Glossary

The glossary is a reference that explains technical terms in simple words, making complex concepts and processes easier to understand.

This glossary provides terms and definitions for the IBM® Verify software and products.

The following cross-references are used in this glossary:
  • See refers you from a nonpreferred term to the preferred term or from an abbreviation to the spelled-out form.
  • See also refers you to a related or contrasting term.

A

acceptable tolerance
The permissible range of variation or deviation from a specified or desired value without affecting functionality or quality.
access attempt
An action taken by a user, either authorized or unauthorized, to gain access to a system, resource, or information.
access certification
A process that verifies and validates user access rights to systems and applications.
access certification campaign
Periodic recertifications that validate whether users' access is still needed for a continued business need.
access decision
The process of deciding whether to grant or deny user access to information or resources.
access entitlement
A specific privilege or action that authorized users have access to.
access policy
A set of rules and conditions that control the users' access to a resource based on defined conditions.
access policy object
A digital entity that defines the rules and permissions that govern how users or systems can interact with specific resources in a network or system.
access request (AR)
A module that manages authorization workflows.
access right
  1. A designation of the rights that users have, such as read, modify, create, delete, and admin (RMCDA).
  2. A security setting that controls access to the objects in an object store or workflow.
access token
  1. A value used by the consumer to gain access to the protected resources on behalf of the user, instead of using the user's service provider credentials.
  2. An object that contains security information for a process or thread, including the identity and privileges of the user account that is associated with the process or thread.
access request management (ARM)
The process of managing and governing access to resources, such as applications, data, and systems, within an organization.
access token expiry
The time it takes for the access token to expire.
access token lifetime
The time an access token is valid.
account
An entity that contains a set of parameters that define the application-specific attributes of a user, which include the identity, user profile, and credentials.
account synchronization
In IBM Verify, an action that fetches all the target application groups.
action
An act that can be performed in response to a trigger.
activation
A processing step that prepares a program to be run.
Active Directory (AD)
A hierarchical directory service that enables centralized, secure management of an entire network, which is a central component of the Microsoft Windows platform.
AD
See Active Directory.
adapter
An intermediary software component that allows two other software components to communicate with one another.
adapter agent
A software component that provides an interface between a managed resource and a system.
adapter binary
An executable file that contains the code necessary for an adapter to interact with a specific system or application.
adapter configuration tool
A tool that enables the creation of customized adapters that can communicate with various external systems.
adapter JAR file
A Java Archive file that contains the necessary classes and libraries to facilitate communication between different systems.
adapter log
A log that records the activities of the adapter, which helps determine the background or cause of an issue and find the proper solution.
adapter schema
A definition of the structure of data that is used to integrate with an external system.
administration console
A web-based tool that allows authorized users to access and manage various administrative functions from any location at any time.
administrator user
A user account that bypasses all access rights checks.
advanced rule
A policy type that specifies conditions that must be met before access to a protected object is permitted.
advanced workflow
A workflow that extends the capabilities of the workflow administration application by allowing users to work with historical workflow instance information while preserving current usage patterns.
agent wallet
A component used to manage and store digital credentials.
alternative data sources
One or more additional data sources that are used along with, or instead of, the primary LDAP.
API access
The process of controlling and managing access to application programming interfaces (APIs).
API client
A client that must be created for use by the IBM Verify gateway for a RADIUS server.
API credential
A credential that authenticates an identity that is trying to access third-party services through APIs.
API grant type
The authorization mechanism that a client uses to retrieve an ID token and an access token from IBM Verify.
API key
A unique code that is passed to an API to identify the calling application or user, and to send tracking data. An API key is used to track and control how the API is being used, for example, to prevent malicious use or abuse of the API.
API secret
A secret used to authenticate the client and authorize access to the API.
app
A web or mobile device application.
appliance
A hardware device with integrated software that is dedicated to a specific task or set of business requirements.
application
One or more computer programs or software components that provide a function in direct support of a specific business process or processes. See also application server.
application role
An entity that represents the tasks that users perform and the permissions that are associated with those tasks.
application server
A server program in a distributed network that provides the execution environment for an application program. See also application.
AR
See access request.
ARM
See access request management.
array
A structure that contains an ordered collection of elements of the same data type in which each element can be referenced by its index value or ordinal position in the collection.
artifact
An entity that is used or produced by a software or systems development process.
attribute
  1. A characteristic or trait of an entity that describes the entity; for example, the telephone number of an employee is one of the employee attributes. See also identity.
  2. Data that is associated with a component.
audit
A process that logs the user, administrator, and help desk activities.
authentication
A security service that provides proof that a user of a computer system is genuinely who that person claims to be. See also authorization.
authentication activity
The process of monitoring and reporting user authentication events to detect situations that do not comply with the security policy.
authentication factor
The device, biometrics, or secrets that are required as credentials for validating digital identities.
authentication method
The way users verify their identity to access the system.
authentication source
The data source against which you intend to perform authentication.
authority
The right to access objects, resources, or functions.
authorization
The process of granting a user, system, or process either complete or restricted access to an object, resource, or function. See also authentication.
authorization check
A security check that is performed when a user or application attempts to access a system resource; for example, when an administrator attempts to issue a command to administer IBM MQ or when an application attempts to connect to a queue manager.
authorization code
An alphanumeric code generated for administrative functions, such as password resets or two-factor authentication bypass.
authorization policy
A set of conditions that define whether a user can access a protected resource.
authorization server
A server that processes authentication and authorization requests.

