See also: Compliance, Remediation
- Credential
- Information used to prove the identity of a subject during authentication, which is bound to that particular identity. Credentials can be digital (information), physical (an object such as an ID card) or a combination of both (an ID card with a tamper-proof chip containing cryptographic keys). Perhaps the most common type of digital credential is a password-based credential.
The term "credential" is closely related to the term "authenticator", which is even more confusing as many authenticators are also credentials. The difference is that a credential is bound to the authenticated identity, while an authenticator does not need to be. E.g. a password is not inherently bound to an authenticated identity, as the same password can be used to authenticate many identities at various sites. Therefore, strictly speaking, a password is an authenticator but not a credential. However, when a password is established as a shared secret at a particular site, and bound to a particular identity in that site's authentication database, a password-based credential is created. On the other end, a digital certificate (X.509) with its associated private key is bound to a specific identity, therefore it is both an authenticator and a credential. There are also credentials that are not authenticators, such as records in the authentication database linking identity identifiers. However, in common usage, the term "credential" is often used to refer to authenticators as well.
- Alternative terms: Digital credential, Credentials
- ISO 24760 term: credential
- X.1252 term: credential
- See also: Authenticator, Password, Passkey, Personal identification number, Authentication
- Credential Issuer
- An entity that creates and provisions credentials to entities.
- ISO 24760 term: credential issuer
- See also: Credential, Issuer, Trust service
- Credential Service Provider (CSP)
- ISO 24760 term, describing an entity responsible for management of credentials in a domain.
- ISO 24760 term: credential service provider
- See also: Credential
- Cross-domain
- Anything that involves interaction between two or more domains. Specifically in the context of identity and access management, it usually means transfer of information between domains that are under separate control, or transfer of information that needs to be somehow limited (e.g. only a subset of attributes is transferred).
Cross-domain techniques employ special mechanisms to protect the information, or to make transfer between domains more reliable or secure. For example, special identifiers (often ephemeral pseudonyms) are used to refer to identity data.
- See also: Domain, Identity Provider, Relying Party, Identity Federation
- Cyberattack
- Cyberattack is an intentional effort to steal, destroy, expose, alter, disable or gain unauthorized access to information systems and data (information assets). A cyberattack is a cybersecurity breach.
- Alternative terms: Cyber attack
- ISO 27000 term: attack
- See also: Cybersecurity, Cybersecurity incident
- Cybersecurity
- Cybersecurity is the protection of information systems, usually focused on systems connected to the Internet. It is a broad practice, including protection of systems, networks, software and data. It involves technology as well as people, policies and processes. Cybersecurity is a continuous, never-ending effort to make systems secure and keep them secure. The most comprehensive and systematic cybersecurity techniques are based on a risk-based approach.
- Alternative terms: Information security
- ISO 27000 term: information security
- See also: Cybersecurity governance, Cyberattack, Risk-based approach
- Cybersecurity event
- Cybersecurity event is an event affecting the cybersecurity of an organization. It is an occurrence of a system, service or network state indicating a possible breach of information security.
- Alternative terms: Information security event
- ISO 27000 term: information security event
- See also: Event, Cybersecurity incident, Cyberattack
- Cybersecurity governance
- Cybersecurity governance is a set of systematic activities to direct and control the implementation of cybersecurity. Governance is a process of setting up and maintaining policies and rules to govern cybersecurity activities. It includes cybersecurity programs, policies, processes, decision-making hierarchies, mitigation plans, cybersecurity systems and especially oversight processes and procedures. Cybersecurity governance assumes the existence and systematic application of a cybersecurity strategy.
- Alternative terms: Information security governance
- ISO 27000 term: governance of information security
- See also: Cybersecurity, Information security management system, Cybersecurity resilience, Risk management
- Cybersecurity incident
- Cybersecurity incident is an unwanted or unexpected cybersecurity event, impacting the cybersecurity of an organization. Cyberattacks are the usual type of cybersecurity incident. Cybersecurity incidents include situations where a security breach cannot be proven, but there is a significant probability that the security of information and systems might have been affected.
- Alternative terms: Information security incident, Incident
- ISO 27000 term: information security incident
- See also: Event, Cybersecurity event, Cyberattack, Cybersecurity incident management
- Cybersecurity incident management
- Cybersecurity incident management is a set of processes and systems to manage cybersecurity incidents. It includes detecting, recording, reporting, assessing and responding to incidents. Cybersecurity incident management systems are also used to learn from incidents, with the goal of improving the information security management system (ISMS).
- Alternative terms: Information security incident management, Incident management
- ISO 27000 term: information security incident management
- See also: Cybersecurity incident
- Cybersecurity professional
- Cybersecurity professional is a competent person who implements, maintains and improves cybersecurity practices.
- Alternative terms: Information security professional, ISMS professional, Information security practitioner
- ISO 27000 term: information security professional
- See also: Cybersecurity, Cybersecurity governance
- Cybersecurity resilience
- Cybersecurity resilience is a combination of processes, procedures and governance measures to ensure continuous operation of cybersecurity mechanisms. It includes mechanisms to maintain appropriate levels of cybersecurity, as well as necessary improvement of cybersecurity measures to reflect increased threats.
- Alternative terms: Information security resilience, Information security continuity
- ISO 27000 term: information security continuity
- See also: Cybersecurity, Cybersecurity governance
- Cybersecurity standard
- Cybersecurity standard is a formal specification describing requirements and methods for appropriate implementation of cybersecurity.
- Alternative terms: Information security standard
- ISO 27000 term: security implementation standard
- See also: Compliance, Risk criteria
- Cyber hygiene
- Cyber hygiene is a cybersecurity principle and/or practice. As an analogy to personal hygiene, cyber hygiene requires users to establish routine measures to minimize their cybersecurity risk. It often refers to personal cybersecurity routines such as proper password management, malware protection and data back-up. However, in a broader organizational scope, it also includes infrastructural cybersecurity measures, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management and user awareness training.
- Alternative terms: Digital hygiene
- See also: Zero trust
- Data Governance
- Data governance is a data management concept aimed at maintenance of high data quality, through management of data lifecycle and implementation of appropriate data quality controls. Identity governance and administration (IGA) field is concerned with governance of identity data.
- See also: Data Provenance, Data Minimization, Metadata, Identity Governance and Administration, Privacy
- Data Minimization
- A process of reducing the amount of data to the necessary minimum required for processing.
Data minimization often takes place in the context of privacy and personal data protection, minimizing identity data to the necessary minimum.
- Alternative terms: Minimization
- X.1252 term: data minimization
- See also: Privacy, Personal Data Protection, Data Governance
- Data Origin
- Organization or entity that has created or assigned a particular value. Origin is often part of data provenance, the description of the method by which a value was acquired by a system.
Origin may be relative, describing only the immediate origin of the information, a "previous hop", a system that has relayed the information to our system. Such an origin may not have created or assigned the information; it may have only relayed or copied information that originated in a third system. Origin is often recorded in the form of metadata.
- Alternative terms: Origin, Domain of Origin
- ISO 24760 term: domain of origin
- See also: Digital Identity Attribute, Data Provenance
- Data Provenance
- Description of the method by which a value was acquired by a system. Provenance information almost always contains a description of the data origin, supplemented by additional information such as timestamps and assurance information.
Provenance may be relative, describing only the immediate origin of the information: a "previous hop", a system that relayed the information to our system. In other cases, provenance information may include the complete path from the ultimate origin of the information, describing all the systems it has passed through and all the transformations that were applied. Provenance is often recorded in the form of metadata.
- Alternative terms: Provenance
- See also: Data Origin, Metadata, Data Governance
- Decentralized Identifier (DID)
- An identifier that does not require a centralized registration authority. Technologies supporting decentralized identifiers vary; many of them are based on distributed ledger technologies (e.g. blockchain).
- X.1252 term: decentralized identifier
- See also: Decentralized Identity, Self-Sovereign Identity
- Decentralized Identity (DID)
- An identity that does not require centralized registration authority, identity provider, identity data store or any other centralized system to function. Decentralized identity systems are usually built to be self-sovereign.
- See also: Decentralized Identifier, Self-Sovereign Identity, Verifiable Credentials
- Delegated Administration
- Type of administration where chosen users have administrator permissions. They can manage other users, create passwords for them, move them into groups, assign them roles, etc.
- Delta
- In midPoint terminology: Delta is a data structure describing a change in data. It describes the data items (and values) that were added, removed or replaced. Delta is a relativistic data structure, it contains only the data that were changed.
- Alternative terms: Prism Delta
- See also: Prism
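To make the "relativistic" nature of a delta concrete, here is an added, illustrative model of a delta applied to an object with multi-valued items (example code written for this glossary, not midPoint's own Prism delta API; the item names, the `add`/`delete`/`replace` shape and the sample user are constructed assumptions):

```python
"""Illustrative model of a relativistic delta (added example; not midPoint's own
Prism delta API): a change record listing only the items whose values were
added, removed or replaced, applied to an object with multi-valued items."""
from typing import Any

# Constructed sample object: single-valued items are plain strings,
# multi-valued items are lists.
USER_BEFORE = {
    "name": "jdoe",
    "fullName": "John Doe",
    "emailAddress": ["jdoe@example.com"],
    "organization": ["Sales", "EMEA"],
}

# Constructed sample delta in the shape this example assumes: one entry per
# changed item, each carrying "add" and/or "delete" value lists, or "replace".
USER_DELTA = {
    "fullName": {"replace": ["John A. Doe"]},
    "organization": {"add": ["Partners", "Sales"], "delete": ["EMEA"]},
    "emailAddress": {"add": ["john.doe@example.com"]},
}


def _as_list(value: Any) -> list:
    """Normalize a (possibly missing or single) value to a list of values."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def apply_delta(obj: dict, delta: dict) -> dict:
    """Return a new object state; items not mentioned in the delta are untouched."""
    result = {k: _as_list(v) for k, v in obj.items()}
    for item, mods in delta.items():
        if "replace" in mods and ("add" in mods or "delete" in mods):
            raise ValueError(f"{item}: replace cannot be combined with add/delete")
        values = result.get(item, [])
        if "replace" in mods:
            values = list(mods["replace"])
        else:
            for v in mods.get("add", []):
                if v not in values:      # adding a value already present is a no-op
                    values.append(v)
            # deleting a value that is absent is a no-op as well
            values = [v for v in values if v not in mods.get("delete", [])]
        if values:
            result[item] = values
        else:
            result.pop(item, None)       # an item with no values disappears
    return result


def diff(before: dict, after: dict) -> dict:
    """Derive a delta from two object states; unchanged items do not appear."""
    delta: dict = {}
    for item in sorted(set(before) | set(after)):
        old, new = _as_list(before.get(item)), _as_list(after.get(item))
        if old == new:
            continue
        if len(old) <= 1 and len(new) <= 1:
            delta[item] = {"replace": new}   # single-valued item: replace
            continue
        mods = {}
        added = [v for v in new if v not in old]
        deleted = [v for v in old if v not in new]
        if added:
            mods["add"] = added
        if deleted:
            mods["delete"] = deleted
        delta[item] = mods
    return delta
```

Applying the same delta twice yields the same state, and `diff` of the two states contains only what actually changed (the redundant add of "Sales" does not reappear).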
- Digital Identity
- Digital representation of identity: a set of characteristics, qualities, beliefs and behaviors of an entity, usually represented as a set of attributes. Digital identity forms a unique representation of a subject engaged in an online transaction. While digital identity is always unique in the context of a digital service, it does not necessarily need to be traceable back to a specific real-life subject (linkability).
Digital identity should not be confused with identifier. Digital identity is a set of characteristics (complex data), while an identifier is a (usually simple) value used to refer to a digital identity.
- Alternative terms: Identity, Network Identity, User Profile
- ISO 24760 term: identity information
- X.1252 term: digital identity
- See also: Identity, Digital Identity Attribute, Entity, Linkability
- Digital Identity Attribute
- A value representing a characteristic or property of an entity. An attribute is a part of digital identity.
- Alternative terms: Attribute
- ISO 24760 term: attribute
- X.1252 term: attribute
- See also: Digital Identity, Identifier, Entity, Claim
- Digital Certificate
- Digital document containing information protected by cryptographic means. Digital certificates are usually used to bind information to a digital identity. Perhaps the most common use of certificates is certifying public keys: binding a public key to the identity of its owner, signed by a trusted third party (certificate authority). The most prominent specification of a format for such digital certificates is X.509.
- Alternative terms: Certificate
- X.1252 term: certificate
- See also: Certificate Authority, Trusted Third Party
- Digital Wallet
- Physical or virtual device designed to securely store a small amount of sensitive information, usually credentials. Digital wallets can have a variety of forms, ranging from tamper-proof physical devices to simple programming libraries. An appropriate level of data protection mechanisms is expected to exist in all such forms; e.g. virtual wallets usually protect the data using a key or a passphrase.
Digital wallets are often used to store verifiable credentials or credentials for cryptocurrency schemes. The actual information that the wallet protects is usually a private or secret key associated with the credential.
- See also: Verifiable Credentials
- Directory Service
- A database intended as a store of simple objects, shared between applications. Directory services are often used to store identity data. The data are used by other applications, which access the directory service using a well-known protocol. Lightweight Directory Access Protocol (LDAP) is the most common protocol used to access directory services.
Directory services used to be the usual method of implementing the functionality of an identity data store. However, other databases and technologies are now also used to implement similar functionality.
- Alternative terms: Directory Server
- See also: Identity Data Store, Lightweight Directory Access Protocol
- Documented information
- Information required to be created and maintained by an organization, usually for the purposes of compliance. Documented information may be in the form of documents, documented processes, content of information systems, records of activities or any similar information.
- ISO 27000 term: documented information
- See also: Compliance, Audit trail
- Domain
- An environment under autonomous control. A domain is often an organization managing a set of information systems and databases, keeping the information consistent. However, it may also refer to a smaller information set within an organization, such as a single database or directory server.
Identifiers are often designed to be unique within a particular domain, such as an organization or a database.
- Alternative terms: Domain of applicability, Realm, Context, Scope
- ISO 24760 term: domain
- X.1252 term: domain
- See also: Digital Identity, Identifier, Internal context
- Effectiveness
- Effectiveness is a measure of the extent to which activities are realized and desired results are achieved.
- ISO 27000 term: effectiveness
- Enrollment
- A process of entering new identity data into a specific system (usually in a domain). Enrollment usually involves validation and verification of the information and its origin, such as verification of the identity assertion that relayed the information to the system.
The terms "enrollment", "registration" and "onboarding" overlap and are often used as synonyms. Strictly speaking, "enrollment" is the verification process, "registration" is the act of recording information into a data store, and "onboarding" is the complete business process making sure that a new person in an organization is well-equipped for activities within the organization.
- ISO 24760 term: enrollment
- X.1252 term: enrollment
- See also: Identity Registration, Onboarding, Identity Assertion
- Entitlement
- A privilege or right of access given to the user. An "entitlement" is a very overloaded term. It can be used to represent any kind of privilege, ranging from a very high-level business role to the finest filesystem permission in a specific system.
- In midPoint terminology: An entitlement is a resource object representing a privilege, access right, resource-side role, group or any similar concept. However, unlike an account, an entitlement does not represent a user.
- Alternative terms: Privilege, Access Right, Permission
- X.1252 term: privilege
- See also: Privileged entitlement, Static Entitlement
- Entity
- Being (such as a person or animal), thing, concept or anything else that has recognizably distinct existence. An entity is usually described by a set of characteristics, known as its identity. An entity can have several identities.
In some interpretations (usually legislation), "entity" is limited to natural and legal persons that are recognized in the context of the legislation, able to exercise rights and be subject to obligations.
- ISO 24760 term: entity
- X.1252 term: entity
- See also: Identity, Digital Identity
- Ephemeral Identifier
- An identifier used only for a very short duration. Ephemeral identifiers are usually valid only during a single session, or even during a single protocol exchange (e.g. authentication). Ephemeral identifiers are almost always randomly chosen. When ephemeral identifiers refer to a digital identity, they are effectively short-lived pseudonyms.
- ISO 24760 term: ephemeral identifier
- See also: Identifier, Pseudonym
- Event
- An event is a significant occurrence or change of circumstances. In cybersecurity, "event" usually means a negative action or occurrence, an incident such as a cyberattack. An event may have several causes and many consequences (outcomes). In a strict sense, an event can consist of something not occurring, e.g. a back-up procedure not running as planned.
- ISO 27000 term: event
- See also: Cybersecurity event, Consequence, Cyberattack
- External context
- Circumstances external to the organization, which affect the way an organization achieves objectives. It includes broad context, such as national and international environment, including regulatory, legal, technological, economic and natural aspects.
- Alternative terms: Global environment, Externalities
- ISO 27000 term: external context
- See also: Internal context
- Federated Identity
- Digital identity intended to be used in several domains, usually by the means of identity federation. Information about federated identity is transferred between domains, usually in a form of identity assertions exchanged between identity providers and relying parties.
- ISO 24760 term: federated identity
- See also: Identity Federation, Digital Identity
- Fine-Grain Authorization
- Authorization based on very detailed information, providing finer control within application operations. E.g. authorization to approve a transaction in an accounting system, with an amount up to a certain limit. Typically, fine-grain authorization requires detailed knowledge of both the user profile (attributes) and the operation context (operation name, parameters and their meaning). Due to this requirement, fine-grain authorization is often implemented directly in application code.
- See also: Authorization, Coarse-grain Authorization
- Focus
- In midPoint terminology: An object that is the focus of computation, an object central to midPoint computation. The focus is usually a user, but it can be a role, org or service. The focus is the center of a computation, the hub in the hub-and-spoke (star) data synchronization in midPoint. The "spokes" in the computation are represented by projections.
- Alternative terms: Focal Object
- See also: Assignment, Projection
- Fulfillment
- Fulfillment is a functionality of an identity management (IDM) system, making sure that users have appropriate access to systems. Simply speaking, this is the functionality that creates accounts, associates them with entitlements (e.g. groups), modifies passwords, enables/disables accounts and eventually deletes them. Fulfillment is the name used for identity provisioning together with deprovisioning and associated activities.
- Alternative terms: Provisioning/deprovisioning
- See also: Identity Management, Identity Management System, Identity Provisioning, Identity Deprovisioning, Manual Fulfillment
- Graph-Based Access Control (GBAC)
- Access control model based on a semantic graph modeling an organization. The organization is modeled as a semantic graph. Nodes represent organizational units, functional units (roles) and agents (users), edges represent relationships (e.g. membership, deputy). The model includes a query language, which is used to build the access control matrix.
- See also: Access Control, Relationship-Based Access Control
- General Data Protection Regulation (GDPR)
- General Data Protection Regulation 2016/679 (GDPR) is a European Union regulation on personal data protection and privacy. It defines rules for the processing of personal data in the European Union and the European Economic Area, with provisions of the regulation applicable to other parties as well.
- See also: Personal Data Protection
- Generic Synchronization
- Advanced model of synchronization where not only users and accounts are synchronized, but also groups to roles, organizational units to groups, roles to ACLs and so on.
- Governance, risk management and compliance (GRC)
- Governance, risk management and compliance (GRC) is a discipline that helps organizations to have more control over their processes and be more effective. Governance is the set of decisions and actions by which individual processes, as well as the whole organization, are led to achieve specific goals. Risk management identifies, predicts and prioritizes risks, with the aim of minimizing them or avoiding their negative influence on the organization's aims. Compliance means following certain rules, regulations or procedures. GRC software addresses all three parts in one solution. It is a very helpful tool for business executives, managers and IT directors. It makes it possible to define, enforce, audit and review policies governing the exchange of information between internal systems as well as with external ones.
- See also: Cybersecurity governance, Risk management, Compliance
- Governing body
- Governing body is a person or a group of persons who are responsible and accountable for the performance of an organization, mostly for the purposes of financial performance and regulatory compliance.
- ISO 27000 term: governing body
- See also: Compliance
- Holder
- An entity that holds credentials or claims, which usually describe the holder entity. In Triangle of Trust scenarios, the credentials/claims are issued by the issuer and verified by the verifier.
- See also: Principal, Subject, Triangle Of Trust, Issuer, Verifier, Trusted Third Party, Credential, Claim
- Identifier
- A value, or a set of values, that uniquely identifies an identity in a certain scope.
An identity usually has several identifiers, used in various situations and contexts. Identifiers may be compound, composed of several values.
- ISO 24760 term: identifier
- X.1252 term: identifier
- See also: Identity, Digital Identity, Digital Identity Attribute, Entity
- Identification
- A process of recognizing an identity as distinct from other identities in a particular scope or context. Identification is almost always performed by processing identifiers, using them to reference an identity in an identity database.
Identification is a process distinct from authentication. Authentication is a process of proving an identity (verification), whereas identification does not assume any such proof.
The term "identification" usually refers to the process of looking up identity data based on a simple identifier, such as a username or reference identifier. In some cases, the process of identification involves correlation, looking up or matching identity information in a more complex way. For example, a system may compare registration data entered by the user with the content of its identity database, in an attempt to determine whether such a user is already registered.
- ISO 24760 term: identification
- X.1252 term: identification
- See also: Digital Identity, Identifier, Authentication, Identity Correlation
- Identity
- The fact of being who or what a person or thing is. Set of characteristics, qualities, beliefs, behaviors and other aspects of an entity. Identity can be applied to persons, things, even intangible concepts, collectively known as entities. An entity can have several identities (often known as personas). In the context of information technologies, parts of identity can usually be represented in the form of a digital record, known as digital identity.
Identity should not be confused with identifier. Identity is a set of characteristics, while an identifier is a value used to refer to an identity.
- ISO 24760 term: identity
- X.1252 term: identity
- See also: Identifier, Digital Identity, Entity
- Identity and Access Management (IAM)
- Identity and access management (IAM) is a field concerned with managing identities (e.g. users) and their access to systems and applications. IAM is concerned with all aspects dealing with "identity", with many subfields that specialize in selected aspects. Access management (AM) deals especially with access to applications, including authentication and (partially) authorization. Identity governance and administration (IGA) deals with management of user data (e.g. user profiles), synchronization of identity data and application of policies. Other IAM subfields deal with storage of identity data, transfer of the data over the network and so on.
- See also: Identity Management, Identity Governance and Administration, Access Management, Identity Data Store
- Identity Assertion
- Statement made by an identity provider regarding properties or behavior of an identity. Assertions are used by relying parties. The most common assertion is perhaps the authentication assertion, relaying information about an authentication event from the identity provider to the relying party. Assertions may contain other information as well, usually identity attributes and authorization decisions.
- Alternative terms: Assertion, Claim
- ISO 24760 term: identity assertion
- X.1252 term: claim
- See also: Digital Identity Attribute, Identity Provider, Relying Party
- Identity-based Security
- Identity-based security is an approach to cybersecurity focused on the concept of identity. It places identities at the center of the cybersecurity mind-set, adjusting cybersecurity design and practices around identities. Identity-based security is concerned with the identity that initiates an action, or the identity that is responsible for an action, object or configuration. Simply speaking, identity-based security tries to make sure that access to a service or information is provided to a specific identity, and only to the identity that is entitled to such access. Identity-based security is not limited to the identity of persons. Identities of machines, services, devices, networks and similar technological and virtual concepts (non-human identities, NHI) are included as well.
Identity-based security relies on dynamic policies based on the identity of the actor, as well as the context of the operation or situation. Unlike traditional approaches, identity-based security is not fixed; it does not assume a static world where an operation is allowed once and for all, and stays allowed forever. Policies in identity-based security are dynamic; they are meant to be continuously applied, maintained, reviewed and improved, dynamically adapting to the environment and requirements.
Identity-based security is a fundamental foundation for the zero-trust approach.
Note: Identity-based security should not be confused with "identity security", which is a vastly overloaded term used mostly for marketing purposes.
- Alternative terms: Identity-first security, Identity-centric security, Identity-defined security, Identity defense in depth
- See also: Cybersecurity, Identity Governance and Administration, Zero trust, Identity Security
- Identity Correlation
- Process of comparing identity information with the aim of finding a matching identity. Correlation is usually employed during identity enrollment or registration, when a system determines whether the new identity is already known to the system. For example, a system may compare registration data entered by the user with the content of its identity database, in an attempt to determine whether such a user is already registered. If such a comparison involves simple and reliable identifiers (such as a username or employee number), it is called "identification". However, in many cases such identifiers are not available, and the system needs to combine several identifiers or employ sophisticated techniques to find a matching identity. Some identity correlation techniques involve probabilistic matching or machine learning methods to find suitable candidates, which are later reviewed by a human operator.
- Alternative terms: Identity Matching
- X.1252 term: correlation
- See also: Identification, Enrollment, Identity Registration, Identifier
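The distinction drawn in the Identification and Identity Correlation entries above, as an added, illustrative example (not any product's implementation): a lookup by a reliable identifier is tried first, and only when that fails does the system fall back to weighted multi-attribute matching that produces ranked candidates for a human reviewer. The identity database, attribute weights and thresholds are constructed assumptions.

```python
"""Added example of identity correlation (illustrative, not any product's
implementation): identification by a reliable identifier first, then
multi-attribute scoring that yields ranked candidates for human review."""
from dataclasses import dataclass, field

# Constructed sample identity database: records the system already knows.
IDENTITY_DB = [
    {"id": "u1", "employeeNumber": "E1001", "givenName": "Anna",
     "familyName": "Novak", "email": "anna.novak@example.com",
     "birthDate": "1985-03-02"},
    {"id": "u2", "employeeNumber": "E1002", "givenName": "Ana",
     "familyName": "Novakova", "email": "ana.n@example.com",
     "birthDate": "1985-03-02"},
    {"id": "u3", "employeeNumber": "E1003", "givenName": "Peter",
     "familyName": "Smith", "email": "peter.smith@example.com",
     "birthDate": "1990-11-17"},
]

# Assumed attribute weights (sum to 1.0); a real deployment would tune these.
WEIGHTS = {"email": 0.5, "familyName": 0.25, "givenName": 0.1, "birthDate": 0.15}
MATCH_THRESHOLD = 0.85   # exactly one candidate at or above this: confident match
REVIEW_THRESHOLD = 0.4   # below this a record is not even a candidate


@dataclass
class CorrelationResult:
    status: str                 # "identified", "matched", "review" or "new"
    candidates: list = field(default_factory=list)   # (score, record), best first


def _norm(value) -> str:
    return (value or "").strip().casefold()


def _name_similarity(a, b) -> float:
    """Deliberately simple: exact match, or one name is a prefix of the other."""
    a, b = _norm(a), _norm(b)
    if not a or not b:
        return 0.0
    if a == b:
        return 1.0
    return 0.6 if a.startswith(b) or b.startswith(a) else 0.0


def score(registration: dict, record: dict) -> float:
    """Weighted agreement between what the user entered and a known record."""
    total = 0.0
    for attr, weight in WEIGHTS.items():
        entered, known = registration.get(attr), record.get(attr)
        if attr in ("givenName", "familyName"):
            total += weight * _name_similarity(entered, known)
        elif _norm(entered) and _norm(entered) == _norm(known):
            total += weight
    return round(total, 3)


def correlate(registration: dict, db=IDENTITY_DB) -> CorrelationResult:
    # Step 1: identification, a lookup by a simple and reliable identifier.
    emp = _norm(registration.get("employeeNumber"))
    if emp:
        for rec in db:
            if _norm(rec.get("employeeNumber")) == emp:
                return CorrelationResult("identified", [(1.0, rec)])
    # Step 2: correlation over several attributes, ranked by score.
    ranked = sorted(((score(registration, r), r) for r in db),
                    key=lambda pair: pair[0], reverse=True)
    ranked = [pair for pair in ranked if pair[0] >= REVIEW_THRESHOLD]
    if not ranked:
        return CorrelationResult("new")
    confident = [pair for pair in ranked if pair[0] >= MATCH_THRESHOLD]
    if len(confident) == 1:
        return CorrelationResult("matched", confident)
    # Weak evidence, or more than one strong candidate: a human operator decides.
    return CorrelationResult("review", ranked)
```

Note that an unknown employee number does not short-circuit to "new": the registration still goes through attribute correlation, so a typo in a reliable identifier does not silently create a duplicate identity.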
- Identity Connector
- Usually a small and simple unit of code that connects to a remote system. The purpose of an identity connector is to retrieve and manage identity information, such as information about user accounts, groups and organizational units. Connectors are usually written for and managed by a particular connector framework.
- Alternative terms: Connector
- See also: Identity Connector Framework, ConnId
- Identity Connector Framework
- Generally speaking, a programming framework (library) for creating and managing identity connectors. However, this rather generic term often refers to the Identity Connector Framework (ICF), originally developed by Sun Microsystems in the 2000s. The ICF was released as an open source project by Sun, only to be abandoned after the Sun-Oracle merger. The ICF was the base for several forks, including ConnId and OpenICF.
- Alternative terms: Connector Framework, ICF
- See also: Identity Connector, ConnId
- Identity Data Source
- A system that is the source of identity data, usually data about users. The data are usually created and maintained in such systems manually. There are often multiple identity data sources in an organization with various characteristics. Some data sources are considered authoritative, providing reliable information about identities. Other data sources usually contain user-provided information, such as data entered by the user during registration process. Almost all data sources contain partial information only, information that is limited both in breadth (only some identity types) and depth (only some attributes). Data source may be an intermediary, providing information acquired from other systems.
- Alternative terms: Source System
- Identity Data Store
- A database designed and/or dedicated to storing identity-related data. An identity data store is usually shared among many applications; it is accessed by many systems reading the data. Applications read data from identity data stores, often using them for authorization, and sometimes even for authentication purposes. The structure of data in the data store is often application-friendly, containing pre-processed and derived information. An identity data store also usually contains entitlements, or similar information that can be used for authorization purposes. There are usually several identity data stores in an organization, managed and synchronized by an identity management system.
Traditionally, directory servers (such as LDAP servers) are used as identity data stores.
An identity data store is similar to an identity register, and in fact many identity data stores are identity registers. The difference is that an identity register has a more formal data structure, usually functioning as an authoritative data source, whereas an identity data store usually contains information copied from other systems, including application-friendly derived data. However, the exact boundary between the functions of identity register and identity data store is not precisely defined.
- Alternative terms: Identity Store, Identity Database, Directory Service
- See also: Identity Register
- Identity Deprovisioning
- Identity deprovisioning is, like identity provisioning, a subfield of Identity and Access Management (IAM). It is the opposite of identity provisioning. While identity provisioning takes care of creating new accounts, determining the roles for individual users and their rights, or making changes to them, deprovisioning works the other way round. When an employee leaves the company, their account is deactivated or deleted and they lose all access to both internal and external systems. This way the organization minimizes information theft and stays secure. Identity provisioning together with deprovisioning and associated activities is known as "fulfillment".
- Alternative terms: Deprovisioning, Revocation
- See also: Fulfillment
- Identity Evidence
- Data and documents that support verification of identity data (identity proofing). Identity evidence is used in identity proofing process to achieve higher level of assurance of identity information.
- Alternative terms: Evidence of Identity, Identity Proof
- ISO 24760 term: identity evidence
- See also: Identity Proofing, Level of Assurance, Verification, Digital Identity Attribute
- Identity Federation
- Identity federation is an agreement between several domains, specifying the details of the exchange and use of shared identity information. The information in an identity federation is usually transferred by means of identity assertions, exchanged between identity providers and relying parties.
From the user's point of view, identity federation is a process of sharing the user's identification and personal data between multiple systems and organizations, so the user does not have to register with each organization separately and can seamlessly access systems in the federated organizations.
- ISO 24760 term: identity federation
- X.1252 term: federation
- See also: Domain, Federated Identity, Identity Assertion, Identity Provider, Relying Party
- Identity Governance
- Business aspect of managing identities including business processes, rules, policies and organizational structures. Any complete solution for management of identities consists of two major parts – identity governance and identity management. Identity governance is primarily concerned with establishing and maintaining policies and rules, while identity management is implementing such policies. As such, identity governance is closer to high-level business environment, while identity management is concerned mostly with underlying technology.
- Alternative terms: Governance
- See also: Identity Governance and Administration, Governance, risk management and compliance, Identity Management
- Identity Information Authority (IIA)
- ISO 24760 term, referring to an entity related to a particular domain that can make provable statements on the validity and/or correctness of one or more attribute values in an identity.
- ISO 24760 term: identity information authority
- See also: Identity Provider, Domain
- Identity Lifecycle
- Set of identity stages from creation to its deactivation or deletion. It contains creation of an account, assignment of correct groups and permissions, setting and resetting passwords and in the end deactivation or deletion of the account.
- Alternative terms: Identity lifecycle management
- Identity Management (IDM)
- Identity Management (IDM) is a process of managing digital identities and their accesses to specific resources in the cyberspace. It ensures appropriate access in appropriate time and helps to manage user accounts as well as to synchronize data. Identity management deals with digital identity lifecycle, managing values of digital identity attributes and entitlements.
- Alternative terms: Identity Administration, User management, User provisioning
- ISO 24760 term: identity management
- X.1252 term: identity management
- See also: Access Management, Identity Lifecycle, Identity Provisioning, Identity Governance and Administration, Digital Identity, Digital Identity Attribute
- Identity Management System (IDMS)
- A system that provides identity management functionality: it manages identities and their access to specific resources in cyberspace. It ensures appropriate access at the appropriate time and helps to manage user accounts as well as to synchronize data.
Identity management (IDM) systems are concerned with the "management" side, maintaining user data, policies, roles, entitlements and so on. IDM systems usually do not "apply" or enforce the policies. The policies are transformed as needed and provisioned to other systems (a.k.a. "target systems") that interpret and enforce them. The process of provisioning (and "deprovisioning") data and policies is known as "fulfillment".
In a broad sense, IDM systems are used to manage the policies and data in all connected systems in the organization. IDM systems make sure that the data are consistent, that all the policies are applied, that user profile data are up-to-date, detecting and removing illegal access and generally keeping all identity-related information in order across all the systems.
Note: The ISO 24760 definition seems to include identification and authentication as functions of identity management systems. While almost all IDM systems implement such functions, they are mostly used for internal purposes, e.g. for system administration access. IDM systems usually do not provide identification and authentication services to other systems. The ISO 24760 definition is closer to the definition of an identity and access management (IAM) system. However, in practice complete IAM functionality is usually provided by a combination of several systems.
- Alternative terms: IDM System, Provisioning System, User Provisioning System
- ISO 24760 term: identity management system
- See also: Identity Management, Identity Lifecycle, Identity Provisioning, Identity Governance and Administration
- Identity Proofing
- Verification of evidence to make sure that identity information is true and up-to-date. Identity proofing is used to achieve a higher level of assurance of identity information.
Identity proofing should not be confused with authentication. Identity proofing is used to establish the link between identities and/or subjects/entities. However, identity proofing does not necessarily provide assurance that the entity currently interacting with a service is in fact the same entity that was initially established.
- Alternative terms: Initial Entity Authentication
- ISO 24760 term: identity proofing
- X.1252 term: identity proofing
- See also: Digital Identity Attribute, Level of Assurance, Linkability, Authentication
- Identity Provider (IdP)
- System that provides identity-related information to applications (known in this context as the "relying party" or "service provider"). Such information usually includes user identifiers (which may be ephemeral), user name(s) and affiliation. The information is usually provided in the form of identity assertions (claims).
Identity providers often authenticate the users. In that case, identity providers usually include information describing the authentication, such as a statement that the user was authenticated and an indication of the authentication mechanism strength. The identity provider authenticates the users in its own capacity; it never reveals the user's credentials to the application (relying party). In fact, many identity providers are focused on authentication only, providing only very minimal identity information (often just a single identifier), in which case the authentication-related information forms the most important part of the provided information. Such identity providers effectively work as cross-domain single sign-on (SSO) systems.
Although most identity providers include user authentication, there are also providers that do not (directly) authenticate the users, sometimes called "attribute providers". An identity provider may also provide additional information about the user to the application, such as user attributes and entitlements.
An identity provider is often managed by a different organization than the relying applications (service providers), thus providing a cross-domain identity mechanism. Typical protocols and frameworks used by identity providers include SAML, OpenID Connect and CAS.
- ISO 24760 term: identity information provider
- X.1252 term: identity service provider
- See also: Relying Party, Identity Federation, Cross-domain, Identity Assertion
- Identity Provisioning
- In a broad sense, identity provisioning is a subfield of Identity Management (IDM), concerned with the technical aspects of creating user accounts, groups and other objects in target systems. It is the technology thanks to which many identity stores are synchronized, merged and maintained. Identity provisioning takes care of technical tasks during the whole user lifecycle: when a new employee is hired, when their responsibilities change or when they leave the company (deprovisioning). It helps the organization to work more effectively, as its goal is to automate as much as possible.
The provisioning system usually takes information about employees from the Human Resources (HR) system. When a new employee is recorded in the HR system, this information is detected and pulled by the provisioning system. It is then processed to determine the set of roles each user should have. These roles determine and create the accounts users should have, so everything is ready for new users on their very first day. If a user is transferred to another department or their privileges change, similar processes happen again. If an employee leaves the company, the identity provisioning system makes sure all their accounts are closed.
In a specific sense, identity provisioning means the process of creating accounts, assigning entitlements and similar actions, making sure a user has appropriate access to information systems. Identity provisioning together with deprovisioning and associated activities is known as "fulfillment".
- Alternative terms: User provisioning, Provisioning
- See also: Identity Management, Identity Lifecycle, Fulfillment
- Identity Register
- A repository (database) of identity information, usually structured in a formal manner. Identity registers are almost always indexed using a reference identifier. They are usually designed for the specific purpose of being an authoritative data source for other systems.
An identity register is similar to an identity data store, and in fact many identity registers function as identity data stores. The difference is that an identity data store has a less formal, usually application-friendly data structure, containing pre-processed and derived information. Identity data stores also usually contain entitlements, or information that can be used for authorization purposes. However, the exact boundary between the functions of an identity register and an identity data store is not precisely defined.
- Alternative terms: IMS Register, Reference Register
- ISO 24760 term: identity register
- See also: Identity Registration, Reference Identifier, Identity Data Source, Identity Data Store
- Identity Registration
- A process of recording new identity data into an identity register or identity data store. The registration process may involve storing the information in several distinct data stores or registers. The recording may be indirect, e.g. mediated by the synchronization process of an identity management system.
Informally, the registration process often involves the data acquisition process as well, such as asking the user for the data using a form.
The terms "enrollment", "registration" and "onboarding" overlap and are often used as synonyms. Strictly speaking, "enrollment" is the verification process, "registration" is the act of recording information into a data store, and "onboarding" is the complete business process making sure that a new person in an organization is well-equipped for activities within the organization.
- Alternative terms: Registration
- ISO 24760 term: identity registration
- X.1252 term: registration
- See also: Enrollment, Onboarding, Identity Register, Identity Data Store
- Identity Resource
- In the IAM field, a resource is usually a network-accessible asset capable of managing identity information.
- In midPoint terminology: A resource is a system that is either an identity data source or a provisioning target. The IDM system (midPoint) manages accounts in that system, feeds data from that system, or performs any other combination of identity management operations. An identity resource should not be confused with a "web resource" as used by RESTful APIs.
- Alternative terms: Provisioning Resource, Resource
- See also: Resource, Identity Connector
- Identity Security
- Identity security is a vastly overloaded term, usually used for marketing purposes. Depending on the entity describing "identity security", its meaning can range from low-level network security to high-level identity governance. The common motif seems to be a focus on securing the identities, whether they represent persons, services or devices, which is a very broad and vague description. Overall, "identity security" does not bring any significant new concept or approach; it is mostly a marketing description of pre-existing technology and methods.
Identity security should not be confused with identity-based security, which is a valid approach to cybersecurity.
- See also: Identity-based Security, Identity Governance and Administration
- Identity Vigilance
- Identity vigilance is the practice of appropriate and responsible management of identity data. It includes proper synchronization of data among information systems and databases, identification of duplicates, handling of data inconsistencies, application of privacy protection, and all other practices necessary to ensure that the data are always correct, up to date and protected. Identity vigilance is especially important in healthcare, where patient mis-identification or data errors may lead to fatal consequences.
- See also: Identity Governance and Administration
- Identity Governance and Administration (IGA)
- Identity governance and administration (IGA) is a subfield of identity and access management (IAM) dealing with the management and governance of identity-related information. IGA systems store, synchronize and manage identity information, such as user profiles. Complex data, entitlement and governance policies can be defined and applied to identity data. IGA systems are responsible for evaluating the policies, making sure the data are compliant, and addressing policy violations. IGA is often considered an umbrella term covering identity management, identity governance, compliance management, identity-based risk management and other aspects related to the management of identities. Identity Governance and Administration (IGA) includes both the technical and business aspects of identity management.
IGA provides the basic foundational platform for identity-based security, the zero trust approach, and many other cybersecurity techniques and approaches.
- Read more ...
- See also: Identity Management, Identity Governance, Governance, risk management and compliance, Identity and Access Management, Identity-based Security
- Inducement
- In midPoint terminology: An inducement is an indirect representation of an assignment, a relation that assigns privileges, organizational membership, policy elements or other midPoint concepts to assignment holder objects (usually users). An inducement has the same data structure as an assignment and very similar functionality. However, while an assignment represents a direct relation, an inducement is indirect. For example, an assignment can be used to assign an account or a group membership directly to a user. An inducement can provide the same functionality, but it is usually placed in a role. As the role is assigned (using an assignment) to the user, the inducements placed in the role are indirectly applied to the user.
- Read more ...
- See also: Assignment, Role
- Information classification
- In midPoint terminology: Information classification is a process in which organizations assess their data and systems with regard to the necessary level of protection. The information is classified by assigning information _labels_ or _classifications_ to individual assets, such as databases, filesystems, applications or even individual files.
- Read more ...
- Alternative terms: Information labeling, Labeling
- Information need
- In midPoint terminology: Information need is the information necessary to perform a certain activity or task. It is often the basis of the "least privilege" principle: providing users with the minimum necessary information and access.
- Alternative terms: As-needed basis
- ISO 27000 term: information need
- See also: Least Privilege Principle
- Information processing facilities
- In midPoint terminology: Information processing facilities are all systems processing and storing information, including services, infrastructure and the physical locations housing them. They include hardware, software, networks and all equipment necessary to operate them.
- ISO 27000 term: information processing facilities
- See also: Information system
- Information system
- In midPoint terminology: Information systems are technological systems and applications built for processing and storing information. Information systems include hardware, software, networks and all equipment necessary to operate them. In some contexts, the "system" also includes the technological and physical environment (e.g. a network) as well as the information (data) processed by the system.
- ISO 27000 term: information system
- See also: Information processing facilities
- Integrity
- Integrity is a property of data or of a communication channel, stating that the data or the content of the channel were not modified in an unintended way. In other words, it is a property ensuring that data are received in exactly the same form as they were transmitted, without any modification or tampering.
Integrity, together with confidentiality and availability, forms the "CIA triad", a classical model of information security (cybersecurity).
- Alternative terms: Data integrity, Integrity of communication
- ISO 27000 term: integrity
- See also: Confidentiality, Availability
- Interested party
- A person or organization that can affect, be affected by, or perceive itself to be involved in or affected by a decision, activity or event. The term "stakeholder" usually describes a person or organization that holds a "stake" in an activity, such as the investors or directors of an organization.
- Alternative terms: Stakeholder
- ISO 27000 term: interested party
- Internal context
- Circumstances internal to the organization that affect the way the organization achieves its objectives. It includes all internal parts and mechanisms of an organization, such as governance, organizational structure, management hierarchy, policies, objectives, responsibilities, resources and capabilities.
- Alternative terms: Local environment, Internals
- ISO 27000 term: internal context
- See also: External context, Domain
- Information security management system (ISMS)
- An information security management system (ISMS) is a set of policies and procedures for systematically managing the cybersecurity of an organization. An ISMS includes risk assessment, risk treatment (implementation of controls), risk communication and incident response. Management of cybersecurity is a continuous, never-ending effort, which is meant to be constantly improving. Cybersecurity governance establishes and maintains the rules and policies for the ISMS, and provides oversight and consistent improvement of ISMS processes.
- Alternative terms: Cybersecurity management system
- See also: Cybersecurity, Cybersecurity governance, Risk assessment, Risk treatment, Risk communication
- Issuer
- An entity that issues credentials or claims, usually describing another entity (the holder). In triangle of trust scenarios, the issuer is considered to be a trusted third party.
- See also: Triangle Of Trust, Holder, Verifier, Trusted Third Party, Credential, Claim
- Joiner-Leaver Processes
- Joiner-leaver processes are human resources (HR) processes handling employees joining and leaving the organization. They are constrained versions of joiner-mover-leaver processes that do not consider the movement of employees within the organizational structure.
- Alternative terms: Joiners and Leavers
- See also: Joiner-Mover-Leaver Processes, Onboarding, Offboarding
- Joiner-Mover-Leaver Processes (JML)
- Joiner-mover-leaver (JML) processes are human resources (HR) processes handling employees joining the organization, moving within the organizational structure, and leaving the organization. The JML process can be understood as handling the events of the employee lifecycle from the point of view of organizational and business processes. Generally speaking, this process is not limited to employees. However, when similar processes are applied to other types of persons (students, contractors), they are often referred to as "on-boarding" and "off-boarding".
JML processes are (manual) business processes in their nature. Despite that, they are important for identity management, as they provide the contextual framework for identity management technology to fit in. Moreover, identity management deployments usually automate some parts of the JML processes.
- Alternative terms: Joiners, Movers and Leavers
- See also: Onboarding, Offboarding, Joiner-Leaver Processes
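The HR-driven provisioning flow described under Identity Provisioning above, run through the joiner, mover and leaver events of the JML process, as an added example in Python. This is not midPoint's own code or data model: the departments, roles, resources and entitlements are constructed, and the role-to-account mapping stands in for whatever policy a real IDM system would evaluate. The engine derives roles from the HR record, expands roles into the accounts they imply, and emits the create/disable actions needed to move the user from the current state to the expected one.

```python
"""Added example (not midPoint code): HR-driven provisioning across the
joiner-mover-leaver lifecycle with a constructed role and account model."""
from dataclasses import dataclass, field

# Constructed policy: department -> roles, and role -> (resource, entitlement) pairs.
ROLES_BY_DEPARTMENT = {
    "finance": {"employee", "finance-user"},
    "engineering": {"employee", "developer"},
}
ACCOUNTS_BY_ROLE = {
    "employee": {("ad", "Domain Users"), ("mail", "mailbox")},
    "finance-user": {("erp", "finance-ro")},
    "developer": {("gitlab", "developers")},
}


@dataclass
class HrRecord:
    """One snapshot of an employee as pulled from the (constructed) HR feed."""
    employee_id: str
    department: str
    active: bool = True


@dataclass
class UserState:
    """What the IDM system currently believes the user holds."""
    roles: set = field(default_factory=set)
    accounts: set = field(default_factory=set)   # set of (resource, entitlement)


def derive_roles(record):
    """Leavers get no roles at all; everyone else gets roles by department,
    falling back to the baseline 'employee' role for unknown departments."""
    if not record.active:
        return set()
    return set(ROLES_BY_DEPARTMENT.get(record.department, {"employee"}))


def expected_accounts(roles):
    """Expand roles into the full set of accounts/entitlements they imply."""
    wanted = set()
    for role in roles:
        wanted |= ACCOUNTS_BY_ROLE.get(role, set())
    return wanted


def reconcile(state, record):
    """Compute the provisioning actions that move `state` to what the HR record
    implies, apply them to `state`, and return them as a sorted list of
    (action, resource, entitlement) tuples."""
    new_roles = derive_roles(record)
    wanted = expected_accounts(new_roles)
    actions = []
    for resource, entitlement in sorted(wanted - state.accounts):
        actions.append(("create", resource, entitlement))
    for resource, entitlement in sorted(state.accounts - wanted):
        # Deprovisioning disables rather than deletes, keeping an audit trail.
        actions.append(("disable", resource, entitlement))
    state.roles = new_roles
    state.accounts = wanted
    return actions


def run_lifecycle(events):
    """Feed a sequence of HR records for one person; return actions per event."""
    state = UserState()
    return [reconcile(state, event) for event in events]


if __name__ == "__main__":
    joiner = HrRecord("e100", "finance")
    mover = HrRecord("e100", "engineering")
    leaver = HrRecord("e100", "engineering", active=False)
    for step, actions in zip(("joiner", "mover", "leaver"), run_lifecycle([joiner, mover, leaver])):
        print(step, actions)
```

The mover step is the interesting one: the account implied only by the old department is disabled while the baseline accounts are untouched, which is exactly the "similar processes happen again" behaviour the Identity Provisioning entry describes.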
- Lightweight Directory Access Protocol (LDAP)
- Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol (RFC 4510) for accessing directory services.
- See also: Directory Service, Identity Data Store
- Level of Assurance (LoA)
- A measure of the reliability of identity information. Information with a low level of assurance is usually user-provided information that was not verified in any significant way. Higher levels of assurance are usually achieved by identity proofing, a process of verifying the information. The level of assurance is usually stored as metadata describing the specific value that was verified.
- X.1252 term: assurance level
- See also: Digital Identity Attribute, Identity Proofing, Metadata
- Least Privilege Principle
- A principle of information security stating that each user should have the least privilege necessary to carry out their activities. In other words, there should be no over-provisioning (over-permissioning) of users. The principle is often implemented by a "default deny" approach: everything is denied by default, and every access has to be explicitly allowed.
Adherence to the principle of least privilege is generally accepted as a best practice in information security, as it minimizes overall risk by keeping the extent of privileges as low as possible. However, due to complexity, maintenance effort and other factors, strict adherence to the principle is surprisingly difficult to achieve.
- Alternative terms: Principle of Least Privilege, PoLP, Default deny
- See also: Over-provisioning, Information need
- Linkability
- The ability to determine that two digital identities represent the same entity, or that a digital identity represents a particular (real-life) subject. Linkability is usually deterministic, based on a reliable identifier. Identity proofing is a mechanism to reliably establish the link.
- X.1252 term: linkability
- See also: Identity Correlation, Digital Identity, Identity Proofing
- Management
- Management is a broad set of systematic activities, methods and other means to direct and control activities in an organization in order to achieve its objectives. It is meant to provide an efficient, systematic method of achieving objectives, one that can be controlled and monitored. Management operates within the constraints set by governance activities. While governance is the process of establishing policies and rules, management is concerned with the efficient implementation of activities within the established rules.
- Alternative terms: Management system
- ISO 27000 term: management system
- See also: Information security management system, Identity Management, Cybersecurity governance
- Manual Fulfillment
- A manual process of creating, updating and deleting accounts, entitlements and similar objects, driven by an identity management system but executed by a human operator. Manual fulfillment is initiated by the identity management system, usually as a consequence of a change in user privileges or policies. The identity management system creates a ticket for system administrators containing instructions to create, modify or delete an account or entitlement in a specific information system. The actual action is executed manually by the system administrator. Manual fulfillment is used for systems for which an automatic identity connector is not available.
- Alternative terms: Manual Provisioning/deprovisioning, Manual resource, Manual connector
- See also: Fulfillment, Identity Provisioning, Identity Deprovisioning, Identity Connector
- Memorized Secret Authenticator
- A memorized secret authenticator is a secret value intended to be memorized by the user and used during authentication. Passwords and PINs are the most common types of memorized secret authenticators. Memorized secrets are used for the "something you know" type of authentication.
- Alternative terms: Something you know
- See also: Authenticator, Password, Personal identification number
- Metadata
- Data about data. Metadata describe properties of data, such as how the data were acquired (a.k.a. "provenance"), how reliable the data are (e.g. level of assurance), and so on.
- Alternative terms: Meta-data, Meta data
- See also: Data Origin, Data Provenance, Level of Assurance
- Multi-factor authentication (MFA)
- Multi-factor authentication (MFA) is a composite mechanism combining several independent authentication factors in a single authentication session. MFA is meant to counteract the weaknesses of individual credential types: what-you-know credentials (such as passwords) are easily phished, while what-you-have credentials may be lost or stolen. Multi-factor authentication addresses the problem by combining several credential types, making the combined authentication stronger.
- See also: Authentication, Credential
- Microcertification
- Microcertification is a form of access certification (access review) limited to a single user or privilege. The basic idea of microcertification is to limit the huge effort associated with traditional certification campaigns. Microcertifications are usually triggered automatically by specific events, such as the re-assignment of a user within the organizational structure, or an increase in the user's overall risk above a tolerable threshold.
- See also: Access Certification, Least Privilege Principle, Over-provisioning
- Minimal Disclosure
- A principle stating that only the minimal amount of information required to perform a specific function or provide a service is disclosed. The minimal disclosure principle is often applied in cross-domain data transfer, such as when using identity providers or identity federations. Only the information required to perform the service is disclosed to the other party; no extra information is provided.
- Alternative terms: Minimal Disclosure of Personal Information
- ISO 24760 term: minimal disclosure
- See also: Digital Identity, Personal Data Protection, Privacy, Identity Provider, Identity Federation, Selective Disclosure
- Monitoring
- A systematic effort to continuously determine the status of a process, system or activity.
- ISO 27000 term: monitoring
- Mutual Authentication
- An authentication process in which all involved parties authenticate to all other parties. It is usually a two-sided process, where both sides of a connection authenticate to each other, i.e. the server authenticates to the client and the client authenticates to the server.
- X.1252 term: mutual authentication
- See also: Mutual Authentication
- Near miss
- An event that could have compromised the security of systems, data or services, but did not materialise.
- See also: Cyberattack, Cybersecurity incident
- Next Generation Access Control (NGAC)
- A graph-based mechanism for managing user access to information systems. NGAC specifies a directed acyclic graph for users and the concepts related to them (e.g. organizational units), and a separate directed acyclic graph for objects and the concepts related to them (e.g. folders). Access control decisions are reached by evaluating the two directed acyclic graphs with respect to policy classes and operations specified as relations between the graphs. NGAC is specified in NIST publications (e.g. INCITS 499: Information technology - Next Generation Access Control - Functional Architecture).
- See also: Access Control, Relationship-Based Access Control
- Non-compliance
- State of non-fulfilment of a requirement, such as violation of a requirement stated in a policy, regulation or standard.
- Alternative terms: Noncompliance, Nonconformity, Violation
- ISO 27000 term: nonconformity
- Non-repudiation
- Non-repudiation is the ability to prove that an event happened, including proof of the originating parties. It is a property of a system protecting against denial by one of the parties: the involved parties cannot deny that an action took place.
- X.1252 term: non-repudiation
- ISO 27000 term: non-repudiation
- Objective
- Intended result of an activity or process.
- Alternative terms: Goal
- ISO 27000 term: objective
- Offboarding
- A business process that takes place when a person leaves an organization. The aim of offboarding is to make sure that the person no longer has access to the sensitive data and premises of the organization. From the IT point of view, this often means identity deprovisioning, i.e. deactivation of user accounts in various applications, databases and identity data stores. This process is often automated using an identity management system. However, a complete offboarding process is usually more complex, including non-IT steps such as returning the provided equipment.
- Alternative terms: Off-boarding
- See also: Identity Deprovisioning, Joiner-Mover-Leaver Processes
- Onboarding
- A business process that takes place when a new person enters an organization. The aim of onboarding is to make sure that the person is well-equipped for any tasks and activities within the organization. From the IT point of view, this often means identity provisioning, i.e. creation of user accounts in various applications, databases and identity data stores. This process is often automated using an identity management system. However, a complete onboarding process is usually more complex, including non-IT steps such as providing the person with appropriate equipment and training.
The terms "enrollment", "registration" and "onboarding" overlap and are often used as synonyms. Strictly speaking, "enrollment" is the verification process, "registration" is the act of recording information into a data store, and "onboarding" is the complete business process making sure that a new person in an organization is well-equipped for activities within the organization.
- Alternative terms: On-boarding
- See also: Enrollment, Identity Registration, Identity Provisioning, Joiner-Mover-Leaver Processes
- Open Source (OSS)
- The meaning of this term is very simple: it is something people can wilfully modify according to their own needs or wishes. The term was first known in the context of software whose code was publicly exposed and available for modification. Later, open source spread widely: there are open source projects, products, participations and many others.
Many organizations and people choose open source software because it is considered to be more secure and grants people more control over it. This software can also be more stable, as many other people may contribute their own ideas, correct it or improve it.
Open source products are free, and the creators usually charge other organizations for support or for software services such as implementation or deployment.
- Alternative terms: Open Source Software, FOSS, Free and Open Source Software
- Org
- In midPoint terminology: Org is a type of midPoint object that represents various forms of organizational units and structures. An org can represent a company, division, section, project, team, research group or any other grouping of identities. Orgs are not limited to grouping people; they can be used to group most midPoint objects (any assignment holder object).
- Read more ...
- See also: Organization, Organizational Structure
- Organization
- An organization is an entity, usually representing a group of people, that has its own objectives and methods to achieve them. Organizations may or may not be legal entities.
- ISO 27000 term: organization
- See also: Org, Organizational Structure
- Organizational Structure
- A hierarchical arrangement of authority, rights or duties in an organization. It determines the assignment, control or coordination of roles, responsibilities and power. The character of the organizational structure is highly dependent on the organization's strategy and goals.
The theme of organizational structure is closely linked to identity management. Organizing the company into this structure, assigning rights to individuals, working groups or projects, and controlling everything from one place: these are the advantages that any high-quality IDM solution is supposed to provide.
- See also: Organization, Org
- Orphan Account
- An account without an owner, i.e. an account that does not seem to belong to anybody. In identity management, each account is supposed to have an owner, a user to whom the account belongs. An account without an owner is considered to be "orphaned", and it is usually deprovisioned (disabled or deleted).
Orphan accounts often originate as testing accounts that are not deleted after the testing is done. They may also belong to former users but were not properly deleted or disabled. Orphan accounts are almost always a security risk, especially testing accounts with weak passwords. Most identity management systems have processes that scan systems for orphan accounts.
- Alternative terms: Orphan, Orphaned Account
- See also: Account, User, Reconciliation
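The orphan scan mentioned above, as an added Python example that is not midPoint's reconciliation code. It assumes a constructed model: accounts listed on a resource, users known to the IDM system, and a link table mapping accounts to owners. An account is flagged as orphaned when nobody is linked to it, when the link points to a user that no longer exists, or when the linked owner is no longer active (the "former user" case); the resulting plan disables rather than deletes, and puts test-looking accounts first because the entry above singles them out as the weak-password risk.

```python
"""Added example (not midPoint code): reconciliation pass that classifies
resource accounts as linked or orphaned and proposes a deprovisioning plan."""
from collections import namedtuple

# Constructed data model.
Account = namedtuple("Account", "resource name")
User = namedtuple("User", "id status")      # status: active / disabled / deleted


def classify_accounts(accounts, users_by_id, links):
    """Return {(resource, name): verdict}. `links` maps (resource, account
    name) to the owning user id as recorded by the IDM system."""
    verdicts = {}
    for acc in accounts:
        key = (acc.resource, acc.name)
        owner_id = links.get(key)
        if owner_id is None:
            verdicts[key] = "orphan:unlinked"          # nobody claims it
        elif owner_id not in users_by_id:
            verdicts[key] = "orphan:owner-missing"     # link points at a deleted user
        elif users_by_id[owner_id].status != "active":
            verdicts[key] = "orphan:owner-inactive"    # former user, never fully offboarded
        else:
            verdicts[key] = "linked"
    return verdicts


def looks_like_test_account(name):
    """Constructed naming heuristic; real deployments tune this per resource."""
    lowered = name.lower()
    return lowered.startswith(("test", "tmp", "demo")) or lowered.endswith("-test")


def deprovisioning_plan(verdicts):
    """Turn verdicts into an ordered list of (resource, name, action, reason).
    Orphans are disabled, not deleted, so a wrong classification is recoverable;
    test-looking accounts are handled first."""
    plan = []
    for (resource, name), verdict in verdicts.items():
        if verdict == "linked":
            continue
        priority = 0 if looks_like_test_account(name) else 1
        plan.append((priority, resource, name, "disable", verdict))
    plan.sort()
    return [(res, name, action, why) for _, res, name, action, why in plan]


def demo():
    """Constructed sample: four accounts on an LDAP resource, two known users."""
    accounts = [Account("ldap", "jdoe"), Account("ldap", "test01"),
                Account("ldap", "bsmith"), Account("ldap", "svc-backup")]
    users = {"u1": User("u1", "active"), "u2": User("u2", "disabled")}
    links = {("ldap", "jdoe"): "u1", ("ldap", "bsmith"): "u2",
             ("ldap", "svc-backup"): "u9"}     # u9 was deleted from the IDM
    verdicts = classify_accounts(accounts, users, links)
    return verdicts, deprovisioning_plan(verdicts)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```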
- Outsourcing
- Outsourcing is a practice of delegating functions, tasks and responsibilities to an external organization.
- ISO 27000 term: outsource
- Over-provisioning
- A situation in which an identity has more privileges than are necessary for the tasks the identity is supposed to carry out.
Over-provisioning is generally undesirable, as it is a violation of the least privilege principle and introduces unnecessary risk. However, it is a common occurrence, mostly due to the high complexity of access control models, limited visibility, the huge effort of privilege maintenance, or a lack of appropriate security management practices.
- Alternative terms: Over-permissioning, Over-privileged Access, Excessive Access, Excessive Privilege
- See also: Identity Provisioning, Identity Deprovisioning, Under-provisioning
- Policy Administration Point (PAP)
- A functional component responsible for specifying, managing and maintaining the policy. The "policy" usually refers to an access control and/or authorization policy. The PAP is the administrative point that creates and manages the policy; the policy is then stored at the policy retrieval point (PRP). Policy administration points can be part of applications, or they may be provided by dedicated infrastructure components (identity management and governance components). The PAP specifies the policy, usually as a result of interaction with an administrator by means of a user interface. The PAP does not make policy decisions or enforce them; those are the responsibilities of the policy decision point (PDP) and the policy enforcement point (PEP), respectively.
Note: The acronym PAP may also refer to Policy Access Point, an alternative name for Policy Retrieval Point (PRP), which makes the terminology somewhat confusing.
- Alternative terms: Policy Management Point
- See also: Authorization, Access Control, Policy Enforcement Point, Policy Decision Point, Policy Information Point, Policy Retrieval Point, Identity Governance and Administration
- Passkey
- A passkey is a type of strong digital credential, used to authenticate a user to information systems, identity providers and applications. Passkeys are based on public key cryptography, making them relatively strong and secure. They may be provided in hardware form (e.g. a small USB device) or managed entirely in software (e.g. a mobile application). Passkeys are bound to each website or application, making them phishing-resistant.
- See also: Credential, Personal identification number
- Password
- A password is a type of (usually weak) digital credential, meant to be secret and known only to a single user. Passwords are memorized secret authenticators, usually selected by users and meant to be remembered. Therefore, they are often short strings in a human-friendly form, such as simple words or names. The simplicity of passwords makes them vulnerable to dictionary attacks. More recently, passwords are randomly generated and managed by password management applications. However, even randomly generated passwords may still be vulnerable to phishing attacks. Therefore, organizations are moving towards authentication methods that do not depend on passwords (e.g. passkeys), or are deploying multi-factor authentication schemes.
- Alternative terms: Passcode
- See also: Authenticator, Memorized Secret Authenticator, Credential, Password Management, Password policy, Passkey
- Passwordless authentication
- Passwordless authentication is authentication that does not use passwords or similar knowledge-based credentials. It is usually considered to be a stronger form of authentication than the usual password-based authentication. Passwordless authentication mechanisms usually rely on public-key cryptography.
- Alternative terms: Passwordless
- See also: Authentication, Password, Passkey, Multi-factor authentication
- Password policy
- A password policy constrains the selection and use of passwords with the aim of making them more secure. It almost always sets requirements for password complexity, such as the minimal length of passwords and the character classes used in the password (e.g. letters, numbers, punctuation). Password policies often specify constraints on password lifetime, such as password expiration intervals.
- Alternative terms: Password complexity policy
- See also: Password, Password Management
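A policy evaluator of the kind the Password policy entry describes, as an added Python example (not midPoint's password policy implementation). It checks the three constraint types named above, minimal length, character classes and expiration interval, and adds the dictionary check that the Password entry motivates. The thresholds and the tiny word list are constructed; a real deployment would load a large dictionary and take the limits from the organization's policy.

```python
"""Added example (not midPoint code): evaluate a password against a constructed
policy and return every violation found, so the caller can report all of them."""
import string
from datetime import date, timedelta

# Constructed policy values.
POLICY = {"min_length": 12, "min_classes": 3, "max_age_days": 365}
# Constructed word list standing in for a real dictionary.
COMMON_WORDS = {"password", "welcome", "summer", "admin", "letmein"}


def character_classes(pw):
    """Count how many of the four classes (lower, upper, digit, punctuation) appear."""
    classes = 0
    classes += any(c in string.ascii_lowercase for c in pw)
    classes += any(c in string.ascii_uppercase for c in pw)
    classes += any(c in string.digits for c in pw)
    classes += any(c in string.punctuation for c in pw)
    return classes


def dictionary_hit(pw):
    """Strip the usual leading/trailing digits and punctuation so that
    'Summer2024!' is still recognised as the dictionary word 'summer'."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core in COMMON_WORDS


def evaluate(pw, last_changed, today, policy=POLICY):
    """Return a list of violation codes; an empty list means compliant."""
    violations = []
    if len(pw) < policy["min_length"]:
        violations.append("too-short")
    if character_classes(pw) < policy["min_classes"]:
        violations.append("too-few-classes")
    if dictionary_hit(pw):
        violations.append("dictionary-word")
    if today - last_changed > timedelta(days=policy["max_age_days"]):
        violations.append("expired")
    return violations


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for pw, changed in [("Summer2024!", date(2024, 1, 1)),
                        ("correct-horse-battery-7X", date(2023, 1, 1)),
                        ("Tr0ub4dor&3xQ", date(2024, 5, 1))]:
        print(pw, evaluate(pw, changed, today))
```

Returning the full list rather than failing on the first check is a deliberate choice: a user told only "too short" will often fix that and be rejected again for the dictionary word.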
- Password Management
- Password management gives the organization an opportunity to meet the highest security standards, thanks to the ability to keep access to business systems and networks under control. Most employees pick simple passwords and use the same ones in multiple systems or applications. Password management helps to compose strong and unique passwords for both users and resources, and ideally takes care of them during the whole user life cycle.
The term "password management" may also mean the management of passwords on the user side, such as generating and storing random passwords.
- Alternative terms: Credential management
- See also: Password, Credential
- Policy-Based Access Control (PBAC)
- A mechanism for managing user access to information systems based on policy. In PBAC, authorizations are supposed to be evaluated dynamically, based on a policy specified in a machine-processable form. PBAC policy is an abstract concept; it is not clearly defined how it is expressed or evaluated. PBAC is meant to solve the problems of static access control models such as RBAC.
PBAC seems to be technically equivalent to ABAC. However, in contrast to ABAC, PBAC is supposed to contain a "policy management" layer, which is not clearly defined either.
Overall, PBAC is a conceptual idea rather than a concrete access control model. It is still in the early stages of development.
- Alternative terms: Dynamic Authorization Management, Policy as Code
- See also: Authorization, Attribute-Based Access Control, Role-Based Access Control, Policy-Driven Role-Based Access Control
- Policy Enforcement Point (PEP)
- A functional component responsible for enforcing policy decisions. The "policy" usually refers to an access control and/or authorization policy. Policy enforcement points are usually part of applications or infrastructure components, with the ability to analyze and intercept the policed operation. The policy enforcement point only enforces the policy; it neither interprets nor decides it. The PEP depends on the policy decision point (PDP) to interpret the policy and make a decision.
- See also: Authorization, Access Control, Policy Decision Point, Policy Administration Point
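The separation of duties between the policy points defined above (PAP writes the policy to the PRP, the PDP decides, the PEP only enforces), combined with the "default deny" approach from the Least Privilege Principle entry, as an added Python example. It is not any project's code: the rule format, the role attributes supplied by the policy information point, and the resources are constructed, and glob patterns stand in for whatever resource matching a real policy language would use.

```python
"""Added example (not midPoint or any other project's code): PAP/PRP/PDP/PEP
split with default deny and explicit deny overriding permit."""
from fnmatch import fnmatch


class PolicyRetrievalPoint:
    """PRP: holds the policy the PAP wrote and hands it to the PDP."""
    def __init__(self):
        self._rules = []

    def store(self, rules):
        self._rules = list(rules)

    def load(self):
        return list(self._rules)


class PolicyAdministrationPoint:
    """PAP: validates and writes rules; never decides or enforces anything."""
    REQUIRED = {"effect", "role", "action", "resource"}

    def __init__(self, prp):
        self.prp = prp

    def define(self, rules):
        for rule in rules:
            missing = self.REQUIRED - set(rule)
            if missing:
                raise ValueError(f"rule {rule!r} lacks {sorted(missing)}")
            if rule["effect"] not in ("permit", "deny"):
                raise ValueError(f"rule {rule!r} has an unknown effect")
        self.prp.store(rules)


class PolicyDecisionPoint:
    """PDP: default deny. A request is permitted only if some rule permits it
    and no rule explicitly denies it."""
    def __init__(self, prp, pip):
        self.prp = prp
        self.pip = pip          # PIP: callable returning the subject's attributes

    def decide(self, subject, action, resource):
        roles = self.pip(subject).get("roles", set())
        decision = "deny"
        for rule in self.prp.load():
            if (rule["role"] in roles and rule["action"] == action
                    and fnmatch(resource, rule["resource"])):
                if rule["effect"] == "deny":
                    return "deny"           # explicit deny wins immediately
                decision = "permit"
        return decision


class PolicyEnforcementPoint:
    """PEP: intercepts the operation and lets it through only on 'permit'."""
    def __init__(self, pdp, handler):
        self.pdp = pdp
        self.handler = handler

    def __call__(self, subject, action, resource):
        if self.pdp.decide(subject, action, resource) != "permit":
            raise PermissionError(f"{subject} may not {action} {resource}")
        return self.handler(subject, action, resource)


def build_demo():
    """Constructed deployment: a few rules, two known subjects, one handler."""
    prp = PolicyRetrievalPoint()
    PolicyAdministrationPoint(prp).define([
        {"effect": "permit", "role": "finance-user", "action": "read", "resource": "/finance/*"},
        {"effect": "permit", "role": "finance-user", "action": "write", "resource": "/finance/*"},
        {"effect": "deny", "role": "employee", "action": "write", "resource": "/finance/ledger"},
        {"effect": "permit", "role": "developer", "action": "read", "resource": "/repos/*"},
    ])
    attributes = {"alice": {"roles": {"employee", "finance-user"}},
                  "bob": {"roles": {"employee", "developer"}}}
    pdp = PolicyDecisionPoint(prp, lambda subject: attributes.get(subject, {}))
    pep = PolicyEnforcementPoint(pdp, lambda s, a, r: f"{a} {r} by {s}")
    return pdp, pep


def try_enforce(pep, subject, action, resource):
    """Run an operation through the PEP; return its result or 'denied'."""
    try:
        return pep(subject, action, resource)
    except PermissionError:
        return "denied"


def demo_decisions():
    pdp, _ = build_demo()
    return {
        "alice-read-report": pdp.decide("alice", "read", "/finance/q1-report"),
        "alice-write-report": pdp.decide("alice", "write", "/finance/q1-report"),
        "alice-write-ledger": pdp.decide("alice", "write", "/finance/ledger"),
        "bob-read-report": pdp.decide("bob", "read", "/finance/q1-report"),
        "mallory-read-repos": pdp.decide("mallory", "read", "/repos/core"),
    }
```

The last two decisions are the least-privilege point: bob has a valid role but no rule covers his request, and mallory is unknown to the PIP, so both fall through to the default deny without any rule having to mention them.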
- Performance
- Performance is a measure of a result. In process management, it is a measure of how well a process or activity is achieving its objectives. The term "performance" may also mean a measure of the efficiency of a computer system, describing how quickly it can provide results and how many resources it needs to perform a task.
- ISO 27000 term: performance
- Perimeter
- Security perimeter is a boundary that separates secure and insecure areas. In cybersecurity, the "perimeter" separated the insecure outer network (usually the Internet) from the secure inner network (usually the corporate network). The perimeter was usually implemented by physical protection of network devices and connections, inter-connecting networks by means of dedicated security devices (firewalls, gateways). Security requirements were significantly reduced in the presumably-secure inner network, usually to the point of no tangible security at all. Access control inside the perimeter was often limited to access control based on network addresses (IP-based access control), or no practical access control was implemented at all.
Reliance on the cybersecurity perimeter was very common in the early years of inter-network computing. However, the concept of a cybersecurity perimeter is fundamentally flawed, as computer networks are no longer bound to their physical form. The existence of virtual networking technologies, wireless networks, covert network channels and other technologies made the cybersecurity perimeter unsustainable. This effect is further emphasized by the move towards cloud services, which are located outside the classic security perimeter by their very nature.
Overall, the cybersecurity perimeter is considered a flawed and insecure approach. The zero trust approach provides a broad conceptual movement to migrate from the concept of a cybersecurity perimeter to a more resilient and holistic cybersecurity approach that does not rely on the concept of a perimeter.
- Alternative terms: Security perimeter, Information security perimeter, Network perimeter, Cybersecurity perimeter
- See also: Zero trust
- Persistent Identifier
- An identifier that cannot be changed or re-assigned to another identity. Once assigned, the identifier always references the same identity. Persistent identifiers are usually used as reference identifiers, and reference identifiers are usually persistent, resulting in "persistent reference identifiers".
Depending on policy, persistent identifiers can be re-assigned to another identity after the original identity was deleted (identifier re-use). However, there is usually a relatively long interval during which the identifier cannot be re-assigned.
- Alternative terms: Non-reassignable identifier
- See also: Identifier, Reference Identifier
- Personal Data
- Data about a person, usually processed in an information system. The definition of "personal data" differs slightly from case to case. For example, GDPR defines personal data as "any information which are related to an identified or identifiable natural person". However, the general understanding is that "personal data" are any data that relate to a natural person, that describe the person in some way. This is different from personally identifiable information (PII), as personal data may not uniquely identify a person. For example, a person's full name is considered personal data; however, a name such as "John Smith" is not entirely unique or identifiable in most contexts.
- Alternative terms: Personal information, Identity data, Identity information, Personal profile
- See also: Personal Data Protection, Personally Identifiable Information, General Data Protection Regulation
- Personal Data Erasure
- Erasure (deletion) of personal data, usually due to explicit request from user (e.g. "delete account" request), or due to lack of lawful basis for personal data processing.
- Alternative terms: Erasure, Data erasure
- See also: Personal Data Protection, Personal Data, Personal Data Processing Basis, General Data Protection Regulation
- Personal Data Processing Basis
- Basis for processing of personal data. Legal data protection frameworks (such as GDPR) usually mandate that personal data cannot be processed unless there is a basis for that processing. The basis may be a contract, legal obligation, consent, or similar legitimate interest for processing of the data. Some frameworks (such as GDPR) enumerate the available processing bases.
- Alternative terms: Basis for processing, Legal basis, Lawful basis
- See also: Personal Data Protection, Personal Data, General Data Protection Regulation
- Personal Data Protection
- Personal data protection is a field dealing with the protection of personal information and the rules for its processing, storage and erasure. It is closely related to privacy, as one of the main goals of personal data protection is to limit exposure of personal data, thus minimizing the potential for its abuse.
- Alternative terms: Data Protection, DP
- See also: Personal Data, General Data Protection Regulation
- Personally Identifiable Information (PII)
- Information that allows a person to be (directly or indirectly) identified. Obviously, government-issued identifiers, such as birth numbers, social security numbers or serial numbers of various identity documents, are usually considered to be personally identifiable information. However, the interpretation of what information is "personally identifiable" depends on the context. Even a simple full name of a person may be considered personally identifiable information in some contexts. Personally identifiable information usually requires a special protection or processing regime. Personally identifiable information should not be confused with personal data. PII is used as an identifier, pointing out a specific person in a group of other persons. Personal data describe a certain person; there is no requirement for personal data to be "identifiable".
- Alternative terms: Personal identifiers
- X.1252 term: personally identifiable information
- See also: Personal Data
- Policy Decision Point (PDP)
- Functional component with a responsibility to interpret policy and make decisions. The "policy" usually refers to access control and/or authorization policy. A policy decision point (PDP) can be part of an application, or it may be provided by a dedicated infrastructure component (authorization service). The PDP interprets the policy and makes a decision, which is usually an allow/deny decision. The PDP does not enforce the decision; it relies on a policy enforcement point (PEP) to enforce it. The PDP does not define or manage the policy either; it depends on a policy administration point (PAP) to set the policy.
- See also: Authorization, Access Control, Authorization Service, Policy Enforcement Point, Policy Administration Point, Policy Information Point
- Policy-Driven Role-Based Access Control
- A mechanism for managing user access to information systems based on a concept of dynamic roles and policies. It is an extension of traditional Role-Based Access Control (RBAC), applying dynamic policies to govern the behaviour and assignment of roles. In policy-driven RBAC, roles are no longer static: they contain logic that determines the set of privileges given by the role. The user-role assignments are also dynamic, controlled by automatic role assignment policies.
- Read more ...
- Alternative terms: PDRBAC
- See also: Role-Based Access Control, Role, Entitlement, Role Management, Access Control
- Personal identification number (PIN)
- Personal identification number (PIN) is a type of authenticator, meant to be secret, known only to a single user. PINs are almost always in the form of short numbers (4-8 digits). PINs are memorized secret authenticators: even though most PINs are randomly generated, they are meant to be remembered by the users. The simplicity of PINs makes them vulnerable to enumeration attacks when used on their own. Therefore, PINs are almost exclusively used in combination with other authenticators. E.g. PINs are often used to protect strong authenticators/credentials, such as passkeys or public key credentials stored on smart cards.
- See also: Authenticator, Memorized Secret Authenticator, Credential, Passkey
- Policy Information Point (PIP)
- Functional component with a responsibility to provide additional information to a policy decision point (PDP). The PIP usually retrieves data from identity data stores and provides them to the PDP in the form of attributes.
- See also: Authorization, Access Control, Policy Decision Point, Policy Administration Point, Policy Enforcement Point, Identity Data Store, Digital Identity Attribute
- Policy
- Policy is a system of guidelines or rules used to reach an objective or a decision.
Unfortunately, "policy" is a heavily overloaded term with numerous meanings. It may mean organizational policy, a set of high-level guidelines interpreted by people to guide their decisions. Policy may be formal, written down in a form that can be strictly followed, where compliance with the policy can be evaluated. It may also be informal, expressed in non-exact form, specifying a vague objective and methods. Policy may also mean machine-processable and executable code, used to quickly reach authorization decisions at run-time.
- ISO 27000 term: policy
- See also: Policy Management, Access Control, Authorization
- Policy Management
- Set of operations defining the authorization roles or policies, or assigning roles to particular users. This is often a manual or semi-manual operation performed in an identity management system or identity data store. Policy management implements the functionality of a Policy Administration Point (PAP).
This term is often confused with authorization itself. However, policy management aims at the definition of the policy, while authorization interprets the policy.
- Read more ...
- Alternative terms: Management of Authorization Policies, Policy and Role Management
- See also: Policy, Authorization
- Polystring
- A built-in data type for polymorphic string maintaining extra values in addition to its original value. The extra values are derived from the original value automatically using a normalization code. PolyString supports national characters in strings. It contains both the original value (with national characters) and normalized value (without national characters). This can be used for transliteration of national characters in usernames. All the values are stored in the repository, therefore they can be used to look for the object. Search ignoring the difference in diacritics or search by transliterated value can be used even if the repository itself does not support such feature explicitly.
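The following is an added illustration of the PolyString idea (original value kept beside a normalized value, both searchable); it is not midPoint's own PolyString implementation, and the normalization rules, the transliteration table for letters that Unicode decomposition does not split, and the sample names are all assumptions made for the example:

```python
"""PolyString-style normalization: keep the original string and a normalized form.

Added illustration of the glossary concept; not midPoint's PolyString code.
The normalization steps, the mapping table and the sample names are hypothetical.
"""
import unicodedata

# Letters that NFKD does not decompose into base letter + combining mark, so a
# diacritics-stripping pass alone would leave them untouched (table is an assumption).
_NON_DECOMPOSABLE = str.maketrans({
    "ł": "l", "Ł": "L", "ø": "o", "Ø": "O", "đ": "d", "Đ": "D",
    "ß": "ss", "æ": "ae", "Æ": "AE",
})


def normalize(orig: str) -> str:
    """Transliterate leftovers, strip combining marks, lowercase, collapse whitespace."""
    text = orig.translate(_NON_DECOMPOSABLE)
    decomposed = unicodedata.normalize("NFKD", text)          # "á" -> "a" + U+0301
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(stripped.lower().split())


def polystring(orig: str) -> dict:
    """Both values are stored, so the repository can index and match either of them."""
    return {"orig": orig, "norm": normalize(orig)}


def search(records: list, query: str) -> list:
    """Diacritics-insensitive lookup: the query is normalized the same way as stored values."""
    q = normalize(query)
    return [r["orig"] for r in records if r["norm"] == q]


# Constructed sample full names, stored as PolyString-like records
SAMPLE = [polystring(n) for n in ["Petr Novák", "Łukasz Wiśniewski", "Ørjan Müller"]]
```

Whatever normalization is chosen, it must be applied identically at write time and at query time; a search that normalizes the query with a different rule set than the one used when the record was stored will silently miss matches.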
- Principal
- An entity or identity, information about which is managed in an information system.
Usage of the term "principal" varies significantly. Depending on context, it may refer to an entity (person), its identity, or a data structure describing parts of the identity (digital identity). In information security frameworks (such as X.509), "principal" usually refers to an entity or identity, such as the owner of credentials. In programming frameworks, "principal" usually refers to ephemeral information about a user, maintained during the user's session. This is usually different from "account", as accounts are usually persistent (stored in a database), while a principal may be ephemeral, or may refer to entities that are not users of the system (may not be able to log in). In some contexts, "principal" is equivalent to "subject".
- Alternative terms: Subject
- ISO 24760 term: principal
- X.1252 term: principal
- See also: Subject, Holder, Entity, Identity, Account
- Prism
- In midPoint terminology: Prism is the name of a data representation library, which is used by midPoint to access data in its repository. The concepts of Prism permeate all of midPoint, giving structure to midPoint objects and their representation in XML/JSON/YAML. Prism defines the concepts of object, container, property, item, delta and many other useful concepts.
- Read more ...
- See also: Delta
- Privacy
- The right to be left alone. In IT context, privacy is an ability of individuals to control the information about themselves, to choose how the information is used to express their individuality. Technologies that support the concept of privacy are known as privacy-enhancing technologies (PET).
- See also: Privacy-Enhancing Technology, Personal Data Protection
- Privacy-Enhancing Technology (PET)
- Technologies that support and enhance privacy. This usually means technologies that give an individual effective control over personal data, and over the way these data are used to express one's individuality.
Most privacy-enhancing technologies are focused on limiting the spread of personal data: making sure that only a minimal amount of data is disclosed (minimal disclosure), making sure that the user approves data transfer (consent), and using pseudonyms and various anonymization techniques to limit data exposure.
Privacy-enhancing technologies are somewhat different from personal data protection technologies. While privacy-enhancing technologies are focused on limiting exposure of the data (secrecy), data protection technologies are focused on controlling the way the data are used.
- See also: Privacy, Personal Data Protection, Minimal Disclosure, Pseudonym
- Privacy Policy
- A policy that sets rules for processing of personal data, respecting privacy of an individual.
- X.1252 term: privacy policy
- See also: Privacy, Privacy-Enhancing Technology
- Private Key
- In an asymmetric cryptosystem (a.k.a. "public-key cryptosystem"), a part of the key pair that is known only to the key owner.
- X.1252 term: private key
- See also: Public Key
- Privileged entitlement
- Entitlement (access right, privilege) that allows the performance of activities that typical entities in the system cannot perform. A user with a privileged entitlement can usually perform activities that go far beyond the usual usage of the system. Privileged entitlements may allow unrestricted access to data, allow modification of entitlements of other users, and often include destructive operations such as deletion of data sets. System administration privileges are almost always considered privileged entitlements.
- Alternative terms: Privileged access rights, Privileged access
- See also: Entitlement
- Probability
- Measure of a chance of an event happening.
- Alternative terms: Likelihood
- ISO 27000 term: likelihood
- See also: Risk, Risk level
- Process
- Process is a structured and repeatable activity. Process usually consists of a sequence of steps, which may be interrelated and interactive, involving several parties. Unlike one-off activities such as projects, processes are meant to be repeatable, conducting the same or similar activities more than once, delivering similar results.
- ISO 27000 term: process
- See also: Project, Program
- Product Architecture
- Concept, design and description of the product's parts, which are assigned to subsystems, and of the way these subsystems interact with each other.
- Program
- Program is a structured and continuous activity meant to maintain and improve a state. Programs are continuous, never-ending activities. They are often executed in cycles: analyzing situation, planning, implementing and validating the results. Programs are meant to continuously maintain and improve a certain state, such as appropriate level of cybersecurity.
- See also: Process
- Project
- Project is a structured and unique activity meant to reach specific objectives. A project usually consists of a sequence of steps, which may be interrelated and interactive, involving several parties. Unlike repeatable activities such as processes and programs, projects are not meant to be repeated. Projects are designed to deliver a specific outcome, and to deliver it only once.
- See also: Process, Program
- Projection
- In midPoint terminology: Projection is a part of midPoint computation that represents the objects in identity resources, usually accounts, entitlements or organizational units. Projections are the "spokes" in hub-and-spoke (star) data synchronization in midPoint. Projections are represented in the computation in the form of shadows (shadow objects), usually supplemented with real-time data from the resource objects.
- Read more ...
- See also: Shadow, Focus, Assignment
- Policy Retrieval Point (PRP)
- Functional component with a responsibility to store and distribute policies for use by policy decision points (PDP). The PRP acts as a repository for policy. The policy is usually stored persistently at the PRP, e.g. in the form of a file or database. The primary responsibility of the PRP is to make policy available to policy decision points (PDP), either by "pull" (the PDP retrieving the policy from the PRP) or by "push" (the PRP sending the policy to the PDP). The PRP is instrumental in enabling a distributed architecture with several PDPs.
Note: The PRP only stores and distributes the policy; it is not responsible for policy creation or management. Policy management is the responsibility of the policy administration point (PAP).
- Alternative terms: Policy Access Point
- See also: Authorization, Access Control, Policy Decision Point, Policy Administration Point, Policy Enforcement Point, Policy Information Point
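The separation of responsibilities described in the Policy Enforcement Point, Policy Decision Point, Policy Information Point and Policy Retrieval Point entries, as an added example in the form of a toy authorization architecture (not midPoint code, nor any product's implementation). The class names, the rule format (a predicate over request and subject attributes), the identity data and the "finance staff may read the ledger during office hours" rule are all constructed for the illustration; the policy administration point is represented only by the `put()` calls that load rules into the PRP.

```python
"""Toy authorization architecture separating PEP, PDP, PIP and PRP.

Added illustration for this glossary; not midPoint code. All component
classes, the rule format and the identity data below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed identity data store; this is what the PIP reads from.
IDENTITY_STORE: Dict[str, Dict] = {
    "alice": {"department": "finance", "clearance": 2},
    "bob": {"department": "engineering", "clearance": 1},
}


@dataclass
class Request:
    subject: str
    action: str
    resource: str
    context: Dict = field(default_factory=dict)  # context attributes, e.g. time of access


# A rule is a predicate over (request, subject attributes); True means "allow".
Rule = Callable[[Request, Dict], bool]


class PolicyInformationPoint:
    """PIP: supplies subject attributes that the request itself does not carry."""

    def __init__(self, store: Dict[str, Dict]):
        self.store = store

    def attributes(self, subject: str) -> Dict:
        return dict(self.store.get(subject, {}))


class PolicyRetrievalPoint:
    """PRP: stores the policy and hands it to the PDP on demand ("pull" mode)."""

    def __init__(self):
        self._rules: List[Rule] = []

    def put(self, rule: Rule) -> None:  # called from the administration side (PAP)
        self._rules.append(rule)

    def pull(self) -> List[Rule]:
        return list(self._rules)


class PolicyDecisionPoint:
    """PDP: interprets policy against the request plus PIP attributes; answers allow/deny only."""

    def __init__(self, prp: PolicyRetrievalPoint, pip: PolicyInformationPoint):
        self.prp, self.pip = prp, pip

    def decide(self, req: Request) -> str:
        attrs = self.pip.attributes(req.subject)
        if any(rule(req, attrs) for rule in self.prp.pull()):
            return "allow"
        return "deny"  # default deny: no matching rule means no access


class PolicyEnforcementPoint:
    """PEP: intercepts the operation and enforces the PDP's decision; no policy logic here."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def guard(self, req: Request, operation: Callable[[], object]):
        if self.pdp.decide(req) != "allow":
            raise PermissionError(f"{req.subject} may not {req.action} {req.resource}")
        return operation()


def finance_ledger_rule(req: Request, attrs: Dict) -> bool:
    """Constructed rule: finance staff may read the ledger during office hours."""
    return (
        req.resource == "ledger"
        and req.action == "read"
        and attrs.get("department") == "finance"
        and 8 <= req.context.get("hour", -1) < 18
    )


def build_system():
    """Wire the components together and return (PEP, PDP)."""
    prp = PolicyRetrievalPoint()
    prp.put(finance_ledger_rule)          # the PAP's job, simulated here
    pdp = PolicyDecisionPoint(prp, PolicyInformationPoint(IDENTITY_STORE))
    return PolicyEnforcementPoint(pdp), pdp


if __name__ == "__main__":
    pep, _ = build_system()
    req = Request("alice", "read", "ledger", {"hour": 10})
    print(pep.guard(req, lambda: "ledger contents"))
```

Note what each component does not do: the PEP never inspects attributes or rules, the PDP never touches the protected operation, and the PRP never evaluates anything. Keeping the PDP default-deny means that an empty or unreachable PRP fails closed rather than open.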
- Pseudonym
- An identifier designed to avoid any inherent information about identity or entity. Pseudonyms are meant to hide or modify perception of the entity or identity, as presented to other parties.
In a user experience sense, pseudonyms can be chosen by the user to hide or alter their real identity in information systems.
In an implementation sense, a pseudonym is often a randomly-generated identifier, used selectively for communication with a specific domain or system. The pseudonym is used instead of other identifiers to prevent the other party from revealing parts of the user's identity or correlating the user's actions.
- ISO 24760 term: pseudonym
- X.1252 term: pseudonym
- See also: Identifier, Personal Data Protection, Privacy
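The implementation sense above, as an added example (not code from the page or from any identity provider): a per-domain pseudonym derived from the internal identifier with a keyed hash, so the same entity appears under unrelated identifiers in different domains and two domains comparing their identifier lists learn nothing. The derivation scheme, the key and the identifiers are assumptions; a production system would also keep a lookup table to resolve a pseudonym back to the identity, since the hash itself is one-way.

```python
"""Per-domain pseudonyms derived with an HMAC (pairwise identifiers).

Added illustration for the glossary entry; not code from any product.
The key, the internal identifiers and the domain names are constructed.
"""
import base64
import hashlib
import hmac

# Constructed server-side secret. Whoever holds it can recompute pseudonyms,
# so it stays with the issuing party and never reaches the relying domains.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(internal_id: str, domain: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable, domain-specific identifier carrying no information about the entity.

    Both inputs are length-prefixed so that ("ab", "c") and ("a", "bc") cannot
    collide on the same HMAC input.
    """
    msg = (
        len(domain).to_bytes(2, "big") + domain.encode("utf-8")
        + len(internal_id).to_bytes(2, "big") + internal_id.encode("utf-8")
    )
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # 15 bytes -> 24 base32 characters, no padding; lowercase for use in URLs
    return base64.b32encode(digest[:15]).decode("ascii").lower()


def correlatable(domain_a: str, domain_b: str, ids: list) -> bool:
    """Simulates two domains comparing the identifier lists they each hold.
    True only if some entity carries the same pseudonym in both domains."""
    held_by_a = {pseudonym(i, domain_a) for i in ids}
    return any(pseudonym(i, domain_b) in held_by_a for i in ids)
```

Rotating the key changes every pseudonym at once, which is sometimes desired (unlinking history) and sometimes a breaking change for the relying domains; that trade-off is a policy decision, not something the derivation can resolve.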
- Public Key
- In an asymmetric cryptosystem (a.k.a. "public-key cryptosystem"), a part of the key pair that can be shared with other entities.
- X.1252 term: public key
- See also: Private Key
- Role-Based Access Control (RBAC)
- A mechanism for managing user access to information systems based on a concept of roles. Role-Based Access Control (RBAC) uses roles to group permissions. Roles usually represent meaningful entities, such as job positions, organizational affiliations or similar business concepts. One of the basic assumptions of RBAC is that management of roles is much easier than management of individual permissions.
A form of RBAC is standardized in a series of NIST standards (ANSI/INCITS 359-2004, INCITS 359-2012).
RBAC is mostly concerned with using the roles to control user access to the system and other information assets. Role definitions are usually maintained using somewhat separate "Role Management" mechanisms.
Traditional RBAC models are static: user-role and role-permission relations are fixed, set up by a system administrator. Newer RBAC models are dynamic (policy-driven): user-role and role-permission relations may be dynamic, determined by policy (algorithm).
- Read more ...
- See also: Role, Entitlement, Role Management, Access Control, Role Explosion, Policy-Driven Role-Based Access Control
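The contrast drawn in the last paragraph, and in the Policy-Driven Role-Based Access Control entry, as an added example (not midPoint's role engine): a static RBAC model with fixed tables beside a policy-driven one where each role computes its permissions from user attributes and user-role assignment is itself decided by a policy. Role names, permission strings, the attributes and the assignment rules are all constructed.

```python
"""Static RBAC beside policy-driven RBAC.

Added illustration for this glossary; not midPoint's role implementation.
Role names, attributes and assignment policies are constructed examples.
"""
from typing import Callable, Dict, Set

# --- Static RBAC: user-role and role-permission relations are fixed data,
# maintained by an administrator.
STATIC_ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "employee": {"intranet:read"},
    "finance-analyst": {"ledger:read", "report:create"},
}
STATIC_USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"employee", "finance-analyst"},
    "bob": {"employee"},
}


def static_permissions(user: str) -> Set[str]:
    perms: Set[str] = set()
    for role in STATIC_USER_ROLES.get(user, set()):
        perms |= STATIC_ROLE_PERMISSIONS.get(role, set())
    return perms


# --- Policy-driven RBAC: a role is a function of the user's attributes, and
# user-role assignment is decided by policy instead of being stored per user.
User = Dict[str, object]
DynamicRole = Callable[[User], Set[str]]


def employee_role(u: User) -> Set[str]:
    """Every employee reads the intranet; VPN access only for full-time staff."""
    perms = {"intranet:read"}
    if u.get("employmentType") == "full-time":
        perms.add("vpn:connect")
    return perms


def finance_analyst_role(u: User) -> Set[str]:
    """Report creation additionally requires a signed confidentiality agreement."""
    perms = {"ledger:read"}
    if u.get("ndaSigned"):
        perms.add("report:create")
    return perms


DYNAMIC_ROLES: Dict[str, DynamicRole] = {
    "employee": employee_role,
    "finance-analyst": finance_analyst_role,
}

# Automatic assignment policies: role name -> predicate over the user's attributes.
ASSIGNMENT_POLICIES: Dict[str, Callable[[User], bool]] = {
    "employee": lambda u: u.get("status") == "active",
    "finance-analyst": lambda u: u.get("status") == "active" and u.get("department") == "finance",
}


def dynamic_permissions(u: User) -> Set[str]:
    """Effective permissions: evaluate assignment policies, then each assigned role's logic."""
    perms: Set[str] = set()
    for role_name, applies in ASSIGNMENT_POLICIES.items():
        if applies(u):
            perms |= DYNAMIC_ROLES[role_name](u)
    return perms


# Constructed user records
USERS: Dict[str, User] = {
    "alice": {"status": "active", "department": "finance",
              "employmentType": "full-time", "ndaSigned": True},
    "bob": {"status": "active", "department": "engineering",
            "employmentType": "contractor", "ndaSigned": False},
    "carol": {"status": "disabled", "department": "finance",
              "employmentType": "full-time", "ndaSigned": True},
}
```

In the dynamic model, disabling carol or moving bob into finance changes their effective permissions without anyone editing a user-role table; the flip side is that a review of "who can do what" must evaluate the policies rather than read the tables.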
- Reconciliation
- In identity management, reconciliation is a process of comparing the recorded state of the identity management system with the real state of identity resources. In the most common form, reconciliation compares user data stored in the identity management database with account data stored in an identity resource (source or target system). Reconciliation is meant to detect differences in the data, including detection of orphaned accounts.
Reconciliation is usually a quite heavyweight, yet very reliable mechanism of identity data synchronization.
- See also: Account, User, Orphan Account
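The comparison described above, as an added example (not midPoint's reconciliation task): the identity management system's recorded view of each user's account is compared with the accounts actually present on a resource, and the differences are sorted into accounts that should exist but do not, orphaned accounts with no owner, and attribute drift. The user records, the resource account list and the compared attributes are constructed.

```python
"""Reconciliation: compare the IDM's recorded state with the real state of a resource.

Added illustration for this glossary; not midPoint's reconciliation task.
The user records, account records and compared attributes are constructed.
"""
from typing import Dict, List

# What the identity management system believes each user's account looks like.
IDM_USERS: Dict[str, Dict] = {
    "alice": {"account": "alice", "mail": "alice@example.test", "disabled": False},
    "bob": {"account": "bob", "mail": "bob@example.test", "disabled": True},
    "carol": {"account": "carol", "mail": "carol@example.test", "disabled": False},
}

# Accounts actually found on the resource (constructed; think of a directory search result).
RESOURCE_ACCOUNTS: Dict[str, Dict] = {
    "alice": {"mail": "alice@example.test", "disabled": False},
    "bob": {"mail": "bob@example.test", "disabled": False},     # IDM says this one is disabled
    "ghost": {"mail": "ghost@example.test", "disabled": False},  # no owner in IDM
}

COMPARED_ATTRIBUTES = ("mail", "disabled")


def reconcile(idm_users: Dict[str, Dict], accounts: Dict[str, Dict]) -> Dict[str, List]:
    """Return the discrepancies; remediation of each category is a separate decision."""
    owned = {rec["account"]: user for user, rec in idm_users.items()}
    report: Dict[str, List] = {"missing": [], "orphaned": [], "drift": []}
    for user, rec in idm_users.items():
        actual = accounts.get(rec["account"])
        if actual is None:
            report["missing"].append(user)       # IDM expects an account that is gone
            continue
        for attr in COMPARED_ATTRIBUTES:
            if actual.get(attr) != rec[attr]:
                # (user, attribute, value recorded in IDM, value found on the resource)
                report["drift"].append((user, attr, rec[attr], actual.get(attr)))
    for name in accounts:
        if name not in owned:
            report["orphaned"].append(name)      # exists on the resource, owned by nobody
    return report
```

The "bob" drift entry is the case a reconciliation run exists to catch: the IDM believes the account is disabled, the resource still has it enabled. A reconciliation report on its own changes nothing; what happens next (disable the account, remove the orphan, or update the IDM record) is governed by policy.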
- Relationship-Based Access Control (ReBAC)
- A mechanism for managing user access to information systems based on a concept of relationship. Relationship-Based Access Control (ReBAC) is defined by the presence of a relationship between objects, such as "owner" or "editor". The relationships are interpreted by an access control policy to form access control decisions.
- In midPoint terminology: MidPoint has a concept of "relation" that can be used together with assignment/inducement mechanism to implement ReBAC access control structures.
- See also: Access Control, Relation, Next Generation Access Control
- Reference Identifier (RI)
- An identifier that reliably references an identity in a particular scope. Once assigned, the identifier always references the same identity; it cannot be assigned to a different identity. Reference identifiers are often persistent; however, they can change, as long as the identifier is not re-assigned to another identity.
Depending on policy, reference identifiers can be re-assigned to another identity after the original identity was deleted (identifier re-use). However, there is usually a relatively long interval during which the identifier cannot be re-assigned.
- Alternative terms: Non-reassignable identifier
- ISO 24760 term: reference identifier
- See also: Identifier, Persistent Identifier, Reference Identifier Generator
- Reference Identifier Generator
- ISO 24760 term, used to describe the tool that generates reference identifiers, usually during enrollment and registration.
- ISO 24760 term: reference identifier generator
- See also: Reference Identifier, Enrollment, Identity Registration
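The identifier re-use rule from the Persistent Identifier and Reference Identifier entries, as an added example of a reference identifier generator (not a midPoint component): a released identifier enters a quarantine and is only handed out again once the non-reassignment interval has elapsed; an identifier that is currently assigned is never returned for a second identity. The identifier format, the quarantine length and the simulated clock are constructed.

```python
"""Reference identifier generator with a non-reassignment interval.

Added illustration for the Persistent Identifier, Reference Identifier and
Reference Identifier Generator entries; not a midPoint component. The
identifier format and the 400-day default quarantine are constructed values.
"""
from typing import Dict

DAY = 86400  # seconds


class ReferenceIdGenerator:
    def __init__(self, prefix: str = "rid-", reuse_after: int = 400 * DAY):
        self.prefix = prefix
        self.reuse_after = reuse_after          # quarantine length after release
        self._next = 1
        self.assigned: Dict[str, str] = {}      # identifier -> identity it references
        self.released: Dict[str, int] = {}      # identifier -> time it was released

    def assign(self, identity: str, now: int) -> str:
        """Hand out an identifier for a newly registered identity.

        Re-uses the longest-released quarantined identifier whose interval has
        elapsed; otherwise mints a fresh one. Never returns a live identifier.
        """
        for rid, released_at in sorted(self.released.items(), key=lambda kv: kv[1]):
            if now - released_at >= self.reuse_after:
                del self.released[rid]
                self.assigned[rid] = identity
                return rid
        rid = f"{self.prefix}{self._next:06d}"
        self._next += 1
        self.assigned[rid] = identity
        return rid

    def release(self, rid: str, now: int) -> None:
        """The identity was deleted: the identifier enters quarantine instead of being freed."""
        del self.assigned[rid]
        self.released[rid] = now

    def references(self, rid: str) -> str:
        """Resolve a live identifier; quarantined or unknown identifiers resolve to nothing."""
        return self.assigned.get(rid, "")
```

The quarantine is what makes audit trails safe to read: a log line from last month that names `rid-000001` still refers to the identity that held it then, because the identifier could not have been handed to anyone else within the interval.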
- Referential Integrity
- Consistency constraint in a database, mandating that every reference points to a valid object. Simply speaking, when an identifier is used to reference another object, such an object must exist.
Referential integrity is often a concern in group management and directory services. Systems that provide referential integrity make sure that a group points to valid members (users that exist), or that a list of a user's groups points to valid groups. In case a user who is a member of a group is removed, a system with referential integrity will either automatically remove the user from the group, or it will deny the operation until the user is explicitly removed from all groups first. Systems that do not provide referential integrity would allow such an operation, leaving an invalid identifier in the database, an identifier that does not point to any existing object.
- See also: Schema, Digital Identity Attribute, Verification
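The three behaviours described in the previous paragraph, as an added example (not code from any directory product): a small user/group store whose user deletion either denies the operation while memberships exist, cascades the removal, or, mimicking a system without referential integrity, leaves dangling member references behind, plus an audit function that finds such references. The directory contents and the mode names are constructed.

```python
"""Referential integrity between users and groups, with and without enforcement.

Added illustration for this glossary; not code from any directory product.
The directory structure and the three deletion modes are constructed.
"""
from typing import Dict, List, Set, Tuple


class Directory:
    def __init__(self, users: Set[str], groups: Dict[str, Set[str]]):
        self.users = set(users)
        self.groups = {g: set(m) for g, m in groups.items()}

    def delete_user(self, user: str, mode: str = "deny") -> None:
        """mode 'deny': refuse while memberships exist (caller must remove them first);
        mode 'cascade': remove the memberships automatically;
        mode 'none': behave like a system without referential integrity."""
        if mode not in ("deny", "cascade", "none"):
            raise ValueError(f"unknown mode {mode!r}")
        if user not in self.users:
            raise KeyError(user)
        memberships = [g for g, members in self.groups.items() if user in members]
        if mode == "deny" and memberships:
            raise ValueError(f"{user} is still a member of {sorted(memberships)}")
        if mode == "cascade":
            for g in memberships:
                self.groups[g].discard(user)
        self.users.discard(user)   # in mode 'none' the member entries are left dangling

    def dangling_references(self) -> List[Tuple[str, str]]:
        """Audit: (group, member) pairs whose member is not an existing user."""
        return [
            (g, m)
            for g, members in self.groups.items()
            for m in sorted(members)
            if m not in self.users
        ]


def sample_directory() -> Directory:
    # Constructed sample data: two users, alice in both groups, bob in one
    return Directory({"alice", "bob"}, {"admins": {"alice"}, "staff": {"alice", "bob"}})
```

The audit function is the part that matters when the store itself does not enforce integrity: a dangling member entry is harmless until a new account is created under the old name and silently inherits the stale group membership, which is the identifier re-use problem from the Reference Identifier entry seen from the group side.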
- Registration Authority (RA)
- An entity that gathers and verifies identity information, for the purposes of enrollment and identity registration. Registration authority is usually the organization that carries out identity proofing by verifying identity evidence, such as national identity cards.
- ISO 24760 term: registration authority
- See also: Identity Registration, Enrollment, Identity Proofing, Identity Evidence
- Relation
- In midPoint terminology: The midPoint concept of "relation" can parametrize a reference between two objects, further specifying the relationship between them. It is usually used in assignment/inducement to provide details about the relationship of the holder and target objects. For example, relation is used to specify role owners, approvers and organizational unit managers. Relation can also be used to implement a relationship-based access control (ReBAC) mechanism in midPoint.
- Read more ...
- See also: Access Control, Assignment, Inducement, Relationship-Based Access Control
- Reliability
- Property of a system to behave consistently and deliver expected results.
- ISO 27000 term: reliability
- See also: Availability
- Relying Party (RP)
- System that relies on another party (identity provider) to provide identity information. A relying party (also known as "service provider") usually relies on the identity provider to authenticate the user and relay the information to the relying party. The relying party has no access to credentials (e.g. passwords); it only knows that the authentication was successful. The identity provider may transfer identity attributes and additional information (such as authorization decisions) to the relying party. The relying party usually has a trust relationship with the identity provider.
- Alternative terms: Service Provider
- ISO 24760 term: relying party
- X.1252 term: relying party
- See also: Identity Provider, Single Sign-On, Identity Federation
- Remediation
- Remediation is an action to eliminate a violation of a policy, or a non-compliance with a regulation or standard. Remediation is usually a manual action that addresses the effects, i.e. specific cases of non-compliance. E.g. a violation of segregation of duties can be remediated by removing one of the conflicting roles or responsibilities.
- Alternative terms: Correction
- ISO 27000 term: correction
- See also: Compliance, Corrective action
- Repository
- A database, often a database of self-contained objects. In identity and access management context, it usually means a database of identity information.
- In midPoint terminology: MidPoint internal database. It is used to store all internal midPoint data and the vast majority of midPoint configuration.
- Alternative terms: MidPoint repository
- Requirement
- Requirement is a need or expectation that is stated or implied. Requirements are usually specified by legislation, regulation or standards. Requirements are also a usual part of software specifications or contracts. Although most requirements are expected to be explicitly stated, there may be implied requirements, given by usual practice or common expectations.
- ISO 27000 term: requirement
- See also: Compliance
- Residual risk
- Residual risk is the risk that remains after risk treatment. It is risk that was not eliminated by cybersecurity activities. As it is practically impossible to eliminate risk completely, some residual risk has to be accepted, as part of the usual cybersecurity program.
- Alternative terms: Retained risk
- ISO 27000 term: residual risk
- See also: Risk, Risk acceptance
- Resource
- In generic terms, a Resource is any information asset, system or service that can be meaningfully used to obtain information or to initiate an action. Web resources are often used to access information across the World Wide Web, e.g. in the form of RESTful interfaces. In the IAM field, a Resource (Identity Resource) is usually a network-accessible asset capable of managing identity information.
- In midPoint terminology: A Resource is a system that is either identity data source or provisioning target.
- Alternative terms: Information Resource, Data Resource
- See also: Identity Resource
- REST
- Architectural style that describes the fundamental principles of the World Wide Web (WWW). The REST architectural style was used to develop the HTTP protocol, the fundamental building block of the WWW. REST specifies a concept of resource (web resource), identified by a Uniform Resource Locator (URL) and accessed through a uniform interface. Although REST is designed for hypertext applications, some REST principles are used for general-purpose programming interfaces, known as "RESTful" services or APIs.
- Alternative terms: Representational State Transfer
- See also: RESTful Service, Application Programming Interface, Resource
- RESTful Service
- Usually a general-purpose programming interface (API) or network service, exposed by one application to be used by another application. RESTful services are based on HTTP protocol operations such as GET, PUT and POST. RESTful services use Uniform Resource Locators (URLs) as an addressing scheme, and also for the purpose of conveying some parameters. Despite the name, RESTful services actually do not strictly follow the principles of the REST architectural style. The REST architectural style is designed for use in hypertext applications, while most RESTful services are procedural in nature. Therefore most RESTful services adapt and bend the REST principles for their purposes. Despite such deformations, RESTful services provide a very popular method for application-to-application interaction over the Internet.
- Alternative terms: REST Service, REST API
- See also: REST, Application Programming Interface
- Review
- Review is an activity that aims at evaluation whether certain subject matter is adequate to achieve its objectives. Review often evaluates performance of a process, program, project or policy.
- ISO 27000 term: review
- See also: Access Certification, Performance
- Review object
- Review object is the subject matter reviewed by a review. It is usually a process, program, project or policy.
- ISO 27000 term: review object
- See also: Review
- Review objective
- Review objective is a statement describing the intended results of a review.
- ISO 27000 term: review objective
- See also: Review
- Risk
- Effect of uncertain, unforeseen, unknown or unknowable factors on objectives. Risk may originate from the fact that the effects are inherently uncertain, such as short-term fluctuations of the markets. However, many forms of risk stem from a lack of knowledge or understanding, such as a lack of knowledge about the capabilities of attackers. While risk includes both positive and negative uncertain effects, almost all activities in cybersecurity deal with negative effects of risk.
In cybersecurity risk assessment and modeling, risk is associated with the impact of threats exploiting vulnerabilities of information assets.
- ISO 27000 term: risk
- See also: Risk level
- Risk acceptance
- Risk acceptance is a decision to accept a particular (residual) risk. As it is practically impossible to eliminate risk completely, some residual risk has to be accepted, as part of the usual cybersecurity program. Risk acceptance is a usual part of the risk treatment process. Even though a risk is accepted, it does not mean it is forgotten. Accepted risk should be subject to monitoring.
- ISO 27000 term: risk acceptance
- See also: Risk, Residual risk, Monitoring
- Risk analysis
- Risk analysis is a systematic process to understand the nature and extent of risk, and to determine risk levels. It is a structured process, evaluating several aspects of risk. As risk is almost impossible to measure exactly, risk levels are often estimated during risk analysis.
- ISO 27000 term: risk analysis
- See also: Risk, Risk level
- Risk assessment
- Risk assessment is a comprehensive process consisting of risk identification, risk analysis and risk evaluation. Risk treatment is a necessary part of risk management process.
- ISO 27000 term: risk assessment
- See also: Risk, Risk analysis, Risk identification, Risk evaluation
- Risk-based approach
- Risk-based approach is an approach to cybersecurity management based on systematic management of risk. It is based on a controlled method of managing risk in an organization. One of the primary principles of the risk-based approach is acceptance that risk cannot be completely eliminated. The risk has to be assessed, subjected to appropriate treatment, and the residual risk has to be accepted.
- See also: Risk, Risk management
- Risk communication
- Risk communication is a set of activities to communicate information about risk with interested parties (stakeholders). Communication may take form of consultation, communicating risk and risk-related information both ways. Purpose of risk communication is to improve decision processes related to risk and its impact on organization objectives.
- Alternative terms: Risk communication and consultation
- ISO 27000 term: risk communication and consultation
- See also: Risk, Risk assessment, Interested party
- Risk criteria
- Specification of requirements and other criteria used to evaluate risk. Legislation, regulation, standards and best practice are the usual baseline for risk criteria. However, specific risk criteria are determined by the character, objectives and methods of a particular organization.
- ISO 27000 term: risk criteria
- See also: Risk, Risk evaluation, Compliance, Requirement, Policy
- Risk evaluation
- Risk evaluation is a process of comparing results of risk analysis to risk criteria. Result of risk evaluation is a decision whether risk is acceptable, or it has to be treated (eliminated or mitigated).
- ISO 27000 term: risk evaluation
- See also: Risk, Risk assessment, Risk criteria
- Risk identification
- Risk identification is a process of discovering and describing risks. It involves identification of risk sources and causes, which may be based on historical data or expertise.
- ISO 27000 term: risk identification
- See also: Risk, Risk assessment
- Risk level
- Magnitude or measure of risk. Expression of risk level is heavily influenced by context. Risk levels can be quantitative, expressing risk level in measurable and generally comparable quantities, such as probability expressed as a percentage or weighted monetary cost. Risk levels can also be qualitative, expressing risk level in relative terms, such as "low", "medium" and "high". Risk levels may take into account the impact (consequence) of a risk, or they may be concerned solely with the probability of a risk occurrence.
- Alternative terms: Level of risk
- ISO 27000 term: level of risk
- See also: Risk, Probability, Risk analysis
- Risk management
- Risk management is a broad set of coordinated activities aimed at control of risk in an organization. It includes formal risk management processes, as well as informal and implicit activities. Risk management is one of the basic mechanisms of cybersecurity.
- ISO 27000 term: risk management
- See also: Risk, Risk management process, Risk-based approach, Cybersecurity
- Risk management process
- Risk management process is a systematic application of processes and methods for controlled management of risk in an organization. It is supposed to be based on formal specification of processes and policies. It is usually a circular, iterative process, going through analytical, implementation, monitoring and review phases. Risk management is one of the most important processes in cybersecurity.
- ISO 27000 term: risk management process
- See also: Risk, Risk management, Risk-based approach, Policy
- Risk owner
- Risk owner is a person who is responsible for a particular risk. It may be the owner of a system, of a certain privilege in a system, or of a business process that is a source of risk. The risk owner is supposed to have accountability as well as authority to properly manage the risk.
- ISO 27000 term: risk owner
- See also: Risk, Risk management process
- Risk treatment
- Risk treatment is an activity to address the risk. Ultimate goal of risk treatment is to lower overall risk to an acceptable level. Many methods can be used to treat the risk, including avoiding activities that are sources of risk, eliminating risk sources, lowering probability or impact of a risk, redirecting risk to another party, or accepting the risk. Risk treatment is a necessary part of risk management process.
- Alternative terms: Risk mitigation, Risk elimination, Risk reduction, Risk prevention
- ISO 27000 term: risk treatment
- See also: Risk, Risk management process, Risk assessment
- Role
- Abstract concept that usually groups entitlements (privileges, access rights) in a single object. The purpose of grouping entitlements in roles is to make access control policies manageable, usually using Role-Based Access Control (RBAC) principles.
- X.1252 term: role
- See also: Entitlement, Role-Based Access Control, Role Management
- Role Explosion
- Unreasonable multiplication of the number of roles in role-based access control (RBAC) systems. Role explosion occurs due to a combination of several causes; poor role management practices and cartesian products in role definitions are perhaps the most common. It occurs mostly in static RBAC models, whereas dynamic RBAC models have methods to avoid role explosion.
- Read more ...
- See also: Role-Based Access Control, Role Management
- Role Management
- A process of managing role definitions. It usually includes creating role definitions, maintaining them, adapting them to a changed environment and decommissioning them. Role management is concerned with role definitions only, in contrast with Role-Based Access Control (RBAC), which is mostly concerned with using the definitions to control access.
- Alternative terms: Role Modeling, Role Engineering
- See also: Role, Role-Based Access Control
- Schema
- Description of a structure of information, such as description of data types, attribute names and types, attribute structure and multiplicity, often supplemented by additional information such as documentation and presentation metadata.
In information systems designed to process identity information, the schema usually refers to the structure of digital identity data: names of identity attributes, their types, multiplicity, optionality and similar properties.
- Alternative terms: Data model, Identity model
- See also: Digital Identity Attribute, Verification, Referential Integrity
- Secure by Default
- Software development principle, mandating that a system or service should be secure from the moment of installation. Software and services should be distributed with a secure configuration.
- Alternative terms: Security by Default
- See also: Secure by Design, Secure Through Lifecycle
- Secure by Design
- Software development principle, mandating that the security of software products and services should be built into the system from the very early stages of design and development. Security should be an integral part of the design, rather than an afterthought. The functionality of the system should be based on well-established security practices and standards and reduced to the minimum required for operation.
- Alternative terms: Security by Design
- See also: Secure by Default, Secure Through Lifecycle
- Secure Through Lifecycle
- Software development principle, mandating that a system should be secure from its inception, throughout its whole life, all the way to decommissioning. The system should always be in a secure configuration, never opening any vulnerabilities, not even in emergency situations.
- Alternative terms: Security Through Lifecycle
- See also: Secure by Design, Secure by Default
- Security Audit
- Independent review of a system in order to assess the adequacy of security controls and evaluate compliance with policies, regulations and operational procedures.
- X.1252 term: security audit
- Security Posture
- Security posture is the security status of an enterprise's networks, information, and systems based on cybersecurity resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes. It is a "big picture" of the state of cybersecurity in an organization.
- Alternative terms: Cybersecurity posture
- See also: Cybersecurity
- Selective Disclosure
- A mechanism that gives a person control over the sharing of data, usually between domains. Selective disclosure is sometimes applied in cross-domain data transfer, such as when using identity providers or identity federations. In the case of data transfer, the user is prompted to select the data that can be disclosed to the other domain. This process is sometimes automatic, governed by a pre-defined data disclosure policy.
- Alternative terms: Selective Disclosure of Personal Information
- ISO 24760 term: selective disclosure
- See also: Digital Identity, Personal Data Protection, Privacy, Identity Provider, Identity Federation, Minimal Disclosure
- Self-Asserted
- An assertion (claim) made by an entity about itself. It usually means a claim that was not verified or certified by any other party.
- See also: Self-Asserted Identity
- Self-Asserted Identity
- An identity (usually a digital identity) that an entity declares about itself. It usually means a set of digital identity attributes that an entity claimed about itself, without being verified or certified by any other party.
- X.1252 term: self-asserted identity
- See also: Self-Asserted, Decentralized Identifier, Identity Assertion
- Shadow
- In midPoint terminology: Shadow objects are objects in the midPoint repository representing objects in identity resources, such as accounts or groups. Shadow objects are used by midPoint as proxy objects, or data adapters, for real accounts, groups or organizational units in identity resources. MidPoint stores identifiers of resource objects in shadow objects, together with meta-data, policy-related information and operational data that relate to the resource object that the shadow represents. The identifiers stored in shadow objects are used to locate the correct resource object even when it is renamed or moved. Shadow objects may contain copies of the data of real resource objects. However, in the default configuration, only identifiers are stored in shadow objects.
- Read more ...
- Alternative terms: Shadow Object
- See also: Projection
- Self-Sovereign Identity (SSI)
- Self-sovereign identity is an approach to digital identity that gives individuals control over their identity data. Without self-sovereign identity, individuals need to rely on (usually big and influential) organizations to manage their identity data, acting as identity providers. SSI systems are often decentralized, based on verifiable credentials stored in a digital wallet that is under the user's control.
- See also: Decentralized Identity, Verifiable Credentials, Identity Provider
- Single Sign-On (SSO)
- Single sign-on (SSO) is an authentication process in which the user logs into multiple systems with a single set of credentials (usually username and password). It is used for systems that require authentication for each application while using the same credentials. SSO relies on a central service from which the user gains access to different applications without logging in again.
Unlike identity providers, SSO systems usually operate within a single domain, with both the SSO server and the applications controlled by the same organization. The implicit trust of such an arrangement allows SSO systems to be much simpler than identity federation systems, although both classes of systems provide similar services and mechanisms.
- Alternative terms: Single Log-On
- See also: Authentication, Identity Provider, Identity Federation
- Standard
- Technical specification, adopted by a recognised standardisation body, for repeated or continuous application, with which compliance is not compulsory.
- Alternative terms: Technical standard, Technology standard, Official standard
- See also: Technical specification
- Static Entitlement
- An entitlement that is statically assigned to a user or an account. The entitlement stays ("stands") assigned to the user indefinitely, until it is explicitly unassigned. A static entitlement is assigned to a user by an action of a system administrator, by means of an access request process, or by similar means.
Standing entitlements form the basis of some access control models, most notably Role-Based Access Control (RBAC). The static nature of entitlement assignment is often a target of critique, pointing out the lack of dynamics and flexibility of static entitlements. Policy-based access control models avoid the use of standing entitlements in favor of entitlements that are determined dynamically at run-time.
While static entitlements may be necessary at higher levels (especially the identity governance level), they do not necessarily have to be reflected to lower levels (e.g. directory services and operating systems). Eliminating low-level standing privileges has several advantages, including lower risk of misuse and less visibility for an attacker. Just-in-time or on-demand mechanisms for temporary assignment of privileged access provide a solution for bridging high-level and low-level static entitlements.
- Alternative terms: Standing Privilege, Standing Entitlement, Persistent Privileges
- See also: Entitlement, Access Control, Role-Based Access Control, Policy-Driven Role-Based Access Control, Attribute-Based Access Control, Policy-Based Access Control
- Subject
- An entity or identity that is active in an information system, typically a user. It is assumed that a subject has agency, directly or indirectly. Subjects can represent organizations or similar "legal persons" that cannot act on their own; users have to act on their behalf. In this case the organization is the "subject", while the person that acts on the organization's behalf is the "user".
The term "subject" is often used in the context of authorization, as part of the subject-action-object triple. The subject is the active part, a user executing a certain action on a specific object. In some contexts, "subject" is equivalent to "principal".
- Alternative terms: Principal
- See also: Principal, User, Entity, Identity, Account, Authorization, Holder
- Target System
- In the IAM field, any system in which an identity management (IDM) system manages identity data. The IDM system usually uses identity connectors to manage data in target systems.
Some target systems can also be (partial) identity data sources, with the IDM system both managing and reading the data.
- See also: Identity Management System, Identity Connector, Identity Data Source
- Technical specification
- Document that prescribes technical requirements to be fulfilled by a product, process, service or system and which lays down characteristics, production methods or assessment criteria. Unlike standard, it is not required that technical specification is adopted by a recognized standardization body.
- See also: Standard
- Threat
- In cybersecurity, a threat is a potential to cause harm or to endanger information assets or the organization. Threats may be intentional, unintentional or completely natural. Many cybersecurity threats are materialized by motivated attackers, while other threats may be environmental (flooding, fire), or may be caused by societal or governmental actions.
- Alternative terms: Cyber threat, Security threat
- ISO 27000 term: threat
- See also: Risk, Asset, Risk assessment, Cyberattack
- Top management
- Top management is a person or a group who controls the organization at the top level. Top management is ultimately responsible for allocation of resources, objectives and results of the organization.
- Alternative terms: Executive management, Board, Board of directors
- ISO 27000 term: top management
- See also: Organization, Organizational Structure
- Triangle Of Trust
- Triangle of trust is a three-party relationship of issuer, holder and verifier. The issuer issues a credential or claim to the holder. The holder presents the credential/claim to the verifier. The verifier verifies the credential/claim, using data provided by the issuer.
Triangle of trust is a frequently-used concept to support trust relationships in distributed information systems.
- Alternative terms: Trust Triangle
- See also: Issuer, Holder, Verifier, Trusted Third Party
- Trust
- Confidence in or reliance on some person or quality. In the information technology world, it usually means confidence in the correctness of information. It is often a long-term relationship between entities, one entity trusting in the correctness of a whole class of information claimed by the other entity (trusted third party).
- X.1252 term: trust
- See also: Triangle Of Trust, Trusted Third Party
- Trust service
- Electronic service that issues digital credentials, acting as a trusted third party.
- See also: Trusted Third Party, Certificate Authority
- Trusted Third Party
- An entity that makes claims which are trusted by other parties. Usually a central entity in a system that is trusted by many entities. In scenarios involving the Triangle of Trust, the issuer is considered to be the trusted third party.
- X.1252 term: trusted third party
- See also: Trust, Triangle Of Trust, Issuer, Trust service
- Under-provisioning
- Situation when an identity has fewer privileges than are necessary for the tasks that the identity is supposed to carry out. For example, a user does not have all the permissions necessary to carry out their usual work tasks. Under-provisioning is an operational risk, leading to low workforce efficiency.
Ideally, under-provisioning should be addressed by the automated provisioning mechanisms of identity management systems, such as birthright provisioning. However, due to a lack of clear access control policy, under-provisioning is often addressed by access request processes.
- Alternative terms: Under-permissioning, Under-privileged Access
- See also: Identity Provisioning, Birthright, Access Request Process, Over-provisioning
- User
- Generally speaking, a person that is using a computing system.
- In midPoint terminology: A user means a data structure in midPoint that describes a person. Similar data structure in source/target system (identity resource) is called an "account".
- Alternative terms: MidPoint User
- X.1252 term: user
- See also: Account, Principal, Subject
- User-Centric
- A system that is oriented towards the user, with the user in control. In the identity and access management context it usually means a system where users are in control of their data.
- X.1252 term: user-centric
- Verifiable Credentials (VC)
- Credentials that can be presented by the holder to the verifier, and independently verified by the verifier, without the cooperation of any third party. Verifiable credentials do not require the verifier to cooperate with the credential issuer to verify every single credential issued. Only the holder and the verifier are aware of the transaction; no other party has any data about the transaction. Some verifier-issuer communication may be necessary to establish or renew the trust. However, such communication is in no way related to the holder-verifier transaction.
Verifiable credentials are often based on public key cryptography techniques. Holders keep verifiable credentials in digital wallets.
- See also: Credential, Digital Wallet, Self-Sovereign Identity, Decentralized Identity, Triangle Of Trust
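The issuer-holder-verifier exchange described in the Triangle Of Trust and Verifiable Credentials entries, as an added example that is not part of this glossary or of midPoint: the issuer signs a credential with an Ed25519 key, the holder presents it, and the verifier checks it offline using only the issuer's public key, so a credential altered after issuance is rejected. The credential format, the function names and the identifiers are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is a minimal, constructed credential format for this example,
// not the W3C Verifiable Credentials data model.
type Credential struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Claims  map[string]string `json:"claims"`
}

// SignedCredential is what the issuer hands to the holder (kept in a wallet)
// and what the holder later presents to the verifier.
type SignedCredential struct {
	Payload   []byte // JSON of Credential; encoding/json sorts map keys, so it is deterministic
	Signature []byte // Ed25519 signature over Payload by the issuer's private key
}

// Issue is the issuer's side of the triangle: sign the credential.
func Issue(issuerPriv ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(issuerPriv, payload)}, nil
}

// Verify is the verifier's side. Its only input from the issuer is the public key,
// obtained once when trust was established; the issuer is not contacted per presentation.
func Verify(issuerPub ed25519.PublicKey, sc SignedCredential) (Credential, error) {
	if !ed25519.Verify(issuerPub, sc.Payload, sc.Signature) {
		return Credential{}, errors.New("signature invalid: not issued by this issuer, or altered")
	}
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return Credential{}, err
	}
	return c, nil
}

// Tamper models a holder changing a claim after issuance while keeping the
// original signature; Verify must reject the result.
func Tamper(sc SignedCredential, claim, value string) SignedCredential {
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return sc
	}
	if c.Claims == nil {
		c.Claims = map[string]string{}
	}
	c.Claims[claim] = value
	payload, _ := json.Marshal(c)
	return SignedCredential{Payload: payload, Signature: sc.Signature}
}
func main() {
	// Constructed sample identifiers, not real DIDs or organizations.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sc, _ := Issue(priv, Credential{Issuer: "did:example:university",
		Subject: "did:example:alice", Claims: map[string]string{"degree": "MSc"}})
	_, okErr := Verify(pub, sc)
	_, badErr := Verify(pub, Tamper(sc, "degree", "PhD"))
	fmt.Println("genuine accepted:", okErr == nil, "| tampered rejected:", badErr != nil)
}
```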
- Verification
- A process establishing that a particular piece of information is correct, while the meaning of "information" and "correct" varies from context to context. When dealing with identity information, this usually means formal verification of identity attributes: checking the schema, identifier uniqueness and referential integrity. However, verification may also mean deeper verification, such as checking that the information is true and up-to-date.
- ISO 24760 term: verification
- X.1252 term: verification
- See also: Verifier, Digital Identity Attribute, Schema, Referential Integrity
- Verifier
- Entity that performs verification, usually verification of a credential or a claim. In Triangle of Trust scenarios, the verifier verifies credentials/claims provided by the holder. The verifier may need information provided by the issuer of the credential/claim to be able to complete the verification process.
- ISO 24760 term: verifier
- See also: Verification, Triangle Of Trust, Issuer, Holder, Trusted Third Party, Credential, Claim
- Vulnerability
- Vulnerability is an aspect of an information asset that makes it vulnerable to damage or misuse. It is a weakness in the protection of an asset that can be exploited by a threat. In software development, a vulnerability is a bug in software code that opens the software to cyberattacks.
- Alternative terms: Weakness
- ISO 27000 term: vulnerability
- See also: Risk, Threat, Asset, Risk assessment, Cyberattack
- Zero trust (ZTA)
- "Zero trust" is an approach to cybersecurity based on the concept of "never trust, always verify". The basic idea of the approach is to never trust any system or network implicitly, but always verify that the request is authentic, both with respect to the identity of the source and the trustworthiness of network channels. Under zero trust, every request should be authenticated and authorized. For that approach to work, all relevant identities must be reliably known, especially non-human identities (NHI) representing communicating services and devices. Therefore, identity-based security is a fundamental foundation of the zero trust approach.
Zero trust originated mostly as a reaction to the flawed concept of the cybersecurity perimeter, which was a common approach to cybersecurity in the early years of inter-network computing. The perimeter approach assumed the existence of a "perimeter" that separated the insecure outer network (usually the Internet) from the secure inner network (usually the corporate network). Security requirements were significantly reduced in the presumably-secure inner network. In that respect, zero trust can be summarized as "no weak interior", an approach in which no assumption of a secure inner network exists. The zero trust approach operates under the "assumption of breach", meaning that it is assumed that the attacker already has access to the network, devices or services.
Overall, "zero trust" is mostly a broad conceptual approach, a set of guiding principles rather than a set of specific technologies and practices. It is currently used as a token of the paradigm shift from the perimeter-based approach to a more resilient and holistic cybersecurity approach that does not rely on the concept of a perimeter.
- Alternative terms: Zero-trust, Zero trust security model, Zero trust architecture, Zero trust approach, Perimeterless security, Defense in depth
- See also: Cybersecurity, Identity-based Security, Perimeter