Abstract

Editor’s Note: This is a consolidated list of the terminology highlighted in each of the articles published in the BoK. It is not, by any means, a definitive or even broadly supported set of definitions; the context an individual reader brings to the table will influence how accurate the terminology for their use case. We offer the consolidated list here as a touchpoint for discussion. Please consider offering feedback to the articles that use these terms via the IDPro GitHub repository: https://github.com/IDPros/bok

Keywords: Terminology

How to Cite:

Flanagan (Editor) H., (2020) “Terminology in the IDPro Body of Knowledge”, IDPro Body of Knowledge 1(4).

Terminology in the IDPro Body of Knowledge

Terminology in the IDPro Body of Knowledge

Heather Flanagan, editor - @ 2021 IDPro

Term Definition Source
Abstraction the practice of identifying and isolating repeated aspects of operations or business logic so that they can be maintained in one place and referenced in many places. Policy-Based Access Controls
Access Control Controlling who can have access to data, systems, services, resources, locations. The ‘Who’ can be a user, a device or thing, a service Introduction to Access Control
Access Control System a structure that manages and helps enforce decisions about access within an organization. Policy-Based Access Controls
Access Governance The assurance that all access has been given based on the correct decision criteria and parameters Introduction to Access Control
Access Management Use of identity information to provide access control to protected resources such as computer systems, databases, or physical spaces. Introduction to IAM Architecture
Access Policy Definition of the rules to allow or disallow access to secured objects. Introduction to Access Control
Access Requester The person, process, system, or thing that seeks to access a protected resource. Introduction to Access Control
Access Supplier The component granting access to data, systems, services after the access policy requirements (set in the Policy Administration Point) have been met by the Access Requester. Introduction to Access Control
Account Owner An entity that “owns” or claims responsibility for an account. Generally, an account is issued in the name of the owner(s) or their delegate(s) in the case of enterprises. Account Recovery
Account Recovery The process of returning account access to an account owner when they lose, forget, or cannot otherwise produce the account’s nominal credentials. This may be accomplished in person, remote, or in a hybrid format. Account Recovery
Account Recovery The process of updating a user’s credentials within a scenario where the user cannot validate those credentials   Managing Identity in Customer Service Operations
Account Takeover Account takeover is a form of identity theft and fraud, where a malicious third party successfully gains access to a user’s account credentials. Designing MFA for Humans
Accountability The obligation of a person to accept the results of one’s actions, be they positive or negative. This person is probably also a species of an owner. Introduction to Access Control
Action a protected operation available for a resource, such as “view”, “edit”, or “submit”. Policy-Based Access Controls
Adaptive Authentication Adaptive authentication aims to determine and enforce the authentication level required at any time during a user session - when the session is commenced, during the session when access requirements force a re-evaluation, or when the session token expires. The factors to be used in achieving that authentication level are determined dynamically based on the access control policy governing the resources being accessed, and a variety of environmental conditions and risk factors in effect at that time for that user. Designing MFA for Humans
Agent (also “Customer Service Agent”) The person responsible for communicating with and solving problems on behalf of customers or end-users.  Managing Identity in Customer Service Operations
Agile Project Management A framework that uses a continuous, iterative process to deliver a defined piece of functionality, typically a component of a product or service. Scrum is a popular framework (https://www.scrumalliance.org/about-scrum/overview) Introduction to IAM Project Management
Architecture Framework for the design, deployment, and operation of an information technology infrastructure. It provides a structure whereby an organization can standardize the technology it uses and align its IT infrastructure with digital transformation policy, IT development plans, and business goals. Introduction to IAM Architecture
Architecture Overview Describes the architecture components required for supporting IAM across the enterprise. Introduction to IAM Architecture
