Glossary

Table: Terms and Definitions

Term Definition
Access Explorer A platform UI page (Inventory > Access Explorer) that displays visual representations of the relationships between identities, assets, and access policies, based on the filters and sources selected. You can use the Access Explorer to find out how an identity gains access to an asset, which identities have access to an asset, or when access or membership was granted.
Active Directory (AD) Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network.
Active Directory Connector The Delinea Active Directory Connector enables secure communication between the Delinea Platform, Active Directories, and various services within your internal network. For enhanced reliability and efficiency, it is recommended to deploy multiple Connectors to enable failover capabilities and load distribution.
AD Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network.
Agent An agent is software installed on a computer that can act autonomously to achieve goals set by humans. An agent has self-governing attributes and capabilities in reasoning, learning, adaptability, decision-making, policy-following, and execution.
Audit A record of actions that are typically user-initiated but may also include some system actions. An audit is designed for consumption by users, mainly security overseers like SecOps and CISOs.
Audit Collector Workload A workload run by the Delinea Engine that enables Privilege Control for Servers (on the Delinea Platform) to receive audit data about events and actions during session recording captured by the privilege control agent deployed on audited computers. More than one Delinea Engine and Audit Collector workload can be deployed for greater resilience and/or scale. Minimum requirement: two Audit Collector workloads to ensure uninterrupted auditing.
Authentication Authentication is a way for a user to prove that they are still the person they claimed to be during the identification phase by inputting something a person knows, such as a password or security question; something a person has, such as a token, smart card, ID card, or cryptographic key; or something a person "is," using biometric data such as a fingerprint or facial scan.
Authentication Challenge A mechanism on the Delinea Platform to challenge a user attempting to log in. Examples include password, phone call, email confirmation code, and security questions.
Authentication Profile On the Delinea Platform, an authentication profile specifies the authentication challenges required to log in to the platform and the length of time that must elapse before a user is prompted for authentication again.
Authorization Authorization is the process of verifying what specific applications, files, and data a user has access to.
Birthright User Type In IGA/ILM, Birthright access is granted to every Identity of this user type and can never be removed. An example might be an email account for employees. All identities of the Employee User Type are granted an email account and they have that email account as long as they are an employee.
Catalog In IGA/ILM, a Catalog is a collection of accesses that are made available for users to request. Each catalog is associated with a User Type. When an Identity accesses self-service, they can request any access that is available to their User Type AND that is in a catalog associated with their User Type.
CID Continuous Identity Discovery (CID) extends the discovery capability of Secret Server Cloud on the Delinea Platform to cover cloud identities, including privileged accounts, service accounts, admins, and shadow admins.
CIEM Cloud Infrastructure Entitlement Management (CIEM) is a security approach for controlling access rights to cloud resources. CIEM solutions identify all existing privileges across cloud and multi-cloud environments, then identify privileges that are higher than they should be, such as privileges that are stale and no longer needed, to help reduce the risk of unauthorized access.
Cloud Infrastructure Entitlement Management (CIEM) Cloud Infrastructure Entitlement Management (CIEM) is a security approach for controlling access rights to cloud resources. CIEM solutions identify all existing privileges across cloud and multi-cloud environments, then identify privileges that are higher than they should be, such as privileges that are stale and no longer needed, to help reduce the risk of unauthorized access.
cloudadmin A local Delinea Platform “break-glass” account that is created for you. It follows the format cloudadmin@your_platform_tenant_name. cloudadmin is the first account you need to perform initial platform provisioning, login, integration, and setup tasks.
Collection A collection is an inventory query that is saved for future reuse. A collection can also be used to build custom dashboards, detection rules, and scheduled reports. All collections on the platform are automatically updated daily and can also be updated on demand. In IGA/ILM, a Collection is a grouping of items of the same type that can be used throughout the application. In addition, Ownership Collections define who owns which items for use with certification and approvals. A collection can support the following types of items: Role, Resource, Entitlement, Company, Identity. Each collection type EXCEPT Identity can have owner(s) assigned to each collection Item. The owner can be defined as an identity or a collection of identities.
Command Relay Workload A workload run by the platform engine that enables Privilege Control for Servers to send commands and parameters through an SSH connection for execution on a customer’s servers. The Command Relay workload depends on a service account that can modify the Active Directory domain to update policies.