B

base
This attribute is the LDAP container search base for users.
bearer token
A Security Assertion Markup Language (SAML) token that uses the bearer subject confirmation method.
behavior
The observable effects of an operation or event, including its results.
binary attributes
This attribute is a list of comma-separated binary LDAP user attributes that are returned from a successful password verify operation.
binary security token
A security token that is binary encoded using a value type and an encoding type to interpret the token.
bind request
A request to establish a connection between systems or logical units.

C

CA
See corrective action.
callback
A way for one thread to notify another application thread that an event has happened.
canvas
An area within a dashboard or workspace that users interact with to create, view, and manipulate content and data.
capability
A function or feature that is made available by an application, tool, or product.
certificate
A digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority.
certificate chain
A path that traces certificates from a branch in the hierarchy to the primary CA certificate.
cipher
An algorithm for encrypting and decrypting data.
class
In object-oriented design or programming, a model or template that can be used to create objects with a common definition and common properties, operations, and behavior. An object is an instance of a class.
clause
A set of conditions and variable expressions that represent specific layers in a protocol stack.
client
A software program or computer that requests services from a server.
client secret
A piece of information that is used with an application key to verify the identity of an application.
cluster
A group of appliances in which one appliance acts as the central appliance, and the other appliances act as its clients.
code page
A particular assignment of code points to graphic characters.
condition
A test of a situation or state that must be in place for a specific action to occur.
configuration
The manner in which the hardware and software of a system, subsystem, or network are organized and interconnected.
configuration file
A file that specifies the characteristics of a program, system device, system, or network.
connection protocol
A set of rules and standards that govern how devices or systems communicate with each other over a network.
connector
A plug-in that is used to access and update data sources. A connector accesses the data and separates out the details of data manipulations and relationships.
console
A graphical user interface that simplifies the tasks for managing network security, such as monitoring events and scheduling scans.
consumption
The usage of a resource.
container
An entity that provides lifecycle management, security, deployment, and runtime services to components.
corrective action (CA)
Measures taken to identify and rectify the unacceptable conditions.
credential
Information acquired during authentication that describes a user, group associations, or other security-related identity attributes, and that is used to perform services such as authorization, auditing, or delegation. For example, a user ID and password are credentials that allow access to network and system resources.
credential stuffing
A method of hacking a system by injecting breached username and password pairs in an attempt to fraudulently gain access to user accounts.
customer
A person who receives products or services, has accounts, and places orders.

D

data type
In programming languages, a descriptor of a set of values together with a set of permitted operations.
deployment
A process that retrieves the output of a build, packages the output with configuration properties, and installs the package in a predefined location so that it can be tested or run.
deprecation policy
A set of rules that define the process of marking a policy as deprecated, indicating that it should no longer be used and may be removed at any point.
deprovision
To remove a service or component. For example, to deprovision an account means to delete an account from a resource.
device
A piece of equipment such as a workstation, printer, disk drive, tape unit, or remote system.
directory connection
A connection that enables the IBM Verify server to access and use the directory data.
directory server
A server that can add, delete, change, or search directory information on behalf of a client.
dispatcher
A single entry point for all incoming requests that directs each request to the correct destination based on predefined rules and configurations.
DN value
The unique identifier of a server or a user in the directory.
Docker
An open platform that developers and system administrators can use to build, ship, and run distributed applications.
dynamic role
A role that uses valid LDAP filters to set a user's membership in a specific role.

E

element
A component of a variable.
employee
The individual who works for an organization that uses the Verify platform to manage access, identity, and authentication.
endpoint
The system that is the final destination of an operation.
end user
The individual who interacts with the IBM Verify platform to access protected resources, such as applications, data, and systems.
enrollment
The process of entering and saving user or user group information in a portal.
entitlement
The identification of a structured set of rights that are assigned to a generic user for access to the resources of a company or organization.
environment
A specific instance of a configuration of hardware and software.
event object
A subset of the fields in the definition of an event.
event payload
The data associated with a specific event, such as authentication, management, or service events.
External LDAP host URI
This attribute is the on-premises LDAP server connection information.