Architecture Patterns Identifies the essential patterns that categorize the IT infrastructure architecture in an organization and will guide the deployment choices for IAM solutions. Introduction to IAM Architecture
Attribute-Based Access Control (“ABAC”) / Claims-Based Access Control (“CBAC”) a pattern of access control system involving dynamic definitions of permissions based on information (“attributes”, or “claims”), such as job code, department, or group membership. Policy-Based Access Controls
Attributes Key/value pairs relevant for the digital identity (username, first name, last name, etc.). An Overview of the Digital Identity Lifecycle
Authentication The ability to prove that a user or application is trustworthy and has the authority to access a protected resource by validating credentials of an access requester (a user, a process, a system, or a thing). Introduction to Access Control
Authorization Determining a user’s rights to access functionality with a computer application and the level at which that access should be granted. In most cases, an ‘authority’ defines and grants access, but in some cases, access is granted because of inherent rights (like patient access to his/her own medical data) Introduction to Access Control
Bilateral Federation A bilateral federation is one that consists of only two entities: one Identity Provider (IdP) and one Service Provider (SP). This is the most common model for an enterprise identity federation. Federation in the Enterprise
Bot Sometimes called an Internet bot, short for ‘robot’ but referring to a software routine that performs automated tasks over the Internet or a web robot referring to an autonomous network application, or simply a ‘bot’ referring to an automated, typically repetitive, task used for a specific purpose. Non-Human Account Management
Ceremonies Predictable interactions that users can infrequently navigate in a well-watched place Introduction to Identity – Part 2: Access Management
Channel The communication avenue between you and your end-user, or your agent and their customer. This could be phone, chat, social media, or others.  Managing Identity in Customer Service Operations
CIA Triad The fundamental Information security concepts of risk classification of resources from the perspectives of Confidentiality, Integrity, and Availability. Non-Human Account Management
Claims-Based Access Control (CBAC) See Attribute-Based Access Control (ABAC) Policy-Based Access Controls
Consent Permission for something to happen or agreement to do something. Introduction to Privacy and Compliance for Consumers
Consumer Protection Law Laws and regulations that are designed to protect the rights of individual consumers and to stop unfair, deceptive, and fraudulent business practices. Laws Governing Identity Systems
Context conditions under which an action on a resource is authorized for a subject, such as time of access, location of access, or a compliance state. Policy-Based Access Controls
Continuous Authentication Continuous authentication is a mechanism that uses a variety of signals and measurements to determine during a user session if there is any change in the confidence that it is still the same user that authenticated at the beginning of the session, and trigger an authentication action if there is a drop in confidence. Designing MFA for Humans
Contract Law Laws that relate to making and enforcing agreements between or among separate parties. Laws Governing Identity Systems
Credentials Any attribute or shared secret that can be used to authenticate a user. Account Recovery
Data Controller Defined in Article 4(7) of the GDPR: “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;”. This article uses the term “organisation” as a synonym for “data controller”, since organisations involved in IAM will normally be data controllers. An Introduction to the GDPR
Data Mapping “a system of cataloguing what data you collect, how it’s used, where it’s stored, and how it travels throughout your organization and beyond.” Impact of GDPR on Identity and Access Management
Data Processor Defined in Article 4(8) of the GDPR for situations where an organisation processes personal data solely on the instructions of others. A Data Processor must not determine the purposes of processing, for example by processing in its own interests, or, beyond limited technical choices, the means of doing so. Data Processors are regulated by Article 28: in particular they must have a contract with the Data Controller that covers all the subjects listed in Article 28(3). Data Processors are excluded from some, but not all, of the liabilities and duties of Data Controllers. An Introduction to the GDPR
Data Protection by Design Data protection through technology design. See GDPR Article 25 for more detail Impact of GDPR on Identity and Access Management
