Terms, definitions, and Identity Management knowledge

What is Password Synchronization?

Password Synchronization is often offered as a simpler alternative to single sign-on (SSO): it ensures that a user’s password is the same across multiple systems, but the user still logs in to each system separately. One system, such as Active Directory, acts as the central authority. When a user’s password is changed in the central authority, the new password is pushed out to the other connected systems, such as their email provider. Because one compromised password then opens every synchronized system, password synchronization should be combined with a strong password policy and Multi-Factor Authentication, and the sync channel itself must be protected, since the central authority handles the new password in clear text at the moment it is changed.

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) is an account security process in which a user must prove their identity with two or more independent factors: something they know (a password or PIN), something they have (a phone, hardware token, or smart card), or something they are (a fingerprint or face). Two passwords are two steps, not two factors; the factors must come from different categories, so that stealing one does not hand an attacker the other. MFA most commonly refers to logging into a computer, network, application, or other resource. To complete a Multi-Factor Authentication process, you must provide specific credentials or meet certain conditions at each stage. While “two-factor authentication” remains a popular term, MFA has increasingly become the umbrella term.

What is User Account Onboarding?

When a new employee starts a job that requires access to a computer or email, they’ll need an account—likely in Active Directory or Google G Suite. Some organizations set all of that up by hand, which takes a lot of time. Those who work with Tools4ever automate the process, and everything is created in a snap. Either way, once the new user accounts and passwords are set up, it’s time for the riskiest part of any onboarding plan: the hand-off, in which the initial credentials are delivered to the new employee. Until the new user has changed the password, anyone who intercepts that hand-off can use the account, so initial passwords should be unique per user, delivered over a channel separate from the username, and set to expire at first logon.

What is SAML and how does it work?

Security Assertion Markup Language (SAML) is a type of Single Sign-On (SSO) standard. It defines a set of rules/protocols that allow users to access web applications with only a single login. This is possible because those applications (referred to as “Service Providers”) all trust the systems that verify users’ identities (referred to as “Identity Providers”). After a user logs in, the Identity Provider sends the Service Provider a digitally signed assertion stating who the user is; the Service Provider checks the signature against the Identity Provider’s certificate, and checks that the assertion is addressed to it and is still within its validity window, before granting access.
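The Service Provider side of that exchange is where SAML deployments most often go wrong: the signature is verified but the assertion’s issuer, audience, time window, or one-time ID is not. The following is an added example, not code from the original page or from any SAML library: it takes an assertion whose XML signature has already been verified (that step is assumed, and would be done with an XML-DSig library) and applies the remaining checks. The assertion, the issuer and audience URLs, and the `_req42` request ID are constructed sample data.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical Service Provider configuration (constructed for this example).
EXPECTED_ISSUER = "https://idp.example.com/metadata"
EXPECTED_AUDIENCE = "https://sp.example.com/saml/metadata"
CLOCK_SKEW = timedelta(seconds=120)

# Constructed sample assertion. Its XML signature is assumed to have been verified
# already against the Identity Provider's certificate; this code does not do that.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://sp.example.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


class SamlValidationError(Exception):
    pass


def _ts(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses ("2024-01-01T12:00:00Z")."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, now: datetime, seen_ids: set,
                       expected_request_id: str = None) -> str:
    """Apply the post-signature checks and return the asserted NameID.

    seen_ids is the Service Provider's cache of assertion IDs already consumed;
    an assertion replayed with the same ID is rejected even if still in its window.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise SamlValidationError("not a SAML 2.0 Assertion")

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        raise SamlValidationError("unexpected issuer %r" % issuer)

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    not_before = _ts(cond.get("NotBefore"))
    not_on_or_after = _ts(cond.get("NotOnOrAfter"))
    if now < not_before - CLOCK_SKEW or now >= not_on_or_after + CLOCK_SKEW:
        raise SamlValidationError("assertion outside its validity window")

    # The assertion must name this Service Provider; one issued for another
    # application must not be accepted here.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise SamlValidationError("assertion not addressed to this Service Provider")

    # For SP-initiated login, the assertion must answer the request we actually sent.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if expected_request_id is not None:
        if scd is None or scd.get("InResponseTo") != expected_request_id:
            raise SamlValidationError("InResponseTo does not match our request")

    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        raise SamlValidationError("assertion %s already used (replay)" % assertion_id)
    seen_ids.add(assertion_id)

    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    cache = set()
    when = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    print(validate_assertion(SAMPLE_ASSERTION, when, cache, "_req42"))
```

In production the `seen_ids` cache must be shared across all Service Provider instances and retained at least as long as the longest `NotOnOrAfter` plus skew; otherwise a replayed assertion succeeds on whichever node has not seen it.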

What is Single Sign-On (SSO)?

Decades ago, a single set of user credentials was all that a person needed to do their job. Then more applications were created that required separate credentials, and still more as the years went on. Nowadays, a person may be required to log in to as many as nine applications in order to do their job, and each of those applications usually requires its own user credentials. Single Sign-On lets a person log into all of their applications with a single set of credentials. Those credentials then become a high-value target, because one compromise opens every connected application, so the system that holds them should itself be protected with Multi-Factor Authentication.

What is Role-Based Access Control (RBAC)?

Role-Based Access Control (RBAC) is a method for setting up authorization management within an organization. With this method, authorizations are not assigned to individuals one by one but are attached to RBAC roles, and roles are assigned to an employee based on their department, position, location, cost centre, and possibly other factors in the organization. When one of those attributes changes, the employee’s roles, and therefore their authorizations, change with it.

What is User Account Provisioning?

User Account Provisioning (or user provisioning) is a process that ensures user accounts are created, given proper permissions, changed, disabled, and deleted. These identity management actions are triggered when information is added or changed in a personnel system. New hires, promotions, transfers, and departures are examples of events that can trigger identity management processes.

What is Identity and Access Management?

Identity and Access Management (IAM) is the umbrella term for the structures and processes within an organization that administer digital identities and control their access to resources. Predominantly for IT resources, these processes mostly deal with network access rights, privileges, and AD group memberships.

What is Segregation of Duties?

Many business processes, if executed by a single person, would create a conflict of interest. For example, an employee should not be able to submit and approve their own purchase orders. Segregation of Duties (SoD) principles dictate that such processes must be split up between multiple people within an organization. A process may even require multiple approvers in the case of high-risk processes. In an RBAC model this is enforced by defining which combinations of roles are in conflict and refusing to grant both to the same account.
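The following is an added example, not code from the original page or from Tools4ever, covering both the RBAC description above and this Segregation of Duties entry: roles are derived from an employee’s department, position, and location, permissions are the union of the roles’ permissions, and a pair of conflicting roles blocks the grant until someone reviews it. The rule table, role names, permission strings, and the `entitlement_for` function are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical role model, constructed for this example.
# A rule's attributes must all match the employee's HR record for the role to apply.
ROLE_RULES = [
    ({"department": "Finance"}, "finance-staff"),
    ({"department": "Finance", "position": "Clerk"}, "po-submitter"),
    ({"department": "Finance", "position": "Manager"}, "po-approver"),
    ({"location": "Amsterdam"}, "ams-building-access"),
]
ROLE_PERMISSIONS = {
    "finance-staff": {"erp:read"},
    "po-submitter": {"erp:po:create"},
    "po-approver": {"erp:po:approve"},
    "ams-building-access": {"badge:ams"},
}
# Toxic combinations: no single person may hold both roles in a pair.
SOD_CONFLICTS = [("po-submitter", "po-approver")]


@dataclass
class Entitlement:
    roles: set
    permissions: set
    sod_violations: list


def derive_roles(attrs: dict) -> set:
    """Roles follow from HR attributes, not from per-person assignment."""
    return {role for match, role in ROLE_RULES
            if all(attrs.get(key) == value for key, value in match.items())}


def sod_violations(roles: set) -> list:
    return [pair for pair in SOD_CONFLICTS if pair[0] in roles and pair[1] in roles]


def entitlement_for(attrs: dict, exception_roles=()) -> Entitlement:
    """Compute effective access for one employee.

    exception_roles are manually granted extras (a common way SoD gets broken);
    if the resulting role set violates a conflict pair, nothing is granted and
    the violations are reported for review instead.
    """
    roles = derive_roles(attrs) | set(exception_roles)
    violations = sod_violations(roles)
    if violations:
        return Entitlement(roles, set(), violations)
    permissions = set()
    for role in roles:
        permissions |= ROLE_PERMISSIONS.get(role, set())  # an unknown role grants nothing
    return Entitlement(roles, permissions, [])


if __name__ == "__main__":
    clerk = {"department": "Finance", "position": "Clerk", "location": "Amsterdam"}
    print(entitlement_for(clerk))
    print(entitlement_for(clerk, exception_roles=("po-approver",)))
```

Moving the clerk to a manager position changes the derived roles automatically, which is the point of RBAC; the SoD check runs on the final role set, so it catches conflicts whether they arise from attribute changes or from manual exceptions.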

What is the User Account Lifecycle?

The "User Account Lifecycle" defines the collective management processes for every user account. These processes can be broken down into Creation, Review/Update, and Deactivation. If your organization utilizes IT resources of any kind, you rely on user accounts to access them.

What are Orphaned Accounts?

The term most often refers to network accounts (e.g. Active Directory) associated with former/inactive employees. However, it remains applicable to any type of account that is not actively used. For example, a Google account that is not used by an active employee would still be designated an "orphan". Orphaned accounts are attractive to attackers because nobody is watching them: their owner will not notice a compromise, and they often keep the access rights of a role that no longer exists.
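The provisioning, account lifecycle, and orphaned-account entries above describe one procedure: compare the personnel system with the directory, act on joiners, movers, and leavers, and flag accounts with no active owner or no recent use. The following is an added example of that reconciliation, not code from the original page or from Tools4ever. The HR feed, the directory snapshot, the field names, and the 90-day inactivity threshold are constructed for the example.

```python
from datetime import date

# Constructed sample data. The HR feed is the authoritative source; the directory
# snapshot is what currently exists. Field names are hypothetical.
HR_FEED = [
    {"emp_id": "1001", "name": "Alice", "status": "active", "department": "Finance"},
    {"emp_id": "1002", "name": "Bob", "status": "active", "department": "Sales"},       # transfer
    {"emp_id": "1003", "name": "Carol", "status": "terminated", "department": "IT"},   # departure
    {"emp_id": "1004", "name": "Dan", "status": "active", "department": "IT"},         # new hire
]
DIRECTORY = {
    "alice":      {"emp_id": "1001", "department": "Finance", "enabled": True, "last_logon": date(2024, 5, 30)},
    "bob":        {"emp_id": "1002", "department": "Finance", "enabled": True, "last_logon": date(2024, 5, 29)},
    "carol":      {"emp_id": "1003", "department": "IT", "enabled": True, "last_logon": date(2024, 1, 5)},
    "erin":       {"emp_id": "9999", "department": "HR", "enabled": True, "last_logon": date(2024, 5, 1)},
    "svc-backup": {"emp_id": None, "department": None, "enabled": True, "last_logon": date(2023, 11, 1)},
}


def username_for(record: dict) -> str:
    """Hypothetical naming convention for new accounts."""
    return record["name"].lower()


def reconcile(hr_feed: list, directory: dict, today: date, inactivity_days: int = 90) -> dict:
    """Return provisioning actions (joiners, movers, leavers) and orphaned accounts.

    Accounts are matched to people by employee ID, never by name, so a renamed
    or duplicated name cannot hijack someone else's account.
    """
    active_ids = {r["emp_id"] for r in hr_feed if r["status"] == "active"}
    by_emp = {acct["emp_id"]: user for user, acct in directory.items() if acct["emp_id"]}

    actions = []
    for rec in hr_feed:
        user = by_emp.get(rec["emp_id"])
        if rec["status"] == "active":
            if user is None:
                actions.append(("create", username_for(rec), rec["department"]))   # joiner
            elif directory[user]["department"] != rec["department"]:
                actions.append(("update", user, rec["department"]))                # mover
        elif user is not None and directory[user]["enabled"]:
            actions.append(("disable", user, rec["status"]))                       # leaver

    # An account is an orphan if no active employee owns it, or if it is enabled
    # but has not been used for longer than the inactivity threshold.
    orphans = {}
    for user, acct in directory.items():
        reasons = []
        if acct["emp_id"] not in active_ids:
            reasons.append("no active owner in HR")
        idle = (today - acct["last_logon"]).days
        if acct["enabled"] and idle > inactivity_days:
            reasons.append("no logon for %d days" % idle)
        if reasons:
            orphans[user] = reasons
    return {"actions": actions, "orphans": orphans}


if __name__ == "__main__":
    result = reconcile(HR_FEED, DIRECTORY, date(2024, 6, 1))
    for action in result["actions"]:
        print("action:", action)
    for user, reasons in result["orphans"].items():
        print("orphan:", user, reasons)
```

Note that `svc-backup` is reported even though it may be a legitimate service account: the point of the report is that every account needs a named, active owner, and service accounts should be tied to one in the same way.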

What is Principle of Least Privilege?

The Principle of Least Privilege (POLP) states that a given account should have only the access rights necessary to carry out its role’s responsibilities – no more, no less. It applies to service accounts and administrative accounts as much as to employees, and because rights tend to accumulate as people change roles, it has to be re-checked through periodic access reviews rather than enforced once at onboarding. POLP is a fundamental concept within identity and access management.