Access
Request
Systems
or processes used to request new access, make changes to existing access, or
remove access to resources within an organization.
Access
Review
A
component of a Certification. See Certification.
Activity
The
normalized representation of the raw activity data collected from an activity
data source such as a Windows Event Log or Syslog. Activity is represented as a
java object (ApplicationActivity) and persisted in the database.
Additional
Entitlement
Additional
entitlements are any entitlements to which the identity has access but that do
not comprise a complete role. For example, if a role is comprised of
entitlements A, B, and C, but the identity only has access to entitlements A
and B, A and B are included in the list of Additional Entitlements. Also, if
the identity is assigned entitlements A, B, C, and D, and A, B, and C are
grouped as the role, D is added to the Additional Entitlements list.
Aggregation
Aggregation
refers to the discovery and collection of information from the applications
configured to work with IdentityIQ. For example, IdentityIQ uses an Identity
Aggregation task to pull the values associated with the identity attributes
specified during the configuration process from user accounts on the designated
applications. That information is then used to create the foundation of the
IdentityIQ Identity Cubes.
Application
1. The generic term used to refer to
any data source with which IdentityIQ communicates to manage governance, risk
management and compliance for your enterprise.
2. The term used to refer to an
instance of a configured IdentityIQ connector. Applications encapsulate the
details of how a targeted system is accessed (Connector parameters), how the
accounts and entitlement data on that system is classified (Schema) and how the
accounts on that system are correlated to existing Identity Cubes.
Authoritative
Application
The
identity authoritative application is the main repository for employee
information for your enterprise, for example a human resources application.
This might not be an at risk application, but it is the system of record from
which the majority of the IdentityIQ Identity Cubes are built.
Business
Process (aka Workflow)
A
Business Process is a sequence of operations or steps executed to perform work.
The IdentityIQ Business Processes ‐ both the standard “out of the box” and
custom, written for a specific installation ‐‐ are triggered by system events
or by a user request. A business process is launched as a side effect of some
IdentityIQ operation such as editing a role, updating an identity, or the
discovery of a policy violation. The available triggering events include: •
Role creation • Identity update • Identity refresh • Identity correlation •
Deferred role assignment/deassignment • Deferred role activation/deactivation •
Any Lifecycle Manager event • Any Lifecycle Event (marked by changes to an
Identity's attributes)
You
cannot schedule a business process, but you can schedule a custom task that launches
a business process.
Capabilities
Capabilities
control access within the IdentityIQ product. Access is controlled at the page,
tab, and field level.
Certification
Certification
enables you to automate the review and approval of identity access privileges,
account group membership and permissions, and role membership and composition.
IdentityIQ collects fine-grained access (or entitlement) data and formats the
information into reports (called Access Reviews), which are routed to the
appropriate reviewers. Each access review is annotated with descriptive
business language - highlighting changes, flagging anomalies and calling out
violations where they appear.
Identity
certifications enable reviewers to approve certifications for identities, or take
corrective actions (such as removing entitlements that violate policy).
Role
membership and composition certification enables reviewers to approve the
composition of roles - the entitlements and roles that define the role being
reviewed, and the identities to which the role is assigned, or take corrective
actions.
Account
group membership and permission certification enables reviewers to approve the
permissions assigned to account groups and the members that make up the group,
or take corrective actions.
Certification
Periods
Certifications
progress through phases as they move through their life-cycle: Staging, Active,
Challenge, and Revocation. The phases associated with each certification are
determined when the certification is scheduled.
Connector
Connectors
provide the means by which IdentityIQ communicates with targeted platforms,
applications and systems. Connectors are Java classes that implement the
IdentityIQ Connector interface.
There
are two types of connector in IdentityIQ, application-type connectors that
collect account information, and activity-type connectors that collect activity
information. IdentityIQ uses the information from both types to maintain the
identity cubes.
