Glossary

Table: Terms and Definitions

Term	Definition
Access Explorer	A Platform UI page (Inventory > Access Explorer) that displays visual representations of the relationships between identities, assets, and access policies, based on the filters and sources selected. You can use the Access Explorer to find out how an identity gains access to an asset, which identities have access to an asset, or when access or membership was granted.
Active Directory (AD)	Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network.
Active Directory (AD) Connector	The AD Connector enables secure communication between the Platform, Active Directories, and various services within your internal network. For enhanced reliability and efficiency, it is recommended to deploy multiple Connectors to enable failover capabilities and load distribution.
AD	See Active Directory (AD)
Agent	An agent is software installed on a computer that can act autonomously to achieve goals set by humans. An agent has self-governing attributes and capabilities in reasoning, learning, adaptability, decision-making, policy-following, and execution.
Attribute (ILM)	In Platform ILM, an Attribute is a property of a Business Object (ILM). Attributes typically contain metadata including data type and validation rules. Although the terms attribute and field are sometimes used interchangeably, an attribute is a backend entity that may or may not be represented in the UI as a field. Attribute is more frequently used by people working directly with code and the data, such as developers and data architects, and others working with APIs and integrations. See Field (ILM).
Audit	A record of actions that are typically user initiated but may also include some system actions. An audit is designed for consumption by users - mainly security overseers like SecOps and CISOs.
Audit Collector Workload	A workload run by the Platform Engine that enables Privilege Control for Servers (on the Delinea Platform) to receive audit data about events and actions during session recording captured by the privilege control agent deployed on audited computers. More than one Platform Engine and Audit Collector workload can be deployed for greater resilience and/or scale. Minimum requirement: two Audit Collector workloads to ensure uninterrupted auditing.
Authentication	Authentication is a way for a user to prove that they are still the person they claimed to be during the identification phase by inputting something a person knows, such as a password or security question; something a person has, such as a token, smart card, ID card, or cryptographic key; or something a person "is," using biometric data such as a fingerprint or facial scan.
Authentication Challenge	A mechanism on the Delinea Platform to challenge a user attempting to log in. Examples include password, phone call, email confirmation code, and security questions.
Authentication Profile	On the Delinea Platform, an authentication profile specifies the authentication challenges required to log in to the Platform and the length of time that must elapse before a user is prompted for authentication again.
Authorization	Authorization is the process of verifying what specific applications, files, and data a user has access to.
Birthright User Type (ILM)	In Platform ILM, Birthright access is granted to every Identity of this user type and can never be removed. An example might be an email account for employees. All identities of the Employee User Type are granted an email account and they have that email account as long as they are an employee.
Business Object (ILM)	In Platform ILM, a Business Object (BO) is a structured, reusable, secure, and time-aware, data container that represents a distinct real-world HR entity or concept, complete with properties, rules, and relationships to other business objects. Common business objects include Date of Birth, Legal First Name, and Time Off Request.
Catalog (ILM)	In Platform ILM, a Catalog is a collection of accesses that are made available for users to request. Each catalog is associated with a User Type. When an Identity accesses self-service, they can request any access that is available their User Type AND that is in a catalog associated with their User Type.
CID	See Continuous Identity Discovery (CID)
CIEM	See Cloud Infrastructure Entitlement Management (CIEM)
Cloud Infrastructure Entitlement Management (CIEM)	Cloud Infrastructure Entitlement Management (CIEM) is a security approach for controlling access rights to cloud resources. CIEM solutions identify all existing privileges across cloud and multi-cloud environments, then identify privileges that are higher than they should be, such as privileges that are stale and no longer needed to help reduce the risk of unauthorized access.
cloudadmin	A local Delinea Platform “break-glass” account that is created for you. It follows the format cloudadmin@your_platform_tenant_name. cloudadmin is the first account you need to perform initial Platform provisioning, login, upgrade, and setup tasks.