Continuous Identity Discovery (CID) Continuous Identity Discovery (CID) extends the discovery capability of Secret Server Cloud on the Delinea Platform to cover cloud identities, including privileged accounts, service accounts, admins, and shadow admins.
Data Type In IGA/ILM, a field has a data type that defines the type of information stored.
Default Granted User Type In IGA/ILM, Default Granted access is granted to every Identity of the user type when the Identity is created (or changed to that user type), but the access can be removed.
Default Not Granted User Type In IGA/ILM, Default Not Granted means that access is not granted to new identities by default, but it could be added. Default Not Granted access could be added directly by Administrators or Managers, it could be added by policies attached to a role, or it could be added through a self-service request if the access is available in a catalog.
Delinea Expert A secure AI chatbot that answers questions about the Delinea Platform's features, components, or best practices, and provides links to support its answers. Delinea Expert cannot access your data or see which platform page you are on. Delinea Expert can sometimes make mistakes — always check important information. If an answer seems inaccurate, please click the Flag icon to alert us.
Distributed Engine An engine used by Secret Server on Platform, Secret Server Cloud, and Secret Server On Premises to take actions in the customer environment and update secrets. In the future, Secret Server on Platform will use only the Platform Engine for these actions.
Dynamic Collection In IGA/ILM, Roles can be automatically assigned to users by Dynamic Collections. The role will be assigned to any user in the dynamic collection. Dynamic collections are evaluated when a user is created, when a user is updated, on a schedule, when the collection definition is updated, and when a user type is updated.
Engine Management A platform UI page (Settings > Engine Management) where admins manage Platform Engines, the Sites where the engines are deployed, and the Workloads that the engines run.
Engine Site A group of engines selected on a common principle, e.g. network or subnet, geographical location (office, city, etc.), data center, or any other characteristic that IT personnel find appropriate. Workload settings are organized at the Engine Site level.
Engine Workload A background service managed and deployed by Delinea, provisioned and run by Platform Engines, and configured by administrators in Engine Management. Engine Workloads include Audit Collector, Command Relay, PRA, and ITP for Active Directory. Workloads are updated automatically by the Engine when a new version of the workload is available. Other independent Engines (such as Distributed Engine) or Connectors will over time be converted into workloads to be downloaded and provisioned by the Delinea Engine as necessary.
Entitlement In IGA/ILM, Entitlements are the application roles (security roles, responsibilities, security groups, permission sets, etc.) accessed within a Resource.
Field In IGA/ILM, an identity is based on a default set of fields. Customers often need to configure how identity information is managed, and track additional information about the identities they manage. All standard fields are configurable, and custom fields allow customers to extend the definition of an Identity and store what information is essential based on their business needs. Fields provide metadata about individual data fields on business objects such as identities, resources, roles, and entitlements. The metadata will describe the contents and validation of the field. When a field is associated with an object type, data can be set in that field for specific instances of that object type. Fields are used to describe intrinsic, or built-in, elements of an object as well as custom extensions to that object.
Form In IGA/ILM, Forms are used to update identity data in Delinea IGA. Form customization allows customers to create forms by adding fields that capture the data needed to manage their identities. Identity Creation Forms: These forms will be used by administrators and/or managers to create identities in the system. Identity Update Forms: These forms will be used by administrators and/or managers to update existing identities in the system.
Identity Identity is the process of identifying a particular user, usually by providing a name, email address, phone number, or username. This is the process of someone saying that they are a certain person. In IGA/ILM, an Identity is created when a new person is entered into the relevant HR system, and that information triggers birthright access to an Identity Access Management system (such as Okta or Entra ID).
Identity Governance and Administration (IGA) On the Delinea Platform, Identity Governance and Administration (IGA) empowers platform administrators to secure their organization by managing access to information, systems, and resources, ensuring the correct individuals (employees, contractors, or partners) have appropriate access to the correct resources at the correct times, and properly monitoring and auditing their access. Access management is automated based on the organization’s specific setup and configuration of Identity Governance and Administration (IGA).
Identity Lifecycle Management (ILM) Identity Lifecycle Management (ILM) assigns identities (Joiner, Mover, Leaver) to employees, contractors, or equipment to ensure secure and appropriate access throughout the identities' lifecycle in an organization.
