A
Access Levels
Bundles of EmpowerID operations and/or native system rights specific to a resource type, such as Exchange mailboxes or user accounts. Access Levels, when assigned to users, specify the manner in which those users can access IT resources. Different resource types have their own set of Access Levels defined to maintain consistent access control.
Accounts
User profiles imported from external systems. These may or may not be assigned to a specific Person object.
Account Store
A specialized type of resource system managed by EmpowerID that functions as a directory containing user account objects. Account Stores can perform their own authentication, such as Active Directory authentication.
Approval Flow
A sequential process that governs the evaluation and authorization of user access requests (a.k.a., Business Requests) to organizational resources.
Approval Flow Policy
A predefined set of sequential steps dictating how Business Requests should be approved or rejected. Each step assigns specific approvers responsible for evaluation.
Approval Flow Step
An individual stage within an Approval Flow Policy, designated to a specific approver or group of approvers.
Approver Resolver Rule
Criteria that dictate to whom an Approval Flow Step should be routed for evaluation. Examples include routing to a request initiator's manager or a role-based approver.
Attributes
Attributes are named data elements that describe the properties or characteristics of an entity within a system. They serve as the building blocks for identity profiles and resource configurations. In EmpowerID, attributes could refer to user attributes like username, email, or role, as well as resource attributes such as access levels and permissions.
Attribute Flow
Authorization Object
A group representing a specific access assignment in an application or directory system. The group can either be a security group in Active Directory or a generic group in EmpowerID that represents a group or role in a target application.
Authorization Package/Business Function
A bundle of access required to complete a Business Function or participate in a team. Represented by Management Roles, these packages bundle access across multiple systems into a single non-technical assignable unit.
AuthN
Short for Authentication, “AuthN” refers to the process of confirming the identity of an entity, typically a user, system, or application.
AuthZ
Short for Authorization, “AuthZ” refers to the process of determining the access level an authenticated person or system has.
B
Birthright Access
The initial set of entitlements and permissions automatically granted to an individual based on their role within the organization.
Business Request
In EmpowerID, a Business Request is a formalized request that is commonly initiated by end-users for specific actions or access within an organization's IT ecosystem. These requests can vary in nature, ranging from requesting access to particular resources to initiating specific workflows such as account provisioning, role changes, or permission approvals.
The Business Request feature in EmpowerID allows for the customization of request forms and approval workflows. This enables organizations to tailor the request process according to their specific needs, compliance requirements, or governance policies. Once a Business Request is initiated, it undergoes a predefined approval workflow involving one or multiple approvers, depending on the organization's Approval Flow policy configuration.
These policies ensure that each request is processed in a controlled manner, allowing for efficient tracking and auditing. Upon completion of the approval flow, the Business Request is assigned a status, such as 'Approved' or 'Rejected,' which clearly indicates the request's outcome. This feature enhances the organization's ability to maintain compliance and governance standards by providing a structured, auditable trail of all user-initiated actions and administrative decisions.
Business Role
A type of role designed to reflect organizational responsibilities rather than specific technical permissions. Business roles aggregate various entitlements and access rights into a single, easily assignable role.
C
Cloud Gateway
The Cloud Gateway is a small, lightweight Windows application that acts as a connectivity gateway between the customer environment and the EmpowerID SaaS tenant. It enables the EmpowerID Cloud SaaS tenant to inventory and manage on-premise systems without requiring ports to be opened on their firewall
Company
Serves as a high-level organizational unit for grouping various configurable elements, facilitating better resource and permission management.
Compliant Access Delivery
Securely granting access to resources while adhering to laws, regulations, and organizational policies.
Containers
Containers are lightweight, self-sufficient packages that encapsulate the necessary elements to run an application, including code, runtime, libraries, and system tools. They operate in isolation from the host system, ensuring a uniform and consistent environment for applications. In the context of EmpowerID, containers are used to deploy various system components, contributing to enhanced scalability and reliability.