Collection (ILM)	In Platform ILM, a Collection is a grouping of items of the same type that can be used throughout the application. In addition, Ownership Collections define who owns which items for use with certification and approvals. A collection can support the following types of items: Role, Resource, Entitlement, Company, Identity. Each collection type EXCEPT Identity can have owner(s) assigned to each collection Item. The owner can be defined as an identity or a collection of identities.
Collection (Platform Inventory)	On the platform, a collection is an inventory query that is saved for future reuse. A collection can also be used to build custom dashboards, detection rules, and scheduled reports. All collections on the Platform are automatically updated daily and can also be updated on demand.
Command Relay Workload	A workload run by the Platform Engine that enables Privilege Control for Servers to send commands and parameters through an SSH connection for execution on a customer’s servers. The Command Relay workload depends on a service account that can modify the Active Directory domain to update policies.
Continuous Identity Discovery (CID)	Continuous Identity Discovery (CID) extends the discovery capability of Secret Server Cloud on the Delinea Platform to cover cloud identities, including privileged accounts, service accounts, admins, and shadow admins.
Data Type (ILM)	In Platform ILM, a field has a data type that defines the type of information stored.
Default Granted User Type (ILM)	In Platform ILM, Default Granted access is granted to every Identity of the user type when the Identity is created (or changed to that user type), but the access can be removed.
Default Not Granted User Type (ILM)	In Platform ILM, Default Not Granted means that access is not granted to new identities by default, but it could be added. Default Not Granted access could be added directly by Administrators or Manager, it could be added by policies attached to a role, or it could be added through a self service request if the access in available in a catalog.
Delinea Expert	A secure AI chatbot that answers questions about the Platform features, components, or best practices, and provides links to support its answers. Delinea Expert cannot access your data or see which Platform page you are on. Delinea Expert can sometimes make mistakes — always check important information. If an answer seems inaccurate, please click the Flag icon to alert us.
Distributed Engine	An engine used by Secret Server on Platform, Secret Server Cloud, and Secret Server On-Premises to take actions in the customer environment and update secrets. In the future, Secret Server on Platform will use only the Platform Engine for these actions.
Dynamic Collection (ILM)	In Platform ILM, Roles can be automatically assigned to users by Dynamic Collections. The role will be assigned to any user in the dynamic collection. Dynamic collections are evaluated when user is created, when user is updated, on a schedule, when the collection definition is updated, and when a user type is updated.
Engine Management	A Platform UI page (Settings > Engine Management) where admins manage Platform Engines, the Sites where the engines are deployed, and the Workloads that the engines run.
Engine Site	A group of engines selected on a common principle, e.g. network or subnet, or geographical location (office, city, etc.), or data center, or any other characteristics that the IT personnel finds appropriate. Workload settings are organized at the Engine Site level.
Engine Workload	A background service managed and deployed by us, provisioned and run by Platform Engines, and configured by administrators in Engine Management. Engine Workloads include Audit Collector, Command Relay, PRA, and ITP for Active Directory. Workloads are updated automatically by the Engine when a new version of the workload is available. Other independent Engines (such as Distributed Engine) or Connectors will be converted over time into workloads to be downloaded and provisioned by the Platform Engine as necessary.
Entitlement (ILM)	In Platform ILM, Entitlements are the application roles (security roles, responsibilities, security groups, permission sets, etc.) accessed within a Resource.
Field (ILM)	In Platform ILM, a Field is a labeled input box in the UI. Every field is associated with a backend attribute, but not every attribute is represented in the UI as a field. Field is more frequently used by people working with UI screens, such as workers in HR, support, and UI design. See Attribute (ILM).
Form (ILM)	In Platform ILM, Forms are used to update identity data. Form customization allows customers to create forms by adding fields that capture the data needed to manage their identities. Identity Creation Forms: These forms will be used by administrators and/or managers to create identities in the system. Identity Update Forms: These forms will be used by administrators and/or managers to update existing identities in the system.