Data Protection Officer An individual who must be appointed in any organization that processes any data defined by the GDPR as sensitive. The DPO is responsible for “Working towards the compliance with all relevant data protection laws, monitoring specific processes, such as data protection impact assessments, increasing employee awareness for data protection and training them accordingly, as well as collaborating with the supervisory authorities.”(See GDPR Articles 35, 37, 38, and 39 for more detail) Impact of GDPR on Identity and Access Management
Data Subject Defined in Article 4(1) of the GDPR (see “Personal Data” above) as the formal term for the human to whom personal data relates. This article uses the term “individual” as a synonym for “data subject”. An Introduction to the GDPR
Decentralized Identifier (DID) An identifier that is created and anchored in a decentralized system such as a blockchain or ledger and can represent any entity in the ecosystem – an issuer, a holder, a verifier, and even an identity hub. A Peek into the Future of Decentralized Identity
Delegated Authorization Framework An access control framework that decouples authentication from authorization, allowing the password to stay local and protected Introduction to Identity – Part 2: Access Management
Digital Cards Represent verifiable credentials that users collect over time and are stored as part of the user agent or the identity hub of the user. It’s somewhat simpler to refer to them as digital cards rather than verifiable credentials when speaking about them. A Peek into the Future of Decentralized Identity
Digital Identity A unique identifier that, together with relevant attributes, is required in the context of a digital transaction to generate value. An Overview of the Digital Identity Lifecycle
Digital Wallet represents a digital metaphor for a physical wallet and is generally represented by the combination of the user agent and the underlying capabilities of the computing device, such as secure storage and secure enclaves on a mobile phone. The digital wallet contains digital cards. A Peek into the Future of Decentralized Identity
Discretionary Access Control a pattern of access control system involving static, manual definitions of permissions assigned directly to users. Policy-Based Access Controls
dPKI A decentralized public key infrastructure and is usually implemented via an immutable blockchain or ledger – a place where DIDs can be registered and looked up alongside the associated public keys of the DID and its metadata. dPKI can be described more generally as the verifiable data registry, as the dPKI is just one of many possible implementations for a verifiable data registry. While this paper refers to dPKI, the reader should be aware that a verifiable data registry need not necessarily be “decentralized”. A Peek into the Future of Decentralized Identity
Enterprise Architecture An architecture covering all components of the information technology (IT) environment Introduction to IAM Architecture
External identifier The means by which a person in control of a digital identity refers to that identity when interacting with a system Identifiers and Usernames
Federated Access Controls an access control architecture that accommodates separation of user/subject authority and resource/object authority. Policy-Based Access Controls
Federated Identity The means of linking a person’s electronic identity and attributes, stored across multiple distinct identity management systems Introduction to Identity – Part 2: Access Management
Fractured Identity A case where a single end-user has multiple disparate digital identities. Managing Identity in Customer Service Operations
Fraud Law Laws that protect against the intentional misrepresentation of information made by one person to another, with knowledge of its falsity and for the purpose of inducing the other person to act, and upon which the other person relies with resulting injury or damage. Laws Governing Identity Systems
Gantt Chart A popular schedule format that displays both activity and timeframes in a single chart Introduction to Project Management for IAM Projects
General Data Protection Act (GDPR) Formally, Regulation 2016/679 of the European Union, in force May 25, 2018. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679 An Introduction to the GDPR
Holder The entity that holds verifiable credentials. Holders are typically users but can also be organizations or devices. A Peek into the Future of Decentralized Identity
Identification Uniquely establish a user of a system or application. Introduction to Access Control
Identity Defining attributes for a human user that may vary across domains, e.g., a user’s digital identity will have a different definition in a work environment as opposed to the user’s bank. A device identifier is sometimes referred to as its identity. Non-Human Account Management
Identity Federation

