IGA Commonly Used Terms

This feature is currently available only to customers participating in a private preview. If you'd like to participate to be among the first to try this feature, ask our support or account team for details.

This section describes some terminology specific to IGA.

Identity Governance Administration (IGA)

On the Delinea Platform, Identity Governance Administration (IGA) enables platform administrators to secure their organization by managing access to information, systems, and resources: ensuring that the correct individuals (employees, contractors, or partners) have appropriate access to the correct resources at the correct times, and properly monitoring and auditing that access. Access management is automated based on the organization’s specific setup and configuration of Identity Governance and Administration (IGA).

Identity Lifecycle Management (ILM)

The Joiner, Mover, and Leaver processes are key components of Identity Lifecycle Management, which ensures secure and appropriate access throughout an identity’s lifecycle in an organization.

Joiner

A “Joiner” refers to the phase in Identity Lifecycle Management when a new identity is created or added to a system. Depending on the organization's specific needs, this identity could represent an employee, contractor, or even equipment. At this stage, appropriate access permissions must be assigned based on the role of the identity being onboarded.

Mover

A “Mover” refers to the Identity Lifecycle Management phase when an existing identity changes, such as an employee moving to a new role or department or a contractor transitioning to a full-time employee. It is crucial during this stage to ensure that only the necessary permissions for the new role are retained, as retaining previous access in combination with new permissions can lead to security risks.

Leaver

A “Leaver” represents the final stage in Identity Lifecycle Management, where an identity is removed from the system, typically upon termination of employment or the end of a contract. The removal can be manual or pre-scheduled, particularly in cases where access is time-bound. It is important to ensure that all access permissions are revoked to prevent unauthorized access after the individual has left.

User Type

A User Type defines a large grouping of similar users. It can be viewed as a ‘big bucket’ of users with much in common, even though they don’t all have the same business role. Typical examples include staff, contractors, customers, and students.

User types could also be used to group users in particular geographies, such as US and UK staff.

User types are helpful not only for classifying users but also for provisioning access. One way is by assigning items through birthright access at the user type level.

User Type Access Model

The User Type is the basis for the Identity Access Model. Each Identity has exactly one User Type. The User Type defines the initial access given to an Identity, and the potential access that an Identity could have.

User Type: Birthright

Birthright access is granted to every Identity of this user type and can never be removed. An example might be an email account for employees. All identities of the Employee User Type are granted an email account, and they keep that email account as long as they are an employee.

User Type: Default Granted

Default Granted means that the access is granted to every Identity of the user type when the Identity is created (or changed to that user type), but the access can be removed.

User Type: Default not Granted

Default Not Granted means that the access is not granted to new identities by default, but it could be added. Default Not Granted access could be added directly by Administrators or Managers, it could be added by policies attached to a role, or it could be added through a self-service request if the access is available in a catalog.

Catalogs

Catalogs are collections of access that are made available for users to request. Each catalog is associated with a User Type. When an Identity accesses self-service, they can request any access that is available to their User Type AND that is in a catalog associated with their User Type.
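The user-type access model above (Birthright, Default Granted, Default Not Granted, catalogs) and the Joiner, Mover and Leaver phases fit together as a small state machine. The following is an added illustration written for this page; it is not Delinea's code and does not use the product's API. The `UserType`, `Identity`, `Grant` names and the sample Employee/Contractor policy are constructed for the example. The Mover step here takes the conservative interpretation of "only the necessary permissions for the new role are retained": it re-baselines the identity to the new type's initial access, so anything obtained by request under the old type must be re-requested.

```python
"""Toy model of the IGA user-type access model with joiner/mover/leaver
transitions. Added illustration, not Delinea's code; all names and the
sample policy are constructed for the example."""
from dataclasses import dataclass, field
from enum import Enum


class Grant(Enum):
    BIRTHRIGHT = "birthright"                    # always held, can never be removed
    DEFAULT_GRANTED = "default_granted"          # granted on create/type change, removable
    DEFAULT_NOT_GRANTED = "default_not_granted"  # must be added by admin, policy or request


@dataclass
class UserType:
    name: str
    access: dict[str, Grant]   # potential access: entitlement -> grant mode
    catalogs: dict[str, set[str]] = field(default_factory=dict)  # catalog -> entitlements

    def initial_access(self) -> set[str]:
        """Access every identity of this type starts with."""
        return {e for e, g in self.access.items()
                if g in (Grant.BIRTHRIGHT, Grant.DEFAULT_GRANTED)}

    def requestable(self) -> set[str]:
        """Self-service requestable: available to the type AND in one of its
        catalogs. Birthright is excluded because it is already held."""
        in_catalogs = set().union(*self.catalogs.values())
        return {e for e, g in self.access.items() if g is not Grant.BIRTHRIGHT} & in_catalogs


@dataclass
class Identity:
    identity_id: str
    user_type: UserType
    entitlements: set[str] = field(default_factory=set)
    active: bool = True


# Constructed sample policy (placeholder values, not from the product).
EMPLOYEE = UserType(
    "Employee",
    {"email": Grant.BIRTHRIGHT, "intranet": Grant.DEFAULT_GRANTED,
     "finance-app": Grant.DEFAULT_NOT_GRANTED, "vpn": Grant.DEFAULT_NOT_GRANTED},
    catalogs={"Employee Self-Service": {"vpn", "email"}},
)
CONTRACTOR = UserType(
    "Contractor",
    {"email": Grant.BIRTHRIGHT, "vpn": Grant.DEFAULT_NOT_GRANTED},
    catalogs={"Contractor Self-Service": {"vpn"}},
)


def joiner(identity_id: str, user_type: UserType) -> Identity:
    """Joiner: create the identity with the type's birthright and default-granted access."""
    return Identity(identity_id, user_type, user_type.initial_access())


def mover(identity: Identity, new_type: UserType) -> set[str]:
    """Mover: re-baseline to the new type's initial access so old and new
    permissions do not accumulate. Returns the entitlements revoked."""
    baseline = new_type.initial_access()
    revoked = identity.entitlements - baseline
    identity.entitlements = baseline
    identity.user_type = new_type
    return revoked


def leaver(identity: Identity) -> set[str]:
    """Leaver: revoke everything, birthright included, and deactivate."""
    revoked = set(identity.entitlements)
    identity.entitlements = set()
    identity.active = False
    return revoked


def remove_access(identity: Identity, entitlement: str) -> bool:
    """Administrator removal; refused for birthright access."""
    if identity.user_type.access.get(entitlement) is Grant.BIRTHRIGHT:
        return False
    identity.entitlements.discard(entitlement)
    return True


def self_service_request(identity: Identity, entitlement: str) -> bool:
    """Self-service: only catalog-backed access of the identity's own user type."""
    if not identity.active or entitlement not in identity.user_type.requestable():
        return False
    identity.entitlements.add(entitlement)
    return True


if __name__ == "__main__":
    alice = joiner("alice", EMPLOYEE)
    self_service_request(alice, "vpn")
    print("after join + request:", sorted(alice.entitlements))
    print("mover revoked:", sorted(mover(alice, CONTRACTOR)))
    print("leaver revoked:", sorted(leaver(alice)))
```

Note that `finance-app` is Default Not Granted but absent from every Employee catalog, so self-service refuses it; it can only arrive through an administrator, a manager, or a role policy, which is exactly the distinction the definitions above draw.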

Identity

An Identity is created when a new person is entered into the relevant HR system, and that information triggers birthright access to an Identity Access Management system (such as Okta or Entra ID).

Resource

A Resource is an item a user can be granted access to within an organization. This could be a physical asset, such as a key card, or an application, such as Ping Directory, Okta, Entra ID, and so forth.

Entitlements

Entitlements are access within a Resource. Entitlements are the application roles (security roles, responsibilities, security groups, permission sets, etc.) within a Resource.

Role

A Role is a collection of resources and entitlements and can be assigned as a group. Roles are organized around the access required for a specific purpose, such as a job role with the access needed to perform a specific job function.

Collections

Collections are groupings of items of the same type that can be used throughout the application. In addition, Ownership Collections define who owns which items for use with certification and approvals. A collection can support the following types of items: Role, Resource, Entitlement, Company, Identity. Each collection type EXCEPT Identity can have owner(s) assigned to each collection item. The owner can be defined as an identity or a collection of identities.

Dynamic Collections

Roles can be automatically assigned to users by Dynamic Collections. The role will be assigned to any user in the dynamic collection. Dynamic collections are evaluated:

  • When a user is created

  • When a user is updated

  • On a schedule

  • When the collection definition is updated

  • When a user type is updated
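The evaluation triggers listed above are easiest to see as events that all funnel into one reconciliation step. The code below is an added illustration for this page, not Delinea's code: `DynamicCollection`, `Directory`, the membership rule and the sample users are constructed. It assumes (the page does not say) that a user who stops matching the rule also loses the collection's role on the next evaluation.

```python
"""Toy model of dynamic collections that grant a role to every matching user
and re-evaluate on each triggering event. Added illustration, not Delinea's
code; the rule, role and sample users are constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class User:
    user_id: str
    user_type: str
    attributes: dict[str, str]
    roles: set[str] = field(default_factory=set)


@dataclass
class DynamicCollection:
    name: str
    role: str                          # role granted to every member
    rule: Callable[[User], bool]       # membership predicate over the user

    def evaluate(self, users: list[User]) -> dict[str, set[str]]:
        """Recompute membership and reconcile the role: grant to users who now
        match, revoke from users who no longer do. Returns what changed."""
        changes = {"granted": set(), "revoked": set()}
        for u in users:
            member = self.rule(u)
            if member and self.role not in u.roles:
                u.roles.add(self.role)
                changes["granted"].add(u.user_id)
            elif not member and self.role in u.roles:
                u.roles.discard(self.role)
                changes["revoked"].add(u.user_id)
        return changes


class Directory:
    """Holds users and re-evaluates every dynamic collection on each event
    named in the list above (create, update, type change, definition change,
    scheduled run)."""

    def __init__(self, collections: list[DynamicCollection]):
        self.users: dict[str, User] = {}
        self.collections = {c.name: c for c in collections}

    def _reevaluate(self) -> dict[str, set[str]]:
        merged = {"granted": set(), "revoked": set()}
        for c in self.collections.values():
            for k, ids in c.evaluate(list(self.users.values())).items():
                merged[k] |= ids
        return merged

    def create_user(self, user: User) -> dict[str, set[str]]:
        self.users[user.user_id] = user
        return self._reevaluate()

    def update_user(self, user_id: str, **attrs: str) -> dict[str, set[str]]:
        self.users[user_id].attributes.update(attrs)
        return self._reevaluate()

    def change_user_type(self, user_id: str, user_type: str) -> dict[str, set[str]]:
        self.users[user_id].user_type = user_type
        return self._reevaluate()

    def update_collection(self, name: str, rule: Callable[[User], bool]) -> dict[str, set[str]]:
        self.collections[name].rule = rule
        return self._reevaluate()

    def scheduled_run(self) -> dict[str, set[str]]:
        return self._reevaluate()


def uk_finance_staff(u: User) -> bool:
    """Constructed rule: staff in the UK Finance department."""
    return (u.user_type == "staff"
            and u.attributes.get("country") == "UK"
            and u.attributes.get("dept") == "Finance")


if __name__ == "__main__":
    d = Directory([DynamicCollection("UK Finance staff", "finance-reader", uk_finance_staff)])
    print(d.create_user(User("alice", "staff", {"country": "UK", "dept": "Finance"})))
    print(d.update_user("alice", dept="HR"))
```

Returning the granted/revoked sets from each event is the piece a defender cares about: it is the audit record showing which trigger changed a user's roles, which is what a certification campaign later needs to review.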

Tasks

Tasks are the discrete units of work that are assembled together to compose a workflow. There are two basic task types:

User Tasks

Accomplished by human users. User tasks require one or more assignees, and when a workflow reaches such a task, the assignee(s) are notified. In some cases, a task may be delegated by an assignee to one or more delegates who will complete the task instead.

System Tasks

Automatically accomplished by system processes.

Fields

An identity is based on a default set of fields. Customers often need to configure how identity information is managed, and track additional information about the identities they manage. All standard fields are configurable, and custom fields allow customers to extend the definition of an Identity and store what information is essential based on their business needs.

Fields provide metadata about individual data fields on business objects such as identities, resources, roles, and entitlements. The metadata will describe the contents and validation of the field. When a field is associated with an object type, data can be set in that field for specific instances of that object type. Fields are used to describe intrinsic, or built-in, elements of an object as well as custom extensions to that object.

Data Types

A field has a data type which defines what kind of information is stored.

Forms and Views

Forms and views are used to update and display data in Delinea IGA. Since customers can configure and add fields to identities, there must be a way to display and edit those custom fields. Form customization allows customers to create forms that capture the data needed to manage their identities. Forms are available for:

  • Identity Creation: These forms will be used by administrators and/or managers to create identities in the system.

  • Identity Update: These forms will be used by administrators and/or managers to update existing identities in the system.

  • Identity Displays: These views will be used by administrators and/or managers to view existing identities in the system.

  • Identity Flyouts: These views will be used by administrators and/or managers to get a quick view of additional information for existing identities on the Identities Inventory page.

System for Cross-Domain Identity Management (SCIM)

SCIM is an open standard that automates the exchange of user identity information between systems. It is used to manage user accounts and access to cloud-based applications.

Role-Based Access Control (RBAC)

Role-Based Access Control is the process of mapping access permissions to organizational roles, essentially to define what an individual is allowed to have access to if they have a particular role or roles within the organization. RBAC is important when designing an IGA implementation, as it enables you to make sense of all the varied access requirements across the organization and prevent access from being a ‘free for all’.