EmpowerID Worker Containers
Worker Containers constitute the application tier in the EmpowerID architecture. Specialized for back-end system integration, these containers handle inventory management, data synchronization, and security management tasks. They also execute internal web service processes. The specifications and count of Worker Containers are determined by the variety and volume of applications and integrations in your EmpowerID setup. Worker Containers do not handle User Interface (UI) requests and are analogous to the on-premise Worker Role Service.
EmpowerID UI Containers
UI Containers act as the user-interface layer, serving web pages and handling interactive workflows initiated by end-users. These containers are responsible for delivering the Web applications that constitute the user interface of EmpowerID. By default, they operate strictly over HTTPS and maintain a stateless user interface. The EmpowerID UI container role parallels the functions performed by the on-premise Web Role Service.
Core Identity
A unique representation of each individual human user or IoT device, serving as the root or "master" identity from which multiple "Person Objects" can be derived.
E
EmpowerID API Gateway / ReverseProxy
The EmpowerID API Gateway / Reverse Proxy provides single sign-on and authorization for users accessing an organization's web applications. The reverse proxy service stands in front of the web applications and services end-user requests.
EmpowerID LDAP Virtual Directory Server
The EmpowerID LDAP Virtual Directory server provides LDAP virtual directory authentication and data services for exposing EmpowerID Identity Warehouse data and connected directories objects as a single unified LDAP directory with a flexible schema.
EmpowerID RADIUS Server
The EmpowerID RADIUS server provides RADIUS authentication for routers, switches, and other RADIUS-compliant devices.
EmpowerID RBAC Actor Types
Collections of people or objects to which EmpowerID policies can be assigned, including Person, Group, Management Role Definition, Management Role, Query-Based Collection, Business Role, and Location.
EmpowerID SCIM Virtual Directory Service
The EmpowerID SCIM Virtual Directory service provides a single SCIM-compliant API for the EmpowerID Identity Warehouse and all connected systems.
Entitlement
The set of attributes or resources that a particular user is allowed to access within an application or service.
F
Federated Identity
The linking of a person's electronic identity and attributes across multiple distinct identity management systems.
Federation
A collection of computing or network providers agreeing upon standards of operation in a collective fashion.
FIDO
Fast Identity Online, a set of security specifications for strong authentication.
G
Governance
The set of policies, roles, and processes that control how an organization's business divisions and IT teams work together.
I
IAM
Stands for Identity and Access Management, a framework for business processes that facilitates the management of electronic or digital identities.
IAM Shop
A microservice within EmpowerID where users can browse and request access to various resources. It functions as a self-service portal for access management and is designed to streamline the user experience for acquiring resource permissions.
Identity Federation
Linking of a person's electronic identity and attributes across multiple distinct identity management systems.
Identity Verification
The process of confirming the truth of an attribute of a single piece of data claimed true by an entity.
Inventory Job
A scheduled task that collects data from connected systems and updates the EmpowerID Identity Warehouse.
J
Jobs
Functionalities in EmpowerID are broken down into granular "jobs," hosted and run in Windows services that communicate back to the EmpowerID Identity Warehouse over REST Web services. Jobs are either specific tasks that run on a scheduled basis (such as Inventory) or REST Web Services used in workflow processes.
JSON Web Token (JWT)
An open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
L
Location
In EmpowerID, a “Location” is a container for holding resources.
M
MFA
Stands for Multi-Factor Authentication, which refers to the use of more than one method of authentication to verify the user's identity for a login or other transaction.
Management Role
Management Roles serve as customizable containers that aggregate various Access Levels into role-based or job-specific bundles. These roles facilitate streamlined, bulk assignment of access permissions across multiple systems.
Management Role Definition
In EmpowerID, a Management Role Definition acts as a template for creating specific Management Roles. It predefines the structure and attributes, including Access Levels, that are automatically inherited by Management Roles based upon it. This centralized blueprint allows for the uniform application of settings and permissions across multiple Management Roles, streamlining administrative tasks and ensuring consistency in access control.