An identity federation is a group of computing or network providers that agree to operate using standard protocols and trust agreements. In a Single Sign-On (SSO) scenario, identity federation occurs when an Identity Provider (IdP) and Service Provider (SP) agree to communicate via a specific, standard protocol. The enterprise user will log into the application using their credentials from the enterprise rather than creating new, specific credentials within the application. By using one set of credentials, users need to manage only one credential, credential issues (such as password resets) can be managed in one location, and applications can rely on the appropriate enterprise systems (such as the HR system) to be the source of truth for a user’s status and affiliation.

Identity federations can take several forms. In academia, multilateral federations, where a trusted third party manages the metadata of multiple IdPs and SPs, are fairly common. This article focuses, however, on the enterprise use case where bilateral federation arrangements, where the agreements are one-to-one between an IdP and an SP, are the most common form of identity federation in use today.

Federation in the Enterprise
Identity Governance and Administration (IGA) Includes the collection and use of identity information as well as the governance processes that ensure the right person has the right access to the right systems at the right time. Introduction to IAM Architecture
Identity Hub or Repository The place where users can store their encrypted identity-related information. An identity hub can be anywhere – on the edge, on the cloud, or on your own server. Its purpose is to store personal data. Some implementations may allow other entities to access the identity hub of the user if the user specifically grants such access. You can think of an identity hub as the individual’s personal data store. A Peek into the Future of Decentralized Identity
Identity Provider (IdP) An Identity Provider (IdP) performs a service that sends information about a user to an application. This information is typically held in a user store, so an identity provider will often take that information and transform it to be able to be passed to the service providers, AKA apps. The OASIS organization, which is responsible for the SAML specifications, defines an IdP as “A kind of SP that creates, maintains, and manages identity information for principals and provides principal authentication to other SPs within a federation, such as with web browser profiles.” Federation in the Enterprise
Identity Theft Law Laws governing crimes in which the perpetrator gains access to sensitive personal information belonging to the victim (such as birth dates, passwords, email addresses, driver's license numbers, social security numbers, financial records, etc.), and then uses this information to impersonate the victim for personal gain, such as to commit fraud, establish credit in the victim’s name, or access the victim’s accounts. Laws Governing Identity Systems
Impersonation A scenario where a user is able to perform actions as though they are a known user other than themself. Managing Identity in Customer Service Operations
Intra-organizational (Single Sign-On): A central digital identity, such as an account in a directory, is linked by downstream systems as authoritative for authentication. An Overview of the Digital Identity Lifecycle
Inter-organizational (Federation) An organization relies on another organization’s digital identity and lifecycle management processes. An Overview of the Digital Identity Lifecycle
Internal identifier The way an identity management system refers to a digital identity Identifiers and Usernames
Issuer The entity that issues verifiable credentials about subjects to holders. Issuers are typically a government entity or corporation, but an issuer can also be a person or device. A Peek into the Future of Decentralized Identity
Journey-based Creation The process that guides a customer through a series of interactions prior to establishing a digital identity. For example, capturing the minimum basic information needed from a customer to enable creation of an identity. An Overview of the Digital Identity Lifecycle
Knowledge-Based Authentication (KBA) A method of authentication that uses information known by both the end-user and the authentication service but is not necessarily a secret. Managing Identity in Customer Service Operations
Least Privilege Also known as the Principle of Least Privilege; a resource, such as a user, must only be able to access the resources (e.g., applications, data) that are necessary for it to function. Introduction to Identity – Part 2: Access Management
Multi-Factor Authentication (MFA) An approach whereby a user’s identity is validated to the trust level required according to a security policy for a resource being accessed using more than one factor (something you know (e.g., password), something you have (e.g., smartphone), something you are (e.g., fingerprint). Introduction to Access Control
Multilateral Federation A federation that consists of multiple entities that have agreed to a specific trust framework. There are several forms of multilateral federations, including hub-and-spoke and mesh. Multilateral federations are the most common model for academic identity federations. Federation in the Enterprise
Non-Person Account Any account not specifically assigned to a person, such as accounts used for devices, services, and servers. Non-Human Account Management