Correlation
Correlation
refers to the process of correlating, or combining, all of the information
discovered by IdentityIQ (identity attributes, entitlements, activity, policy
violations, history, certification status, etc.) to create and maintain the
IdentityIQ Identity Cubes. Correlation does not involve accessing external
application to discover information. Correlation reviews the information
contained within the IdentityIQ application and updates identity cubes as
necessary.
Correlation
Key
The
attributes that IdentityIQ can use to correlate activity discovered in the
activity logs for this application with information stored in identity cubes.
For
example, activity logs might contain the full name of users instead of unique
account ids. Therefore, correlation between the activity discovered by an
activity scan and the identity cube of the user that performed the action must
key off of the user’s full name.
Data
Source
A data
source is a file, database, or repository of the HR and/or entitlement
information required to determine a user’s accounts and access to an
application. An application can have entitlement information stored in several
data sources. For example, a user might need to be a member of a particular
Active Directory group in order to get access to the application, then the specific
application role for the user might be defined in a relational database, and
certain administrative functions might require access to a Windows file share.
Entitlement
An
entitlement is either a specific value for an account attribute, most commonly
group membership, or a permission.
Entitlement
Catalog
A
business friendly dictionary of user access descriptions that can be associated
with individual entitlements and permissions.
Group
Groups
are used to tracked accessibility, activity, and monitored risk by group
membership. Risk scores are displayed on the Dashboard. Groups are defined
automatically by values assigned to identity attributes or by account group
membership. Account groups are based on common entitlement within an
application, not common qualities as defined within IdentityIQ.
Group
Factory
The
Group Factory defines groups automatically by values assigned to identity
attributes such as Department, Location, Manager and Organization.
Hierarchical
role model
In role
based access control, the role hierarchy defines an inheritance relationship
among roles. For example, the role structure for a bank may treat all employees
as members of the 'employee' role. Above this may be roles 'department manager'
and 'accountant,' which inherit all permissions of the 'employee' role
Identity
Cube
Multi-dimensional
data models of identity information that offer a single, logical representation
of each managed user. IdentityIQ automatically builds, manages and securely
stores Identity Cubes, including both current and historical views. Each Cube
contains information about entitlements, activity, and associated business
context.
Integration
Modules
An
Integration Module is an interface from IdentityIQ to a provisioning product
from another vendor (e.g., Oracle Identity Manager or IBM Tivoli Identity
Manager) or a service desk product (e.g., BMC Remedy or ServiceNow). These two
types of integration modules are called Provisioning Integration Module (PIM)
and Service Desk Integration Module (SIM) respectively.
Lifecycle
event
An
identity-related event in which a user's relationship with the organization
undergoes a chance - e.g. new user is on boarded, existing user is promoted.
Lifecycle
management
The
end-to-end process of managing user access throughout a user's lifecycle within
the organization.
Logical
Application
A
logical application is a way to define an application “logically”, simplifying
searches, certifications, etc. by treating these special types of applications
as a logical entity.
Logical
applications allow for two types of functionality:
Combining
-- treating
multiple applications as a single logical application. For example, an
application may be defined by Web Application access, Mainframe application
access and SQL database access
Subdividing
-- treating
users with a certain LDAP or AD group as account holders on an application. For
example, an AD group may control access to a web application at company XYZ.
They want to treat this web application as a logical standalone application for
requesting access and certifications.
Managed
Attribute
An
attribute that has been defined on an application schema to have additional meta-data
maintained about that attribute. For each value read for the attribute from the
Application during aggregation, an entry will be created in the Entitlement
Catalog.
Mitigation
Mitigation
refers to any exceptions that are allowed on policy violations discovered
during a certification process.
Offboarding
(aka “Leaver” processing)
The
process initiated when IdentityIQ determines that a worker has left the
company, whether through aggregation from an authoritative source like the HR
system or through someone using a “Terminate Immediately” button. This process
usually includes disabling or deleting all of the worker’s accounts and sending
notifications as appropriate.