Microservices
Microservices refer to an architectural approach for software development where an application is composed of loosely-coupled, independently deployable components or services. Each microservice is responsible for a specific, discrete task and communicates with other services via well-defined APIs. This approach facilitates agility, scalability, and resilience, allowing each service to be developed, deployed, and scaled independently. In EmpowerID, microservices such as IAM Shop, MyTasks, Resource Admin, and My Identity handle specific functionalities within the platform.
Mutual SSL/TLS
A security measure whereby both the client and server authenticate each other's identity before establishing a secure connection.
OAuth 2.0
An open standard for access delegation commonly used for token-based authentication and authorization.
Operations
In EmpowerID, Operations are protected code objects that, when executed, allow a resource to be accessed in a manner consistent with the type of resource and the operation.
O
OIDC
Stands for OpenID Connect, it is a simple identity layer on top of the OAuth 2.0 protocol, which allows clients to verify the identity of the end-user.
OrgRole
An object in EmpowerID representing a person's Business Role, which is assigned in conjunction with an Organizational Location.
OrgZone
An Organizational Location/Business Context that is always assigned in conjunction with a Business Role.
P
Person
An object representing a human being, typically owning multiple user accounts in external systems. The base identity in EmpowerID's RBAC model.
Personas
Core identities linked to multiple sub-person objects, which are the professional identities with business information attached.
Polyarchical RBAC
A system where people are assigned to one or more Business Roles for a specific Location/Context, reducing role bloat.
Provisioning
The process of setting up a new user account, creating a directory entry, and providing initial access permissions.
PKI
Stands for Public Key Infrastructure, a framework that manages digital keys and certificates.
Q
Query-Based Collections
Also known as Set Groups, these are logical bundles of Sets grouped together with a friendly name for resource management.
R
Resource Systems
Specific systems within which a resource resides, such as Active Directory domains, LDAP directories, or custom applications.
Risk Management
The process of identifying, assessing, and treating risks associated with an organization’s IT resources.
RBAC
Stands for Role-Based Access Control, a method where access permissions are associated with roles, and users are assigned roles to receive those permissions.
RBAC Actor Types
Collections of people or objects to which EmpowerID policies can be assigned, including Person, Group, Management Role Definition, Management Role, Query-Based Collection, Business Role, and Location.
Resources
The lowest level object in the EmpowerID security model, representing a specific IT asset.
S
Single Sign-On (SSO)
A mechanism that allows users to securely authenticate with multiple services and applications using one set of credentials.
Self-Service
The ability for end-users to perform actions themselves without requiring assistance from IT staff, such as password reset or access request.
SCIM
System for Cross-domain Identity Management, a standard for automating the exchange of user identity information between IT systems.
T
Token
A small hardware device that the owner carries to authorize access to a network service.
Two-Factor Authentication (2FA)
A security process in which the user provides two different authentication factors to verify their identity.
W
Workflow
A sequence of connected steps that automate the process of data and tasks flow as they are passed from one participant to another.
X
XACML
Stands for eXtensible Access Control Markup Language, an XML-based standard for expressing security policies and access rights to information.
XML
Stands for eXtensible Markup Language, a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.
Y
YubiKey
A hardware authentication device manufactured by Yubico that supports one-time passwords, public-key cryptography, and authentication, among other services.
Z
Zero Trust Architecture
A security model that advocates the strict limitation of access to all resources within a network, regardless of whether they are inside or outside the perimeter.
For additional information or queries regarding the EmpowerID glossary, consult the official documentation or reach out to the EmpowerID support team.
...
A
Access Levels
Access Levels are bundles of EmpowerID operations and/or native system rights specific to a resource type (such as Exchange mailboxes or user accounts) that, when assigned to users, give those users the ability to access IT resources in the manner specified by the Access Level. Each resource type has its own set of Access Levels defined with different combinations of EmpowerID operations and rights (where applicable) to ensure that the level of access to the resources remains consistent for the type and the assignment.