Identity (ILM)	In Platform ILM, an Identity is created when a new person is entered into the relevant HR system, and that information triggers birthright access to an Identity Access Management system (such as Okta or Entra ID).
Identity Lifecycle Management (ILM)	Identity Lifecycle Management (ILM) assigns identities (Joiner, Mover, Leaver) to employees, contractors, or equipment to ensure secure and appropriate access throughout the identities' lifecycle in an organization.
Identity Threat Protection (ITP)	Identity Threat Protection solutions safeguard identities and the systems they access by detecting and preventing identity-based threats like malicious insiders, account takeovers, and privilege escalations.
ILM	See Identity Lifecycle Management (ILM)
Joiner (ILM)	In Platform ILM, a Joiner is an identity added to or newly created in a system. Depending on the organization's specific needs, this identity could represent an employee, contractor, or even equipment. At this stage, appropriate access permissions must be assigned based on the role of the identity being onboarded.
Leaver (ILM)	In Platform ILM, a Leaver is an identity removed from the system, typically upon termination of employment or the end of a contract. The removal can be manual or pre-scheduled, particularly in cases where access is time-bound. It is important to ensure that all access permissions are revoked to prevent unauthorized access after the individual has left.
Log	A record of background events typically related to systems, performance, outages, etc. A log is typically consumed by IT/Ops to help them ensure that things are running optimally and delivered according to the appropriate SLA.
Marketplace	The Delinea Platform Marketplace is an integration ecosystem for shared services where you can find applications, scripts, utilities, and other software that you can use with the Delinea Platform. By default, the Admin User role has access to Marketplace and they can control Marketplace access permissions for users.
MFA	See Multi-Factor Authentication (MFA)
MFA for Secrets	Multi-factor Authentication (MFA) for secrets gives Delinea Platform administrators the option to add one or more security requirements to access specified secrets. This functionality is available exclusively through the Platform and supports many types of MFA, such as email, the Credential Manager (mobile) App, YubiKey, and other devices using the FIDO2 protocol.
Mover (ILM)	In Platform ILM, a Mover is an identity that changes, such as an employee moving to a new role or department or a contractor transitioning to a full-time employee. It is crucial during this stage to ensure that only the necessary permissions for the new role are retained, as retaining previous access in combination with new permissions can lead to security risks.
Multi-Factor Authentication (MFA)	Multi-factor Authentication (MFA) adds an extra layer of security by requiring users to prove their identity using two or more different factors, such as something they know (like a password), something they have (like a phone or security token), or something they are (like a fingerprint or facial scan). Even if a password is compromised, MFA can prevent unauthorized access because the attacker would still need to obtain the additional verification methods.
PCCE	See Privilege Control for Cloud Entitlements (PCCE)
PCS	See Privilege Control for Servers (PCS)
Platform Admin	A Delinea Platform role with extensive permissions that is automatically assigned to all members of the System Administrator group.
Platform Engine	Software installed on servers in a network segment (a Site) that enables the Delinea Platform to perform various actions on that network via Workloads, such as discovery, remote access, authentication, or session recording collection. The Platform Engine acts as a single installer that will dynamically deploy the workloads as needed. For redundancy and high availability, admins can deploy two or more Platform Engines per site.
PRA	See Privileged Remote Access (PRA)
Privilege Control for Cloud Entitlements (PCCE)	Privilege Control for Cloud Entitlements (PCCE) discovers privileged identities across complex multi-cloud environments, identities and fixes identity misconfigurations and enforces the principle of Least Privilege access.
Privilege Control for Servers (PCS)	Privilege Control for Servers (PCS) carries the PAM capabilities of the Delinea Platform into the individual servers and computer endpoints in your corporate network.
Privileged Remote Access (PRA)	Privileged Remote Access (PRA) enables secure remote access to computers that is audited and session recorded. Formerly Remote Access Service (RAS).
