Last modified 13 Feb 2024 16:42 +01:00
Attribute-Based Access Control (ABAC)
A mechanism for managing user access to information systems based on the values of user attributes. Attribute-Based Access Control (ABAC) evaluates access dynamically, using an algorithm that takes "attributes" as input and outputs an access decision (allow/deny). The attributes are usually user attributes from the user profile, supplemented with context attributes such as the time of access and the user's current location.
Alternative terms: Claims-based Access Control, CBAC
See also: Access Control
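An illustrative ABAC decision function, added here as an example (not midPoint's or any product's code); the policy rules, attribute names and the deny-overrides combining rule are constructed assumptions, chosen to show user attributes and context attributes (time, location) being evaluated together.

```python
"""Minimal ABAC policy evaluation over user, request and context attributes.
Added example; not midPoint's or any product's code. Rule and attribute names are invented."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Union

# A condition is either a set of permitted values or a predicate over the value.
Condition = Union[Set[str], Callable[[object], bool]]


@dataclass
class Rule:
    """A rule fires when every named attribute satisfies its condition."""
    effect: str                                   # "allow" or "deny"
    conditions: Dict[str, Condition] = field(default_factory=dict)

    def matches(self, attrs: dict) -> bool:
        for name, cond in self.conditions.items():
            value = attrs.get(name)               # missing attribute -> None
            if callable(cond):
                if not cond(value):
                    return False
            elif value not in cond:
                return False
        return True


def office_hours(hour) -> bool:
    """Context predicate: hour of access must be within 08:00-17:59."""
    return hour is not None and 8 <= hour < 18


# Constructed policy: context attributes (location, hour) are evaluated alongside
# user attributes (department, role) and request attributes (resource, operation).
POLICY = [
    Rule("deny", {"location": {"unknown"}}),      # unknown location is never allowed
    Rule("allow", {"department": {"finance"}, "resource": {"ledger"}, "hour": office_hours}),
    Rule("allow", {"role": {"auditor"}, "resource": {"ledger"}, "operation": {"read"}}),
]


def decide(user: dict, context: dict, resource: str, operation: str, policy=POLICY) -> str:
    """Deny-overrides combining: any matching deny wins, otherwise a matching allow,
    and an implicit deny when no rule matches at all."""
    attrs = {**user, **context, "resource": resource, "operation": operation}
    matched = [r for r in policy if r.matches(attrs)]
    if any(r.effect == "deny" for r in matched):
        return "deny"
    if any(r.effect == "allow" for r in matched):
        return "allow"
    return "deny"


if __name__ == "__main__":
    alice = {"department": "finance", "role": "clerk"}     # constructed user profiles
    bob = {"department": "hr", "role": "auditor"}
    print(decide(alice, {"location": "office", "hour": 10}, "ledger", "write"))  # allow
    print(decide(alice, {"location": "office", "hour": 22}, "ledger", "write"))  # deny
    print(decide(bob, {"location": "office", "hour": 22}, "ledger", "read"))     # allow
    print(decide(bob, {"location": "unknown", "hour": 10}, "ledger", "read"))    # deny
```

The same user profile yields different decisions as the context attributes change, which is the property that distinguishes ABAC from a static role or group check.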
Abstract Role
In midPoint terminology: Abstract role means any type of object that acts as a role. This means that an abstract role can be used to hold inducements, which give privileges to other objects. Role, org, service and archetype are abstract roles in midPoint.
See also: Inducement, Role, Org, Archetype
Access Certification
Access certification helps with the management of access rights. These rights, also called privileges, role assignments, authorities or authorizations, need to be assigned to the right users in the right systems at the right time. Access certification means reviewing settings such as assignments of roles to users, to make sure that employees have access to the systems they need.
Certifications are often conducted in the form of certification campaigns, certifying the access of many users in each campaign and distributing the work among many reviewers to keep the amount of work per person reasonable. Despite that, the overall effort necessary for completion of a certification campaign can be huge. Therefore, certification campaigns are being replaced by microcertifications, certifying specific users or privileges on an as-needed basis.
Access certification is often used to address over-provisioning of privileges, in an attempt to maintain the principle of least privilege.
Alternative terms: Access Re-certification, Re-certification, Attestation, Access Review
See also: Least Privilege Principle, Over-provisioning, Microcertification
Access Cloning
Access cloning is a practice of assigning a user the same access rights as another user has. It is often used to provision new users with initial access rights, copying access rights of an existing user.
Access cloning is an undesirable practice (see ISO/IEC 27002 5.18), as it often leads to over-provisioning. Even if the cloned access rights are justified, a business role (RBAC) or a similar mechanism should be used instead of cloning. Although the practice is generally undesirable, it is often employed due to its simplicity.
Alternative terms: Access Rights Cloning
See also: Least Privilege Principle, Over-provisioning, Role-Based Access Control
Access Control
Access control is an abstract concept of controlling access of users to applications. It is a very broad and general term; however, it usually refers to a mechanism to define and evaluate authorization policies. Two commonly used access control mechanisms are role-based access control (RBAC) and attribute-based access control (ABAC).
X.1252 term: access control
ISO 27000 term: access control
See also: Role-Based Access Control, Attribute-Based Access Control, Policy-Based Access Control
Access Management (AM)
Access Management (AM) is a security discipline that grants authorised users access to particular resources and prevents non-authorised users from accessing them. Thus the goal of Access Management is to unify the security mechanisms that take place when a user is accessing a specific system or functionality. Single Sign-On (SSO) is sometimes considered to be a part of Access Management.
Access Request Process
Access request process is a business process used to request additional access or privileges for information systems and applications. It is usually a semi-manual process. It starts with a user requesting access or privileges for applications. The request is usually routed through approval steps. When approved, the access is provisioned.
Access request is very frequently used to provide necessary access to users, addressing access under-provisioning situations. As a clear and complete access control policy is usually not known, the access request process is a practical measure to compensate for this limitation. In fact, the access request process is often over-used, leading to systematic over-provisioning of access. Access certification mechanisms are usually used to compensate for such over-provisioning.
Alternative terms: Access Request Management
See also: Identity Provisioning, Under-provisioning, Over-provisioning, Access Certification
Account
A data structure in a database, file or a similar data store that describes the characteristics of a user of a particular system (resource). Accounts are used to control access of users to applications, databases and so on. An account is a persistent data record, stored in an application or a database. This term is usually not used to describe ephemeral information about a user's identity, such as information temporarily stored only for the duration of the user's session. Such information is often referred to as a "principal".
An account is different from a generic data record (e.g. "identity" or "principal"). The purpose of an account is to provide the user's access to the system; a generic data record may not provide such access.
In midPoint terminology: An account strictly means a data structure in a source/target system (resource). The term "user" is used to describe a similar data structure in midPoint itself.
Alternative terms: User account
See also: User, Principal
Access Control List (ACL)
A mechanism for controlling access to an information system, based on a simple sequential list of access control instructions. Instructions in an access control list are evaluated sequentially. If an instruction matches the current access control situation (user, accessed object, operation), then the instruction is applied, either allowing or denying the access.
There is no standardized form or language for access control lists and their instructions, so ACLs are not interoperable across implementations. There are also numerous variations on the basic idea, e.g. always evaluating the entire list, deny instructions always taking precedence, and so on.
See also: Access Control
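The two evaluation variants described above, as an added example that is not part of the original glossary: the same constructed ACL is evaluated with first-match sequential semantics and with whole-list, deny-takes-precedence semantics, and the entry format, group membership and object names are invented for illustration.

```python
"""ACL evaluation under two common semantics, showing how one list can yield
different decisions. Added example; not code from the original glossary.
The entry format, groups and sample list are constructed."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Entry:
    effect: str     # "allow" or "deny"
    subject: str    # user name, "group:<name>", or "*" for anyone
    operation: str  # e.g. "read", "write", or "*"
    target: str     # object identifier or "*"


# Constructed group membership used to resolve "group:<name>" subjects.
GROUPS = {"staff": {"alice", "bob"}, "admins": {"carol"}}


def subject_matches(entry_subject: str, user: str) -> bool:
    if entry_subject in ("*", user):
        return True
    if entry_subject.startswith("group:"):
        return user in GROUPS.get(entry_subject[len("group:"):], set())
    return False


def entry_matches(e: Entry, user: str, operation: str, target: str) -> bool:
    return (subject_matches(e.subject, user)
            and e.operation in ("*", operation)
            and e.target in ("*", target))


def evaluate_first_match(acl: Iterable[Entry], user: str, operation: str, target: str) -> str:
    """Sequential evaluation: the first matching entry decides; implicit deny otherwise."""
    for e in acl:
        if entry_matches(e, user, operation, target):
            return e.effect
    return "deny"


def evaluate_deny_precedence(acl: Iterable[Entry], user: str, operation: str, target: str) -> str:
    """Whole-list evaluation: any matching deny wins over any allow; implicit deny otherwise."""
    matched = [e for e in acl if entry_matches(e, user, operation, target)]
    if any(e.effect == "deny" for e in matched):
        return "deny"
    return "allow" if matched else "deny"


# Constructed ACL: alice is explicitly allowed to write, but her group is denied later.
ACL = [
    Entry("allow", "alice", "write", "report.docx"),
    Entry("deny", "group:staff", "write", "report.docx"),
    Entry("allow", "group:staff", "read", "report.docx"),
    Entry("allow", "group:admins", "*", "*"),
]


if __name__ == "__main__":
    # Ordering decides under first-match: alice's allow precedes the group deny.
    print(evaluate_first_match(ACL, "alice", "write", "report.docx"))      # allow
    # Under deny-precedence the group deny overrides her explicit allow.
    print(evaluate_deny_precedence(ACL, "alice", "write", "report.docx"))  # deny
    # No entry matches an unknown user: both variants fall back to deny.
    print(evaluate_first_match(ACL, "dave", "read", "report.docx"))        # deny
```

Because the two variants disagree on the very same list, an ACL cannot be interpreted correctly without knowing which evaluation rule the implementation applies.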
Active Directory
An identity repository created by Microsoft that stores and arranges identity information. Based on this information, it provides access and permissions to users to enter particular resources and therefore improves organization’s security.
Agent
An active entity, usually a software component that plays an active part.
In the identity management field, the term "agent" often means an active software component installed into a controlled system, used to mediate management of identities. It is similar in function to an identity connector; however, unlike the connector, the agent has to be installed into the controlled system.
X.1252 term: agent
See also: Identity Connector
Anonymity
A situation when an object cannot be distinguished from similar objects, i.e. when the identity of an object cannot be determined.
X.1252 term: anonymity
See also: Identity
Application Programming Interface (API)
A set of procedures, functions or methods that can be used by another program or component. APIs are usually interfaces exposed by an application, meant to be used by other applications. Therefore, APIs are important integration points between applications and services. In the past, APIs were usually created as a programming language library, such as a C or Java library. Since c. 2010, APIs usually take the form of an HTTP-based RESTful service.
See also: RESTful Service
Archetype
In midPoint terminology: Archetype is a formal definition of an object subtype in midPoint. Archetypes can give a specific character to basic midPoint types such as user, role or org. For example, archetypes can be used to further refine the concept of a user to represent employees, students, contractors and partners.
Asset
An asset is an integral collection of information, data, systems, services, equipment, knowledge and any other means that provide value to an organization. It may take the form of a customer database, results of a research project, a trade secret, a proprietary software package, an essential business process or any other form that is considered valuable. Assets are subject to risk, realized by threats exploiting asset vulnerabilities. Protection of assets is the primary objective of cybersecurity.
Alternative terms: Information asset
See also: Risk, Threat, Vulnerability, Risk assessment
Assignment
In midPoint terminology: Assignment is a relation that directly assigns privileges, organizational membership, policy elements or other midPoint concepts to assignment holder objects (usually users). Assignment is quite a rich, flexible and universal mechanism. Assignments can be conditional, and there may be time constraints, parameters and other details specifying the relation between the assignment holder (usually a user) and the target (usually a role or org). Many types of objects can be the target of an assignment, allowing for significant expressive power.
See also: Inducement, Assignment Holder, Focus
Assignment Holder
In midPoint terminology: An object that can hold assignments. An assignment holder can be considered the "source" of an assignment, the source of the relation that an assignment represents. Almost all object types in midPoint are assignment holders, capable of containing an assignment.
See also: Assignment, Focus
Audit
Audit is a systematic and documented process for reviewing specific processes, organizations or regulatory compliance. It involves obtaining evidence and processing it objectively, including evidence stored in special-purpose audit trails. An audit can be internal, conducted by an organization reviewing its own processes or compliance. It can also be external, conducted by an independent trusted party.
ISO 27000 term: audit
See also: Audit trail
Audit scope
Extent and boundaries of audit review.
ISO 27000 term: audit scope
See also: Audit
Audit trail
Audit trail is a record of essential information, meant to be used as evidence in audit reviews. An audit trail is usually a structured, chronological record of operations or observations of an information system. It records important actions taken by users of the system, including actions taken by system administrators.
Alternative terms: Audit log
See also: Audit
Authentication
Authentication is a mechanism by which a computer system checks that the user is really the one she or he claims to be. Authentication can be implemented by a broad variety of mechanisms, broadly divided into three categories: something you know, something you have, something you are. Traditionally, authentication is done by means of a username and password. Authentication is often followed by authorization; however, authentication and authorization are two separate mechanisms.
ISO 24760 term: authentication
X.1252 term: authentication
ISO 27000 term: authentication
See also: Identification, Authorization, Multi-factor authentication
Authenticated Identity
ISO 24760 term, describing "identity information" created to record the result of authentication. This may mean data such as authentication strength, timestamps and similar information. In software development, it is often referred to as "authenticated user" or "authenticated principal".
Alternative terms: Authenticated user, Authenticated principal
ISO 24760 term: authenticated identity
See also: Authentication, Principal
Authenticity
Authenticity is a property of data, and also an assurance, that the data are valid and true. Simply speaking, it tells that the data are what they claim to be. Authenticity may also mean assurance of data origin (provenance) and integrity.
ISO 27000 term: authenticity
See also: integrity
Authorization
Authorization is a mechanism by which a computer system determines whether to allow or deny a specific action to a user. Authorization is often controlled by rather complex rules and algorithms, usually specified as part of an access control model. Authorization often follows (and requires) authentication; however, authentication and authorization are two separate mechanisms.
In rare cases, "authorization" is understood as a process of allowing access, granting permissions or giving approval, such as "authorization" of a request to join a group.
X.1252 term: authorization
See also: Authentication, Role-Based Access Control, Attribute-Based Access Control, Coarse-grain Authorization, Fine-Grain Authorization, Access Control
Authorization Service
A system that provides authorization information to an application. It usually makes the decision whether a specific operation should be allowed or denied by the application, i.e. the authorization service performs the authorization decision instead of the application. Authorization services often use complex policy, user roles or additional attributes to make the decision. Authorization servers usually implement the functionality of a Policy Decision Point (PDP). Typical protocols and frameworks: XACML, Open Policy Agent (OPA), SAML authorization assertions, proprietary mechanisms.
Alternative terms: Authorization Server
See also: Authorization
Availability
Availability is a property of a network service or information system, ensuring that all the necessary functions are available to the user, i.e. it is a property that ensures that systems and data are available to users as intended, and that the service is not interrupted by an attacker.
Availability, together with confidentiality and integrity form a "CIA triad", a classical model of information security (cybersecurity).
Alternative terms: Service availability
See also: Confidentiality, integrity
Biometric Recognition
Automated recognition of persons, based on their biological or behavioral characteristics.
Alternative terms: Biometric authentication
X.1252 term: biometric recognition
See also: Authentication
Birthright
Privileges or access granted to users based on their inherent characteristics, such as user type (employee, contractor, student). It also includes a set of privileges automatically given to all users ("all users" access). Privileges and access that are automatically assigned due to organizational structure membership (e.g. access to departmental systems) are sometimes also considered to be a birthright.
In midPoint terminology: Archetypes are usually used to manage birthright in midPoint, by placing appropriate inducements in the archetype definition. Birthright originating from organizational structure can be implemented by placing inducements in organizational units (orgs).
Alternative terms: Birthright provisioning
See also: Archetype, Org, Inducement
Blinded Affirmation
A method to provide strictly limited information to another party, without revealing any unintended information. Blinded affirmation is often used to demonstrate that a certain user is a member of an organization, without revealing any additional information about the user to a third party. Blinded affirmation usually relies on ephemeral identifiers or pseudonyms.
ISO 24760 term: blinded affirmation
See also: Ephemeral Identifier, Pseudonym
Certificate Authority (CA)
Entity that issues digital certificates. Certificate authority is usually a trusted third party, certifying correctness of the data presented in certificates that it issues. The most common form of certificate authority is an authority that issues X.509 digital certificates, containing public keys. Certificate authority signs the certificates, thus certifying that a specified public key belongs to a specified identity.
See also: Digital Certificate, Trusted Third Party
Claim
A statement about an entity, provided in a form which can be verified by other parties. Verification of a claim provides reliable information about the entity that created the claim (issuer), and it provides assurance that the claim content was not modified. However, claim verification does not provide assurance that a claim is correct, or that it is an unquestionable truth. Technically, claims are often digital identity attributes, secured by cryptographic mechanisms for network transfer.
See also: Digital Identity Attribute, Triangle Of Trust, Issuer, Holder, Verifier
Clockwork
In midPoint terminology: MidPoint component responsible for evaluation of lifecycle, activation, object templates, assignments, roles, policies, mappings and many other aspects of midPoint configuration. Clockwork is the main workhorse of midPoint synchronization, making sure that objects are properly recomputed and policies are enforced. It also computes the data for synchronization, in both the inbound and outbound direction.
Cloud Computing
Internet-based computing in which resources like storage, applications or servers are used by organizations or users via the Internet. Data can be accessed at any time from any place, without any installation, and are stored and processed in third-party data centers which could be located anywhere in the world. Cloud computing is considered to lower an organization’s costs by avoiding the need to purchase servers, as well as to speed up processes with less maintenance needed. Due to data being centralized in one place, it is considered to be secure and easily shared across a bigger number of users.
Coarse-grain Authorization
Authorization concerning big architectural blocks, such as entire applications or systems. E.g. coarse-grain authorization usually decides whether a user can access an application or whether access should be denied, without providing any additional details. Coarse-grained authorization decisions are usually made at the "perimeter" of the system, e.g. by infrastructure components, when a user is accessing an application. Typically, this authorization is based on simple policy rules, such as a role or group assigned to the user.
See also: Authentication, Fine-Grain Authorization
Competence
Ability to perform a certain function, or to achieve intended results. It may refer to the ability of people, an ability to apply knowledge, skills and effort to reach results. It may also apply to systems, describing the ability of a system to perform functions to achieve results.
Alternative terms: Capability
ISO 27000 term: competence
Compliance
Fulfillment of a requirement, or of a system of requirements. It usually refers to conformity with a regulation or an industry standard.
In the identity and access management (IAM) field, the term "compliance" may refer to a set of IAM platform features that aid with regulation and standards compliance.
Alternative terms: Conformity
ISO 27000 term: conformity
Confidentiality
Confidentiality is a property of a communication channel or of data, ensuring that they are available only to intended actors, i.e. it is a property that ensures that the data are seen only by the communicating parties, and no other party can access and read the data. Confidentiality is usually implemented by using encryption.
Confidentiality, together with integrity and availability form a "CIA triad", a classical model of information security (cybersecurity).
Alternative terms: Secrecy
ISO 27000 term: confidentiality
See also: Availability, integrity
ConnId
ConnId is an open source identity connector framework project. It originated from the Identity Connector Framework (ICF) developed by Sun Microsystems in the late 2000s. ConnId is now an independent open source project, used by several identity management platforms.
Alternative terms: ConnId Framework
See also: Identity Connector, Identity Connector Framework
Consent for Personal Data Processing
Consent for personal data processing is given by a user, to indicate agreement with the processing of personal data. In personal data protection frameworks (such as GDPR), consent has a strict structure: it is given for a very specific processing scope. Consent can be revoked by the user at any time. Consent is just one of several personal data processing bases (lawful bases). Consent is perhaps the most well known, and also the most misused, basis for personal data processing.
Alternative terms: Consent
See also: Personal Data Protection, Personal Data Processing Basis, General Data Protection Regulation
Consequence
Outcome of an event or an activity.
Alternative terms: Outcome, Result
ISO 27000 term: consequence
See also: Event
Continual improvement
Continuous or recurring activity to enhance performance or results.
ISO 27000 term: continual improvement
Control
Control is a measure that affects risk. Controls are used in security management programs to lower risk, and to manage overall and residual risks. Controls may take a variety of forms, including processes, technology, policies and people.
Alternative terms: Countermeasure, Cybersecurity measure, Measure
ISO 27000 term: control
Control objective
Control objective is the intended effect of a control. It is a description of the effect that a control should have when implemented.
ISO 27000 term: control objective
See also: Control
Corrective action
Corrective action is an action to eliminate the causes of non-compliance and prevent recurrence. Unlike remediation (correction), which is focused on correcting the effects, corrective action aims at correcting the causes (e.g. updating the policy).
ISO 27000 term: corrective action
See also: Compliance, Remediation
Credential
Information used to prove identity during authentication. Credentials can be digital (information), physical (an object such as an ID card) or a combination of both (an ID card with a tamper-proof chip containing cryptographic keys). Perhaps the most common type of digital credential is a password.
Alternative terms: Digital credential, Credentials
ISO 24760 term: credential
X.1252 term: credential
See also: Password, Passkey, Personal identification number, Authentication
Credential Issuer
An entity that creates and provisions credentials to entities.
ISO 24760 term: credential issuer
See also: Credential, Issuer, Trust service
Credential Service Provider (CSP)
ISO 24760 term, describing an entity responsible for management of credentials in a domain.
ISO 24760 term: credential service provider
See also: Credential
Cross-domain
Anything that involves interaction between two or more domains. Specifically, in the context of identity and access management, it usually means transfer of information between domains that are under separate control, or transfer of information that needs to be somehow limited (e.g. only a subset of attributes is transferred).
Cross-domain techniques employ special mechanisms to protect the information, or to make transfer between domains more reliable or secure. For example, special identifiers (often ephemeral pseudonyms) are used to refer to identity data.
See also: Domain, Identity Provider, Relying Party, Identity Federation
Cyberattack
Cyberattack is an intentional effort to steal, destroy, expose, alter, disable or gain unauthorized access to information systems and data (information assets). A cyberattack is a cybersecurity breach.
Alternative terms: Cyber attack
ISO 27000 term: attack
See also: Cybersecurity, Cybersecurity incident
Cybersecurity
Cybersecurity is the protection of information systems, usually focused on systems connected to the Internet. It is a broad practice, including protection of systems, networks, software and data. It involves technology as well as people, policies and processes. Cybersecurity is a continuous, never-ending effort to make systems secure and keep them secure. The most comprehensive and systematic cybersecurity techniques are based on a risk-based approach.
Alternative terms: Information security
ISO 27000 term: information security
See also: Cybersecurity governance, Cyberattack, Risk-based approach
Cybersecurity event
Cybersecurity event is an event affecting the cybersecurity of an organization. It is an occurrence of a system, service or network state indicating a possible breach of information security.
Alternative terms: Information security event
ISO 27000 term: information security event
See also: Event, Cybersecurity incident, Cyberattack
Cybersecurity governance
Cybersecurity governance is a set of systematic activities to direct and control implementation of cybersecurity. Governance is a process of setting up and maintaining policies and rules to govern cybersecurity activities. It includes cybersecurity programs, policies, processes, decision-making hierarchies, mitigation plans, cybersecurity systems and especially oversight processes and procedures. Cybersecurity governance assumes existence and systemic application of cybersecurity strategy.
Alternative terms: Information security governance
ISO 27000 term: governance of information security
See also: Cybersecurity, Information security management system, Cybersecurity resilience, Risk management
Cybersecurity incident
Cybersecurity incident is an unwanted or unexpected cybersecurity event, impacting the cybersecurity of an organization. Cyberattack is the usual type of cybersecurity incident. Cybersecurity incidents include situations where a security breach cannot be proven, but there is a significant probability that the security of information and systems might have been affected.
Alternative terms: Information security incident, Incident
ISO 27000 term: information security incident
See also: Event, Cybersecurity event, Cyberattack, Cybersecurity incident management
Cybersecurity incident management
Cybersecurity incident management is a set of processes and systems to manage cybersecurity incidents. It includes detecting, recording, reporting, assessing and responding to incidents. Cybersecurity incident management systems are also used to learn from the incidents, with the goal of improving the information security management system (ISMS).
Alternative terms: Information security incident management, Incident management
ISO 27000 term: information security incident management
See also: Cybersecurity incident
Cybersecurity professional
Cybersecurity professional is a competent person who implements, maintains and improves cybersecurity practices.
Alternative terms: Information security professional, ISMS professional, Information security practitioner
ISO 27000 term: information security professional
See also: Cybersecurity, Cybersecurity governance
Cybersecurity resilience
Cybersecurity resilience is a combination of processes, procedures and governance measures to ensure continuous operation of cybersecurity mechanisms. It includes mechanisms to maintain appropriate levels of cybersecurity, as well as necessary improvements of cybersecurity measures to reflect increased threats.
Alternative terms: Information security resilience, Information security continuity
ISO 27000 term: information security continuity
See also: Cybersecurity, Cybersecurity governance
Cybersecurity standard
Cybersecurity standard is a formal specification describing requirements and methods for appropriate implementation of cybersecurity.
Alternative terms: Information security standard
ISO 27000 term: security implementation standard
See also: Compliance, Risk criteria
Cyber hygiene
Cyber hygiene is a cybersecurity principle and/or practice. By analogy to personal hygiene, cyber hygiene requires users to establish routine measures to minimize their cybersecurity risk. It often refers to personal cybersecurity routines such as proper password management, malware protection and data back-up. However, in a broader organizational scope, it also includes infrastructural cybersecurity measures, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management and user awareness training.
Alternative terms: Digital hygiene
Data Governance
Data governance is a data management concept aimed at maintaining high data quality through management of the data lifecycle and implementation of appropriate data quality controls. The identity governance and administration (IGA) field is concerned with governance of identity data.
See also: Data Provenance, Data Minimization, Metadata, Identity Governance and Administration, Privacy
Data Minimization
A process of reducing the amount of data to the necessary minimum required for processing.
Data minimization often takes place in the context of privacy and personal data protection, minimizing identity data to the necessary minimum.
Alternative terms: Minimization
X.1252 term: data minimization
See also: Privacy, Personal Data Protection, Data Governance
Data Origin
Organization or entity that has created or assigned a particular value. Origin is often part of data provenance, the description of the method by which a value was acquired by a system.
Origin may be relative, describing only the immediate origin of the information, a "previous hop", a system that has relayed the information to our system. Such an origin may not have created or assigned the information; it may have only relayed or copied information that originated in a third system. Origin is often recorded in the form of metadata.
Alternative terms: Origin, Domain of Origin
ISO 24760 term: domain of origin
See also: Digital Identity Attribute, Data Provenance
Data Provenance
Description of the method by which a value was acquired by a system. Provenance information almost always contains a description of the data origin. It is supplemented by additional information, such as timestamps and assurance information.
Provenance may be relative, describing only the immediate origin of the information, a "previous hop", a system that has relayed the information to our system. In other cases, provenance information may include the complete path from the ultimate origin of the information, describing all the systems it has passed through and all the transformations that were applied. Provenance is often recorded in the form of metadata.
Alternative terms: Provenance
See also: Data Origin, Metadata, Data Governance
Decentralized Identifier (DID)
An identifier that does not require a centralized registration authority. Technologies supporting decentralized identifiers vary; many of them are based on distributed ledger technologies (e.g. blockchain).
X.1252 term: decentralized identifier
See also: Decentralized Identity, Self-Sovereign Identity
Decentralized Identity (DID)
An identity that does not require a centralized registration authority, identity provider, identity data store or any other centralized system to function. Decentralized identity systems are usually built to be self-sovereign.
See also: Decentralized Identifier, Self-Sovereign Identity, Verifiable Credentials
Delegated Administration
Type of administration where chosen users have administrator permissions. They can manage other users, create passwords for them, move them into groups, assign them roles, etc.
Delta
In midPoint terminology: Delta is a data structure describing a change in data. It describes the data items (and values) that were added, removed or replaced. Delta is a relativistic data structure: it contains only the data that were changed.
Alternative terms: Prism Delta
See also: Prism
Digital Identity
Digital representation of identity: a set of characteristics, qualities, beliefs and behaviors of an entity, usually represented as a set of attributes.
Digital identity should not be confused with an identifier. Digital identity is a set of characteristics (complex data), while an identifier is a (usually simple) value used to refer to a digital identity.
Alternative terms: Identity, Network Identity, User Profile
ISO 24760 term: identity information
X.1252 term: digital identity
See also: Identity, Digital Identity Attribute, Entity
Digital Identity Attribute
A value representing a characteristic or property of an entity. An attribute is a part of digital identity.
Alternative terms: Attribute
ISO 24760 term: attribute
X.1252 term: attribute
See also: Digital Identity, Identifier, Entity, Claim
Digital Certificate
Digital document, containing information protected by cryptographic means. Digital certificates are usually used to bind information to a digital identity. Perhaps the most common use of certificates is certificates of public keys, binding a public key to the identity of its owner, signed by a trusted third party (certificate authority). The most prominent specification of the format of such a digital certificate is X.509.
Alternative terms: Certificate
X.1252 term: certificate
See also: Certificate Authority, Trusted Third Party
Digital Wallet
Physical or virtual device designed to securely store a small amount of sensitive information, usually credentials. Digital wallets can take a variety of forms, ranging from tamper-proof physical devices to simple programming libraries. Appropriate mechanisms to protect the data are expected in all such forms; e.g. virtual wallets usually protect the data using a key or a passphrase.
Digital wallets are often used to store verifiable credentials or credentials for cryptocurrency schemes. The actual information that the wallet protects is usually a private or secret key associated with the credential.
See also: Verifiable Credentials
Directory Service
A database intended as a store of simple objects, shared between applications. Directory services are often used to store identity data. The data are used by other applications, which access the directory service using a well-known protocol. Lightweight Directory Access Protocol (LDAP) is the most common protocol used to access directory services.
Directory services used to be the usual way to implement the functionality of an identity data store. However, other databases and technologies are now also used to implement similar functionality.
Alternative terms: Directory Server
See also: Identity Data Store, Lightweight Directory Access Protocol
Documented information
Information required to be created and maintained by an organization, usually for the purposes of compliance. Documented information may take the form of documents, documented processes, content of information systems, records of activities or any similar information.
ISO 27000 term: documented information
See also: Compliance, Audit trail
Domain
An environment under autonomous control. A domain is often an organization, managing a set of information systems and databases and keeping the information consistent. However, it may also refer to a smaller information set within an organization, such as a single database or directory server.
Identifiers are often designed to be unique within a particular domain, such as an organization or a database.
Alternative terms: Domain of applicability, Realm, Context, Scope
ISO 24760 term: domain
X.1252 term: domain
See also: Digital Identity, Identifier, Internal context
Effectiveness
Effectiveness is a measure of the extent to which planned activities are realized and desired results are achieved.
ISO 27000 term: effectiveness
Enrollment
A process of entering new identity data into a specific system (usually in a domain). Enrollment usually involves validation and verification of the information and its origin, such as verification of the identity assertion that relayed the information to the system.
The terms "enrollment", "registration" and "onboarding" overlap and are often used as synonyms. Strictly speaking, "enrollment" is the verification process, "registration" is the act of recording information into a data store, and "onboarding" is a complete business process making sure that a new person in an organization is well-equipped for activities within the organization.
ISO 24760 term: enrollment
X.1252 term: enrollment
See also: Identity Registration, Onboarding, Identity Assertion
Entitlement
A privilege or right of access given to a user. "Entitlement" is a very overloaded term. It can be used to represent any kind of privilege, ranging from a very high-level business role to the finest filesystem permission in a specific system.
In midPoint terminology: An Entitlement is a resource object representing a privilege, access right, resource-side role, group or any similar concept. However, unlike an account, an entitlement does not represent a user.
Alternative terms: Privilege, Access Right, Permission
X.1252 term: privilege
See also: Privileged entitlement, Static Entitlement
Entity
A being (such as a person or an animal), thing, concept or anything else that has a recognizably distinct existence. An entity is usually described by a set of characteristics, known as its identity. An entity can have several identities.
In some interpretations (usually legislation), "entity" is limited to natural and legal persons that are recognized in context of the legislation, able to exercise its rights and be subject to obligations.
ISO 24760 term: entity
X.1252 term: entity
See also: Identity, Digital Identity
Ephemeral Identifier
An identifier used only for a very short duration. Ephemeral identifiers are usually valid only during a single session, or even during a single protocol exchange (e.g. authentication). Ephemeral identifiers are almost always randomly chosen. When ephemeral identifiers refer to a digital identity, they are effectively short-lived pseudonyms.
ISO 24760 term: ephemeral identifier
See also: Identifier, Pseudonym
Event
An event is a significant occurrence or change of circumstances. In cybersecurity, "event" usually means a negative action or occurrence, an incident, such as a cyberattack. An event may have several causes and many consequences (outcomes). In a strict sense, an event can consist of something not occurring, e.g. a back-up procedure not running as planned.
ISO 27000 term: event
See also: Cybersecurity event, Consequence, Cyberattack
External context
Circumstances external to the organization, which affect the way an organization achieves objectives. It includes broad context, such as national and international environment, including regulatory, legal, technological, economic and natural aspects.
Alternative terms: Global environment, Externalities
ISO 27000 term: external context
See also: Internal context
Federated Identity
Digital identity intended to be used in several domains, usually by the means of identity federation. Information about federated identity is transferred between domains, usually in a form of identity assertions exchanged between identity providers and relying parties.
ISO 24760 term: federated identity
See also: Identity Federation, Digital Identity
Fine-Grain Authorization
Authorization based on very detailed information, providing finer control within application operations. E.g. authorization to approve a transaction in an accounting system, with the amount up to a certain limit. Typically, fine-grain authorization requires detailed knowledge of both the user profile (attributes) and the operation context (operation name, parameters and their meaning). Due to this requirement, fine-grain authorization is often implemented directly in application code.
See also: Authorization, Coarse-grain Authorization
Focus
In midPoint terminology: An object that is the focus of a computation, the object central to midPoint computation. The focus is usually a user, but it can be a role, org or a service. Focus is the center of a computation, the hub in hub-and-spoke (star) data synchronization in midPoint. The "spokes" in the computation are represented by projections.
Read more ...
Alternative terms: Focal Object
See also: Assignment, Projection
Fulfillment
Fulfillment is a functionality of identity management (IDM) system, making sure that users have appropriate access to systems. Simply speaking, this is the functionality that creates accounts, associates them with entitlements (e.g. groups), modifies passwords, enables/disables accounts and deletes them in the end. Fulfillment is a name used for identity provisioning together with deprovisioning and associated activities.
Read more ...
Alternative terms: Provisioning/deprovisioning
See also: Identity Management, Identity Management System, Identity Provisioning, Identity Deprovisioning, Manual Fulfillment
Graph-Based Access Control (GBAC)
Access control model based on a semantic graph modeling an organization. The organization is modeled as a semantic graph. Nodes represent organizational units, functional units (roles) and agents (users), edges represent relationships (e.g. membership, deputy). The model includes a query language, which is used to build the access control matrix.
See also: Access Control, Relationship-Based Access Control
General Data Protection Regulation (GDPR)
General Data Protection Regulation 2016/679 (GDPR) is a European Union regulation on personal data protection and privacy. It defines rules for processing of personal data in the European Union and the European Economic Area, with provisions of the regulation applicable to other parties as well.
See also: Personal Data Protection
Generic Synchronization
Advanced model of synchronization where not only users and accounts are synchronized, but also groups to roles, organizational units to groups, roles to ACLs and so on.
Governance, risk management and compliance (GRC)
Governance, risk management and compliance (GRC) is a discipline that helps organizations gain more control over their processes and become more effective. Governance is the set of decisions and actions by which individual processes, as well as the whole organization, are led to achieve specific goals. Risk management identifies, predicts and prioritizes risks with the aim of minimizing them or avoiding their negative influence on the organization's aims. Compliance means following certain rules, regulations or procedures. GRC software addresses all three parts in a single solution. It is a very helpful tool for business executives, managers and IT directors, making it possible to define, enforce, audit and review policies governing the exchange of information between internal systems as well as with external ones.
See also: Cybersecurity governance, Risk management, Compliance
Governing body
Governing body is a person or a group of persons who are responsible and accountable for the performance of an organization, mostly for the purposes of financial performance and regulatory compliance.
ISO 27000 term: governing body
See also: Compliance
Holder
An entity that holds credentials or claims, which usually describe the holder entity. In Triangle of Trust scenarios, the credentials/claims are issued by the issuer and verified by the verifier.
See also: Principal, Subject, Triangle Of Trust, Issuer, Verifier, Trusted Third Party, Credential, Claim
Identifier
A value, or a set of values, that uniquely identifies an identity in a certain scope.
An identity usually has several identifiers, used in various situations and contexts. Identifiers may be compound, composed of several values.
ISO 24760 term: identifier
X.1252 term: identifier
See also: Identity, Digital Identity, Digital Identity Attribute, Entity
Identification
A process of recognizing an identity as distinct from other identities in a particular scope or context. Identification is almost always performed by processing identifiers, using them to reference an identity in an identity database.
Identification is a process distinct from authentication. Authentication is a process of proving an identity (verification), whereas identification does not assume any such proof.
The term "identification" usually refers to a process of looking up identity data based on a simple identifier, such as username or reference identifier. In some cases, process of identification involves a correlation, looking up or matching identity information in a more complex way. For example, a system may compare registration data entered by the user with the content of its identity database, in an attempt to determine whether such user is already registered.
ISO 24760 term: identification
X.1252 term: identification
See also: Digital Identity, Identifier, Authentication, Identity Correlation
Identity
The fact of being who or what a person or thing is. A set of characteristics, qualities, beliefs, behaviors and other aspects of an entity. Identity can be applied to persons, things, even intangible concepts, known as entities. An entity can have several identities (often known as personas). In the context of information technologies, parts of an identity can usually be represented in the form of a digital record, known as digital identity.
Identity should not be confused with identifier. Identity is a set of characteristics, while identifier is a value used to refer to identity.
ISO 24760 term: identity
X.1252 term: identity
See also: Identifier, Digital Identity, Entity
Identity and Access Management (IAM)
Identity and access management (IAM) is a field concerned with managing identities (e.g. users) and their access to systems and applications. IAM is concerned with all aspects dealing with "identity", with many subfields that specialize in selected aspects. Access management (AM) deals especially with access to applications, including authentication and (partially) authorization. Identity governance and administration (IGA) deals with management of user data (e.g. user profiles), synchronization of identity data and applying policies. Other IAM subfields deal with storage of identity data, transfer of the data over the network and so on.
Read more ...
See also: Identity Management, Identity Governance and Administration, Access Management, Identity Data Store
Identity Assertion
Statement made by an identity provider regarding properties or behavior of an identity. Assertions are used by relying parties. The most common assertion is perhaps the authentication assertion, relaying information about an authentication event from the identity provider to the relying party. Assertions may contain other information as well, usually identity attributes and authorization decisions.
Alternative terms: Assertion, Claim
ISO 24760 term: identity assertion
X.1252 term: claim
See also: Digital Identity Attribute, Identity Provider, Relying Party
Identity Correlation
Process of comparing identity information, with the aim of finding a matching identity. Correlation is usually employed during identity enrollment or registration, when a system determines whether the new identity is already known to the system. For example, a system may compare registration data entered by the user with the content of its identity database, in an attempt to determine whether such a user is already registered. If such a comparison involves simple and reliable identifiers (such as username or employee number), it is called "identification". However, in many cases such identifiers are not available, and the system needs to combine several identifiers or employ sophisticated techniques to find a matching identity. Some identity correlation techniques involve probabilistic matching or machine learning methods to find suitable candidates, which are later reviewed by a human operator.
Alternative terms: Identity Matching
X.1252 term: correlation
See also: Identification, Enrollment, Identity Registration, Identifier
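As an added illustration of the distinction drawn above between identification and correlation (not code from midPoint or any particular product), the following Python models a registration check: a reliable identifier is looked up directly, otherwise several attributes are combined into a confidence score, and ambiguous results are routed to a human reviewer instead of being auto-merged. The identity records, attribute weights and thresholds are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed identity database: the records the system already knows.
IDENTITY_DB = [
    {"id": "u1001", "employeeNumber": "E-4471", "givenName": "Anna",
     "familyName": "Novak", "dateOfBirth": "1988-03-14", "email": "anna.novak@example.com"},
    {"id": "u1002", "employeeNumber": "E-5190", "givenName": "Anna",
     "familyName": "Novakova", "dateOfBirth": "1988-03-14", "email": "a.novakova@example.com"},
    {"id": "u1003", "employeeNumber": "E-6021", "givenName": "Peter",
     "familyName": "Novak", "dateOfBirth": "1975-11-02", "email": "peter.novak@example.com"},
]

# Weights (percent) for the attribute-matching stage; constructed, a deployment would tune them.
WEIGHTS = {"familyName": 35, "givenName": 25, "dateOfBirth": 30, "email": 10}
AUTO_THRESHOLD = 90    # unambiguous score at or above this: treat as the existing identity
REVIEW_THRESHOLD = 50  # between the thresholds: candidate for a human operator


@dataclass(frozen=True)
class Candidate:
    identity_id: str
    confidence: int
    matched_on: tuple[str, ...]


def identify(registration: dict, db: list[dict]) -> str | None:
    """Identification: a simple, reliable identifier is looked up directly."""
    emp = registration.get("employeeNumber")
    if not emp:
        return None
    return next((i["id"] for i in db if i["employeeNumber"] == emp), None)


def _norm(value: str | None) -> str:
    return (value or "").strip().casefold()


def score(registration: dict, identity: dict) -> Candidate:
    """Weighted agreement of the registration data with one stored identity."""
    total, matched = 0, []
    for attr, weight in WEIGHTS.items():
        if registration.get(attr) and _norm(registration[attr]) == _norm(identity.get(attr)):
            total += weight
            matched.append(attr)
    return Candidate(identity["id"], total, tuple(matched))


def correlate(registration: dict, db: list[dict] = IDENTITY_DB) -> dict:
    """Decide whether the registering person is already known.

    Returns 'decision' in {'existing', 'review', 'new'}, the matched 'identity'
    (or None), the 'method' that produced it, and the ranked 'candidates'.
    """
    hit = identify(registration, db)
    if hit:
        return {"decision": "existing", "identity": hit, "method": "identification", "candidates": []}
    ranked = sorted((score(registration, i) for i in db), key=lambda c: c.confidence, reverse=True)
    candidates = [c for c in ranked if c.confidence >= REVIEW_THRESHOLD]
    if not candidates:
        return {"decision": "new", "identity": None, "method": "correlation", "candidates": []}
    best = candidates[0]
    runner_up = candidates[1].confidence if len(candidates) > 1 else 0
    # Auto-accept only when the best candidate is strong AND clearly ahead of the next one;
    # two equally strong candidates is exactly the case that needs a human reviewer.
    if best.confidence >= AUTO_THRESHOLD and runner_up < AUTO_THRESHOLD:
        return {"decision": "existing", "identity": best.identity_id,
                "method": "correlation", "candidates": candidates}
    return {"decision": "review", "identity": None, "method": "correlation", "candidates": candidates}
```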
Identity Information Authority (IIA)
ISO 24760 term, referring to an entity related to a particular domain that can make provable statements on the validity and/or correctness of one or more attribute values in an identity.
ISO 24760 term: identity information authority
See also: Identity Provider, Domain
Identity Connector
A usually small and simple unit of code that connects to a remote system. The purpose of an identity connector is to retrieve and manage identity information, such as information about user accounts, groups and organizational units. Connectors are usually written for and managed by a particular connector framework.
Alternative terms: Connector
See also: Identity Connector Framework, ConnId
Identity Connector Framework
Generally speaking, a programming framework (library) for creating and managing identity connectors. However, this rather generic term often refers to the Identity Connector Framework (ICF), originally developed by Sun Microsystems in the 2000s. The ICF was released as an open source project by Sun, only to be abandoned after the Sun-Oracle merger. The ICF was the basis for several forks, including ConnId and OpenICF.
Alternative terms: Connector Framework, ICF
See also: Identity Connector, ConnId
Identity Data Source
A system that is the source of identity data, usually data about users. The data are usually created and maintained in such systems manually. There are often multiple identity data sources in an organization, with various characteristics. Some data sources are considered authoritative, providing reliable information about identities. Other data sources usually contain user-provided information, such as data entered by the user during the registration process. Almost all data sources contain partial information only, information that is limited both in breadth (only some identity types) and depth (only some attributes). A data source may be an intermediary, providing information acquired from other systems.
Alternative terms: Source System
Identity Data Store
A database, designed and/or dedicated to store identity-related data. An identity data store is usually shared among many applications and accessed by many systems reading the data. Applications read data from identity data stores, often using them for authorization, and sometimes even authentication purposes. The structure of data in the data store is often application-friendly, containing pre-processed and derived information. An identity data store also usually contains entitlements, or similar information that can be used for authorization purposes. There are usually several identity data stores in an organization, managed and synchronized by an identity management system.
Traditionally, directory servers (such as LDAP servers) are used as identity data stores.
Identity data store is similar to identity register, and in fact many identity data stores are identity registers. The difference is that an identity register has a more formal data structure, usually functioning as an authoritative data source, whereas an identity data store usually contains information copied from other systems, including application-friendly derived data. However, the exact boundary between the functions of identity register and identity data store is not precisely defined.
Alternative terms: Identity Store, Identity Database, Directory Service
See also: Identity Register
Identity Deprovisioning
Identity deprovisioning is, like identity provisioning, a subfield of Identity and Access Management (IAM). It is the opposite of identity provisioning. While identity provisioning takes care of creating new accounts, determining the roles of individual users and their rights, and making changes to them, deprovisioning works in the opposite direction. When an employee leaves the company, their accounts are deactivated or deleted and they lose all access to both internal and external systems. This way the organization minimizes the risk of information theft and stays secure. Identity provisioning together with deprovisioning and associated activities is known as "fulfillment".
Alternative terms: Deprovisioning, Revocation
See also: Fulfillment
Identity Evidence
Data and documents that support verification of identity data (identity proofing). Identity evidence is used in identity proofing process to achieve higher level of assurance of identity information.
Alternative terms: Evidence of Identity, Identity Proof
ISO 24760 term: identity evidence
See also: Identity Proofing, Level of Assurance, Verification, Digital Identity Attribute
Identity Federation
Identity federation is an agreement between several domains, specifying the details of exchange and use of shared identity information. The information in identity federation is usually transferred by the means of identity assertions, exchanged between identity providers and relying parties.
From user's point of view, identity federation is a process of sharing user’s identification and personal data between multiple systems and between organizations, so the user doesn’t have to register for each organization separately and can seamlessly access systems in federated organizations.
ISO 24760 term: identity federation
X.1252 term: federation
See also: Domain, Federated Identity, Identity Assertion, Identity Provider, Relying Party
Identity Governance
Business aspect of managing identities including business processes, rules, policies and organizational structures. Any complete solution for management of identities consists of two major parts – identity governance and identity management. Identity governance is primarily concerned with establishing and maintaining policies and rules, while identity management is implementing such policies. As such, identity governance is closer to high-level business environment, while identity management is concerned mostly with underlying technology.
Alternative terms: Governance
See also: Identity Governance and Administration, Governance, risk management and compliance, Identity Management
Identity Lifecycle
Set of identity stages from creation to its deactivation or deletion. It contains creation of an account, assignment of correct groups and permissions, setting and resetting passwords and in the end deactivation or deletion of the account.
Alternative terms: Identity lifecycle management
Identity Management (IDM)
Identity Management (IDM) is a process of managing digital identities and their accesses to specific resources in the cyberspace. It ensures appropriate access in appropriate time and helps to manage user accounts as well as to synchronize data. Identity management deals with digital identity lifecycle, managing values of digital identity attributes and entitlements.
Alternative terms: Identity Administration, User management, User provisioning
ISO 24760 term: identity management
X.1252 term: identity management
See also: Access Management, Identity Lifecycle, Identity Provisioning, Identity Governance and Administration, Digital Identity, Digital Identity Attribute
Identity Management System (IDMS)
A system that provides identity management functionality: it is managing identities and their accesses to specific resources in the cyberspace. It ensures appropriate access in appropriate time and helps to manage user accounts as well as to synchronize data.
Identity management (IDM) systems are concerned about the "management" side, maintaining user data, policies, roles, entitlements and so on. IDM systems usually do not "apply" or enforce the policies. The policies are transformed as needed and provisioned to other systems (a.k.a. "target systems") that interpret and enforce the policies. The process of provisioning (and "deprovisioning") of data and policies is known as "fulfillment".
In a broad sense, IDM systems are used to manage the policies and data in all connected systems in the organization. IDM systems make sure that the data are consistent, that all the policies are applied and that user profile data are up-to-date; they detect and remove illegal access and generally keep all identity-related information in order across all the systems.
Note: The ISO 24760 definition seems to include identification and authentication as functions of identity management systems. While almost all IDM systems implement such functions, they are mostly used for internal purposes, e.g. for system administration access. IDM systems usually do not provide identification and authentication services to other systems. The ISO 24760 definition is closer to the definition of an identity and access management (IAM) system. However, in practice complete IAM functionality is usually provided by a combination of several systems.
Alternative terms: IDM System, Provisioning System, User Provisioning System
ISO 24760 term: identity management system
See also: Identity Management, Identity Lifecycle, Identity Provisioning, Identity Governance and Administration
Identity Proofing
Verification of evidence to make sure that identity information is true and up-to-date. Identity proofing is used to achieve a higher level of assurance of identity information.
Alternative terms: Initial Entity Authentication
ISO 24760 term: identity proofing
X.1252 term: identity proofing
See also: Digital Identity Attribute, Level of Assurance
Identity Provider (IdP)
System that provides identity-related information to applications (known in this context as "relying party" or "service provider"). Such information usually includes user identifiers (which may be ephemeral), user name(s) and affiliation. The information is usually provided in form of identity assertions (claims).
Identity providers often authenticate the users. In that case, identity providers usually include information describing the authentication, such as a statement that the user was authenticated and an indication of the authentication mechanism strength. The identity provider authenticates the users in its own capacity and never reveals the user's credentials to the application (relying party). In fact, many identity providers are focused on authentication only, providing only very minimal identity information (often just a single identifier), in which case the authentication-related information forms the most important part of the provided information. Such identity providers effectively work as cross-domain single sign-on (SSO) systems.
Although most identity providers include user authentication, there are also providers that do not (directly) authenticate the users, sometimes called "attribute providers". An identity provider may also provide additional information about the user to the application, such as information about user attributes and entitlements.
An identity provider is often managed by a different organization than the relying applications (service providers), thus providing a cross-domain identity mechanism. Typical protocols and frameworks used by identity providers include SAML, OpenID Connect and CAS.
ISO 24760 term: identity information provider
X.1252 term: identity service provider
See also: Relying Party, Identity Federation, Cross-domain, Identity Assertion
Identity Provisioning
In a broad sense, identity provisioning is a subfield of Identity Management (IDM), concerned with the technical aspects of creating user accounts, groups and other objects in target systems. It is a technology thanks to which many identity stores are synchronized, merged and maintained. Identity provisioning takes care of technical tasks during the whole user lifecycle - when a new employee is hired, when their responsibilities change or when they leave the company (deprovisioning). It helps the organization to work more effectively, as its goal is to automate as much as possible.
The provisioning system usually takes information about employees from the Human Resource (HR) system. When a new employee is recorded in the HR system, this information is detected and pulled by the provisioning system. After that, it is processed to determine the set of roles each user should have. These roles determine and create the accounts users should have, so everything is ready for new users on their very first day. If a user is transferred to another department or their privileges change, similar processes happen again. If an employee leaves the company, the identity provisioning system makes sure all their accounts are closed.
In a specific sense, identity provisioning means a process of creating accounts, assigning entitlements and similar actions, making sure a user has appropriate access to information systems. Identity provisioning together with deprovisioning and associated activities is known as "fulfillment".
Alternative terms: User provisioning, Provisioning
See also: Identity Management, Identity Lifecycle, Fulfillment
Identity Register
A repository (database) of identity information, usually structured in a formal manner. Identity registers are almost always indexed using a reference identifier. They are usually designed for the specific purpose of being an authoritative data source for other systems.
Identity register is similar to identity data store, and in fact many identity registers function as identity data stores. The difference is that an identity data store has a less formal, usually application-friendly data structure, containing pre-processed and derived information. An identity data store also usually contains entitlements, or information that can be used for authorization purposes. However, the exact boundary between the functions of identity register and identity data store is not precisely defined.
Alternative terms: IMS Register, Reference Register
ISO 24760 term: identity register
See also: Identity Registration, Reference Identifier, Identity Data Source, Identity Data Store
Identity Registration
A process of recording new identity data into an identity register or identity data store. The registration process may involve storing the information in several distinct data stores or registers. The recording process may be indirect, e.g. mediated by the synchronization process of an identity management system.
Informally, the registration process often involves the data acquisition process as well, such as asking the user for the data using a form.
The terms "enrollment", "registration" and "onboarding" are overlapping and they are often used as synonyms. Strictly speaking, "enrollment" is the verification process, "registration" is an act of recording information to data store, and "onboarding" is a complete business process making sure that a new person in an organization is well-equipped for activities within the organization.
Alternative terms: Registration
ISO 24760 term: identity registration
X.1252 term: registration
See also: Enrollment, Onboarding, Identity Register, Identity Data Store
Identity Resource
In IAM field, a Resource is usually a network-accessible asset capable of managing identity information.
In midPoint terminology: A Resource is a system that is either an identity data source or a provisioning target. The IDM system (midPoint) is managing accounts in that system, feeding data from that system or doing any other combination of identity management operations. Identity resource should not be confused with "web resource" as used by RESTful APIs.
Alternative terms: Provisioning Resource, Resource
See also: Resource, Identity Connector
Identity Vigilance
Identity vigilance is a practice of appropriate and responsible management of identity data. It includes proper synchronization of data among information systems and databases, identification of duplicates, handling of data inconsistencies, application of privacy protection and all other practices necessary to ensure that the data are always correct, up-to-date and protected. Identity vigilance is especially important in healthcare, where patient mis-identification or data errors may lead to fatal consequences.
See also: Identity Governance and Administration
Identity Governance and Administration (IGA)
Identity governance and administration (IGA) is a subfield of identity and access management (IAM) dealing with management and governance of identity-related information. IGA systems store, synchronize and manage identity information, such as user profiles. Complex data, entitlement and governance policies can be defined and applied to identity data. IGA systems are responsible for evaluating the policies, making sure the data are compliant and addressing policy violations. IGA is often considered an umbrella term covering identity management, identity governance, compliance management, identity-based risk management and other aspects related to management of identities. Identity Governance and Administration (IGA) includes both the technical and business aspects of identity management.
Read more ...
See also: Identity Management, Identity Governance, Governance, risk management and compliance, Identity and Access Management
Inducement
In midPoint terminology: Inducement is an indirect representation of an assignment, a relation that assigns privileges, organizational membership, policy elements or other midPoint concepts to assignment holder objects (usually users). Inducement has the same data structure as assignment, and very similar functionality. However, while assignment represents a direct relation, inducement is indirect. For example, an assignment can be used to assign an account or a group membership directly to a user. An inducement can provide the same functionality, but it is usually placed in a role. As the role is assigned (using an assignment) to the user, the inducements placed in the role are indirectly applied to the user.
Read more ...
See also: Assignment, Role
Information classification
In midPoint terminology: Information classification is a process in which organisations assess their data and systems, with regard to the necessary level of protection. The information is classified by assigning information _labels_ or _classifications_ to individual assets, such as databases, filesystems, applications or even individual files.
Read more ...
Alternative terms: Information labeling, Labeling
Information need
In midPoint terminology: Information need is information necessary to perform a certain activity or task. It is often the basis of the "least privilege" principle, providing the minimum necessary information and access to users.
Alternative terms: As-needed basis
ISO 27000 term: information need
Information processing facilities
In midPoint terminology: Information processing facilities are all systems processing and storing information, including services, infrastructure and physical locations housing it. They include hardware, software, networks and all necessary equipment to operate them.
ISO 27000 term: information processing facilities
See also: Information system
Information system
In midPoint terminology: Information systems are technological systems and applications built for processing and storing information. Information systems include hardware, software, networks and all necessary equipment to operate them. In some contexts, the "system" also includes the technological and physical environment (e.g. a network) as well as the information (data) processed by the system.
ISO 27000 term: information system
See also: Information processing facilities
Integrity
Integrity is a property of data or a communication channel, describing that the data or content of a communication channel were not modified in an unintended way. I.e. it is a property that ensures that data are received in the same exact form as they were transmitted, without any modification or tampering.
Integrity, together with confidentiality and availability, forms the "CIA triad", a classical model of information security (cybersecurity).
Alternative terms: Data integrity, Integrity of communication
ISO 27000 term: integrity
See also: Confidentiality, Availability
Interested party
Person or organization that can affect, be affected or in any way perceive itself to be involved or affected by a decision, activity or an event. The term "stakeholder" usually describes a person or organization that holds a "stake" in an activity, such as investors or directors of an organization.
Alternative terms: Stakeholder
ISO 27000 term: interested party
Internal context
Circumstances internal to the organization, which affect the way an organization achieves objectives. It includes all internal parts and mechanisms of an organization, such as governance, organizational structure, management hierarchy, policies, objectives, responsibilities, resources and capabilities.
Alternative terms: Local environment, Internals
ISO 27000 term: internal context
See also: External context, Domain
Information security management system (ISMS)
Information security management system (ISMS) is a set of policies and procedures for systematically managing cybersecurity of an organization. ISMS includes risk assessment, risk treatment (implementation of controls), risk communication and incident response. Management of cybersecurity is a continuous, never-ending effort, which is meant to be constantly improving. Cybersecurity governance is meant to establish and maintain rules and policies for ISMS, and to provide oversight and consistent improvement of ISMS processes.
Alternative terms: Cybersecurity management system
See also: Cybersecurity, Cybersecurity governance, Risk assessment, Risk treatment, Risk communication
Issuer
An entity that issues credentials or claims, usually describing another entity (holder). In Triangle of Trust scenarios, the issuer is considered to be a trusted third party.
See also: Triangle Of Trust, Holder, Verifier, Trusted Third Party, Credential, Claim
Joiner-Leaver Processes
Joiner-Leaver processes are human resources (HR) processes, handling employees joining the organization and leaving the organization. They are constrained versions of joiner-mover-leaver processes, not considering movement of employees in the organizational structure.
Alternative terms: Joiners and Leavers
See also: Joiner-Mover-Leaver Processes, Onboarding, Offboarding
Joiner-Mover-Leaver Processes (JML)
Joiner-Mover-Leaver (JML) processes are human resources (HR) processes, handling employees joining the organization, moving within the organizational structure and leaving the organization. JML processes can be understood as handling events of the employee lifecycle from the point of view of organizational and business processes. Generally speaking, these processes are not limited to employees. However, when similar processes are applied to other types of persons (students, contractors) they are often referred to as "on-boarding" and "off-boarding".
JML processes are (manual) business processes in their nature. Despite that, the JML processes are important for identity management, as they provide the contextual framework for identity management technology to fit in. Moreover, identity management deployments are usually automating some parts of the JML processes.
Alternative terms: Joiners, Movers and Leavers
See also: Onboarding, Offboarding, Joiner-Leaver Processes
Lightweight Directory Access Protocol (LDAP)
Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol (RFC 4510) for accessing directory services.
See also: Directory Service, Identity Data Store
Level of Assurance (LoA)
Measure of reliability of identity information. Information with a low level of assurance is usually user-provided information that was not verified in any significant way. Higher levels of assurance are usually achieved by identity proofing, a process of verifying the information. Level of assurance is usually stored as metadata, describing the specific value that was verified.
X.1252 term: assurance level
See also: Digital Identity Attribute, Identity Proofing, Metadata
Least Privilege Principle
Principle of information security, stating that each user should have the least privilege necessary to carry out their activities. In other words, the principle states that there should be no over-provisioning (over-permissioning) of users. The principle is often implemented by a "default deny" approach: everything is denied by default, every access has to be explicitly allowed.
Adherence to the principle of least privilege is generally accepted as best practice for information security, as it minimizes overall risk by keeping the extent of privileges as low as possible. However, due to complexity, maintenance effort and other factors, strict adherence to the principle is surprisingly difficult to achieve.
Alternative terms: Principle of Least Privilege, Default deny
See also: Over-provisioning
Linkability
Ability to determine that two digital identities represent the same entity. Linkability is usually deterministic, based on a reliable identifier.
X.1252 term: linkability
See also: Identity Correlation
Management
Management is a broad set of systematic activities, methods and other means to direct and control activities in an organization, in order to achieve its objectives. It is meant to provide an efficient, systematic method to achieve objectives, which can be controlled and monitored. Management operates within the constraints given by governance activities. While governance is a process of establishing policies and rules, management is concerned with efficient implementation of the activities within established rules.
Alternative terms: Management system
ISO 27000 term: management system
See also: Information security management system, Identity Management, Cybersecurity governance
Manual Fulfillment
Manual process of creating, updating and deleting accounts, entitlements and similar objects, driven by an identity management system, but executed by a human operator. Manual fulfillment is initiated by an identity management system, usually as a consequence of a change in user privileges or policies. The identity management system creates a ticket for system administrators, containing instructions to create/modify/delete an account or entitlement in a specific information system. The actual action is executed manually, by the system administrator. Manual fulfillment is used for systems for which an automatic identity connector is not available.
Alternative terms: Manual Provisioning/deprovisioning, Manual resource, Manual connector
See also: Fulfillment, Identity Provisioning, Identity Deprovisioning, Identity Connector
Metadata
Data about data. Metadata describe properties of data, such as how the data were acquired (a.k.a. "provenance"), how reliable the data are (e.g. level of assurance) and so on.
Alternative terms: Meta-data, Meta data
See also: Data Origin, Data Provenance, Level of Assurance
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) is a composite mechanism, combining several independent authentication factors in a single authentication session. MFA is meant to counteract the vulnerabilities of individual credential types. E.g. what-you-know credentials (such as passwords) are easily phished, while what-you-have credentials may be lost or stolen. Multi-factor authentication solves the problem by combining several credential types, making the combined authentication stronger.
See also: Authentication, Credential
Microcertification
Microcertification is a form of access certification (access review), limited to a single user or privilege. The basic idea of micro-certification is to limit the huge effort associated with traditional certification campaigns. Microcertifications are usually automatically triggered by specific events, such as re-assignment of a user in the organizational structure, or an increase of the user's overall risk above a tolerable threshold.
See also: Access Certification, Least Privilege Principle, Over-provisioning
Minimal Disclosure
A principle, stating that only the minimal amount of information is disclosed as is required to perform a specific function or provide a service. Minimal disclosure principle is often used in cross-domain data transfer, such as when using identity providers or identity federations. Only the information required to perform a service is disclosed to the other party, no extra information is provided.
Alternative terms: Minimal Disclosure of Personal Information
ISO 24760 term: minimal disclosure
See also: Digital Identity, Personal Data Protection, Privacy, Identity Provider, Identity Federation, Selective Disclosure
Monitoring
Systematic effort to continuously determine the status of a process, system or activity.
ISO 27000 term: monitoring
Mutual Authentication
Authentication process in which all involved parties authenticate to all other parties. Usually a two-sided process, where both sides of a connection authenticate to each other, i.e. server authenticates to client and client authenticates to server.
X.1252 term: mutual authentication
See also: Mutual Authentication
Near miss
An event that could have compromised the security of systems, data or services that did not materialise.
See also: Cyberattack, Cybersecurity incident
Next Generation Access Control (NGAC)
A graph-based mechanism for managing user access to information systems. NGAC specifies a directed acyclic graph for users and concepts related to them (e.g. organizational units), and a separate directed acyclic graph for objects and concepts related to them (e.g. folders). Access control decisions are reached by evaluating the two directed acyclic graphs with respect to policy classes, and operations specified as relations between the graphs. NGAC is specified in NIST publications (e.g. INCITS 499: Information technology - Next Generation Access Control - Functional Architecture).
See also: Access Control, Relationship-Based Access Control
Nonconformity
State of non-fulfilment of a requirement, such as violation of a requirement stated in a policy, regulation or standard.
Alternative terms: Noncompliance, Nonconformity, Violation
ISO 27000 term: nonconformity
Non-repudiation
Non-repudiation is an ability to prove that an event happened, including proof of the originating parties. Non-repudiation is a property of a system, protecting against denial from one of the parties. The involved parties cannot deny that an action took place.
X.1252 term: non-repudiation
ISO 27000 term: non-repudiation
Objective
Intended result of an activity or process.
Alternative terms: Goal
ISO 27000 term: objective
Offboarding
Business process that takes place when a person leaves an organization. The aim of offboarding is making sure that the person no longer has access to sensitive data and premises of the organization. From an IT point of view, this often means identity de-provisioning, i.e. deactivation of user accounts in various applications, databases and identity data stores. This process is often automated using an identity management system. However, a complete offboarding process is usually more complex, including non-IT steps such as returning the provided equipment.
Alternative terms: Off-boarding
See also: Identity Deprovisioning, Joiner-Mover-Leaver Processes
Onboarding
Business process that takes place when a new person enters an organization. The aim of onboarding is making sure that the person is well-equipped for any tasks and activities within the organization. From an IT point of view, this often means identity provisioning, i.e. creation of user accounts in various applications, databases and identity data stores. This process is often automated using an identity management system. However, a complete onboarding process is usually more complex, including non-IT steps such as providing the person with appropriate equipment and training.
The terms "enrollment", "registration" and "onboarding" are overlapping and they are often used as synonyms. Strictly speaking, "enrollment" is the verification process, "registration" is an act of recording information to data store, and "onboarding" is a complete business process making sure that a new person in an organization is well-equipped for activities within the organization.
Alternative terms: On-boarding
See also: Enrollment, Identity Registration, Identity Provisioning, Joiner-Mover-Leaver Processes
Open Source (OSS)
The meaning of this term is very simple: it is something people can wilfully modify according to their own needs or wishes. Originally, the term was used in the context of software whose source code was publicly available and open to modification. Later, open source spread widely; there are open source projects, products, forms of participation and many others.
Many organizations and people choose open source software because it is considered to be more secure and gives people more control over it. Such software can also be more stable, as many other people may contribute their own ideas, corrections or improvements.
Open source products are free, and their creators usually charge other organizations for support or for software services such as implementation or deployment.
Alternative terms: Open Source Software, FOSS, Free and Open Source Software
Org
In midPoint terminology: Org is a type of midPoint object that represents various forms of organizational units and structures. An org can represent a company, division, section, project, team, research group or any other grouping of identities. Orgs are not limited to grouping people; orgs can be used to group most midPoint objects (any assignment holder object).
Read more ...
See also: Organization, Organizational Structure
Organization
Organization is an entity, usually representing a group of people, that has its objectives and methods to achieve them. Organizations may be or may not be legal entities.
ISO 27000 term: organization
See also: Org, Organizational Structure
Organizational Structure
A hierarchical arrangement of authority, rights or duties in an organization. It determines the assignment, control or coordination of roles, responsibilities and power. The character of the organizational structure is highly dependent on the organization's strategy and goals.
The theme of organizational structure is closely linked to identity management. Organizing the company into this structure, assigning rights to individuals, working groups or projects, and controlling everything from one place: these are advantages that any high-quality IDM solution is supposed to provide.
See also: Organization, Org
Orphan Account
An account without an owner, an account that does not seem to belong to anybody. In identity management, each account is supposed to have an owner, a user to whom the account belongs. An account without an owner is considered to be "orphaned", and it is usually deprovisioned (disabled or deleted).
Orphan accounts often originate as testing accounts that are not deleted after the testing is done. They may also belong to former users, but were not properly deleted or disabled. Orphan accounts are almost always a security risk, especially testing accounts with weak passwords. Most identity management systems have processes that scan systems for orphan accounts.
Alternative terms: Orphan, Orphaned Account
See also: Account, User, Reconciliation
Outsourcing
Outsourcing is a practice of delegating functions, tasks and responsibilities to an external organization.
ISO 27000 term: outsource
Over-provisioning
Situation when an identity has more privileges than are necessary for the tasks that the identity is supposed to carry out.
Over-provisioning is generally undesirable, as it is a violation of the least privilege principle which introduces unnecessary risk. However, over-provisioning is a common occurrence, mostly due to the high complexity of access control models, limited visibility, huge privilege maintenance effort or lack of appropriate security management practices.
Alternative terms: Over-permissioning, Over-privileged Access
See also: Identity Provisioning, Identity Deprovisioning, Under-provisioning
Policy Administration Point (PAP)
Functional component with a responsibility to specify, manage and maintain the policy. The "policy" usually refers to access control and/or authorization policy. PAP is an administrative point, which creates and manages the policy. The policy is then stored at a policy retrieval point (PRP). Policy administration points (PAP) can be part of applications, or they may be provided by dedicated infrastructure components (identity management and governance components). PAP specifies the policy, usually as a result of interaction with an administrator by means of a user interface. PAP does not make policy decisions or enforce them; that is the responsibility of the policy decision point (PDP) and policy enforcement point (PEP) respectively.
Note: The acronym PAP may also refer to Policy Access Point, which is an alternative name for Policy Retrieval Point (PRP), making the terminology somewhat confusing.
Alternative terms: Policy Management Point
See also: Authorization, Access Control, Policy Enforcement Point, Policy Decision Point, Policy Information Point, Policy Retrieval Point, Identity Governance and Administration
Passkey
Passkey is a type of strong digital credential. Passkeys are used to authenticate a user to information systems, identity providers and applications. Passkeys are based on public key cryptography, making them relatively strong and secure. They may be provided in a hardware form (e.g. a small USB device), or managed entirely in software (e.g. a mobile application). Passkeys are bound to a specific website or application, making them phishing-resistant.
See also: Credential, Personal identification number
Password
Password is a type of (usually weak) digital credential. Passwords are meant to be secret, known only to a single user. They are usually selected by users and meant to be remembered. Therefore, they are often short strings in a human-friendly form, such as simple words or names. The simplicity of passwords makes them vulnerable to dictionary attacks. More recently, passwords are often randomly generated and managed by password management applications. However, even randomly-generated passwords may still be vulnerable to phishing attacks. Therefore organizations are moving towards authentication methods that do not depend on passwords (e.g. passkeys), or are introducing multi-factor authentication schemes.
Alternative terms: Passcode
See also: Credential, Password Management, Password policy, Passkey
Passwordless authentication
Passwordless authentication is an authentication that does not use passwords or similar knowledge-based credentials. It is usually considered to be a stronger form of authentication than the usual password-based authentication. Password-less authentication mechanisms usually rely on public-key cryptography mechanisms.
Alternative terms: Passwordless
See also: Authentication, Password, Passkey, Multi-factor authentication
Password policy
Password policy constrains the selection and use of passwords with an aim to make them more secure. It almost always sets requirements for password complexity, such as the minimal length of passwords and the character classes used in the password (e.g. letters, numbers, punctuation). Password policies often specify constraints on password lifetime, such as password expiration intervals.
Alternative terms: Password complexity policy
See also: Password, Password Management
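The following is an added example of how the constraints described in the Password policy entry (minimal length, character classes, password lifetime) and the dictionary-attack concern raised in the Password entry can be checked in code. It is not midPoint's own policy implementation; the policy structure, the small list of common words and the sample values are constructed for illustration.

```python
"""Password-policy checker: an added illustration, not midPoint's own code.

The policy fields (minimum length, required character classes, maximum age)
and the tiny common-word list are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import string

# Constructed sample of common words; a real deployment would load a much
# larger list of common or previously breached passwords.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "qwerty"}


@dataclass
class PasswordPolicy:
    min_length: int = 12
    # each entry: (human-readable name, set of characters, minimum count)
    char_classes: list = field(default_factory=lambda: [
        ("lowercase", set(string.ascii_lowercase), 1),
        ("uppercase", set(string.ascii_uppercase), 1),
        ("digit", set(string.digits), 1),
        ("punctuation", set(string.punctuation), 1),
    ])
    min_classes: int = 3          # how many of the classes must be present
    max_age_days: int = 365       # password lifetime; None disables expiry
    reject_common: bool = True


def check_password(policy, password, username=None):
    """Return a list of violations; an empty list means the password complies."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    present = 0
    for _name, chars, minimum in policy.char_classes:
        count = sum(1 for c in password if c in chars)
        if count >= minimum:
            present += 1
    if present < policy.min_classes:
        violations.append(
            f"uses {present} character classes, {policy.min_classes} required")
    lowered = password.lower()
    if policy.reject_common and any(w in lowered for w in COMMON_WORDS):
        violations.append("contains a common dictionary word")
    if username and username.lower() in lowered:
        violations.append("contains the username")
    return violations


def is_expired(policy, last_changed_iso, today_iso):
    """Lifetime constraint: True when the password is older than max_age_days.

    Dates are passed as ISO strings (e.g. "2024-02-13") so the check is
    deterministic and easy to call from other code.
    """
    if policy.max_age_days is None:
        return False
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("Ab1!", "Password2024!!!", "Tr0ub4dor&3xample"):
        print(candidate, "->", check_password(policy, candidate) or "OK")
    print("expired:", is_expired(policy, "2023-01-01", "2024-02-13"))
```

The checker returns every violation rather than stopping at the first one, so a user interface or an identity management system can report all problems at once; the expiry check is separate because lifetime is evaluated against stored metadata, not against the password text.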
Password Management
Password management gives an organization the means to meet high security standards by keeping access to business systems and networks under control. Most employees tend to pick simple passwords and use the same ones in multiple systems or applications. Password management helps to compose strong and unique passwords for both users and resources, and ideally takes care of them during the whole user life cycle.
The term "password management" may also mean management of passwords on the user side, such as generating and storing random passwords.
Alternative terms: Credential management
See also: Password, Credential
Policy-Based Access Control (PBAC)
A mechanism for managing user access to information systems based on a policy. In PBAC, authorizations are supposed to be dynamically evaluated, based on a policy specified in a machine-processable form. PBAC policy is an abstract concept; it is not clearly defined how it is expressed or evaluated. PBAC is meant to solve problems of static access control models such as RBAC.
PBAC seems to be technically equivalent to ABAC. However, in contrast to ABAC, PBAC is supposed to contain a "policy management" layer, which is not clearly defined either.
Overall, PBAC is a conceptual idea rather than a concrete access control model. It is still in early stages of development.
Alternative terms: Dynamic Authorization Management, Policy as Code
See also: Authorization, Attribute-Based Access Control, Role-Based Access Control, Policy-Driven Role-Based Access Control
Policy Enforcement Point (PEP)
Functional component with a responsibility to enforce policy decisions. The "policy" usually refers to access control and/or authorization policy. Policy enforcement points are usually part of applications or infrastructure components, with an ability to intercept and analyze the policed operations. A policy enforcement point only enforces the policy; it does not interpret or decide the policy. PEP depends on a policy decision point (PDP) to interpret the policy and make a decision.
See also: Authorization, Access Control, Policy Decision Point, Policy Administration Point
Performance
Performance is a measure of a result. In process management, it is a measure of how well a process or activity is achieving its objectives. The term "performance" may also mean a measure of efficiency of a computer system, describing how quickly it can provide results and how many resources it needs to perform a task.
ISO 27000 term: performance
Persistent Identifier
An identifier that cannot be changed or re-assigned to another identity. Once assigned, the identifier always references the same identity. Persistent identifiers are usually used as reference identifiers, and reference identifiers are usually persistent, resulting in "persistent reference identifiers".
Depending on the policy, persistent identifiers can be re-assigned to another identity after the original identity was deleted (identifier re-use). However, there is usually a relatively long interval during which the identifier cannot be re-assigned.
Alternative terms: Non-reassignable identifier
See also: Identifier, Reference Identifier
Personal Data
Data about a person, usually processed in an information system. The definition of "personal data" differs slightly from case to case. For example, GDPR defines personal data as "any information which are related to an identified or identifiable natural person". However, the general understanding is that "personal data" are any data that relate to a natural person, that describe the person in some way. This is different from personally identifiable information (PII), as personal data may not uniquely identify a person. For example, a person's full name is considered personal data; however, a name such as "John Smith" is not entirely unique or identifiable in most contexts.
Alternative terms: Personal information, Identity data, Identity information, Personal profile
See also: Personal Data Protection, Personally Identifiable Information, General Data Protection Regulation
Personal Data Erasure
Erasure (deletion) of personal data, usually due to explicit request from user (e.g. "delete account" request), or due to lack of lawful basis for personal data processing.
Alternative terms: Erasure, Data erasure
See also: Personal Data Protection, Personal Data, Personal Data Processing Basis, General Data Protection Regulation
Personal Data Processing Basis
Basis for processing of personal data. Legal data protection frameworks (such as GDPR) usually mandate that personal data cannot be processed unless there is a basis for that processing. The basis may be a contract, legal obligation, consent, or similar legitimate interest for processing of the data. Some frameworks (such as GDPR) are enumerating the available processing bases.
Alternative terms: Basis for processing, Legal basis, Lawful basis
See also: Personal Data Protection, Personal Data, General Data Protection Regulation
Personal Data Protection
Personal data protection is a field dealing with protection of personal information, rules for their processing, storage and erasure. It is closely related to privacy, as one of the main goals of personal data protection is to limit exposure of personal data, thus minimizing potential for their abuse.
Alternative terms: Data Protection, DP
See also: Personal Data, General Data Protection Regulation
Personally Identifiable Information (PII)
Information that allows a person to be (directly or indirectly) identified. Obviously, government-issued identifiers, such as birth numbers, social security numbers or serial numbers of various identity documents, are usually considered to be personally identifiable information. However, interpretation of what information is "personally identifiable" depends on the context. Even a simple full name of a person may be considered personally identifiable information in some contexts. Personally identifiable information usually requires a special protection or processing regime. Personally identifiable information should not be confused with personal data. PII is used as an identifier, pointing out a specific person in a group of other persons. Personal data describe a certain person; there is no requirement for personal data to be "identifiable".
Alternative terms: Personal identifiers
X.1252 term: personally identifiable information
See also: Personal Data
Policy Decision Point (PDP)
Functional component with a responsibility to interpret policy and make decisions. The "policy" usually refers to access control and/or authorization policy. Policy decision points (PDP) can be part of applications, or they may be provided by dedicated infrastructure components (authorization services). PDP interprets the policy and makes a decision, which is usually an allow/deny decision. PDP does not enforce the decision; it relies on a policy enforcement point (PEP) to enforce it. PDP does not define or manage the policy either; it depends on a policy administration point (PAP) to set the policy.
See also: Authorization, Access Control, Authorization Service, Policy Enforcement Point, Policy Administration Point, Policy Information Point
Policy-Driven Role-Based Access Control
A mechanism for managing user access to information systems based on a concept of dynamic roles and policies. It is an extension of traditional Role-Based Access Control (RBAC), applying dynamic policies to govern the behaviour and assignment of roles. In policy-driven RBAC, roles are no longer static; they contain logic that determines the set of privileges given by the role. The user-role assignments are also dynamic, controlled by automatic role assignment policies.
Read more ...
Alternative terms: PDRBAC
See also: Role-Based Access Control, Role, Entitlement, Role Management, Access Control
Personal identification number (PIN)
Personal identification number (PIN) is a type of digital credential. PINs are meant to be secret, known only to a single user. They are almost always in the form of short numbers (4-8 digits). Even though most PINs are randomly generated, they are meant to be remembered by the users. The simplicity of PINs makes them vulnerable to enumeration attacks when used on their own. Therefore PINs are almost exclusively used in combination with other credentials. E.g. PINs are often used to protect strong credentials, such as passkeys or public key credentials stored on smart cards.
See also: Credential, Passkey
Policy Information Point (PIP)
Functional component with a responsibility to provide additional information to the policy decision point (PDP). A PIP usually retrieves data from identity data stores and provides it to the PDP in the form of attributes.
See also: Authorization, Access Control, Policy Decision Point, Policy Administration Point, Policy Enforcement Point, Identity Data Store, Digital Identity Attribute
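The separation of duties between the Policy Administration Point, Policy Retrieval Point, Policy Information Point, Policy Decision Point and Policy Enforcement Point entries above is easiest to see when each is a distinct component in code. The following is an added example written for this glossary, not midPoint's or any authorization product's code; the rule format, the attribute names, the in-memory identity store and the sample users are all constructed. It also follows the "default deny" approach from the Least Privilege Principle entry: an operation with no matching rule is denied.

```python
"""PAP, PRP, PIP, PDP and PEP as separate components: an added example,
not midPoint's own code. Rule format, attribute names and sample data
are constructed for this illustration."""
from dataclasses import dataclass


@dataclass
class Rule:
    action: str            # operation being policed, e.g. "read"
    resource_type: str     # e.g. "medical-record"
    required: dict         # subject attributes that must all match


class PolicyRetrievalPoint:
    """PRP: stores rules written by the PAP and hands them to the PDP."""
    def __init__(self):
        self.rules = []


class PolicyAdministrationPoint:
    """PAP: only writes the policy; it never decides or enforces it."""
    def __init__(self, prp):
        self.prp = prp

    def add_rule(self, action, resource_type, **required):
        self.prp.rules.append(Rule(action, resource_type, required))


class PolicyInformationPoint:
    """PIP: looks up subject attributes from an identity data store
    (here a constructed in-memory dict standing in for the store)."""
    def __init__(self, store):
        self.store = store

    def attributes(self, subject):
        return self.store.get(subject, {})


class PolicyDecisionPoint:
    """PDP: evaluates the rules against PIP-supplied attributes, default deny."""
    def __init__(self, prp, pip):
        self.prp, self.pip = prp, pip

    def decide(self, subject, action, resource_type):
        attrs = self.pip.attributes(subject)
        for rule in self.prp.rules:
            if rule.action != action or rule.resource_type != resource_type:
                continue
            if all(attrs.get(k) == v for k, v in rule.required.items()):
                return "allow"
        return "deny"   # no matching rule: denied by default


class PolicyEnforcementPoint:
    """PEP: intercepts the operation and applies the PDP's decision."""
    def __init__(self, pdp):
        self.pdp = pdp
        self.audit = []   # (subject, action, resource_type, decision)

    def perform(self, subject, action, resource_type, operation):
        decision = self.pdp.decide(subject, action, resource_type)
        self.audit.append((subject, action, resource_type, decision))
        if decision != "allow":
            raise PermissionError(f"{subject} may not {action} {resource_type}")
        return operation()


def build_demo():
    """Wire the components together with constructed sample data."""
    identity_store = {                       # constructed identity data
        "alice": {"department": "cardiology", "role": "physician"},
        "bob": {"department": "billing", "role": "clerk"},
    }
    prp = PolicyRetrievalPoint()
    pap = PolicyAdministrationPoint(prp)
    pap.add_rule("read", "medical-record", role="physician")
    pap.add_rule("read", "invoice", department="billing")
    pdp = PolicyDecisionPoint(prp, PolicyInformationPoint(identity_store))
    return PolicyEnforcementPoint(pdp)


def try_access(pep, subject, action, resource_type):
    """Return the decision as observed through the PEP ("allow" or "deny")."""
    try:
        pep.perform(subject, action, resource_type, lambda: "ok")
        return "allow"
    except PermissionError:
        return "deny"


if __name__ == "__main__":
    pep = build_demo()
    for who, what, res in [("alice", "read", "medical-record"),
                           ("bob", "read", "medical-record"),
                           ("carol", "read", "invoice")]:
        print(who, what, res, "->", try_access(pep, who, what, res))
```

Note that the PEP never looks at attributes or rules and the PDP never performs the operation: swapping the in-memory identity store for a directory service changes only the PIP, and changing the rules is purely a PAP activity. The audit list on the PEP records every decision, including denials, which is what a detection or review process would consume.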
Policy
Policy is a system of guidelines or rules used to reach an objective or a decision.
Unfortunately, "policy" is a heavily overloaded term with numerous meanings. It may mean organizational policy, a set of high-level guidelines interpreted by people to guide their decisions. Policy may be formal, written down in a form that can be strictly followed, where compliance with the policy can be evaluated. It may also be informal, expressed in a non-exact form, specifying a vague objective and methods. Policy may also mean machine-processable and executable code, used to quickly reach authorization decisions at run-time.
ISO 27000 term: policy
See also: Policy Management, Access Control, Authorization
Policy Management
Set of operations defining the authorization roles or policies, or assigning roles to particular users. This is often a manual or semi-manual operation performed in an identity management system or identity data store. Policy management implements the functionality of a Policy Administration Point (PAP).
This term is often confused with authorization itself. However, policy management aims at definition of the policy, while authorization is interpreting the policy.
Read more ...
Alternative terms: Management of Authorization Policies, Policy and Role Management
See also: Policy, Authorization
PolyString
A built-in data type for a polymorphic string, maintaining extra values in addition to its original value. The extra values are derived from the original value automatically using normalization code. PolyString supports national characters in strings. It contains both the original value (with national characters) and a normalized value (without national characters). This can be used for transliteration of national characters in usernames. All the values are stored in the repository, therefore they can be used to look up the object. Search ignoring differences in diacritics, or search by transliterated value, can be used even if the repository itself does not support such a feature explicitly.
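As an added illustration of the idea behind PolyString, the following code derives a normalized value from an original string and uses it for a diacritic-insensitive lookup. This is not midPoint's own normalizer, whose exact rules are not reproduced here; the normalization steps and the sample names are constructed for the example.

```python
"""PolyString-style normalization: an added illustration, not midPoint's
own normalizer. Normalization rules and sample names are constructed."""
import re
import unicodedata


def normalize(original):
    """Strip diacritics, lowercase, collapse non-alphanumerics to single spaces.

    Caveat: this only removes combining marks produced by NFKD decomposition.
    Letters without a decomposition (e.g. Ł, ß, ø) fall into the
    "non-alphanumeric" class and are dropped, so a production normalizer
    needs an explicit transliteration table for them.
    """
    decomposed = unicodedata.normalize("NFKD", original)
    without_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]+", " ", without_marks.lower()).strip()


def polystring(original):
    """Keep both values, as a PolyString does: the original and the derived norm."""
    return {"orig": original, "norm": normalize(original)}


def search(objects, query):
    """Diacritic- and case-insensitive lookup by comparing normalized values.

    `objects` is a list of dicts with a "name" PolyString (constructed shape).
    """
    wanted = normalize(query)
    return [o["name"]["orig"] for o in objects if o["name"]["norm"] == wanted]


if __name__ == "__main__":
    people = [{"name": polystring("Jozef Mrkvička")},
              {"name": polystring("Anna Nováková")}]
    print(search(people, "jozef mrkvicka"))   # finds the diacritic form
```

Because the normalized form is stored next to the original, the lookup is a plain equality comparison that any repository can index, which is the point made in the entry above about repositories that lack native diacritic-insensitive search.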
Principal
An entity or identity, information about which is managed in an information system.
Usage of the term "principal" varies significantly. Depending on context, it may refer to an entity (person), its identity, or a data structure describing parts of the identity (digital identity). In information security frameworks (such as X.509), "principal" usually refers to an entity or identity, such as the owner of credentials. In programming frameworks, "principal" usually refers to ephemeral information about a user, maintained during the user's session. This is usually different from "account", as accounts are usually persistent (stored in a database), while a principal may be ephemeral, or may refer to entities that are not users of the system (and may not be able to log in). In some contexts, "principal" is equivalent to "subject".
Alternative terms: Subject
ISO 24760 term: principal
X.1252 term: principal
See also: Subject, Holder, Entity, Identity, Account
Prism
In midPoint terminology: Prism is the name of the data representation library used by midPoint to access data in its repository. The concepts of Prism permeate all of midPoint, giving structure to midPoint objects and to their representation in XML/JSON/YAML. Prism defines the concepts of object, container, property, item, delta and many others.
Read more ...
See also: Delta
Privacy
The right to be left alone. In an IT context, privacy is the ability of individuals to control information about themselves, and to choose how that information is used to express their individuality. Technologies that support the concept of privacy are known as privacy-enhancing technologies (PET).
See also: Privacy-Enhancing Technology, Personal Data Protection
Privacy-Enhancing Technology (PET)
Technologies that support and enhance privacy. This usually means technologies that give an individual effective control over personal data, and over the way these data are used to express one's individuality.
Most privacy-enhancing technologies focus on limiting the spread of personal data: making sure that only a minimal amount of data is disclosed (minimal disclosure), making sure that the user approves data transfers (consent), and using pseudonyms and various anonymization techniques to limit data exposure.
Privacy-enhancing technologies are somewhat different from personal data protection technologies. While privacy-enhancing technologies focus on limiting exposure of the data (secrecy), data protection technologies focus on controlling the way the data are used.
See also: Privacy, Personal Data Protection, Minimal Disclosure, Pseudonym
Privacy Policy
A policy that sets rules for processing of personal data, respecting privacy of an individual.
X.1252 term: privacy policy
See also: Privacy, Privacy-Enhancing Technology
Private Key
In an asymmetric cryptosystem (a.k.a. "public-key cryptosystem"), the part of the key pair that is known only to the key owner.
X.1252 term: private key
See also: Public Key
Privileged entitlement
An entitlement (access right, privilege) that allows performing activities that typical entities in the system cannot perform. A user with a privileged entitlement can usually perform activities that go far beyond usual usage of the system. Privileged entitlements may allow unrestricted access to data, allow modification of entitlements of other users, and often include destructive operations such as deletion of data sets. System administration privileges are almost always considered privileged entitlements.
Alternative terms: Privileged access rights, Privileged access
See also: Entitlement
Probability
Measure of the chance of an event happening.
Alternative terms: Likelihood
ISO 27000 term: likelihood
See also: Risk, Risk level
Process
Process is a structured and repeatable activity. A process usually consists of a sequence of steps, which may be interrelated and interactive, involving several parties. Unlike one-off activities such as projects, processes are meant to be repeatable, conducting the same or similar activities more than once, delivering similar results.
ISO 27000 term: process
See also: Project, Program
Product Architecture
Concept, design and description of the parts of a product, which are assigned into subsystems, together with the way these subsystems interact with each other.
Program
Program is a structured and continuous activity meant to maintain and improve a state. Programs are continuous, never-ending activities. They are often executed in cycles: analyzing the situation, planning, implementing and validating the results. Programs are meant to continuously maintain and improve a certain state, such as an appropriate level of cybersecurity.
See also: Process
Project
Project is a structured and unique activity meant to reach specific objectives. A project usually consists of a sequence of steps, which may be interrelated and interactive, involving several parties. Unlike repeatable activities such as processes and programs, projects are not meant to be repeated. Projects are designed to deliver a specific outcome, and to deliver it only once.
See also: Process, Program
Projection
In midPoint terminology: Projection is a part of midPoint computation that represents objects in identity resources, usually accounts, entitlements or organizational units. Projections are the "spokes" in midPoint's hub-and-spoke (star) data synchronization. Projections are represented in the computation in the form of shadows (shadow objects), usually supplemented with real-time data from the resource objects.
Read more ...
See also: Shadow, Focus, Assignment
Policy Retrieval Point (PRP)
Functional component responsible for storing and distributing policies for use by policy decision points (PDP). A PRP acts as a repository for policy. The policy is usually stored persistently at the PRP, e.g. in the form of a file or database. The primary responsibility of a PRP is to make policy available to policy decision points (PDP), either by "pull" (PDP retrieving the policy from the PRP) or by "push" (PRP sending the policy to PDPs). A PRP is instrumental in enabling a distributed architecture with several PDPs.
Note: A PRP only stores and distributes the policy; it is not responsible for policy creation or management. Policy management is the responsibility of the policy administration point (PAP).
Alternative terms: Policy Access Point
See also: Authorization, Access Control, Policy Decision Point, Policy Administration Point, Policy Enforcement Point, Policy Information Point
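The division of labour between PAP, PRP, PDP and PEP described in this entry and in "Policy Management" above, as an added example; this is illustrative code written for the glossary, not the implementation of any particular authorization product. The component classes, the tiny role/action/resource-prefix rule format and the `scenario()` data are all assumptions made here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    role: str
    action: str
    resource_prefix: str

class PolicyRetrievalPoint:
    """PRP: stores versioned policy and hands it to PDPs by pull (fetch) or push (publish)."""
    def __init__(self):
        self.version = 0
        self.rules = ()
        self.subscribers = []

    def publish(self, rules):
        # Only the PAP calls this; PDPs never write policy.
        self.version += 1
        self.rules = tuple(rules)
        for pdp in self.subscribers:
            pdp.load(self.version, self.rules)     # push model

    def fetch(self):
        return self.version, self.rules             # pull model

    def subscribe(self, pdp):
        self.subscribers.append(pdp)
        pdp.load(*self.fetch())

class PolicyAdministrationPoint:
    """PAP: where policy is authored; it only ever talks to the PRP."""
    def __init__(self, prp):
        self.prp = prp
        self.rules = []

    def add_rule(self, rule):
        self.rules.append(rule)
        self.prp.publish(self.rules)

class PolicyDecisionPoint:
    """PDP: evaluates whatever policy copy it currently holds."""
    def __init__(self):
        self.version = None
        self.rules = ()

    def load(self, version, rules):
        self.version, self.rules = version, rules

    def decide(self, roles, action, resource):
        if self.version is None:
            return "DENY"                           # no policy loaded yet: fail closed
        for r in self.rules:
            if r.role in roles and r.action == action and resource.startswith(r.resource_prefix):
                return "PERMIT"
        return "DENY"

class PolicyEnforcementPoint:
    """PEP: sits in front of the resource and enforces the PDP's answer."""
    def __init__(self, pdp):
        self.pdp = pdp

    def allow(self, roles, action, resource):
        try:
            return self.pdp.decide(roles, action, resource) == "PERMIT"
        except Exception:
            return False                            # PDP unreachable or broken: deny

def scenario():
    """Two PDPs behind one PRP: one subscribed (push), one that pulled once and went stale."""
    prp = PolicyRetrievalPoint()
    pap = PolicyAdministrationPoint(prp)
    pushed = PolicyDecisionPoint()
    prp.subscribe(pushed)
    pap.add_rule(Rule("hr", "read", "/payroll/"))          # policy v1
    pulled = PolicyDecisionPoint()
    pulled.load(*prp.fetch())                                 # pulls v1, never refreshes
    pap.add_rule(Rule("auditor", "read", "/payroll/"))     # policy v2, delivered by push only
    pep = PolicyEnforcementPoint(pushed)
    return {
        "hr_reads_payroll": pep.allow({"hr"}, "read", "/payroll/2024"),
        "dev_reads_payroll": pep.allow({"dev"}, "read", "/payroll/2024"),
        "auditor_on_pushed": pushed.decide({"auditor"}, "read", "/payroll/2024"),
        "auditor_on_stale": pulled.decide({"auditor"}, "read", "/payroll/2024"),
        "versions": (pushed.version, pulled.version),
        "unloaded_pdp": PolicyDecisionPoint().decide({"hr"}, "read", "/payroll/2024"),
    }
```

The stale PDP in `scenario()` is the practical reason the PRP tracks a policy version: with several PDPs, a pull-only deployment needs either a refresh interval or a version check, otherwise a newly granted (or, worse, newly revoked) rule is applied inconsistently across enforcement points.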
Pseudonym
An identifier designed to avoid carrying any inherent information about the identity or entity. Pseudonyms are meant to hide or modify the perception of the entity or identity, as presented to other parties.
In the user experience sense, pseudonyms can be chosen by the user to hide or alter their real identity in information systems.
In the implementation sense, a pseudonym is often a randomly-generated identifier, used selectively for communication with a specific domain or system. The pseudonym is used instead of other identifiers, so that the other party cannot reveal parts of the user's identity or correlate the user's actions across systems.
ISO 24760 term: pseudonym
X.1252 term: pseudonym
See also: Identifier, Personal Data Protection, Privacy
Public Key
In an asymmetric cryptosystem (a.k.a. "public-key cryptosystem"), the part of the key pair that can be shared with other entities.
X.1252 term: public key
See also: Private Key
Role-Based Access Control (RBAC)
A mechanism for managing user access to information systems based on the concept of roles. Role-Based Access Control (RBAC) uses roles to group permissions. Roles usually represent meaningful entities, such as job positions, organizational affiliations or similar business concepts. One of the basic assumptions of RBAC is that management of roles is much easier than management of individual permissions.
A form of RBAC, based on the NIST RBAC model, is standardized by ANSI/INCITS (ANSI INCITS 359-2004, revised as INCITS 359-2012).
RBAC is mostly concerned with using the roles to control user access to the system and other information assets. Role definitions are usually maintained using somewhat separate "Role Management" mechanisms.
Traditional RBAC models are static: user-role and role-permission relations are fixed, set up by a system administrator. Newer RBAC models are dynamic (policy-driven): user-role and role-permission relations may be dynamic, determined by a policy (algorithm).
Read more ...
See also: Role, Entitlement, Role Management, Access Control, Role Explosion, Policy-Driven Role-Based Access Control
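The difference between static and policy-driven user-role relations, with a role hierarchy, as an added example; this is illustrative code written for this entry, not midPoint's role engine. The `Rbac` class, the role names and the attribute rule in `build_model()` are assumptions made here.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)
    parents: set = field(default_factory=set)   # hierarchy: a role inherits its parents' permissions

class Rbac:
    """Static user-role assignments next to policy-driven (dynamic) role membership."""
    def __init__(self):
        self.roles = {}
        self.static = {}      # user -> role names assigned by an administrator or access request
        self.rules = []       # (predicate over user attributes, role name)

    def add_role(self, name, permissions=(), parents=()):
        self.roles[name] = Role(name, set(permissions), set(parents))

    def assign(self, user, role):
        self.static.setdefault(user, set()).add(role)

    def add_rule(self, predicate, role):
        self.rules.append((predicate, role))

    def roles_of(self, user, attrs):
        """Static assignments plus every role whose membership rule the user's attributes satisfy."""
        roles = set(self.static.get(user, ()))
        roles |= {role for predicate, role in self.rules if predicate(attrs)}
        return roles

    def permissions_of(self, user, attrs):
        perms, seen, stack = set(), set(), list(self.roles_of(user, attrs))
        while stack:                           # walk the hierarchy; 'seen' guards against cycles
            name = stack.pop()
            if name in seen or name not in self.roles:
                continue
            seen.add(name)
            perms |= self.roles[name].permissions
            stack.extend(self.roles[name].parents)
        return perms

    def check(self, user, attrs, permission):
        return permission in self.permissions_of(user, attrs)

def build_model():
    """Constructed sample: three roles, one static assignment, one dynamic rule."""
    rbac = Rbac()
    rbac.add_role("employee", {"intranet:read"})
    rbac.add_role("engineer", {"repo:commit"}, parents={"employee"})
    rbac.add_role("hr-manager", {"payroll:read"}, parents={"employee"})
    rbac.assign("alice", "engineer")                                   # static: stays until unassigned
    rbac.add_rule(lambda a: a.get("department") == "HR" and a.get("title") == "manager",
                  "hr-manager")                                        # dynamic: follows the attributes
    return rbac
```

Note what happens to a user whose department attribute changes: the dynamic `hr-manager` membership disappears with no administrator action, while alice's static `engineer` assignment stays regardless of her attributes. That is the trade-off the entry describes, and it is also why dynamic models need trustworthy attribute sources.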
Reconciliation
In identity management, reconciliation is the process of comparing the recorded state of the identity management system with the real state of identity resources. In its most common form, reconciliation compares user data stored in the identity management database with account data stored in an identity resource (source or target system). Reconciliation is meant to detect differences in the data, including detection of orphaned accounts.
Reconciliation is usually a quite heavyweight, yet very reliable, mechanism of identity data synchronization.
See also: Account, User
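The comparison described above, as an added example; this is illustrative code written for this entry, not midPoint's reconciliation task. The `Shadow` record (modelled loosely on the shadow objects defined elsewhere on this page), the `reconcile()` function and the sample accounts are assumptions made here.

```python
from dataclasses import dataclass

@dataclass
class Shadow:
    """IDM's record of an account it believes exists on the resource."""
    uid: str        # primary identifier, assigned by the resource and never changed
    owner: str      # IDM user the account is linked to
    expected: dict  # attribute values IDM has provisioned

def reconcile(shadows, resource_accounts):
    """Compare recorded state (shadows) with real state (accounts just read from the resource)."""
    by_uid = {a["uid"]: dict(a) for a in resource_accounts}
    report = {"missing": [], "drift": [], "in_sync": [], "orphaned": []}
    for s in shadows:
        acct = by_uid.pop(s.uid, None)         # match on the stable uid, not on the name
        if acct is None:
            report["missing"].append(s.uid)    # deleted on the resource behind IDM's back
            continue
        diffs = {k: (v, acct.get(k)) for k, v in s.expected.items() if acct.get(k) != v}
        if diffs:
            report["drift"].append((s.uid, diffs))   # changed directly on the resource
        else:
            report["in_sync"].append(s.uid)
    report["orphaned"] = sorted(by_uid)         # no shadow, hence no known owner
    return report

# Constructed sample data: what IDM recorded vs. what the resource returned.
SHADOWS = [
    Shadow("u1001", "alice", {"name": "alice", "groups": ["dev"]}),
    Shadow("u1002", "bob",   {"name": "bob",   "groups": ["finance"]}),
    Shadow("u1004", "carol", {"name": "carol"}),
]
RESOURCE_ACCOUNTS = [
    {"uid": "u1001", "name": "alice", "groups": ["admin", "dev"]},   # 'admin' added locally
    {"uid": "u1003", "name": "svc_backup", "groups": ["admin"]},     # nobody in IDM owns this
    {"uid": "u1004", "name": "carol.smith"},                         # renamed on the resource
]
```

Each bucket maps to a different follow-up: `missing` accounts are either re-provisioned or unlinked, `drift` is corrected towards the IDM state (the locally added `admin` group is exactly the kind of change reconciliation exists to catch), and `orphaned` accounts are the ones an attacker or a departed administrator leaves behind, so they are the first thing to disable. Matching on the resource-assigned uid is what lets the renamed `carol.smith` account be recognised as drift rather than as an orphan plus a missing account.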
Relationship-Based Access Control (ReBAC)
A mechanism for managing user access to information systems based on the concept of relationships. Relationship-Based Access Control (ReBAC) is defined by the presence of relationships between objects, such as "owner" or "editor". The relationships are interpreted by an access control policy to form access control decisions.
In midPoint terminology: MidPoint has a concept of "relation" that can be used together with the assignment/inducement mechanism to implement ReBAC access control structures.
See also: Access Control, Relation, Next Generation Access Control
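A relationship graph interpreted by a small policy, as an added example of the ReBAC decision described above; this is illustrative code written for this entry and is not midPoint's relation mechanism nor any particular product's model. The relation names, the implication and inheritance rules, the `group:x#member` subject-set notation and the objects in `build_graph()` are assumptions made here.

```python
from collections import defaultdict

# Hypothetical policy: which relation each action needs, how stronger relations
# imply weaker ones, and which relations flow down from a parent object.
ACTION_NEEDS = {"read": "viewer", "write": "editor", "share": "owner"}
IMPLIES = {"owner": "editor", "editor": "viewer"}            # owner => editor => viewer
INHERITED_FROM_PARENT = {"viewer", "editor", "owner"}

class Rebac:
    def __init__(self):
        self.tuples = defaultdict(set)    # (object, relation) -> subjects

    def relate(self, obj, relation, subject):
        """Record a relationship. A subject 'group:x#member' stands for every member of group:x."""
        self.tuples[(obj, relation)].add(subject)

    def unrelate(self, obj, relation, subject):
        self.tuples[(obj, relation)].discard(subject)

    def has(self, obj, relation, user, _seen=None):
        """Depth-first reachability over the relationship graph."""
        seen = _seen if _seen is not None else set()
        node = (obj, relation, user)
        if node in seen:                  # already explored, or on the current path (cycle)
            return False
        seen.add(node)
        subjects = self.tuples.get((obj, relation), set())
        if user in subjects:
            return True
        for subject in subjects:          # expand subject sets (group membership)
            if "#" in subject:
                group, rel = subject.split("#", 1)
                if self.has(group, rel, user, seen):
                    return True
        for stronger, weaker in IMPLIES.items():     # owner counts as editor, editor as viewer
            if weaker == relation and self.has(obj, stronger, user, seen):
                return True
        if relation in INHERITED_FROM_PARENT:        # relation on the parent folder flows down
            for parent in self.tuples.get((obj, "parent"), set()):
                if self.has(parent, relation, user, seen):
                    return True
        return False

    def check(self, user, action, obj):
        return self.has(obj, ACTION_NEEDS[action], user)

def build_graph():
    """Constructed sample: a folder owned by alice, a document inside it, a dev group that may view it."""
    g = Rebac()
    g.relate("folder:eng", "owner", "user:alice")
    g.relate("doc:design", "parent", "folder:eng")
    g.relate("group:dev", "member", "user:bob")
    g.relate("doc:design", "viewer", "group:dev#member")
    return g
```

The decision is never stored on the document itself: alice can write `doc:design` only because the graph walk reaches her ownership of the parent folder, and bob loses read access the moment his group membership tuple is removed. The `seen` set matters in practice, since real relationship graphs (nested groups, folder trees) contain cycles and a naive recursion would not terminate.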
Reference Identifier (RI)
An identifier that reliably references an identity in a particular scope. Once assigned, the identifier always references the same identity; it cannot be assigned to a different identity. Reference identifiers are often persistent, however, they can change, as long as the identifier is not re-assigned to another identity.
Depending on policy, reference identifiers can be re-assigned to another identity after the original identity was deleted (identifier re-use). However, there is usually a relatively long interval during which the identifier cannot be re-assigned.
Alternative terms: Non-reassignable identifier
ISO 24760 term: reference identifier
See also: Identifier, Persistent Identifier, Reference Identifier Generator
Reference Identifier Generator
ISO 24760 term, used to describe the tool that generates reference identifiers, usually during enrollment and registration.
ISO 24760 term: reference identifier generator
See also: Reference Identifier, Enrollment, Identity Registration
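A generator enforcing the non-reassignment rule and the re-use quarantine described in the two entries above, as an added example; this is illustrative code written for the glossary, not a reference to any registration product. The class, the `RI` prefix, the counter-based format and the 365-day quarantine used in the test are assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class ReferenceIdGenerator:
    """Issues identifiers that are never re-assigned while live, and after release only once a quarantine has passed."""
    quarantine: timedelta
    prefix: str = "RI"
    _counter: int = 1000
    _live: dict = field(default_factory=dict)       # identifier -> identity it references
    _released: dict = field(default_factory=dict)   # identifier -> time of release

    def assign(self, identity: str) -> str:
        rid = f"{self.prefix}{self._counter:06d}"   # fresh value, never used before
        self._counter += 1
        self._live[rid] = identity
        return rid

    def resolve(self, rid: str) -> Optional[str]:
        return self._live.get(rid)

    def release(self, rid: str, now: datetime) -> None:
        """Identity deleted: the identifier stops resolving but stays reserved."""
        del self._live[rid]
        self._released[rid] = now

    def reassignable(self, rid: str, now: datetime) -> bool:
        if rid in self._live:
            return False                            # still references someone
        released = self._released.get(rid)
        return released is not None and now - released >= self.quarantine

    def reassign(self, rid: str, identity: str, now: datetime) -> str:
        """Identifier re-use under policy: refused while live or inside the quarantine interval."""
        if not self.reassignable(rid, now):
            raise ValueError(f"{rid} cannot be re-assigned yet")
        del self._released[rid]
        self._live[rid] = identity
        return rid
```

The quarantine is what protects downstream systems: an access control list, audit log or group membership that still carries the old identifier would otherwise silently start referring to the new identity.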
Referential Integrity
Consistency constraint in a database, mandating that every reference points to a valid object. Simply speaking, when an identifier is used to reference another object, such an object should exist.
Referential integrity is often a concern in group management and directory services. Systems that provide referential integrity make sure that a group points to valid members (users that exist), or that a user's list of groups points to valid groups. When a user who is a member of a group is removed, a system with referential integrity will either automatically remove the user from the group, or it will deny the operation until the user is explicitly removed from all groups first. Systems that do not provide referential integrity would allow such an operation, leaving an invalid identifier in the database, an identifier that does not point to any existing object.
See also: Schema, Digital Identity Attribute, Verification
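The three behaviours described above (deny the deletion, cascade it to the groups, or allow a dangling reference) side by side, as an added example; this is illustrative code written for this entry, not the behaviour of any specific directory server. The `Directory` class, its mode names and the sample users are assumptions made here.

```python
class Directory:
    """Users and groups with a selectable referential integrity mode."""
    def __init__(self, mode="restrict"):       # "restrict", "cascade" or "none"
        self.mode = mode
        self.users = set()
        self.groups = {}                        # group -> set of member identifiers

    def add_user(self, user):
        self.users.add(user)

    def add_group(self, group, members=()):
        unknown = set(members) - self.users
        if self.mode != "none" and unknown:
            raise ValueError(f"unknown members: {sorted(unknown)}")
        self.groups[group] = set(members)

    def delete_user(self, user):
        referencing = [g for g, members in self.groups.items() if user in members]
        if self.mode == "restrict" and referencing:
            raise ValueError(f"{user} is still a member of {referencing}")
        if self.mode == "cascade":
            for g in referencing:
                self.groups[g].discard(user)
        self.users.discard(user)                # "none": the group entries now dangle

    def dangling(self):
        """Integrity check: group members that reference no existing user."""
        return {g: sorted(m - self.users) for g, m in self.groups.items() if m - self.users}

def try_delete(directory, user):
    try:
        directory.delete_user(user)
        return True
    except ValueError:
        return False

def run(mode):
    """Same operations under each mode; returns (deleted?, members of 'admins', dangling references)."""
    d = Directory(mode)
    for u in ("alice", "bob"):
        d.add_user(u)
    d.add_group("admins", {"alice", "bob"})
    deleted = try_delete(d, "alice")
    return deleted, sorted(d.groups["admins"]), d.dangling()
```

The `dangling()` check is worth running periodically against directories in the third category: a stale member entry is harmless until an identifier with the same value is created again, at which point the new object inherits the old membership.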
Registration Authority (RA)
An entity that gathers and verifies identity information for the purposes of enrollment and identity registration. A registration authority is usually the organization that carries out identity proofing by verifying identity evidence, such as national identity cards.
ISO 24760 term: registration authority
See also: Identity Registration, Enrollment, Identity Proofing, Identity Evidence
Relation
In midPoint terminology: The midPoint concept of "relation" can parametrize a reference between two objects, further specifying the relationship between them. It is usually used in assignments/inducements to provide details about the relationship of the holder and target objects. For example, relation is used to specify role owners, approvers and organizational unit managers. Relation can also be used to implement a relationship-based access control (ReBAC) mechanism in midPoint.
Read more ...
See also: Access Control, Assignment, Inducement, Relationship-Based Access Control
Reliability
Property of a system to behave consistently and deliver expected results.
ISO 27000 term: reliability
See also: Availability
Relying Party (RP)
System that relies on another party (identity provider) to provide identity information. A relying party (also known as "service provider") usually relies on the identity provider to authenticate the user and relay the result to the relying party. The relying party has no access to the credentials (e.g. passwords); it only knows that the authentication was successful. The identity provider may transfer identity attributes and additional information (such as authorization decisions) to the relying party. The relying party usually has a trust relationship with the identity provider.
Alternative terms: Service Provider
ISO 24760 term: relying party
X.1252 term: relying party
See also: Identity Provider, Single Sign-On, Identity Federation
Remediation
Remediation is an action to eliminate a violation of a policy, or a non-compliance with a regulation or a standard. Remediation is usually a manual action addressing the effects, i.e. specific cases of non-compliance. E.g. a violation of segregation of duties can be remediated by removing one of the conflicting roles or responsibilities.
Alternative terms: Correction
ISO 27000 term: correction
See also: Compliance, Corrective action
Repository
A database, often a database of self-contained objects. In identity and access management context, it usually means a database of identity information.
In midPoint terminology: MidPoint internal database. It is used to store all internal midPoint data and the vast majority of midPoint configuration.
Alternative terms: MidPoint repository
Requirement
Requirement is a need or expectation that is stated or implied. Requirements are usually specified by legislation, regulation or standards. Requirements are also a usual part of software specifications or contracts. Although most requirements are expected to be explicitly stated, there may be implied requirements, given by usual practice or common expectations.
ISO 27000 term: requirement
See also: Compliance
Residual risk
Residual risk is the risk that remains after risk treatment. It is risk that was not eliminated by cybersecurity activities. As it is practically impossible to eliminate risk completely, some residual risk has to be accepted, as part of the usual cybersecurity program.
Alternative terms: Retained risk
ISO 27000 term: residual risk
See also: Risk, Risk acceptance
Resource
In generic terms, a Resource is any information asset, system or service that can be meaningfully used to obtain information, or to initiate an action. Web resources are often used to access information across the World Wide Web, e.g. in the form of RESTful interfaces. In the IAM field, a Resource (Identity Resource) is usually a network-accessible asset capable of managing identity information.
In midPoint terminology: A Resource is a system that is either identity data source or provisioning target.
Alternative terms: Information Resource, Data Resource
See also: Identity Resource
REST
Architectural style that describes the fundamental principles of the World Wide Web (WWW). The REST architectural style was used to develop the HTTP protocol, a fundamental building block of the WWW. REST specifies the concept of a resource (web resource), identified by a Uniform Resource Locator (URL) and accessed through a uniform interface. Although REST is designed for hypertext applications, some REST principles are used for general-purpose programming interfaces, known as "RESTful" services or APIs.
Alternative terms: Representational State Transfer
See also: RESTful Service, Application Programming Interface, Resource
RESTful Service
Usually a general-purpose programming interface (API) or network service, exposed by one application to be used by another application. RESTful services are based on HTTP methods such as GET, PUT and POST. RESTful services use Uniform Resource Locators (URLs) as the addressing scheme, and also for conveying some parameters. Despite the name, RESTful services often do not strictly follow the principles of the REST architectural style. The REST architectural style is designed for use in hypertext applications, while most RESTful services are procedural in nature. Therefore most RESTful services adapt and bend the REST principles to their purposes. Despite such deformations, RESTful services provide a very popular method for application-to-application interaction over the Internet.
Alternative terms: REST Service, REST API
See also: REST, Application Programming Interface
Review
Review is an activity that aims at evaluating whether a certain subject matter is adequate to achieve its objectives. A review often evaluates the performance of a process, program, project or policy.
ISO 27000 term: review
See also: Access Certification, Performance
Review object
Review object is the subject matter reviewed by a review. It is usually a process, program, project or policy.
ISO 27000 term: review object
See also: Review
Review objective
Review objective is a statement describing the intended results of a review.
ISO 27000 term: review objective
See also: Review
Risk
Effect of uncertainty on objectives, i.e. of uncertain, unforeseen, unknown or unknowable effects. Risk may originate from the fact that the effects are inherently uncertain, such as short-term fluctuations of the markets. However, many forms of risk stem from a lack of knowledge or understanding, such as a lack of knowledge about the capabilities of attackers. While risk includes both positive and negative uncertain effects, almost all activities in cybersecurity deal with the negative effects of risk.
In cybersecurity risk assessment and modeling, risk is associated with the impact of threats, exploiting vulnerabilities of information assets.
ISO 27000 term: risk
See also: Risk level
Risk acceptance
Risk acceptance is a decision to accept a particular (residual) risk. As it is practically impossible to eliminate risk completely, some residual risk has to be accepted, as part of the usual cybersecurity program. Risk acceptance is a usual part of the risk treatment process. Even though a risk is accepted, it does not mean it is forgotten. Accepted risk should be subject to monitoring.
ISO 27000 term: risk acceptance
See also: Risk, Residual risk, Monitoring
Risk analysis
Risk analysis is a systematic process to understand the nature and extent of risk, and to determine risk levels. It is a structured process, evaluating several aspects of risk. As risk is almost impossible to measure exactly, risk levels are often estimated during risk analysis.
ISO 27000 term: risk analysis
See also: Risk, Risk level
Risk assessment
Risk assessment is a comprehensive process consisting of risk identification, risk analysis and risk evaluation. Risk assessment is a necessary part of the risk management process.
ISO 27000 term: risk assessment
See also: Risk, Risk analysis, Risk identification, Risk evaluation
Risk-based approach
Risk-based approach is an approach to cybersecurity management based on systematic management of risk. It is based on a controlled method of managing risk in an organization. One of the primary principles of the risk-based approach is the acceptance that risk cannot be completely eliminated. The risk has to be assessed, subjected to appropriate treatment, and the residual risk has to be accepted.
See also: Risk, Risk management
Risk communication
Risk communication is a set of activities to communicate information about risk with interested parties (stakeholders). Communication may take form of consultation, communicating risk and risk-related information both ways. Purpose of risk communication is to improve decision processes related to risk and its impact on organization objectives.
Alternative terms: Risk communication and consultation
ISO 27000 term: risk communication and consultation
See also: Risk, Risk assessment, Interested party
Risk criteria
Specification of requirements and other criteria used to evaluate risk. Legislation, regulation, standards and best practice are the usual baseline for risk criteria. However, specific risk criteria are determined by the character, objectives and methods of a particular organization.
ISO 27000 term: risk criteria
See also: Risk, Risk evaluation, Compliance, Requirement, Policy
Risk evaluation
Risk evaluation is a process of comparing results of risk analysis to risk criteria. Result of risk evaluation is a decision whether risk is acceptable, or it has to be treated (eliminated or mitigated).
ISO 27000 term: risk evaluation
See also: Risk, Risk assessment, Risk criteria
Risk identification
Risk identification is a process of discovering and describing risks. It involves identification of risk sources and causes, which may be based on historical data or expertise.
ISO 27000 term: risk identification
See also: Risk, Risk assessment
Risk level
Magnitude or measure of risk. Expression of risk level is heavily influenced by context. Risk levels can be quantitative, expressing the risk level in measurable and generally comparable quantities, such as a probability expressed as a percentage or a weighted monetary cost. Risk levels can also be qualitative, expressing the risk level in relative terms, such as "low", "medium" and "high". Risk levels may consider the impact (consequence) of a risk, or may be concerned solely with the probability of a risk occurrence.
Alternative terms: Level of risk
ISO 27000 term: level of risk
See also: Risk, Probability, Risk analysis
Risk management
Risk management is a broad set of coordinated activities aimed at control of risk in an organization. It includes formal risk management processes, as well as informal and implicit activities. Risk management is one of the basic mechanisms of cybersecurity.
ISO 27000 term: risk management
See also: Risk, Risk management process, Risk-based approach, Cybersecurity
Risk management process
Risk management process is a systematic application of processes and methods for controlled management of risk in an organization. It is supposed to be based on formal specification of processes and policies. It is usually a circular, iterative process, going through analytical, implementation, monitoring and review phases. Risk management is one of the most important processes in cybersecurity.
ISO 27000 term: risk management process
See also: Risk, Risk management, Risk-based approach, Policy
Risk owner
Risk owner is a person who is responsible for a particular risk. It may be the owner of a system, of a certain privilege in a system, or of a business process that is a source of risk. The risk owner is supposed to have accountability as well as authority to properly manage the risk.
ISO 27000 term: risk owner
See also: Risk, Risk management process
Risk treatment
Risk treatment is an activity to address the risk. Ultimate goal of risk treatment is to lower overall risk to an acceptable level. Many methods can be used to treat the risk, including avoiding activities that are sources of risk, eliminating risk sources, lowering probability or impact of a risk, redirecting risk to another party, or accepting the risk. Risk treatment is a necessary part of risk management process.
Alternative terms: Risk mitigation, Risk elimination, Risk reduction, Risk prevention
ISO 27000 term: risk treatment
See also: Risk, Risk management process, Risk assessment
Role
Abstract concept that usually groups entitlements (privileges, access rights) in a single object. The purpose of grouping entitlements in roles is to make access control policies manageable, usually using Role-Based Access Control (RBAC) principles.
X.1252 term: role
See also: Entitlement, Role-Based Access Control, Role Management
Role Explosion
Unreasonable multiplication of the number of roles in role-based access control (RBAC) systems. Role explosion occurs due to a combination of several causes; poor role management practices and Cartesian products in role definitions (one role for every combination of, e.g., department, location and job position) are perhaps the most common. It occurs mostly in static RBAC models; dynamic RBAC models have methods to avoid role explosion.
Read more ...
See also: Role-Based Access Control, Role Management
Role Management
A process of managing role definitions. It usually includes creating role definitions, maintaining them, adapting them to a changed environment and decommissioning them. Role management is concerned with role definitions only, in contrast with Role-Based Access Control (RBAC), which is mostly concerned with using the definitions to control access.
Alternative terms: Role Modeling, Role Engineering
See also: Role, Role-Based Access Control
Schema
Description of the structure of information, such as description of data types, attribute names and types, attribute structure and multiplicity, often supplemented by additional information such as documentation and presentation metadata.
In information systems designed to process identity information, the schema usually refers to structure of digital identity data, names of identity attributes, their types, multiplicity, optionality and similar properties.
Alternative terms: Data model, Identity model
See also: Digital Identity Attribute, Verification, Referential Integrity
Security Audit
Independent review of a system, in order to assess adequacy of security controls, evaluate compliance with policies, regulations and operational procedures.
X.1252 term: security audit
Security Posture
Security posture is the security status of an enterprise’s networks, information, and systems based on cybersecurity resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes. It is a "big picture" of the state of cybersecurity in an organization.
Alternative terms: Cybersecurity posture
See also: Cybersecurity
Selective Disclosure
A mechanism that gives a person control over the sharing of data, usually between domains. Selective disclosure is sometimes applied in cross-domain data transfer, such as when using identity providers or identity federations. In case of a data transfer, the user is prompted to select the data that can be disclosed to the other domain. This process is sometimes automatic, governed by a pre-defined data disclosure policy.
Alternative terms: Selective Disclosure of Personal Information
ISO 24760 term: selective disclosure
See also: Digital Identity, Personal Data Protection, Privacy, Identity Provider, Identity Federation, Minimal Disclosure
Self-Asserted
An assertion (claim) made by an entity about itself. It usually means a claim that was not verified or certified by any other party.
See also: Self-Asserted Identity
Self-Asserted Identity
An identity (usually a digital identity) that an entity declares about itself. It usually means a set of digital identity attributes that an entity claimed about itself, without being verified or certified by any other party.
X.1252 term: self-asserted identity
See also: Self-Asserted, Decentralized Identifier, Identity Assertion
Shadow
In midPoint terminology: Shadow objects are objects in the midPoint repository representing objects in identity resources, such as accounts or groups. Shadow objects are used by midPoint as proxy objects, or data adapters, for real accounts, groups or organizational units in identity resources. MidPoint stores identifiers of resource objects in shadow objects, together with meta-data, policy-related information and operational data relating to the resource object that the shadow represents. The identifiers stored in shadow objects are used to locate the correct resource object even when it is renamed or moved. Shadow objects may contain copies of the data of real resource objects. However, in the default configuration, only identifiers are stored in shadow objects.
Read more ...
Alternative terms: Shadow Object
See also: Projection
Self-Sovereign Identity (SSI)
Self-sovereign identity is an approach to digital identity that gives individuals control over their identity data. Without self-sovereign identity, individuals need to rely on (usually big and influential) organizations acting as identity providers to manage their identity data. SSI systems are often decentralized, based on verifiable credentials stored in a digital wallet which is under the user's control.
See also: Decentralized Identity, Verifiable Credentials, Identity Provider
Single Sign-On (SSO)
Single sign-on (SSO) is an authentication process in which the user logs into multiple systems with a single set of credentials (usually username and password). It is used for systems that require authentication for each application while using the same credentials. SSO works through a central service, from which the user gains access to different applications without logging in again.
Unlike identity providers, SSO systems usually operate within a single domain, both the SSO server and the applications being controlled by the same organization. The implicit trust of such an arrangement allows SSO systems to be much simpler than identity federation systems, although both classes of systems provide similar services and mechanisms.
Alternative terms: Single Log-On
See also: Authentication, Identity Provider, Identity Federation
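The exchange behind this entry and the "Relying Party" entry above, with the pairwise identifiers of the "Pseudonym" entry and the per-audience attribute release of "Selective Disclosure", as one added example; this is illustrative code written for the glossary, not a SAML or OpenID Connect implementation and not any product's code. The token format (base64url JSON body plus HMAC tag), the shared signing key, the issuer name `idp.example`, the audiences and the sample user are assumptions made here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ITERATIONS = 100_000   # PBKDF2 rounds for the constructed password store

class IdentityProvider:
    """Hypothetical IdP/SSO server: holds credentials and sessions, issues signed assertions."""
    def __init__(self, signing_key: bytes, issuer: str = "idp.example"):
        self.signing_key = signing_key
        self.issuer = issuer
        self.pairwise_secret = secrets.token_bytes(32)
        self.users = {}            # username -> (salt, password hash, attributes)
        self.release_policy = {}   # audience -> attributes it may receive (minimal disclosure)
        self.sessions = {}         # session id -> username

    def register(self, username, password, attrs):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self.users[username] = (salt, digest, attrs)

    def login(self, username, password):
        """Primary authentication happens once; returns a session id or None."""
        if username not in self.users:
            return None
        salt, digest, _ = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        if not hmac.compare_digest(digest, candidate):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid

    def pseudonym(self, username, audience):
        """Pairwise pseudonymous subject: stable per (user, RP), not correlatable across RPs."""
        return hmac.new(self.pairwise_secret, f"{username}|{audience}".encode(), "sha256").hexdigest()[:32]

    def assert_for(self, sid, audience, now=None, ttl=300):
        """Single sign-on: any RP gets an assertion from the existing session, no password asked again."""
        username = self.sessions[sid]
        now = int(time.time()) if now is None else now
        attrs = self.users[username][2]
        released = {k: attrs[k] for k in self.release_policy.get(audience, ()) if k in attrs}
        claims = {"iss": self.issuer, "sub": self.pseudonym(username, audience), "aud": audience,
                  "iat": now, "exp": now + ttl, "attrs": released}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        tag = base64.urlsafe_b64encode(hmac.new(self.signing_key, body, "sha256").digest())
        return body + b"." + tag

def verify_assertion(token: bytes, signing_key: bytes, audience: str, now: int):
    """Relying party side: it never sees a password; it checks integrity, audience and validity window."""
    try:
        body, tag = token.rsplit(b".", 1)
        expected = hmac.new(signing_key, body, "sha256").digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["aud"] != audience or not (claims["iat"] <= now < claims["exp"]):
            return None
        return claims
    except (ValueError, KeyError):
        return None

def demo_idp():
    """Constructed sample: one user, two relying parties with different release policies."""
    idp = IdentityProvider(signing_key=b"\x01" * 32)
    idp.register("alice", "correct horse battery staple",
                 {"email": "alice@example.com", "dept": "HR", "national_id": "123-45-6789"})
    idp.release_policy = {"payroll.example": ("email", "dept"), "wiki.example": ("email",)}
    return idp
```

The symmetric key is the simplification: every relying party holding it could mint assertions for the others, which is acceptable inside the single-domain SSO arrangement this entry describes and not across organizations, where identity federation protocols sign assertions with the provider's private key instead. The `national_id` attribute never leaves the provider because no release policy names it, and the two audiences receive different `sub` values for the same user.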
Standard
Technical specification, adopted by a recognised standardisation body, for repeated or continuous application, with which compliance is not compulsory.
Alternative terms: Technical standard, Technology standard, Official standard
See also: Technical specification
Static Entitlement
An entitlement that is statically assigned to a user or an account. The entitlement stays ("stands") assigned to the user indefinitely, until it is explicitly unassigned. A static entitlement is assigned to a user by an action of a system administrator, by means of an access request process, or by similar means.
Standing entitlements form the basis of some access control models, most notably Role-Based Access Control (RBAC). The static nature of entitlement assignment is often a target of critique, pointing out the lack of dynamics and flexibility of static entitlements. Policy-based access control models avoid the use of standing entitlements in favor of entitlements that are determined dynamically at run time.
While static entitlements may be necessary at higher levels (especially the identity governance level), they do not necessarily need to be reflected to lower levels (e.g. directory services and operating systems). Eliminating low-level standing privilege has several advantages, including a lower risk of misuse and less visibility for an attacker. Just-in-time or on-demand mechanisms for temporary assignment of privileged access provide a solution for bridging high-level and low-level static entitlements.
Alternative terms: Standing Privilege, Standing Entitlement, Persistent Privileges
See also: Entitlement, Access Control, Role-Based Access Control, Attribute-Based Access Control, Policy-Based Access Control
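Standing entitlements next to just-in-time elevation with an expiry, as an added example of the contrast drawn above; this is illustrative code written for this entry, not a privileged access management product's API. The `EntitlementStore` class, the entitlement names, the one-hour TTL and the constructed ticket reference `INC-4711` are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Grant:
    user: str
    entitlement: str
    granted_at: datetime
    expires_at: Optional[datetime]   # None = standing (static) entitlement
    reason: str

class EntitlementStore:
    """Standing assignments alongside time-boxed, just-in-time elevations."""
    def __init__(self):
        self.grants = []

    def assign_static(self, user, entitlement, now, reason="access request"):
        self.grants.append(Grant(user, entitlement, now, None, reason))

    def unassign(self, user, entitlement):
        """The only way a standing entitlement goes away: explicit removal."""
        self.grants = [g for g in self.grants
                       if not (g.user == user and g.entitlement == entitlement and g.expires_at is None)]

    def elevate(self, user, entitlement, now, ttl, ticket):
        """Just-in-time privileged access: expires by itself and must carry a justification."""
        if not ticket:
            raise ValueError("elevation requires a ticket or justification")
        self.grants.append(Grant(user, entitlement, now, now + ttl, ticket))

    def effective(self, user, now):
        """What the user actually holds at a given moment."""
        return {g.entitlement for g in self.grants
                if g.user == user and (g.expires_at is None or now < g.expires_at)}

    def standing_privileged(self, privileged):
        """Audit: who holds a privileged entitlement with no expiry at all."""
        return sorted({(g.user, g.entitlement) for g in self.grants
                       if g.expires_at is None and g.entitlement in privileged})

def demo_store():
    """Constructed sample: alice gets a standing low-risk entitlement and a one-hour root elevation."""
    t = datetime(2024, 2, 13, 9, 0)
    store = EntitlementStore()
    store.assign_static("alice", "intranet:read", t)
    store.elevate("alice", "root@db01", t, timedelta(hours=1), ticket="INC-4711")
    store.assign_static("bob", "root@db01", t, reason="legacy")
    return store, t
```

Alice's `root@db01` access is gone an hour later without anyone remembering to revoke it, while bob's standing copy of the same privilege shows up in `standing_privileged()` until someone removes it, which is the list a reviewer would work through during access certification.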
Subject
An entity or identity which is active in an information system, typically a user. It is assumed that a subject has agency, directly or indirectly. Subjects can represent organizations or similar "legal persons" that cannot act on their own; users have to act on their behalf. In this case the organization is the "subject", while the person that acts on the organization's behalf is the "user".
The term "subject" is often used in the context of authorization, as part of the subject-action-object triple. The subject is the active part, a user executing a certain action on a specific object. In some contexts, "subject" is equivalent to "principal".
Alternative terms: Principal
See also: Principal, User, Entity, Identity, Account, Authorization, Holder
Target System
In the IAM field, any system in which an identity management (IDM) system manages identity data. The IDM system usually uses identity connectors to manage data in target systems.
Some target systems can also be (partial) identity data sources, with the IDM system both managing and reading the data.
See also: Identity Management System, Identity Connector, Identity Data Source
Technical specification
A document that prescribes technical requirements to be fulfilled by a product, process, service or system, and which lays down characteristics, production methods or assessment criteria. Unlike a standard, a technical specification is not required to be adopted by a recognized standardization body.
See also: Standard
Threat
In cybersecurity, a threat is the potential to cause harm or to endanger information assets or an organization. Threats may be intentional, unintentional or completely natural. Many cybersecurity threats are materialized by motivated attackers, while other threats may be environmental (flooding, fire) or may be caused by societal or government actions.
Alternative terms: Cyber threat, Security threat
ISO 27000 term: threat
See also: Risk, Asset, Risk assessment, Cyberattack
Top management
Top management is a person or a group who controls the organization at the top level. Top management is ultimately responsible for the allocation of resources, and for the objectives and results of the organization.
Alternative terms: Executive management, Board, Board of directors
ISO 27000 term: top management
See also: Organization, Organizational Structure
Triangle Of Trust
The triangle of trust is a three-party relationship of issuer, holder and verifier. The issuer issues a credential or claim to the holder. The holder presents the credential/claim to the verifier. The verifier verifies the credential/claim, using data provided by the issuer.
The triangle of trust is a frequently used concept to support trust relationships in distributed information systems.
Alternative terms: Trust Triangle
See also: Issuer, Holder, Verifier, Trusted Third Party
Trust
Confidence in or reliance on some person or quality. In the information technology world, it usually means confidence in the correctness of information. It is often a long-term relationship between entities, one entity trusting in the correctness of a whole class of information claimed by another entity (a trusted third party).
X.1252 term: trust
See also: Triangle Of Trust, Trusted Third Party
Trust service
An electronic service that issues digital credentials, acting as a trusted third party.
See also: Trusted Third Party, Certificate Authority
Trusted Third Party
An entity that makes claims which are trusted by other parties. Usually a central entity in a system that is trusted by many entities. In scenarios involving the Triangle of Trust, the issuer is considered to be the trusted third party.
X.1252 term: trusted third party
See also: Trust, Triangle Of Trust, Issuer, Trust service
Under-provisioning
A situation when an identity has fewer privileges than are necessary for the tasks that the identity is supposed to carry out. For example, a user does not have all the permissions necessary to carry out their usual work tasks. Under-provisioning is an operational risk, leading to low workforce efficiency.
Ideally, under-provisioning should be addressed by the automated provisioning mechanisms of identity management systems, such as birthright provisioning. However, due to a lack of clear access control policy, under-provisioning is often addressed by access request processes instead.
Alternative terms: Under-permissioning, Under-privileged Access
See also: Identity Provisioning, Birthright, Access Request Process, Over-provisioning
User
Generally speaking, a person that is using a computing system.
In midPoint terminology: A user is a data structure in midPoint that describes a person. A similar data structure in a source/target system (identity resource) is called an "account".
Alternative terms: MidPoint User
X.1252 term: user
See also: Account, Principal, Subject
User-centric
A system that is oriented towards the user, with the user in control. In the identity and access management context it usually means a system where users are in control of their data.
X.1252 term: user-centric
Verifiable Credentials (VC)
Credentials that can be presented by the holder to the verifier and independently verified by the verifier, without the cooperation of any third party. Verifiable credentials do not require the verifier to cooperate with the credential issuer to verify every single credential issued. Only the holder and the verifier are aware of the transaction; no other party has any data about it. Some verifier-issuer communication may be necessary to establish or renew the trust. However, such communication is in no way related to the holder-verifier transaction.
Verifiable credentials are often based on public key cryptography. Holders keep verifiable credentials in digital wallets.
See also: Credential, Digital Wallet, Self-Sovereign Identity, Decentralized Identity, Triangle Of Trust
Verification
A process establishing that a particular piece of information is correct, where the meaning of "information" and "correct" varies from context to context. When dealing with identity information, this usually means formal verification of identity attributes: checking the schema, identifier uniqueness and referential integrity. However, verification may also mean deeper checks, such as checking that the information is true and up to date.
ISO 24760 term: verification
X.1252 term: verification
See also: Verifier, Digital Identity Attribute, Schema, Referential Integrity
Verifier
An entity that performs verification, usually verification of a credential or a claim. In Triangle of Trust scenarios, the verifier verifies credentials/claims provided by the holder. The verifier may need information provided by the issuer of the credential/claim to be able to complete the verification process.
ISO 24760 term: verifier
See also: Verification, Triangle Of Trust, Issuer, Holder, Trusted Third Party, Credential, Claim
Vulnerability
A vulnerability is an aspect of an information asset that makes it susceptible to damage or misuse. It is a weakness in the protection of an asset that can be exploited by a threat. In software development, a vulnerability is a bug in software code that opens the software to cyberattacks.
Alternative terms: Weakness
ISO 27000 term: vulnerability
See also: Risk, Threat, Asset, Risk assessment, Cyberattack