Accounts
User profiles imported from external systems. May or may not be assigned to a specific Person object.
Account Store
EmpowerID inventories, manages
...
and protects resources in what is called resource systems. Account Stores represent a special type of resource system managed by EmpowerID.
...
Account stores
...
differ from other
...
resource systems
...
because they function as directories
...
containing user account objects and can perform their own authentication, such as Active Directory.
Approval Flow
A sequential process in EmpowerID that governs the evaluation and authorization of user access requests to organizational resources.
Approval Flow Policy
A predefined set of sequential steps that dictate how Business Requests should be approved or rejected. Each step assigns a specific approver or group of approvers responsible for evaluating each request.
Approval Flow Step
An individual stage within an Approval Flow Policy, each of which is assigned to a designated approver or approvers. At each step, approvers can approve or reject the request or specific resource items within the request.
Approver Resolver Rule
Criteria that determine to whom an Approval Flow Step should be routed for evaluation. Examples include routing to the request initiator's manager, the target person's manager, or a designated role-based approver.
Authorization Object
A group that represents a specific access assignment in an application or directory system. The group can either be a security group in Active Directory or a generic group in EmpowerID that represents a group or role in a target application.
Authorization Package/Business Function
Management Roles are used to represent Authorization Packages (AKA Business Functions) in EmpowerID. An Authorization Package is a business-designed bundle of access required to complete a Business Function or for participation in a team or working group. Authorization packages bundle access across multiple systems and present a single non-technical assignable unit of access. The Management Role allows this flexibility and enables the business owners to create friendly, non-technical descriptions and manage the governance cycle of these packages.
B
Birthright Access
...
A concept that refers to the initial set of entitlements and permissions automatically granted to an individual based on their role
...
within the organization.
...
In EmpowerID, birthright access is managed through two primary mechanisms:
Provisioning Policies: These policies define the new objects (e.g., user accounts or roles) that should be automatically created for
...
an individual when they join the organization.
Access Assignments: These are policies that automatically add the individual's user accounts to predefined groups, application roles, or permissions based on their role in the organization.
Business Role
A
...
Company
type of role in EmpowerID that is designed to reflect organizational responsibilities, job functions, or business needs rather than specific technical permissions. Business roles aggregate various entitlements, dynamic roles, and access rights into a single role that can be easily assigned to individuals or groups. This approach simplifies administration and enhances understanding of access rights from a business perspective. Business roles are often aligned with the organization's titles, departments, or functions.
C
Company
In the context of EmpowerID, the term "Company" serves as a high-level organizational unit for grouping users, roles, policies, and other configurable elements, facilitating better management and segmentation of resources and permissions across the platform. People belong to companies via their Business
...
Role and
...
Location assignments.
Compliant Access Delivery
...
The practice of securely granting access to information or resources
...
while adhering to applicable laws, regulations, and organizational policies.
...
Core Identity
...
Compliant access delivery aims to safeguard sensitive information by ensuring that only authorized individuals with a legitimate need can access it. This approach strives to strike a balance between the necessity for information access and the imperative to mitigate security risks, including unauthorized access, data theft, or information misuse.
Core Identity
A unique representation within EmpowerID for each individual human user or Internet of Things (IoT) device. A Core Identity serves as the root or "master" identity from which multiple "Person Objects" can be derived. These Person Objects may represent various facets of the individual's or device's interactions with different systems, services, or roles within the organization. By allowing a Core Identity to own multiple Person Objects, EmpowerID provides a flexible and comprehensive approach to identity management.
EmpowerID RBAC Actor Types
...
EmpowerID functionality is broken down into a large number of granular "jobs," which are hosted and run in Windows services that communicate back to the EmpowerID Identity Warehouse over REST Web services. Jobs are either specific tasks that run on a scheduled basis (such as Inventory) , or they are REST Web Services used in workflow processes.
...