ITP Identity Threat Protection (ITP) solutions safeguard identities and the systems they access by detecting and preventing identity-based threats like malicious insiders, account takeovers, and privilege escalations.
Joiner In IGA/ILM, a Joiner is an identity added to or newly created in a system. Depending on the organization's specific needs, this identity could represent an employee, contractor, or even equipment. At this stage, appropriate access permissions must be assigned based on the role of the identity being onboarded.
Leaver In IGA/ILM, a Leaver is an identity removed from the system, typically upon termination of employment or the end of a contract. The removal can be manual or pre-scheduled, particularly in cases where access is time-bound. It is important to ensure that all access permissions are revoked to prevent unauthorized access after the individual has left.
Log A record of background events typically related to systems, performance, outages, etc. A log is typically consumed by IT/Ops to help them ensure that things are running optimally and delivered according to the appropriate SLA.
Marketplace The Delinea Platform Marketplace is an integration ecosystem for shared services where you can find applications, scripts, utilities, and other software that you can use with the Delinea Platform. By default, the Admin User role has access to Marketplace and they can control Marketplace access permissions for users.
MFA Multi-factor Authentication (MFA) adds an extra layer of security by requiring users to prove their identity using two or more different factors, such as something they know (like a password), something they have (like a phone or security token), or something they are (like a fingerprint or facial scan). Even if a password is compromised, MFA can prevent unauthorized access because the attacker would still need to obtain the additional verification methods.
MFA for Secrets Multi-factor Authentication (MFA) for secrets gives Delinea Platform administrators the option to add one or more security requirements to access specified secrets. This functionality is available exclusively through the Delinea Platform and supports many types of MFA, such as email, the Delinea Mobile App, YubiKey, and other devices using the FIDO2 protocol.
Mover In IGA/ILM, a Mover is an identity that changes, such as an employee moving to a new role or department or a contractor transitioning to a full-time employee. It is crucial during this stage to ensure that only the necessary permissions for the new role are retained, as retaining previous access in combination with new permissions can lead to security risks.
Multi-factor Authentication Multi-factor Authentication (MFA) for secrets gives Delinea Platform administrators the option to add one or more security requirements to access specified secrets. This functionality is available exclusively through the Delinea Platform and supports many types of MFA, such as email, the Delinea Mobile App, YubiKey, and other devices using the FIDO2 protocol.
PCCE Delinea Privilege Control for Cloud Entitlements (PCCE) discovers privileged identities across complex multi-cloud environments, identifies and fixes identity misconfigurations, and enforces the principle of Least Privilege access.
PCS Privilege Control for Servers (PCS) carries the PAM capabilities of the Delinea Platform into the individual servers and computer endpoints in your corporate network.
Platform Admin A Delinea Platform role with extensive permissions that is automatically assigned to all members of the System Administrator group.
Platform Engine Software installed on servers in a network segment (a Site) that enables the Delinea Platform to perform various actions on that network via Workloads, such as discovery, remote access, authentication or session recording collection. The Delinea Engine acts as a single installer that will dynamically deploy the workloads as needed. For redundancy and high availability, admins can deploy two or more Platform Engines per site.
PRA Privileged Remote Access (PRA) enables secure remote access to computers that is audited and session recorded. Formerly Remote Access Service (RAS).
Privilege Control for Cloud Entitlements (PCCE) Delinea Privilege Control for Cloud Entitlements (PCCE) discovers privileged identities across complex multi-cloud environments, identifies and fixes identity misconfigurations, and enforces the principle of Least Privilege access.
Privilege Control for Servers (PCS) Privilege Control for Servers (PCS) carries the PAM capabilities of the Delinea Platform into the individual servers and computer endpoints in your corporate network.
Privileged Remote Access (PRA) Privileged Remote Access (PRA) enables secure remote access to computers that is audited and session recorded. Formerly Remote Access Service (RAS).
RBAC Role-Based Access Control (RBAC) is the process of mapping access permissions to organizational roles, essentially to define what an individual is allowed to have access to if they have a particular role or roles within the organization. RBAC is important when designing an IGA implementation, as it enables you to make sense of all the varied access requirements across the organization and prevent access from being a ‘free for all’.
Resilient Secrets A feature of Secret Server on Platform, Secret Server Cloud, and Secret Server On Premises that duplicates all secrets and configurations from one Secret Server (the source) to a backup store (the replica). The feature is officially called Resilient Secrets, but the UI says Disaster Recovery.