F

factor capability
The various methods of authentication that can be used to verify a user's identity.
factor rule
The configuration of authentication factors, which are methods used to verify a user's identity.
federated user
A user who shares a representation of an identity with another entity.
FedRAMP
A United States government program that provides a standardized, risk-based approach for the adoption and use of cloud services by the US federal government.
fine-grained entitlement
The definition of entitlements in IBM Verify, allowing for detailed management of provisioning policies and access control.
flow
A series of connected steps in a process or service that represents the overall progression of how the process is performed.
flow designer
A feature that facilitates creating, managing, and implementing customized requirements by using a set of predefined tasks.
flow instance
An instance that defines the flow instance properties, expressions, and related flow designer errors.
friendly name
A more understandable name for something that is indecipherably technical.

G

grant
To give a privilege or authority to an authorization identifier.
grant type
A specific type of grant.
group object
The attributes that can be used to define or delete a group in IBM Verify.

H

HA
See high availability.
health check
A process that monitors system resources and conditions to determine whether the system is running efficiently.
health status
A measure of how well a resource is functioning, with possible values including normal, warning, minor, critical, fatal, and unknown.
high availability (HA)
The ability of a service or workload to withstand failures and continue providing processing capability according to some predefined service level.

I

ID
See identifier.
identifier (ID)
A sequence of bits or characters that identifies a user, program, device, or system to another user, program, device, or system.
identity
A collection of attributes from a data source that represent a person, organization, place, or item. See also attribute.
identity adapter
An interface between a managed resource and the IBM Verify Identity Manager.
identity agent
An agent used to connect external user repositories with IBM Verify to perform authentication or provisioning.
Identity Brokerage
The gateway to directly integrate Identity Governance and Intelligence with targets and hubs using IBM Security Identity Adapters.
Identity Data Manager (IDM)
A software solution designed to manage and maintain digital identities within an organization.
identity feed
The automated process of creating one or more identity records from one or more common sources of identity data.
identity provider
A system that manages user identities and authenticates users, providing an authentication token to the service provider.
identity source
A source related to the configuration options available in the identity and OIDC node of the IAG configuration YAML.
IDM
See Identity Data Manager.
investigation
A process of profiling the data source to understand the source data in order to identify relevant values, structures, and patterns.
issuer
A role to generate and deliver credentials that are composed of claims based on a predefined schema.

J

JavaScript configuration
An on-premises configuration file that specifies the configuration details of the data source.
JavaScript plug-in
Custom code that handles interaction with a non-primary LDAP.

L

LDAP bind DN
This attribute is the LDAP server connection user.
LDAP bind password
This attribute is the LDAP server connection password.
LDAP certificate authority certificate
This optional attribute is the SSL certificate that is used if the on-premises agent requires a TLS connection to the LDAP server.
listener
A program that detects incoming requests and starts the associated channel.
load
  1. A collection of line items from orders that are organized in a way to maximize shipping or picking efficiency.
  2. In IBM Verify, to move data or programs into storage, a file, or a computer.
load balancer
Software or hardware that distributes workload across a set of servers to ensure that servers are not overloaded.

M

machine
A device, system, or server that uses the Verify platform to authenticate users so that they can access protected resources.
MFA
See multifactor authentication.
microservice
A set of small, independent architectural components, each with a single purpose, that communicate over a common lightweight API.
module
A structured document that is composed of multiple requirement artifacts.
multifactor authentication (MFA)
A mechanism that forces a user to authenticate using two or more methods of authentication.

N

native app policy
A set of configurations that define the compliance settings for native apps on various devices, including Android and Windows devices.
nested group
A group that is contained within another group.
NOC Dashboard
A centralized monitoring interface that provides real-time visibility into the security posture of an organization.
node
A logical group of managed servers.

O

OAuth client
An application that requests access to a protected resource on behalf of a user.
OAuth client application
An application that uses the OAuth protocol to access protected resources on behalf of a user.
obf
See obfuscation.
obfuscation (obf)
The process of protecting sensitive data by masking or hiding it from view.
object class
This attribute is a list of comma-separated object classes that the LDAP user can have.
OIDC application
An application that uses the OpenID Connect (OIDC) protocol to authenticate users.
OIDC provider
A user-friendly access management and multifactor authentication provider that helps organizations maintain security as they adopt new technologies.
onboard
To add a new user, alone, or as part of a group to an internal company software infrastructure, which gives the user access to an internal product or service.
one-time password (OTP)
A one-use password that is generated for an authentication event and is sometimes communicated between the client and the server through a secure channel.
one-way SSL authentication
Authentication that enables the identity server to authenticate the credentials of the adapter, which operates as the SSL server, without requiring the adapter to authenticate the identity server.
operation
A specific action (such as add, multiply, or shift) that the computer performs when requested.
OTP
See one-time password.

