Glossary

This glossary defines terms and concepts that relate to identity and access management and DirX Identity.

A

abstract class

In object-oriented programming, a class that is designed only as a parent class from which subclasses are derived and that is not itself meant to be instantiated. An abstract class declares the operations that every derived class must implement. A purely abstract class (in C++, one whose methods are all pure virtual) is often used as an interface, which is why the two terms are sometimes used interchangeably.

access management

The part of an IAM system that performs real-time enforcement of the security policies established for each user of the enterprise IT infrastructure. Access management processes include authentication, authorization, and audit.

access policy

A policy that defines access rights within DirX Identity itself. Access policies form the basis of delegated administration and can optionally be controlled through privileges. See also delegated administration, privilege.

access rights

The rights granted to a user that define how that user is allowed to access a resource on an IT system (a connected system or DirX Identity itself). In DirX Identity:

  • Membership of the user’s account in target system groups determines the user’s access rights in that connected system. See also privilege, group.

  • Access policies determine the user’s access rights to resources in DirX Identity itself (user, privilege and password policy data); for example, the set of privileges the user is allowed to assign, and the users to whom they may be assigned.

account

A user’s representation in a target system. A user can have accounts in many different target systems. See also personal account and privileged account.

administrative fail-over

The process of monitoring Identity Server operation in a high availability scenario and then manually transferring functions from a failed Identity Server to a working Identity Server. DirX Identity administrators can use the Identity Server Admin tool to perform these tasks.

agent

A DirX Identity component that enables data exchange between a specific connected system and its target system in the identity store during metadirectory integration and synchronization operations. Agents are used by the batch-oriented metadirectory synchronization and provisioning services.

application programming interface (API)

The interface (functions and classes) that an application presents to developers for adding new features or changing existing ones. See also connector server API.

approval workflow

A type of request workflow that handles approvals of user-role assignments by requesting authorization of these assignments by various approvers according to the access policies in force. See also request workflow.

audit

The process of producing, collecting, cleansing and correlating data about IAM administration, authentication and authorization events and transforming this data into actionable intelligence with respect to compliance regulations, business security policies and corporate risk management objectives. In the IAM context, audit is also called identity audit; it provides the means to analyze and report on IAM functioning and delivers the information needed to govern users and their entitlements.

audit message

A message in an audit trail that DirX Audit has extracted, transformed into DirX Audit data format and stored in the DirX Audit Database. The data in the audit message includes the original message in the format of the audit producer plus the "who", "what" and "where from" information and a message identification.

audit trail

A chronological sequence of audit messages, where each message contains evidence that directly pertains to and results from the execution of an IAM transaction. See also audit message.

authentication

The process of identifying a user and verifying the claimed identity, for example by checking a password, token or certificate.

authorization

The real-time enforcement of user access requests to the enterprise resources. Authorization ensures that users can only access the IT systems in the enterprise and their corresponding resources according to their access rights.

automatic fail-over

The process of monitoring Identity Servers in a high availability scenario and then automatically transferring functions from a failed Identity Server to a working Identity Server. Administrators configure Identity Servers to perform these tasks.

B

business object

A collection of data related to a business structure in the enterprise such as an organizational structure, a cost center structure or a project structure. Business objects in an identity management system help to automate user-role assignment and reduce identity data redundancy.

C

C++ connector

A connector written in the C++ programming language. See also connector.

certification campaign

The process of periodically checking user-privilege assignments to ensure that these assignments continue to comply with business policies.

collection

A set of objects and subtrees within a domain that can be exported to an LDIF file for subsequent transfer to another domain.

compliance

The clear and demonstrable observance of legal regulations.

connected system

An IT system in an enterprise that authenticates and authorizes users and that DirX Identity provisions according to the identity information about that system held in the identity store. Examples of connected systems are operating systems, messaging systems, directories and databases, ERP applications, Web portals and e-business applications, groupware applications, and mainframe security systems. DirX Identity represents each connected system as a target system in its identity store.

connectivity

The ability to connect to a connected system for provisioning or to handle a connected system through its API. In DirX Identity, connectivity is accomplished through agents or connectors.

connector

A DirX Identity component that enables data exchange with a specific connected system. Connectors are used by the event-triggered provisioning services. An agent can be built by integrating a specific connector with the Identity Integration Framework into a stand-alone program.

connector server API

The interface classes, macros and libraries that third-party developers can use to create customer-specific connectors.

D

delegated administration

The process of permitting users to assign their access rights to data in DirX Identity’s identity store (or a subset of these access rights) to other users through a Web-based interface.

domain

An isolated area under DirX Identity control that has its own set of users, roles, and policies. DirX Identity can support several domains (called "multi-tenant capability").

E

entitlement

The access right of a user in a target system; for example, a group assignment. Identity governance functions discover entitlements in target systems and then use them to create aggregated privileges like permissions and business roles. Privilege resolution determines, as a consequence of role assignment and user context information like attributes and role parameters, the set of entitlements that need to be provisioned. See also group, privilege.

exception

An error condition that changes the normal flow of control in a program. In C++, an exception is a language construct that lets developers separate error handling from normal processing: code that detects an error "throws" an exception, and a handler further up the call chain "catches" it. The C++ connector server expects a connector to throw an exception when an error occurs.

F

factory method

A method that defines an interface for creating objects but lets subclasses decide which class to instantiate. Callers obtain objects through the factory method instead of calling a constructor directly (for example, with the new operator), so the concrete class can be changed without changing the callers.

federation

An application of authentication that permits an enterprise to share trusted identities with autonomous organizations outside the enterprise, such as trading partners or suppliers, so that a user authenticated by one organization can be accepted by the others. Also called federated identity.

functional user

A method for modeling a resource that can be assigned to a user; for example, a global mailbox, a group mailbox, a physical room with a phone connection or a working student entry. A functional user represents the resource and is managed by the user who sponsors it. See also user and persona.

G

group

A set of access rights in a specific target system. The group is the basic building block of the DirX Identity privilege model. Its semantics are specific to each connected system; more generic privileges are built by aggregating groups. See also entitlement, privilege.

I

identity

A single unique view of a user to be provisioned in the enterprise IT infrastructure that is aggregated from multiple authoritative sources of user data in the enterprise IT infrastructure by the IAM system’s metadirectory services. Also called digital identity. The representation of an identity in a connected system is an account.

identity and access management (IAM)

An integrated solution for user and access management across the heterogeneous systems that constitute the IT infrastructure of an enterprise.

identity governance

The functions in identity management that provide a high-level, transparent business-oriented way to define, create, manage, assign, review and remove digital identities and their entitlements to resources.

Identity Integration Framework

The set of interfaces and common utilities that permit customers to extend DirX Identity connectivity to new connected systems and to customize the Identity Web Center.

identity management

The part of an IAM system that ensures a consolidated, enterprise-wide view and way to manage user access to resources in the enterprise IT infrastructure. Identity management processes include user self-service and delegated administration, password management, user management, privilege and policy management, provisioning, and metadirectory.

Identity Manager

The DirX Identity component that provides a graphical user interface to the configuration information in the identity store for managing DirX Identity connectivity and provisioning.

identity provisioning

The functions in identity management that dynamically and automatically realize the results of identity governance functions into entitlements in the IT infrastructure.

Identity Server

The runtime environment for all DirX Identity services and workflows.

Identity Server Admin

The DirX Identity Web application that allows DirX Identity administrators to perform administrative fail-over of Identity Server operations. See also administrative fail-over.

Identity Store

An LDAP-enabled directory in the enterprise IT infrastructure that is used as the identity consolidation and distribution point for the other connected IT systems in the enterprise. The identity store contains consolidated identity data from different authoritative sources and connected systems and manages DirX Identity’s configuration data in a separate tree.

Identity Web Admin

A Web-based DirX Identity component for monitoring server processes, including status, logging, and statistics. Web Admin also permits server optimization and error-handling via a dead letter queue.

Identity Web Center

The DirX Identity component that provides a Web interface for self-service user management and selected administrative tasks - for example, privilege management, password policy management and delegation - from a Web browser.

Internal SPML representation (ISR)

The set of classes that implement the SPML constructs for use in C++ connectors. These classes form the connector server API and carry the data that is delivered to and from the connectors. See also Service Provisioning Markup Language, connector server API.

M

manual provisioning

The process of provisioning a target system that is not directly connected to DirX Identity’s provisioning processes: an event-triggered request workflow sends a notification to the target system’s administrator, who then performs the provisioning by hand. See also provisioning.

meta agent

See agent.

metadirectory

The identity management component that integrates the different directories, user databases, and application-specific repositories in the enterprise IT network. It provides the connectivity, management and interoperability functions that unify the user data ("join") and ensures the bidirectional attribute flow (synchronization) in this fragmented, heterogeneous environment.

multithreaded application

An application whose program execution consists of multiple threads executing in a shared address space. The C++ connector server is a multithreaded application: its components (for example, its connectors) run independently of each other but share the same application resources (for example, memory space). See also thread.

P

parameterized RBAC

An aspect of role-based access control (RBAC) that permits the access rights modeled by a generic role or permission to be customized on assignment to a specific user. See also role parameter, permission parameter, role-based access control.

password management

A specialized application of an identity management system that allows users to maintain a single password that is automatically synchronized to all relevant IT systems in the enterprise, to change and reset their passwords in one or more systems (for example, an LDAP directory or in Windows) and to notify users when they need to change their passwords to comply with password policies established for the enterprise (for example, expiration of a password’s lifetime).

password policy

A policy for controlling the requirements that DirX Identity places on user passwords, such as password complexity, expiration dates, and the behavior of the system after failed logins.
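The following Python example, added here for illustration and not DirX Identity code, shows what evaluating such a policy involves: complexity rules checked when a password is set, a lifetime check, and lockout after repeated failed logins. The policy values (12 characters, three character classes, 90 days, five failures, 15-minute lockout) are hypothetical.

```python
"""Evaluating a password policy: complexity rules, password lifetime and lockout after
repeated failed logins. Added example for illustration; not DirX Identity code.
The policy values and thresholds are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3                     # of lower, upper, digit, other
    max_age: timedelta = timedelta(days=90)  # password lifetime
    max_failures: int = 5                    # failed logins before lockout
    lockout: timedelta = timedelta(minutes=15)


@dataclass
class AccountState:
    password_set: datetime
    failures: int = 0
    locked_until: Optional[datetime] = None


def complexity_errors(password: str, policy: PasswordPolicy, forbidden: Tuple[str, ...] = ()) -> List[str]:
    """All complexity rules the password breaks; an empty list means it is acceptable."""
    errors: List[str] = []
    if len(password) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    classes = sum([any(c.islower() for c in password), any(c.isupper() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])
    if classes < policy.min_classes:
        errors.append(f"fewer than {policy.min_classes} character classes")
    lowered = password.lower()
    if any(word and word.lower() in lowered for word in forbidden):
        errors.append("contains a forbidden word (user name, company name, ...)")
    return errors


def password_expired(state: AccountState, policy: PasswordPolicy, now: datetime) -> bool:
    """True once the password is older than the policy's lifetime."""
    return now - state.password_set > policy.max_age


def record_login(state: AccountState, success: bool, policy: PasswordPolicy, now: datetime) -> str:
    """Apply the failed-login rules; returns "ok", "failed" or "locked".

    While the lockout lasts even a correct password is refused, so that an attacker
    cannot learn from the response whether a guess was right."""
    if state.locked_until is not None and now < state.locked_until:
        return "locked"
    if success:
        state.failures, state.locked_until = 0, None
        return "ok"
    state.failures += 1
    if state.failures >= policy.max_failures:
        state.locked_until = now + policy.lockout
        state.failures = 0
        return "failed" if False else "locked"
    return "failed"
```

The forbidden-word check takes the user's own attributes (login name, surname) as input so that a password derived from the user entry is rejected; a real deployment would also check a breached-password list.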

permission

A connected-system-neutral set of access rights that aggregates a collection of groups from one or more connected systems. The permission is the intermediate building block of the DirX Identity privilege model. See also privilege.

permission parameter

A critical attribute in a user entry that indirectly influences the user’s access rights via rules or other mechanisms. Because permission parameters have system-wide effects on user access rights, the ability to change permission parameters should be secured by approval processes.

persona

A method for modeling a user’s different functions in an enterprise - for example, "system administrator" or "project manager" - where each function requires a different set of accounts and entitlements. See also user and functional user.

personal account

An account in a target system that is related to one specific identity (user). See also account and privileged account.

policy

A high-level directive that is used to control the decision-making behavior of the DirX Identity system. Policies are composed of one or more rules; each rule implements a part of the policy.

policy parameters

The parameters used in DirX Identity that affect the assignment of access rights or privileges, especially permission and role parameters.

privilege

Any set of access rights modeled and used in DirX Identity. The term "privilege" is a generic designation for group, permission or role. In this model, access rights to IT systems and resources are controlled by privileges, which in turn are assigned to users. See also group, permission, role.

privileged account

An account in a target system that entitles users to perform high-risk, security-critical operations on the target system. An example of a privileged account in a UNIX operating system is the "root" account. An example of a privileged account in a Windows operating system is the "Administrator" account. See also account and personal account.

proposal list

A list of selections displayed in a drop-down list when a user clicks the drop-down list icon for an attribute value field. The content of a proposal list can be derived from business object structures.

provisioning

The process of automatically calculating user access rights and distributing them to IT systems based on the privileges assigned to the user. The provisioning process automatically grants, changes, and revokes access rights in IT systems in response to privilege assignment, re-assignment, and revocation.
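The group, permission and role entries describe the three levels of the privilege model, parameterized RBAC describes how a role parameter customizes an assignment, and provisioning describes turning the result into grants and revokes. The following Python example, added here for illustration and not DirX Identity code, resolves a user's role assignments into the flat set of target-system groups and computes the delta that provisioning would push to the connected systems. The role, permission and group names, the "target:group" notation and the "{project}" placeholder syntax for role parameters are all constructed for this example.

```python
"""Privilege resolution in the group -> permission -> role model, with role
parameters, followed by the grant/revoke delta that provisioning pushes out.
Added example for illustration; not DirX Identity code. All names are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# A group is an entitlement in one specific connected system.
Group = Tuple[str, str]  # (target system, group name)

# Constructed sample privilege model. A group is written "target:name"; a "{project}"
# placeholder is filled in from a role parameter at resolution time (parameterized RBAC).
PERMISSIONS: Dict[str, Set[str]] = {
    "mail-user":     {"exchange:MailboxUsers"},
    "project-share": {"fileserver:prj-{project}-rw", "jira:{project}-developers"},
    "project-lead":  {"fileserver:prj-{project}-admin", "jira:{project}-leads"},
    "ad-helpdesk":   {"ad:Helpdesk", "ad:Remote Desktop Users"},
}
ROLES: Dict[str, Set[str]] = {
    "Employee":       {"mail-user"},
    "Project Member": {"project-share"},
    "Project Leader": {"project-share", "project-lead"},
    "Helpdesk":       {"ad-helpdesk", "mail-user"},
}


@dataclass(frozen=True)
class RoleAssignment:
    role: str
    # role parameters fixed at assignment time, e.g. {("project", "apollo")}
    params: FrozenSet[Tuple[str, str]] = frozenset()


def expand_group(spec: str, params: Dict[str, str]) -> Group:
    """Turn "target:name-with-{placeholders}" into a concrete (target, group) pair."""
    target, _, name = spec.partition(":")
    try:
        return (target, name.format(**params))
    except KeyError as missing:
        # A parameterized group cannot be resolved without its parameter; refuse rather
        # than silently provisioning a wrong or literal "{project}" group.
        raise ValueError(f"group {spec!r} needs role parameter {missing}") from None


def resolve(assignments: List[RoleAssignment]) -> Set[Group]:
    """Privilege resolution: the flat set of groups implied by the user's roles."""
    groups: Set[Group] = set()
    for assignment in assignments:
        params = dict(assignment.params)
        for permission in ROLES[assignment.role]:
            for spec in PERMISSIONS[permission]:
                groups.add(expand_group(spec, params))
    return groups


def provisioning_delta(current: Set[Group], desired: Set[Group]) -> Tuple[List[Group], List[Group]]:
    """Memberships to grant and to revoke so that the connected systems match `desired`."""
    return sorted(desired - current), sorted(current - desired)


if __name__ == "__main__":
    user = [RoleAssignment("Employee"),
            RoleAssignment("Project Leader", frozenset({("project", "apollo")}))]
    desired = resolve(user)
    # Constructed current state of the user's accounts in the connected systems.
    current = {("exchange", "MailboxUsers"), ("fileserver", "prj-apollo-rw"), ("ad", "Helpdesk")}
    grants, revokes = provisioning_delta(current, desired)
    print("grant:", grants)    # the two leader groups plus the jira developer group
    print("revoke:", revokes)  # ad:Helpdesk, which no assigned role justifies any more
```

The revoke list is the security-relevant half of the delta: a membership that no current role justifies (here ad:Helpdesk) is removed even though nobody explicitly asked for that, which is what distinguishes role-based provisioning from ad-hoc administration.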

Q

query

A search filter that is intended for dynamic, frequent use for auditing purposes, such as searching for unassigned accounts (accounts that have no user assigned to them). Queries are stored as query folders in the DirX Identity store.

R

reconciliation

The periodic comparison of connected system accounts and group data to the identity store to detect local changes to the connected system’s data that have occurred independently of the changes initiated by DirX Identity. Deviations can be reconciled by hand or through automated policy-driven workflows.

request workflow

A workflow that handles self-service and delegated administration requests that may require authorization by one or more approvers.

role

A set of access rights based on business semantics that allows the enterprise to structure access to resources according to job descriptions and functions. The role is the top-most building block of the DirX Identity privilege model and is based on the National Institute of Standards and Technology (NIST) role-based access control (RBAC) standard.

role-based provisioning

The process of assigning one or more roles to a user, either manually or by rules, in order to implement a security policy. Role-based provisioning requires the existence of a role catalog and a role engineering process that reflects the enterprise business processes. Assigning a role to a user results in group memberships in various target systems.

rule

A lower-level directive that implements a part of a policy.

rule-based privilege assignment

The process of automatically assigning privileges (roles, permissions, but mostly groups) to a user based on one or more rules that implement a security policy. Also called policy-based privilege assignment.

S

segregation of duties (SoD)

The process of placing constraints on role assignment to enforce "conflict of interest policies", for example, a user with the role "accounts payable" cannot be assigned the role "accounts receivable". Also called separation of duties.

self-registration

A form of self-service in which a user makes a request from the intranet or Internet for membership in an enterprise service.

self-service

The process of allowing users to manage their own data, passwords, and delegations and to request privileges for themselves through a Web-based interface.

separation of duties

See segregation of duties (SoD).

service management system

A platform for structuring information technology (IT) operations and IT-related activities such as problem resolution and change control according to business processes and user requirements. Also called IT service management (ITSM).

Service Oriented Architecture (SOA)

A methodology for defining functional elements as modular, interoperable services. Web Services are one method for implementing an SOA.

Service Provisioning Markup Language (SPML)

An OASIS standard XML-based framework for exchanging user, resource and service provisioning information between cooperating systems. SPML is based on request-response exchanges; for more information on SPML, see http://www.oasis-open.org/specs/#spmlv1.0.

Simple Object Access Protocol (SOAP)

A standard XML-based protocol for exchanging structured messages between networked services, typically over HTTP. SOAP is based on request-response exchanges; for more information about SOAP, see http://www.w3.org/2000/xp/Group/2/06/LC/soap12-part1.html.

single sign-on (SSO)

A component of access management that permits a user to access multiple IT systems and applications after being authenticated just once. Web SSO is the same concept applied to Web-based applications accessed through a browser. See also Web access management.

SoD policy

A policy that specifies the roles that cannot be assigned to a user at the same time. See also segregation of duties (SoD).
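The segregation of duties entry gives the conflict-of-interest rule and this entry the policy that encodes it. The following Python example, added here for illustration and not DirX Identity code, shows the check a request workflow would run before an approver sees a role request: it lists the SoD policies a set of roles violates and decides whether adding one more role introduces a new conflict. The policy names, role names and the "any two roles from the same policy conflict" semantics are constructed for this example.

```python
"""Checking a proposed role assignment against segregation-of-duties (SoD) policies.
Added example for illustration; not DirX Identity code. Policy and role names are constructed."""
from typing import Dict, FrozenSet, List, Set, Tuple

# An SoD policy names roles that must not be held by one user at the same time;
# any two roles from the same policy conflict (constructed semantics).
SOD_POLICIES: Dict[str, FrozenSet[str]] = {
    "AP/AR":          frozenset({"accounts payable", "accounts receivable"}),
    "vendor-payment": frozenset({"vendor master maintenance", "payment release"}),
}

Violation = Tuple[str, FrozenSet[str]]  # (policy name, conflicting roles held)


def violations(roles: Set[str], policies: Dict[str, FrozenSet[str]] = SOD_POLICIES) -> List[Violation]:
    """Every SoD policy that the given set of roles violates."""
    found: List[Violation] = []
    for name, exclusive in policies.items():
        held = exclusive & roles
        if len(held) >= 2:
            found.append((name, frozenset(held)))
    return found


def check_assignment(current_roles: Set[str], new_role: str,
                     policies: Dict[str, FrozenSet[str]] = SOD_POLICIES) -> Tuple[bool, List[Violation]]:
    """Decide whether new_role may be added; returns (allowed, policies it would newly violate).

    Only conflicts introduced by the new role are reported: a user who already violates
    a policy is not blocked from unrelated roles. The pre-existing violation is the kind
    of finding a certification campaign is meant to surface."""
    before = {name for name, _ in violations(current_roles, policies)}
    after = violations(current_roles | {new_role}, policies)
    introduced = [v for v in after if v[0] not in before]
    return (not introduced, introduced)


if __name__ == "__main__":
    allowed, why = check_assignment({"accounts payable", "hr"}, "accounts receivable")
    print("allowed" if allowed else f"rejected: {why}")
```

Because the check runs on the union of existing and requested roles, it catches conflicts created by the order of requests (payable first, receivable later) as well as a single request for both roles.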

synchronization

The process of extracting, transforming, and loading data from one repository to another, especially identity and access control data in the case of identity management systems, for example, from the authoritative sources of identity information to the identity store and vice-versa.

T

target system

The representation of a connected system within DirX Identity. A target system is a partial copy of the data in a connected system that DirX Identity keeps synchronized with the actual data in the connected system. This data includes accounts (the users in the connected system) and groups (a representation of the access control objects or resources in the connected system).

thread

The part of an application that can run independently of and concurrently with other parts of the application. See also multithreaded application.

ticket

A record of a service management request. See also service management system.

U

user

A person inside or outside the enterprise for the purposes of privilege assignment.

user facet

A method for modeling a user’s different positions within an organization - for example, "student", "tutor" or "teaching assistant" - where each position requires a different set of roles. See also user, persona and functional user.

user hooks

Extensions made by customers to DirX Identity common code that are independent of this code and which therefore do not change with product updates. The DirX Identity default application code is divided into common code (control and central scripts that can change with product updates) and user hooks (customer routines that are protected from product updates).

user management

The activities related to the creation, maintenance, and use of user accounts, user attributes, privileges, and so on that encompass the different directories, user databases, and application-specific repositories that make up the fragmented, heterogeneous enterprise IT environment. User management consists of two main tasks: maintaining an up-to-date and accurate directory of users to be provisioned and assigning users to privileges.

V

validation

The process of comparing a connected system with its representation - the target system - in the Identity store to determine any deviations. The reconciliation process consists of a validation that is followed by manual or automatic handling of the detected deviations.
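The reconciliation entry describes detecting local changes in a connected system and the validation entry describes the comparison step itself; the query entry gives "unassigned accounts" as a typical audit search. The following Python example, added here for illustration and not DirX Identity code, runs such a validation over a constructed target system and a constructed snapshot of the connected system, reports each deviation, and then splits the deviations into those a policy would revert automatically and those left for an administrator. The data model, deviation kinds and handling policy are all constructed for this example.

```python
"""Validation of a target system (the copy DirX Identity keeps) against a snapshot read
from the connected system, followed by a policy-driven split into deviations that are
reverted automatically and deviations handed to an administrator.
Added example for illustration; not DirX Identity code. All data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    name: str
    user: Optional[str]                     # owning identity; None = unassigned account
    groups: Set[str] = field(default_factory=set)


@dataclass
class Deviation:
    kind: str                               # see validate() for the kinds
    account: str
    group: Optional[str] = None


# Constructed target system data (accounts and memberships as DirX Identity last saw them).
SAMPLE_TARGET: Dict[str, Account] = {
    "alice":      Account("alice", "Alice Smith", {"Users"}),
    "bob":        Account("bob", "Bob Jones", {"Users", "Backup Operators"}),
    "svc-legacy": Account("svc-legacy", None, {"Users"}),
}
# Constructed snapshot of the connected system: account name -> groups it is a member of.
SAMPLE_CONNECTED: Dict[str, Set[str]] = {
    "alice":      {"Users", "Domain Admins"},   # membership added locally
    "bob":        {"Users"},                    # membership removed locally
    "svc-legacy": {"Users"},
    "mallory":    {"Users"},                    # account created locally
}


def validate(target: Dict[str, Account], connected: Dict[str, Set[str]]) -> List[Deviation]:
    """Compare the target system with the connected system and list every deviation."""
    found: List[Deviation] = []
    for name in sorted(connected.keys() - target.keys()):
        found.append(Deviation("account-added", name))      # unknown to DirX Identity
    for name in sorted(target.keys() - connected.keys()):
        found.append(Deviation("account-deleted", name))
    for name in sorted(target.keys() & connected.keys()):
        actual, expected = connected[name], target[name].groups
        for group in sorted(actual - expected):
            found.append(Deviation("member-added", name, group))
        for group in sorted(expected - actual):
            found.append(Deviation("member-removed", name, group))
    for name, account in sorted(target.items()):
        if account.user is None:                              # the "unassigned accounts" query
            found.append(Deviation("unassigned", name))
    return found


# Constructed handling policy: membership drift is reverted by a workflow, anything
# touching account existence or ownership goes to an administrator.
AUTO_REVERT = {"member-added", "member-removed"}


def reconcile(deviations: List[Deviation]):
    """Split deviations into (handled automatically, handled by hand)."""
    automatic = [d for d in deviations if d.kind in AUTO_REVERT]
    manual = [d for d in deviations if d.kind not in AUTO_REVERT]
    return automatic, manual


if __name__ == "__main__":
    for d in validate(SAMPLE_TARGET, SAMPLE_CONNECTED):
        print(d.kind, d.account, d.group or "")
```

The locally added "Domain Admins" membership is the case reconciliation exists for: a privilege granted outside DirX Identity that no role backs, which the automated path reverts while the locally created account and the ownerless service account are routed to an administrator.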

W

Web access management

Access management for users and applications that attempt to access IT resources via a Web browser and/or Web protocols. See also access management.

Web Services

(W3C definition) A software system designed to support interoperable machine-to-machine interaction over a network. It has an interface described in a machine-processable format (specifically Web Services Description Language (WSDL)). Other systems interact with the Web Service in a manner prescribed by its description using SOAP-messages, typically conveyed using HTTP with an XML serialization in conjunction with other Web-related standards. DirX Identity Web Services expose important identity management functionality for SOA environments.

workflow

An IT processing activity built from successive and parallel steps. Examples include request workflows, data synchronization workflows, event-triggered workflows, scheduled workflows, and so on.