SailPoint IIQ Terminology
The following is a list of useful program terms and their definitions.
Access Management - Process of granting authorized users the right to use a service while preventing access to non-authorized users.
Account - The digital representation of a user’s attributes, entitlements, and permissions within a specific application. A user may have multiple accounts on different systems. It is important to note that an account is different from an identity, as a user can have many accounts but only one true identity.
Approval - The process for approving an access request. In certain circumstances, approvals can be bypassed if certain conditions are met. This would be known as an auto-approval.
Authentication - The process of validating that a person is who they claim to be when attempting to access a secure information system. Passwords are the most common authentication mechanism. Single factor authentication is commonly defined as a process that requires users to enter a password. Multi-factor authentication requires users to provide additional credentials such as a one-time PIN number or biometric factor.
Authorization - The process of determining what a user is permitted to do within a secure information system.
Automated - Self-driven computing of a process from which human interaction has been excluded.
Certification - The automation of reviewing and approving identity access privileges, account group membership and permissions, role membership and role composition.
Consumer - Services, systems, and applications that utilize identity information.
Entitlement - An account attribute that grants permissions within a system or application based on the attribute value. Common examples of an entitlement attribute include group memberships in Active Directory or a role code in a business application.
Group - A collection of permissions on the target application that models business functions or application-level access.
Identity - The collection of information that uniquely identifies a person.
Identity and Access Management - The overall framework for managing user lifecycle and their system access across all populations through automated solutions.
Identity and Access Management Modernization Program (IAMMP) - A set of projects whose goal is to modernize the University of Texas at Austin’s Identity and Access Management systems, business processes, data management and technical architecture. IAMMP consists of the implementation of SailPoint IdentityIQ (IIQ) to transition and/or retire legacy identity and access management tools as UT Austin’s computing landscape transitions during the Administrative Systems Modernization Program.
Identity Hub - A service-level abstraction that encompasses the core identity management infrastructure, including SailPoint IdentityIQ and TIM.
Identity Lifecycle - Describes various events that can have a material effect upon the characteristics of an identity. Lifecycle events are typically triggered by changes to authoritative source data. SailPoint IdentityIQ is configured to invoke the appropriate identity lifecycle workflow when certain changes are detected. The most common types of lifecycle events are: joiner , mover, and leaver.
Joiner - A person who is joining the university for which an identity record will be created in the IAM Application and access will be provisioned based on his/her job function and responsibilities.
Least Privilege - Designing roles with the concept of assigning the fewest amounts of permissions necessary in order for the role to execute the appropriate business process tasks to ensure that application roles do not have unnecessary access.
Leaver- A person who is separating from the university and whose access is meant to be revoked.
Methodology - Structured, sequenced set of activities that need to be completed to affect the desired change(s) by using a system of principles and procedures applied to a process or discipline.
Monitoring - Automated tools to provide real-time notification of detected wrongdoing and vulnerability exploitation. When applicable, a security baseline will be developed and the tools will report exceptions.
Mover - A person who is an existing member of the university that is undergoing a transition of job function and responsibilities. This includes departmental transfers, promotions, inter-departmental transfers, and conversions. Access for movers will need to be provisioned/de-provisioned and certified based on his/her new job function and responsibilities.
Password Management - The process by which password policy is enforced.
Permission - In an IAM data model, each entitlement may implicitly grant one or more associated permissions to a user. For example, an Active Directory group called “Compliance Officers” may grant read-write permissions to a Compliance file share. These permissions would be conferred upon any member of the group.
Policy - Describes a type of rule that is used to identify and prevent inappropriate access scenarios.
Privileges - Access rights given to a particular person or group. Privileges may represent what a user is allowed to see or do at the application level or across the enterprise. Comprises access control, which determines the repository objects that a user can read and modify, as well as privileges, which enable a user to perform operations, such as system administration and auditing.
Process - A series of steps that define the order in which actions should be carried out to achieve a particular output.
Provisioning - Any kind of change (e.g. Create, Update, Disable, Enable, Delete) to a user account on a connected system. Provisioning can be performed either manually or automatically. The word “deprovisioning” is often used to describe access revocation processes. This term is technically inaccurate. In fact, access revocation is simply another form of provisioning that encapsulates the disabling or deletion of a user account.
Reconciliation - A process run on a periodic basis to identify and report differences in the user access portfolio by comparing user entitlements in IIQ to the actual entitlements as reported by the application.
Reporting - The ability to generate access reports on a scheduled or ad-hoc basis. Reports are delivered to identities via email. Some standard reports contain information on identity access, role membership, and access requests.
Role - A set of entities that may be systems, services or applications that share a common function, responsibility, or relationship or a set of related privileges which are to be assigned or denied together.
Role Based Access Control (RBAC) Model - The Role Based Access Control Model represents the matrix of accesses (i.e. permissions) for a given business process, business area, etc. The model is defined by the logical groupings of Business Roles, application roles, business process tasks, and permissions associated with those tasks.
Role Governance - The system and structure for defining policy, determining ownership and managing and coordinating procedures for an application or resource. Role Governance defines the process by which the organization is directed, controlled and held accountable in the role management process. The program focuses on the clear definition of roles and responsibilities in the decision making process and outlines the set of principles and practices that guide the Role Governance Board.
Role Maintenance - Change management for role creation, modification and removal.
SailPoint IdentityIQ (IIQ) - A governance-based identity and access management software solution selected as the foundation to close the functional gaps IAM services currently face. SailPoint IIQ will also be replacing many of the features and services that are provided by TIM and the legacy authorization systems. Read more about SailPoint IIQ on the service page.
Segregation of Duties (SOD) - SOD is used to explain a separation of certain job functions that cannot or should not be performed by the same individual in order to prevent the possibility of fraud, misappropriation of company assets or other acts that would bear negatively on the company, regardless of whether or not the person would actually commit fraud.
Self-Service - Enabling user self-service to prevent Service Desk involvement (Account Request, Passwords).