OAuth 2.0 OAuth 2.0 is an open-source protocol that allows Resource Owners such as applications to share data with clients by facilitating communication with an Authorization Server. That data takes the form of credentials given to applications to obtain information/data from other applications. The Authorization Server is usually the Identity Provider (IdP). The Authorization Server (AS) may provide authorization directly or indirectly. For example, the AS may supply attributes or profile data of the Resource Owner or provide access to data that can later be used for authorization purposes, such as entitlements from an Identity Management or Governance Solution. Federation in the Enterprise
OpenID Connect (OIDC) OpenID Connect is an authentication and authorization framework built on top of OAuth2.0, specifically the authorization_code grant type. It was created to allow not only to authorize clients to obtain information but also includes the ability for clients to obtain information about the user after the user is authenticated. Federation in the Enterprise
Permission a statement of authorization for one or more subjects to perform one or more actions on one or more objects. Policy-Based Access Controls
Personal Data Defined in Article 4(1) of the GDPR: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”. Note: “natural person” (human) is used to distinguish from companies and other corporate entities that are “legal persons”. An Introduction to the GDPR
Personal Data Personal data are any information which are related to an identified or identifiable natural person. Impact of GDPR on Identity and Access Management
Policy Access Point (PAP) The location where the different types of owners define the access policy. Introduction to Access Control
Policy Decision Point (PDP) The policy engine validating Access requests and provided attributed against the Access Policy (as defined in the Policy Administration Point). Introduction to Access Control
Policy Enforcement Point (PEP) The authority that will only let an Access Requester connect to the Access Supplier if the Policy Decision Point allows it. Introduction to Access Control
Policy Engine It is a security component that validates whether an actor is allowed to access a protected resource, following the requirements in an access policy. Introduction to Access Control
Policy Information Point The authority that refers to the (external) trusted providers of attributes that will be used in the Access Decision. An example is the myacclaim.com service that administers Open Badges of certifications, such as CISSP and MSCP. Introduction to Access Control
Policy-Based Access Control (PBAC) a pattern of access control system involving dynamic definitions of access permissions based on attributes (as in ABAC) as well as context for authorized access. Policy-Based Access Controls
Principle of Least Privilege an information security best practice ensuring that users in an access control system do not have more access to resources than is necessary for their intended activities. Policy-Based Access Controls
Privacy An abstract concept, with no single, common definition Introduction to Privacy and Compliance for Consumers
Privacy Law Laws that regulate the collection, use, storage, and transfer of personal data relating to identified or identifiable individuals. Laws Governing Identity Systems
Processing Defined in Article 4(2) of the GDPR: “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. Note that even this long list of activities is not exhaustive: other activities may also fall within the definition of “processing”. Additional rules, in Article 22, apply to “automated individual decision-making, including profiling”. These generally have the effect of strengthening the rights of information and objection described later and may limit the use of automation for some high-impact decisions. An Introduction to the GDPR
Project A time-limited activity to achieve a defined outcome(s) Introduction to Project Management for IAM Projects
Project Charter Documented authority for the project manager to proceed with a project; it will usually include a succinct statement of the project’s purpose Introduction to Project Management for IAM Projects
Project Plan A document that describes a project; it will usually include a scope statement, schedule, resource plan, communications plan, and quality plan Introduction to Project Management for IAM Projects
Protected Resource A system, a process, a service, an information object, or even a physical location that is subject to access control as defined by the owner of the resource and by other stakeholders, such as a business process owner or Risk manager. Introduction to Access Control
Resource or Object an asset protected by access controls, such as an application, system, or door.
Revised Payment Systems Directive (PSD2) PSD2 (the Revised Payment Services Directive, Directive (EU) 2015/2366) is an EU Directive, administered by the European Commission (Directorate General Internal Market) to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). It contains many requirements specifically related to Strong Client Authentication. Designing MFA for Humans
Role-Based Access Control (RBAC) a pattern of access control system involving sets of static, manual definitions of permissions assigned to “roles”, which can be consistently and repeatably associated with users with common access needs.
Schedule A document that defines the activity and resources required to achieve the planned deliverable(s) and outcome(s) Introduction to Project Management for IAM Projects
Security Assertion Markup Language (SAML) SAML is an XML-based communication protocol between SPs and IdPs. Usually, the enterprise hosts the IdP, whereas applications (including cloud services) are the SPs. Federation in the Enterprise