RBAC	See Role-Based Access Control (RBAC)
Resilient Secrets	A feature of Secret Server on Platform, Secret Server Cloud, and Secret Server On-Premises that duplicates all secrets and configurations from one Secret Server (the source) to a backup store (the replica). The feature is officially called Resilient Secrets, but the UI says Disaster Recovery.
Resource (ILM)	In Platform ILM, a Resource is an item a user can be granted access to within an organization. This could be a physical asset, such as a key card or an application, such as Ping Directory, Okta, Entra ID, and so forth.
Role (ILM)	In Platform ILM, A Role is a collection of resources and entitlements, and can be assigned as a group. Roles are organized around the access required for a specific purpose, such as a job role with the access needed to perform a specific job function.
Role-Based Access Control (RBAC)	Role-Based Access Control (RBAC) is the process of mapping access permissions to organizational roles, essentially to define what an individual is allowed to have access to if they have a particular role or roles within the organization. RBAC is important when designing an IGA implementation, as it enables you to make sense of all the varied access requirements across the organization and prevent access from being a ‘free for all’.
SCIM	See System for Cross-Domain Identity Management (SCIM)
Secret	Information that is stored and managed in the Secret Server vault. Typical secrets include privileged passwords on routers, servers, applications, and devices. Files can also be stored in secrets, such as private key files, SSL certificates, license keys, network documentation, Microsoft Word or Excel documents, and more. Secrets are derived from secret templates.
Secret Server	The Delinea Platform secrets vault. Secret Server is an enterprise-grade secrets storage vault for securely storing, managing, and controlling access to privileged credentials and other sensitive data. See Secret Server on Platform, Secret Server Cloud, and Secret Server On-Premises for distinctions.
Secret Server Cloud	Secret Server Cloud is the Platform secrets vault deployed from the cloud. Customers who purchased Secret Server Cloud before November 2023 must perform upgrade procedures to manage Secret Server as a fully integrated component of the Delinea Platform. See Secret Server on Platform and Secret Server On-Premises for comparisons.
Secret Server On-Premises	Secret Server On-Premises is the Platform secrets vault installed on a customer server (instead of the cloud). Secret Server On-Premises can be connected to the Delinea Platform as a limited integration to enable customers to launch PRA from a secret. It does not enable any other Secret Server functionality from the Delinea Platform. See Secret Server Cloud and Secret Server on Platform for comparisons.
System Administrator	Platform users who belong to the System Administrator group inherit the Platform Admin role, with extensive administrative permissions. The System Administrator group cannot be renamed or deleted. Compare to cloudadmin.
System for Cross-Domain Identity Management (SCIM)	System for Cross-Domain Identity Management (SCIM) is an open standard that automates the exchange of user identity information between systems. It's used to manage user accounts and access to cloud-based applications.
Task (ILM)	In Platform ILM, Tasks are the discrete units of work that are assembled to compose a workflow. There are two basic task types: User Tasks and System Tasks. User Tasks are accomplished by human users. User tasks require one or more assignees, and when a workflow reaches such a task, the assignee(s) are notified. In some cases, a task may be delegated by an assignee to one or more delegates who will complete the task instead. System Tasks are automatically accomplished by system processes.
Identity Type (ILM)	In Platform ILM, an Identity Type defines a large grouping of similar users. It can be viewed as a ‘big bucket' of users with much in common, even though they don’t all have the same business role. Typical examples include staff, contractors, customers, and students. Identity types could also be used to group users in particular geographies, such as US and UK staff. Identity types are helpful not only for classifying users but also for provisioning access. One way is by assigning items through Birthright access at the user type level.
Identity Type Access Model (ILM)	In Platform ILM, the Identity Type is the basis for the Identity Access Model. Each Identity has exactly one Identity Type. The Identity Type defines the initial access given to an Identity, and the potential access that an Identity could have.
View (ILM)	In Platform ILM, Views are used to display data. Identity Display Views: Used by administrators and/or managers to view existing identities in the system. Identity Flyout Views: Used by administrators and/or managers to get a quick view of additional information for existing identities on the Identities Inventory page.