Resource In IGA/ILM, a Resource is an item a user can be granted access to within an organization. This could be a physical asset, such as a key card, or an application, such as Ping Directory, Okta, Entra ID, and so forth.
Role In IGA/ILM, a Role is a collection of resources and entitlements that can be assigned as a group. Roles are organized around the access required for a specific purpose, such as a job role with the access needed to perform a specific job function.
Role-Based Access Control (RBAC) Role-Based Access Control (RBAC) is the process of mapping access permissions to organizational roles, essentially to define what an individual is allowed to have access to if they have a particular role or roles within the organization. RBAC is important when designing an IGA implementation, as it enables you to make sense of all the varied access requirements across the organization and prevent access from being a ‘free for all’.
SCIM System for Cross-Domain Identity Management (SCIM) is an open standard that automates the exchange of user identity information between systems. It's used to manage user accounts and access to cloud-based applications.
Secret Information that is stored and managed in the Delinea Secret Server vault. Typical secrets include privileged passwords on routers, servers, applications, and devices. Files can also be stored in secrets, such as private key files, SSL certificates, license keys, network documentation, Microsoft Word or Excel documents, and more. Secrets are derived from secret templates.
Secret Server The Delinea secrets vault. Delinea Secret Server is an enterprise-grade secrets storage vault for securely storing, managing, and controlling access to privileged credentials and other sensitive data. See Secret Server on Platform, Secret Server Cloud (SSC), and Secret Server on Premises (SSOP) for distinctions.
Secret Server Cloud (SSC) Secret Server Cloud (SSC) is the Delinea secrets vault deployed from the cloud. Customers who purchased Secret Server Cloud before November 2023 must perform integration procedures to manage receive Secret Server on Platform as a fully integrated component of the Delinea Platform. See Secret Server on Platform and Secret Server on Premises (SSOP) for comparisons.
Secret Server On Premises (SSOP) Secret Server on Premises (SSOP) is the Delinea secrets vault installed on a customer server (instead of the cloud). Secret Server on Premises (SSOP) can be connected to the Delinea Platform as a limited integration to enable customers to launch PRA from a secret. It does not enable any other Secret Server functionality from the Delinea Platform. See Secret Server Cloud (SSC) and Secret Server on Platform for comparisons.
SSOP Secret Server on Premises (SSOP) is the Delinea secrets vault installed on a customer server (instead of the cloud). Secret Server on Premises (SSOP) can be connected to the Delinea Platform as a limited integration to enable customers to launch PRA from a secret. It does not enable any other Secret Server functionality from the Delinea Platform. See Secret Server Cloud (SSC) and Secret Server on Platform for comparisons.
System Administrator Platform users who belong to the System Administrator group inherit the Platform Admin role, with extensive administrative permissions. The System Administrator group cannot be renamed or deleted. Compare to cloudadmin.
System for Cross-Domain Identity Management (SCIM) System for Cross-Domain Identity Management (SCIM) is an open standard that automates the exchange of user identity information between systems. It's used to manage user accounts and access to cloud-based applications.
Task In IGA/ILM, Tasks are the discrete units of work that are assembled to compose a workflow. There are two basic task types: User Tasks and System Tasks. User Tasks are accomplished by human users. User tasks require one or more assignees, and when a workflow reaches such a task, the assignee(s) are notified. In some cases, a task may be delegated by an assignee to one or more delegates who will complete the task instead. System Tasks are automatically accomplished by system processes.
User Type In IGA/ILM, a User Type defines a large grouping of similar users. It can be viewed as a ‘big bucket’ of users with much in common, even though they don’t all have the same business role. Typical examples include staff, contractors, customers, and students. User types could also be used to group users in particular geographies, such as US and UK staff. User types are helpful not only for classifying users but also for provisioning access. One way is by assigning items through Birthright access at the user type level.
User Type Access Model In IGA/ILM, the User Type is the basis for the Identity Access Model. Each Identity has exactly one User Type. The User Type defines the initial access given to an Identity, and the potential access that an Identity could have.
View In IGA/ILM, Views are used to display data in Delinea IGA. Identity Display Views: Used by administrators and/or managers to view existing identities in the system. Identity Flyout Views: Used by administrators and/or managers to get a quick view of additional information for existing identities on the Identities Inventory page.