Segment a grouping of subjects that may be useful for authorizations, such as full-time employees, undergraduate students, IT administrators, or clinicians.
Self-sovereign Identity A term that describes a digital movement that is founded on the principle that an individual should own and control their identity without the intervening administrative authorities. A Peek into the Future of Decentralized Identity
Server Account An account with privileged access rights to a server’s operation typically used for configuration purposes. Non-Human Account Management
Service Account An account used by a computer application to access other applications or services for a specific purpose. Non-Human Account Management
Service Provider (SP) Defined by the OASIS organization, which is responsible for the SAML specification, as “A role donned by a system entity where the system entity provides services to principals or other system entities.” This usually takes the form of an application that offers services requiring authentication and authorization to a user. Federation in the Enterprise
Single Sign-On Single Sign-On is a centralized portal that enables SPs to verify the identities of End Users by facilitating communication with IdPs. SSO acts as a bridge to decouple SPs and IdPs. This can happen via numerous protocols such as agent-based integrations, direct LDAP integration, SAML, and OpenID Connect, to name a few. Federation in the Enterprise
Social Engineering Social engineering is a method of manipulating people so they give up confidential information, such as passwords or bank information, or grant access to their computer to secretly install malicious software. Designing MFA for Humans
Special Category Data (SCD) Categories of data that are regarded as particularly sensitive, so subject to additional regulation. Defined in Article 9(1) of the GDPR as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”; Article 10’s “personal data relating to criminal convictions and offences” requires similar treatment, so is normally considered as another category of SCD. An Introduction to the GDPR
Step-Up Authentication A method to increase the level of assurance (or confidence) the system has regarding a user’s authentication by issuing one or more additional authentication challenges, usually using factors different from the one(s) used to establish the initial authenticated session. The need for increasing the level of assurance is typically driven by the risk associated with the sensitive resource the user is attempting to access. Designing MFA for Humans
System Account A generic term for a privileged account that has extensive permissions to system-level functions, typically used to install new applications, perform system updates, or make configuration changes. Non-Human Account Management
Task Lowest level of defined activity; multiple tasks will typically be grouped into stages of project phases Introduction to Project Management for IAM Projects
Threat Modeling Threat modeling is an analysis technique used to help identify threats, attacks, vulnerabilities, and countermeasures that could impact an application or process. Designing MFA for Humans
Tort Law The body of law that covers situations where one person’s behavior causes injury, suffering, unfair loss, or harm to another person, giving the injured person (or the person suffering damages) a right to bring a civil lawsuit for compensation from the person who caused the injury. Examples include battery, fraud, defamation, negligence, and strict liability. Laws Governing Identity Systems
Trust Federation a trust framework between multiple entities with the purpose of leveraging identity and access management information in a controlled fashion Introduction to Identity – Part 2: Access Management
Two-Factor Authentication (2FA) A specific case of Multi-Factor Authentication (see: IDPro’s Consolidated Terminology) where two factors must be checked to validate a user’s identity. Designing MFA for Humans
Universal Resolver An identifier resolver that works with any decentralized identifier system through DID drivers. The purpose of a universal resolver is to return a DID document containing DID metadata when given a specific DID value. This capability is very useful because DIDs can be anchored on any number of disparate dPKI implementations. A Peek into the Future of Decentralized Identity
User or Subject a person or entity who may receive access within an access control system. Policy-Based Access Controls
Username a common term used for an external identifier Identifiers and Usernames
Username An identifier unique to the authentication service used in conjunction with a shared secret to authenticate a user. Managing Identity in Customer Service Operations
Verifiable Credentials Attestations that an issuer makes about a subject. Verifiable credentials are digitally signed by the issuer. A Peek into the Future of Decentralized Identity
Verifiable Presentations The packaging of verifiable credentials, self-issued attestations, or other such artifacts that are then presented to verifiers for verification. Verifiable presentations are digitally signed by the holder and can encapsulate all the information that a verifier is requesting in a single package. This is also the place where holders can describe the specific terms of use under which the presentation is performed. A Peek into the Future of Decentralized Identity
Verifier The entity that verifies verifiable credentials so that it can provide services to a holder. A Peek into the Future of Decentralized Identity
Zero Trust From NIST Draft Special Publication 800-207, “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet)” Introduction to Identity – Part 2: Access Management