P

password
In computer and network security, a specific string of characters used by a program, computer operator, or user to access the system and the information stored within it.
password intelligence
A capability that is used to monitor, warn about, or prevent the use of stolen, common, or known passwords.
password policy
A set of rules that are based on an organization's security requirements to enhance computer security by encouraging users to employ strong passwords and use them properly.
permission
Authorization to perform activities, such as reading and writing local files, creating network connections, and loading native code.
policy
A set of considerations that influence the behavior of a managed resource or a user.
primary LDAP
The built-in LDAP handling; no JavaScript plug-in is needed for the primary LDAP.
principal
An entity that can communicate securely with another entity. A principal is identified by its associated security context, which defines its access rights.
privacy
The protection of user data and information from unauthorized access and inappropriate use.
private key
An algorithmic pattern used to encrypt messages that only the corresponding public key can decrypt. See also public key.
provider
A package or set of packages that supplies a concrete implementation of a subset of the Java 2 SDK security API cryptography features.
provision
To provide, deploy, and track a service, component, application, or resource.
proxy
In IBM Verify, a server that acts as an intermediary between the Verify Identity Access system and the back-end servers.
proxy server
A server that receives requests intended for another server and that acts on behalf of the client (as the client's proxy) to obtain the requested service.
public certificate
A certificate that is issued by a public internet certificate authority (CA).
public key
An algorithmic pattern used to decrypt messages that were encrypted by the corresponding private key. See also private key.

Q

query string
A character string that specifies the properties and property values for a query.
queue
A line or list of items waiting to be processed, for example, work to be performed or messages to be displayed or transmitted.

R

realm
A named collection of users and groups that can be used in a specific security context.
reconciliation
The process of ensuring consistency between the original data repository and the larger system where the data is stored for backup.
registry
A repository that contains access and configuration information for users, systems, and software.
remediate
To resolve vulnerabilities or weaknesses in a system.
remediation
The process of resolving vulnerabilities or weaknesses in the system.
remediation policy
A set of procedures that are executed when a device violates a security policy.
repo
See repository.
repository (repo)
A persistent storage area for data and other application resources.
response
The reaction of an appliance to an event.
restriction
A limitation or constraint placed on access to certain data or resources.

S

schema
A collection of database objects such as tables, views, indexes, or triggers that define a database.
scope
In IBM Verify, the set of entities that a policy or an access control item (ACI) can affect.
secret
Sensitive information, such as a password or an API key, that is used by an application to access a protected resource.
signature
Unique identification information for an application, window, or field.
signer certificate
The digital certificate that validates the issuer of a certificate.
single sign-on (SSO)
An authentication process in which a user can access more than one system or application by entering a single user ID and password.
social identity provider
An entity that provides authentication services, allowing users to access applications using their existing social media or other online identities.
SSL authentication
A process that establishes authenticity through public-key certificates.
SSO
See single sign-on.
string
A sequence of elements of the same nature, such as characters considered as a whole.
synchronization
The process of ensuring that all clocks across the network are aligned with the actual time.

T

tenant
An independent logical section for storing data and resources, such as users, credentials, and settings, which can only be accessed by users registered to that specific tenant.
tenant administrator
A role that administers user accounts for its own tenant only and cannot create a new tenant.
threat
A security issue, or a harmful act, such as the deployment of a virus or illegal network penetration.
timestamp
The value of an object that indicates the system time at some critical point in the object's history.
token
A particular message or bit pattern that signifies permission or temporary control to transmit over a network.
trust service
A security token service provided by WebSphere Application Server, which uses the secure messaging mechanisms of Web Services Trust (WS-Trust) to define additional extensions for the issuance, exchange, and validation of security tokens.
truststore
A storage object where public keys are stored in the form of trusted certificates, for authentication purposes in web transactions. See also keystore.

U

unauthorized access
Gaining access to resources within a computer system without permission.
user
Any individual, organization, process, device, program, protocol, or system that uses the services of a computing system.
username attribute
This attribute is the naming attribute, such as user ID, that is used to look up a user for password verification.
user profile
A description of a user that includes such information as user ID, user name, password, access authority, and other attributes that are obtained when the user logs on.
user registry
A collection of user information, such as user IDs and passwords, that is used as the basis for security control by a system such as a web application server.

V

vanity hostname
A custom hostname for an IBM Verify tenant, which is used to customize the hostname so that it does not mention IBM.
verification
The act of verifying the proof of identity of each credential.
vulnerability
A known weakness or flaw in an asset's design, implementation, or operation and management that an attacker could exploit to gain unauthorized access or take other actions.

W

wallet
A secured data store of a user's access credentials and related information, which includes user IDs, passwords, certificates, and encryption keys.
webhook
A user-defined HTTP callback, which is an HTTP request that a pipeline sends automatically when certain actions occur.
workflow
A sequence of activities and tasks that define work, such as a business process, case, or workstream.