Onboarding
(aka “Joiner” processing)
The
process initiated when a new employee, contractor, or other type of worker is
made known to IdentityIQ, whether through aggregation from an authoritative
source like the HR system or through someone using the Create Identity
functionality in LCM. This process usually includes creating accounts, adding
group memberships, and granting other access required for the new worker to be
productive when he/she starts his/her new job. The basic access required for a
new worker is sometimes referred to as “birthright” access.
Permissions
The
authorization given to users that enables them to access specific resources on
the network, such as data files and applications. They also designate the type
of access: for example, can data only be viewed (read only) or can they be
updated (read/write). Also called user rights, user authorizations and user
privileges.
Permitted
(optional) Role
A role
that is not automatically granted to a user, but may optionally be requested or
assigned. Permitted roles are associated with higher-level business roles and
allow the organization to enforce least privilege while controlling the total
number of roles required to model access rights within the enterprise.
Policy
Policies
are comprised of rules used to enforce any policies, separation of duty, activity
or risk, defined within your enterprise. For example, a rule might be defined
that disallows a single IdentityIQ identity from having roles that enable them
to both request and approve purchase orders.
Population
Populations
are query based groups created from the results of searches run from the
Identity Search page. Searches that result in interesting populations of
identities can, optionally, be saved as populations for reuse within
IdentityIQ. Members of a population might not share any of the same identity
attributes or account group membership. Population membership is based entirely
on identity search parameters.
Profile
A
profile is a set of entitlements on an application. An entitlement is either a
specific value for an account attribute, most commonly group membership, or a
permission. Profiles can be used in multiple roles.
Profile
Class
An
optional class used to associate an application with a larger set of
applications for role modeling purposes.
For
example, you might set a profile class of XYZ on all of the applications on
which any user that has read account privileges should be assigned the role XYZ
Account Reader. You can then create a single profile for that role instead of a
separate profile for each instance of the applications. During the correlation
process any user with read account privileges on any of the applications with
the profile class XYZ is assigned the role XYZ Account Reader.
Provisioning
The
process of granting, changing, or removing user access to systems, applications
and databases based on a unique user identity. Automated user provisioning is
intended to make the creation, management and deactivation of login IDs, home
directories, mail folders, security entitlements and related items faster, cheaper
and more reliable. This is done by automating and codifying business processes
such as onboarding and termination and connecting these processes to multiple
systems.
Reassign
Use the
reassign feature to reassign certifications to the appropriate owner. Access
reassignment is performed at the identity level. Identities that are reassigned
are removed from the identities list and do not reflect as part of the
completion status for this certification. All reassigned identities must be
acted upon, however, before you can sign-off on the certification.
Bulk
reassignment enables you to reduce cumbersome identity certification lists by
reassigning identities to appropriate certification approvers. For example, if
you are the owner of an application with thousands of accounts, you can use
this feature to reassign identities for certification by department or manager.
Refresh/Identity
Refresh
Refresh
refers to the process of updating the values on the Identity Cube through
promotion of Identity Attributes as defined in the Identity Mappings. The
default Refresh Identity Cube task includes promotion of account entitlements
to the cube and calculation of risk and policy violations.
Refresh
does not involve accessing external applications to discover information.
Refresh reviews the information contained within the IdentityIQ application and
updates identity cubes as necessary
Report
A report
is a special type of task that extracts data from the IdentityIQ database and
presents it on the screen, with an option to export as PDF and/or CSV.
Required
Role
A role
that is automatically provisioned to a user once the user is assigned to the
higher-level role containing the required role.
Revocation
Use
revocation to request the removal of an identities access to a specified role
or entitlement. No action is taken on a revocation request until the
certification containing the request is completed and signed off on. This is
done to ensure that no entitlement is removed until final confirmation has been
received from the requestor.
Entitlements
that are assigned to more than one role are not revoked with the role. For
example, if role A is made up of entitlements X, Y and Z, and role B is made up
of entitlements W and X, revoking role A only revokes entitlements Y and Z.
