Identity Types
This feature is currently available only to customers participating in a Private Preview. If you'd like to participate and be among the first to try this feature, ask our support or account team for details.
An identity type defines a large grouping of similar users. It can be viewed as a category of users with much in common, even though they don’t all have the same business role. Typical examples include staff, contractors, customers, and students.
Identity types are helpful not only for classifying users but also for provisioning access. One way is by assigning items through birthright access at the identity type level.
Identity types are recommended for grouping users by specific geographies, such as US and UK staff.
About Birthright Access
Birthright access sets the resources, roles, and other things that a particular category of identities get when they are first created.
A common example would be to set Entra ID and Email as birthright resources, since most organizations provision an identity provider account and email address to all staff members, regardless of their job function.
Birthright assignments only manage access to applications, not physical assets.
Access Types
- Resource: A resource is a digital or physical asset to which a user can be granted access. This could be a physical asset such as a key card or a digital application (Ping Directory, Okta, or Entra ID).
- Entitlements: Entitlements are access levels within a resource (security roles, responsibilities, security groups, permission sets, and so forth).
- Role: A role is a collection of resources and entitlements. Roles can be assigned to more than one person. Roles are best organized for a specific purpose, such as a specific job function.
Access Model
Every identity has exactly one identity type, and this is the foundation of the IGA access model.
Within the identity type, administrators configure different access levels for roles and resources (such as birthright, default granted, and default not granted), defining the initial and potential access given to an identity.
Only access defined in the identity type can be granted. Anything not explicitly set in the identity type can never be granted to an identity of that identity type. When access is defined, it is specified in one of the following categories:
- Birthright: Birthright access is granted to every identity of this identity type and can never be removed.
  - Example: An email account for employees: All identities of the employee identity type are granted an email account. They have that email account as long as they are employees.
- Assigned: Access is granted to every identity of the identity type when the identity is created or changed to that identity type. Access can be removed.
- Assignable: Access is not granted to new identities by default. Access can be added directly by administrators or managers, by policies attached to a role, or through a self-service request if the access is available in a catalog. Access can be removed.
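The three categories above, together with the rule that only access defined in the identity type can ever be granted, can be expressed as a small policy check. The following is an added example written for this page, not Delinea IGA code; the identity types, resource names and the behaviour on an identity-type change (access the new type does not define is dropped before the new defaults are applied) are assumptions chosen to illustrate the model.

```python
"""Model of the identity-type access model: birthright, assigned, assignable.

Added example (not Delinea code). Rules taken from the text:
  - only access defined in the identity type can be granted
  - birthright access is granted to every identity and cannot be removed
  - assigned access is granted on creation / type change but can be removed
  - assignable access is not granted by default but may be added later
"""
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    BIRTHRIGHT = "birthright"
    ASSIGNED = "assigned"
    ASSIGNABLE = "assignable"


# Constructed sample identity types; the type and resource names are hypothetical.
IDENTITY_TYPES = {
    "employee": {
        "Entra ID": Category.BIRTHRIGHT,
        "Email": Category.BIRTHRIGHT,
        "Slack": Category.ASSIGNED,
        "GitHub": Category.ASSIGNABLE,
    },
    "contractor": {
        "Entra ID": Category.BIRTHRIGHT,
        "GitHub": Category.ASSIGNABLE,
    },
}


class AccessError(Exception):
    """Raised when a grant or revoke would violate the identity-type policy."""


@dataclass
class Identity:
    name: str
    identity_type: str
    access: set = field(default_factory=set)


def apply_defaults(identity):
    """Grant birthright and assigned access for the identity's type.

    Runs when the identity is created or changed to this identity type."""
    definition = IDENTITY_TYPES[identity.identity_type]
    for item, category in definition.items():
        if category in (Category.BIRTHRIGHT, Category.ASSIGNED):
            identity.access.add(item)
    return identity


def grant(identity, item):
    """Direct assignment: allowed only for access the identity type defines."""
    definition = IDENTITY_TYPES[identity.identity_type]
    if item not in definition:
        raise AccessError(f"{item!r} is not defined for type {identity.identity_type!r}")
    identity.access.add(item)
    return identity


def revoke(identity, item):
    """Removal: allowed for assigned and assignable access, never for birthright."""
    definition = IDENTITY_TYPES[identity.identity_type]
    if definition.get(item) is Category.BIRTHRIGHT:
        raise AccessError(f"{item!r} is birthright for {identity.identity_type!r} and cannot be removed")
    identity.access.discard(item)
    return identity


def change_identity_type(identity, new_type):
    """Re-evaluate access after an identity-type change.

    Assumption for this example: access the new type does not define is
    dropped (it could never be granted under that type), then the new
    type's birthright and assigned defaults are applied."""
    if new_type not in IDENTITY_TYPES:
        raise AccessError(f"unknown identity type {new_type!r}")
    identity.identity_type = new_type
    defined = IDENTITY_TYPES[new_type]
    identity.access = {item for item in identity.access if item in defined}
    return apply_defaults(identity)
```

A useful property of structuring the check this way is that the policy lives in one table per identity type, so a review of "who can ever receive this resource" reduces to reading the table rather than auditing individual grants.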
Ways Access is Granted
Users can obtain access in various ways based on the business processes and security requirements of their organization.
Birthright
Birthright access is access that every identity receives based on their identity type. For example, every Delinea employee gets an Azure AD and Slack account. Those would be birthright resources for the “Employee” identity type.
Birthright access is granted when an identity is created or updated, and it is re-evaluated if the identity type is updated.
Direct Assignment
An administrator can assign access to an identity; however, only access available to the specific identity type can be assigned.
Role Access by Dynamic Collections
Dynamic collections can automatically assign roles to users. A role will be assigned to all users in the dynamic collection. Dynamic collections are evaluated:
- When a user is created
- When a user is updated
- On a schedule
- When the collection definition is updated
- When the identity type is updated
To view or manage Dynamic Collections, navigate to the Collections page and select the Dynamic Collections tab.
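The evaluation triggers listed above all reduce to the same operation: recompute the collection's membership from current user attributes and reconcile the collection's role. The following is an added example written for this page, not Delinea IGA code; the rule format (all listed attributes must match), the sample users and the assumption that a user who drops out of a collection loses the collection's role are illustrative choices.

```python
"""Dynamic collection evaluation: added example, not Delinea code.

A dynamic collection is a rule over user attributes; every member of the
collection holds the collection's role. evaluate() recomputes membership
and reconciles the role, and is what each trigger in the text calls:
user created, user updated, scheduled run, definition updated, identity
type updated.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    identity_type: str
    attributes: dict
    roles: set = field(default_factory=set)


@dataclass
class DynamicCollection:
    name: str
    role: str
    rule: dict  # attribute -> required value; every entry must match
    members: set = field(default_factory=set)


def matches(user, rule):
    """A user matches when every attribute in the rule has the required value.
    identity_type is exposed as an attribute so rules can reference it."""
    view = {"identity_type": user.identity_type, **user.attributes}
    return all(view.get(key) == value for key, value in rule.items())


def evaluate(collection, users):
    """Recompute membership and reconcile roles.

    Returns (added, removed) user names. Assumption for this example:
    a user who no longer matches loses the collection's role."""
    current = {u.name for u in users if matches(u, collection.rule)}
    added = current - collection.members
    removed = collection.members - current
    for user in users:
        if user.name in added:
            user.roles.add(collection.role)
        elif user.name in removed:
            user.roles.discard(collection.role)
    collection.members = current
    return added, removed


def on_user_changed(users, collections):
    """Trigger for 'user created', 'user updated' and 'identity type updated':
    re-evaluate every collection. Also what a scheduled run would do."""
    return {c.name: evaluate(c, users) for c in collections}


def on_definition_updated(collection, new_rule, users):
    """Trigger for 'collection definition updated'."""
    collection.rule = dict(new_rule)
    return evaluate(collection, users)


# Constructed sample data; names and departments are hypothetical.
def sample_users():
    return [
        User("alice", "employee", {"department": "Engineering"}),
        User("bob", "contractor", {"department": "Engineering"}),
        User("carol", "employee", {"department": "Sales"}),
    ]


def sample_collection():
    return DynamicCollection(
        name="engineering-staff",
        role="Engineer",
        rule={"identity_type": "employee", "department": "Engineering"},
    )
```

Returning the membership delta from evaluate() rather than only mutating state is deliberate: the delta is what an audit log or a downstream provisioning connector needs, and it makes each trigger's effect testable in isolation.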