IAM / IdM Definitions, Acronyms and Abbreviations

July 10th, 2006 by Administrator

Access Management
The process of:
  1. Determining the set of authorizations and privileges that a validated identity may have on computing resources
  2. Controlling entitlement by granting or denying access to those resources

Access Manager
The portion of IAM that authorizes and controls access to computing resources based on predefined or customized policies.

Adaptors
Provide an interface between targets (systems to which access is granted or denied) and the Access/Authorization modules within an Identity Management System.

Auditing & Reporting
Comprehensive, enterprise-wide auditing and reporting of identity profile data, change histories, and user permissions, ensuring that security risks are detected early, allowing proactive response by administrators. The ability to review the status of all identity access privileges at any time improves audit performance and helps achieve compliance with regulatory requirements. Reporting on usage of self-service password resets and time metrics for the provisioning and de-provisioning of users provides management with high visibility into key operational metrics and operational improvements.

Authentication
The process of establishing whether an identity is valid in a particular context or system. The client being authenticated can be an end user, a machine, a service, or an application. If the credentials provided by the client are valid, the client is considered an authenticated client. It is important to note that authentication is simply the act of validating that an identity is active and valid within the Identity Management System. Once authenticated, the identity still requires authorization to do meaningful work.

Authorization
The process of verifying whether the authenticated client has sufficient rights to access the requested resource.

Authorization Decision Assertion (ADA)
Specific to SAML (Security Assertion Markup Language). An ADA is an assertion, or credential, which determines what actions an identity is able to perform.

Credentials
A dataset attached to an identity that proves the identity belongs to the subject (or entity). To use an identity to access a resource, the entity must present proof that the identity belongs to the person, system, or process. When credentials are presented to a security authority at the Policy Enforcement Point (PEP), the authority authenticates the credentials, thereby validating the identity.

Directory Service
A directory service associates names and identities with objects and attributes. Depending on implementation, a directory service can encompass access, authorization, auditing, policies, white and yellow pages. Thus, you not only can look up an object by its name but also get the object’s attributes or search for the object based on its attributes. A directory service, whether standalone, federated, meta, or virtual, provides the backbone of an Identity Management System.

Entitlements
A set of authorized accesses that are attached to an authenticated entity. This set may also be referred to as “grants” or “entitlement grants.” Entitlements can be highly specific, and refer to applications, parts of applications such as specific web pages, or even individual functions within the application code, such as transactions. Entitlements tend to be application specific, while credentials are more generic and system specific.

Federation
A module or standalone component of an Identity Management System (IMS), which provides a “web of trust.” Provides a method for business partners to mutually agree on how to authenticate and authorize users, and which users to trust. Users authenticated by one organization’s Identity Management System can pass transparently to a partner business without having to re-authenticate. (A form of multi-partner single sign on.)

IAM
Identity & Access Management. Often used interchangeably with the term “IdM,” depending on vendor, and context.

Identity
A unique set of data, such as a token, username, fingerprint, or social security number, combined with attributes that uniquely describe an entity. The entity may be a user, an application or a service. Identities are mapped or associated with specific individuals and services, and then managed within the context of an Identity Management System. A unit of identity uniquely identifies who and what can access the system.

Identity Management System (IMS)
Comprehensive framework, typically existing within a set administrative boundary such as a domain or organization, which provides Access and Authorization Management, Auditing, Reporting, Strong Authentication, Federation, Identity Lifecycle Management, Adaptors, and Directory Services. Note that the IMS refers to the infrastructure, framework, software, servers, networks, and systems which collectively provide comprehensive Identity Services.

Identity Manager
The component of the Identity Management System that allows users, groups, roles, and entitlements to be added, modified, or removed. Specifically provides application provisioning services, and user self-service functions such as password changes and resets.

IdM
Industry-standard acronym which stands for “Identity Management.” The terms “IAM” and “IdM” are often used interchangeably, though “IAM” is more descriptive in that it includes external access controls, in addition to identity lifecycle management.

Infrastructure
Composite combination of physical systems, networks, applications, and operating systems which provide the plumbing for IAM.

LDAP
Lightweight Directory Access Protocol. LDAP takes the “lightweight” in its name from the fact that it is essentially a trimmed-down version of the X.500 directory standard. LDAP is both a directory service (implemented as a physical database and related services) and a protocol which defines the means of accessing the LDAP store. LDAP is used for yellow/white pages, authentication, authorization, and “grouping” services.

Meta Directory
Collection of directory information from various, diverse directory sources that is aggregated to provide a single, unified view of data. Meta directories often synchronize identity and classification data uni- or bi-directionally with multiple directories, building the master “book of record” which can be used by people, systems, and services. Meta directories are often used as the transitional step toward a single, unified directory store of information. One of the key differentiators between meta directories and virtual directories is that meta directories store and synchronize data between multiple different directories, whereas virtual directories do not store data. See the “Virtual Directory” definition below.

Policy Decision Point (PDP)
The service within an Identity Management System that makes policy-based decisions, such as which user can access which resources, and at which times of the day. The PDP answers queries from the PEP and returns ‘decisions’ back to the PEP.

Policy Enforcement Point (PEP)
Asks or interrogates the Policy Decision Point (PDP) whether the user, service, or requested operation has access and permission to perform an action. For example: can user “jdoe” access file “12345.doc”? The PEP allows or disallows the user action based on the PDP decision.
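The PDP/PEP exchange described above, as an added example (not code from the original page): the PDP holds the policy and returns Permit or Deny, and the PEP asks it before letting an action through. The users, rules and the hour-of-day restriction are constructed sample data.

```python
# Added example (not from the original page): a minimal Policy Decision Point
# (PDP) queried by a Policy Enforcement Point (PEP), mirroring the glossary's
# "can user jdoe access file 12345.doc?" exchange. The users, rules and the
# hour-of-day restriction are constructed sample data.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    subject: str    # a user name or "role:<role name>"
    resource: str   # exact resource name, or a prefix ending in "*"
    action: str     # "read", "write", ...
    hours: range = field(default_factory=lambda: range(0, 24))  # permitted hours

class PolicyDecisionPoint:
    """Holds policy and answers queries; it never touches the resource itself."""
    def __init__(self, rules, roles):
        self.rules = rules
        self.roles = roles  # user -> set of roles (the user's entitlements)

    def decide(self, user, resource, action, hour):
        subjects = {user} | {f"role:{r}" for r in self.roles.get(user, ())}
        for rule in self.rules:
            if rule.subject not in subjects or rule.action != action:
                continue
            if rule.resource.endswith("*"):
                matched = resource.startswith(rule.resource[:-1])
            else:
                matched = resource == rule.resource
            if matched and hour in rule.hours:
                return "Permit"
        return "Deny"  # default deny: no matching rule means no access

class PolicyEnforcementPoint:
    """Sits in front of the resource and enforces whatever the PDP decides."""
    def __init__(self, pdp, authenticated_users):
        self.pdp = pdp
        self.authenticated = authenticated_users  # identities already validated

    def request(self, user, resource, action, hour):
        if user not in self.authenticated:  # authentication precedes authorization
            return False
        return self.pdp.decide(user, resource, action, hour) == "Permit"

RULES = [
    Rule("jdoe", "12345.doc", "read"),
    Rule("role:finance", "reports/*", "read", range(8, 18)),  # office hours only
]
PDP = PolicyDecisionPoint(RULES, roles={"asmith": {"finance"}})
PEP = PolicyEnforcementPoint(PDP, authenticated_users={"jdoe", "asmith"})
```

Note that an unauthenticated caller never reaches the PDP, and an authenticated caller with no matching rule is denied: the two checks are separate, as the Authentication and Authorization entries above describe.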

Privacy
State or degree to which an identity is shared, hidden, or obfuscated from other identities, or non-identity holders.

Trust
A determination by a system or service whether to authenticate or authorize a “foreign” identity or service (one whose authentication/authorization request originates outside the organization’s native Identity System). In the Identity Management context, trust often refers to federated entities, which have agreements on which entities to trust (authenticate) or deny.

User Provisioning
The function of an Identity Management System that creates identities in target systems, and removes identities from the targets when no longer needed. Provisioning refers both to the service delivered by an Identity Management System, and the action of creating, adding, or removing an identity.

Virtual Directory
Similar in concept to a meta directory, in that both create a single directory view from multiple independent directories, such as Active Directory, LDAP, and relational databases. However, a virtual directory is fundamentally different in that it does not store data internally. Meta directories maintain their own data storage unit, such as a database, while the virtual directory collects and caches information dynamically.
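The meta versus virtual distinction described above, as an added example (not code from the page): both answer the same lookup, but only the meta directory keeps its own store, so it serves stale data until resynchronized, while the virtual directory queries the live sources each time its short-lived cache expires. The source directory contents are constructed in-memory data.

```python
# Added example (not from the original page): the storage difference between a
# meta directory, which synchronizes sources into its own master store, and a
# virtual directory, which queries sources on demand and only caches. The source
# directories are constructed in-memory dicts standing in for AD, HR, etc.
import time

class MetaDirectory:
    """Aggregates sources into its own 'book of record'; stale until resynced."""
    def __init__(self, sources):
        self.sources = sources  # name -> {uid: {attribute: value}}
        self.store = {}
        self.sync()

    def sync(self):
        """Pull every source into the master store (later sources win on clash)."""
        self.store = {}
        for entries in self.sources.values():
            for uid, attrs in entries.items():
                self.store.setdefault(uid, {}).update(attrs)

    def lookup(self, uid):
        return self.store.get(uid)  # answered from local storage only

class VirtualDirectory:
    """Keeps no store of its own; merges live answers and caches them briefly."""
    def __init__(self, sources, ttl=5.0, clock=time.monotonic):
        self.sources, self.ttl, self.clock = sources, ttl, clock
        self.cache = {}  # uid -> (fetched_at, merged attributes)

    def lookup(self, uid):
        hit = self.cache.get(uid)
        if hit is not None and self.clock() - hit[0] < self.ttl:
            return hit[1]  # fresh cache entry, no backend query
        merged = {}
        for entries in self.sources.values():  # query every backend now
            if uid in entries:
                merged.update(entries[uid])
        result = merged or None
        self.cache[uid] = (self.clock(), result)
        return result
```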

X.500
The “father” of LDAP, and the original suite of directory services protocols and standards. X.500 comprises a broad set of services which include name resolution, directory access protocols (DAP), query resolvers, schemas, naming mechanisms, and physical storage structures. In real-world implementations, X.500 became cumbersome over time, providing a monolithic directory view, placing heavy loads on the clients, and relying on pure OSI-based protocols over TCP. X.500 has been mostly replaced with the newer LDAP.