Risk
The
IdentityIQ risk-management scoring system applies analytics to identity and
activity data to pinpoint areas of risk and enable you to focus your compliance
efforts where they are needed most. IdentityIQ uses configurable algorithms to
assign a unique risk score. Scores are based on multiple factors and updated
regularly. Using this risk scoring system, you can configure IdentityIQ's
automated controls to lower user risk scores and their overall corporate risk
profile.
Role
(aka Bundle)
A role
is a collection of entitlements or other roles that enables an identity to
access resources and to perform certain operations within an organization. A
simple role is a collection of entitlements defined within the context of a single
system. For example, one role might enable the request of purchase orders and
another might enable the approval of purchase requests. Roles are used to
simplify security administration on systems and applications, by encapsulating
popular sets of entitlements and assigning them as packages, rather than
individually, to users. IdentityIQ uses roles to monitor these entitlements,
identify separation of duty policy violations, and compile identity risk scores
to enable you to maintain compliance.
Role Assignment
The
process of granting roles to users. Can be performed through self-service tools
or via an automatic assignment rule.
Role
Creation
The
process of defining roles within a role model and mapping those roles to the
appropriate set of access privileges based on business process and job function.
Role
Certification
The
periodic review of a role or roles in order to validate that the role contains
the appropriate access privileges and that members of the role are correct.
Role certifications are commonly used as an internal control and a way to
prevent role proliferation.
Rules
Rules
are the constuct through which IdentityIQ allows the addition of custom
business logic at specific points within the execution flow of the product.
Rules are written in BeanShell, a lightweight scripting language based on Java.
Rules are created as part of the configuration process of IdentityIQ. Rules are
used extensively throughout the IdentityIQ product.
Schema
A schema
is a component of an application defined in IdentityIQ. The schema defines what
data to read from the target resource and how to interpret that data. There are
two common types of schemas:
Account
– represent
individual accounts on a target resource (AD or SAP Accounts, for example)
Group
– represent
native account groups from target resource (LDAP Groups or AD Groups, for
example)
Scope
A scope
is a container within the product in which objects can be placed to restrict
access. IdentityIQ’s scoping functionality provides an additional level of
control over the segments of data on which a user can perform these tasks. With
scopes, customers can subdivide their data into logical groups and grant access
based on those subdivisions. For example, perhaps a Compliance Officer for the
Americas region should only be able to see details about the Identities within
the Americas region. This can be managed by defining scopes based on
Identities’ Region attributes.
There
are two subtypes of scopes that control access:
Controlled
Scope — a scope
over which an identity has access. This is combined with the identity's
capabilities to determine to which objects a user has access. Every identity in
the system can control zero or more scopes.
Assigned
Scope — a scope
in which an object lives and is used to control who can view and manage the
object. Every object in the product is assigned zero or one scopes. By default,
an object that does not have an assigned scope is available to everyone. The
default behavior can be changed during configuration.
Script
A script
is a segment of Beanshell code that is included in an object and only used
within the given location, such as a Workflow step.
Self-service
Software
that allows users to request access to resources using a self-service
interface, which uses workflow to route the request to the appropriate
manager(s) for approval.
Task
Tasks
are used to automate the processes which build, update, and maintain the
information contained within IdentityIQ. They can be launched from the
Monitorà Tasks UI or scheduled. Tasks invoke a compiled Java class and have
access to the IdentityIQ API, including the database where IdentityIQ stores all
of the identity information.
User
Anyone
who accesses the IdentityIQ User Interface is a user. This includes certifiers,
approvers, people requesting access for themselves or others, and people with
administrative access to IdentityIQ. Specialized terms such as administrators
(people with administrative access), help desk personnel (people with help desk
access), certifier (someone completing an access review), approver (someone
approving a request for access), and general user (the general population who
has no special access and no work items assigned) refer to users with specific
types of access (or lack thereof) or specific work to do.
Workgroup
A group
of users within IdentityIQ that can perform actions (e.g. approvals) or own
objects (e.g. roles, policies) within the system.
Work
Item
A work
item is anything that requires action by a human being before it is completed.
Work items can be entire processes, such as certifications, or any piece of a
process, such as the approval of one entitlement for one identity on one
application.
