Terminology

This page provides definitions of terminology used in the Identity and Access Management (IAM) space. For a deeper review of IAM concepts, visit our Concepts page.


A

Acceptable Use Policy (AUP)

A document outlining rules users must follow when using computing resources. It defines acceptable and unacceptable actions.

Account

A representation of a user within a specific system.

Active Directory (AD)

A directory service from Microsoft that implements standard directory and naming protocols. UT Austin’s implementation is known as Austin Active Directory (Austin AD).

Affiliate Class

An EID class for individuals with a significant relationship to the University, such as donors, library patrons, and former faculty, staff, or students.

Affiliation

An attribute reflecting an individual’s relationship to the University. Examples include current student, future faculty member, or former employee.

Affiliation Sponsor

A University department authorized to add or remove affiliations for an EID.

Aggregation

The consolidation of related information into a single dataset.

Attribute

A quality or characteristic ascribed to someone or something. For more details, see our Concepts page.

Attribute-Based Access Control (ABAC)

A system that manages access to resources based on user attributes. ABAC dynamically evaluates access using an algorithm that considers attributes like user profile details, time, and location.

Austin Active Directory (Austin AD)

The University’s local implementation of Active Directory, supported by Enterprise Technology.

Authentication

The process of verifying that a person is who they claim to be. For more details, see our Concepts page.

Authorization

The process of determining whether an authenticated user is allowed to access a resource or perform an action. For more details, see our Concepts page.

Availability

The assurance that IT infrastructure is protected from system failures, natural disasters, or malicious attacks to maintain continuous operation.


B

Business Continuity (BC)

The ability of an organization to continue delivering services at acceptable levels following a disruption.

Business EID

An EID that represents a business entity. These EIDs cannot be used to log in and always start with the number ‘2’.


D

Data Integrity

The assurance that data has not been altered by unauthorized entities.

Department EID

An EID that represents a department in the Department System. These EIDs cannot be used to log in and start with the number ‘3’.

Deprovisioning

The process of removing a user’s access to systems while retaining their previous contributions.

Digital Identity

A digital representation of an entity’s characteristics, behaviors, and attributes.

Disaster Recovery (DR)

Policies and procedures to restore technology infrastructure and systems following a disaster.

Duo

The third-party vendor supporting the University’s Multi-Factor Authentication (MFA) implementation.


E

eduPerson

An LDAP schema designed for higher education, providing common attributes and definitions.

EID System

The University’s identity and access management system from 1996-2006, replaced by the uTexas Identity Manager (TIM).

EID Type

A categorization of EIDs based on the entity they represent (e.g., person, business, department, service, group).

Enterprise Authentication

A consolidated, standards-based web authentication service enabling Single Sign-On (SSO) across University applications.

Entitlement

An attribute defining what an account is authorized to do, often with a start and end date.

eduPersonPrincipalName (ePPN)

An identifier in the format <eid>@utexas.edu based on the eduPerson LDAP schema.


F

Family Educational Rights and Privacy Act of 1974 (FERPA)

A federal law governing access to and release of educational records.

Federated Identity

A system of trust between two parties for authenticating users and authorizing access to resources.

Federation

A process that allows the conveyance of identity and authentication information across a set of networked systems.

Fiscal Year (FY)

The University’s fiscal year runs from September 1 through August 31 of the following year.

Q1: September – November
Q2: December – February
Q3: March – May
Q4: June – August

Fit-Gap

An analysis identifying areas where a solution meets or fails to meet established requirements.


G

Guest Authentication

Enables individuals not closely tied to the University to authenticate using external identities (e.g., Google, Microsoft).

Group EID

An EID representing a group of individuals. These EIDs cannot be used to log in and start with the number ‘5’.

Grouper

An enterprise group and access management system from the InCommon Trusted Access Platform.

Guest Class

An EID class representing people with a very loose connection to the University, such as prospective students. This category also includes those with no affiliation.


I

ID-only EID

An EID serving as an identification tag for records. These EIDs cannot be used to log in and start with the number ‘0’.

Identifier

A unique label for an identity, typically used across systems. For more details, see our Concepts page.

Identity

The collection of accounts and identifiers associated with a person or entity. For more details, see our Concepts page.

Identity and Access Management (IAM)

A set of policies, processes, and technologies ensuring the right individuals have the right access to resources.

Identity Governance & Administration (IGA)

Processes and technologies for managing user identities, roles, and permissions to ensure compliance and reduce security risks.

Identity Life Cycle

The stages of an identity, from creation to deactivation. For more details, see our Concepts page.

Identity Provider (IdP)

In an authentication relationship, the IdP provides the identity, while the Service Provider (SP) provides the service.

IdentityIQ (IIQ)

A group- and role-based authorization management service offered by SailPoint.

Incident

An unplanned interruption to a service or reduction in the quality of a service.

InCommon Federation

A federation of educational institutions, research organizations, and commercial resource providers which allows single sign-on across federation members to support collaboration and access to shared tools. Enterprise Authentication is a member of the InCommon federation.

Information Resources Use and Security Policy (IRUSP)

The University’s implementation of UTS 165 Information Resources Use and Security Policy is the UT Information Resources Use and Security Policy (UT-IRUSP).

Information Security Office (ISO)

The University’s information security team.

Institutional Identifier (IID)

An identifier in the format <eid>@eid.utexas.edu, designed for cloud-based services.


K

Key Performance Indicator (KPI)

A key performance indicator (KPI) is a high-level measure of system output, traffic or other usage, simplified for gathering and review on a weekly, monthly or quarterly basis. Typical examples are bandwidth availability, transactions per second and calls per user. KPIs are often combined with cost measures (e.g., cost per transaction or cost per user) to build key system operating metrics.


L

LEARN Federation

The University’s authentication offerings are part of the Lonestar Education And Research Network (LEARN) federation, which allows the University to collaborate with other members of the federation.

Least Privilege

A policy of granting users or applications only the permissions necessary to perform their official duties. Limiting their amount of access decreases the chances of unauthorized activity and security breaches.

Lifecycle Management (LCM)

This term recognizes that many entities represented in a software system will be at a certain stage in a lifecycle, and their access needs to be managed accordingly. For instance, an employee may start off as a “candidate,” then become a “full employee” with one or more positions over their tenure, and ultimately cease to be an employee and be deprovisioned entirely.

Lifecycle management can also apply to other things. For instance, devices may be purchased, provisioned for a particular user, reprovisioned for a different user, and ultimately deprovisioned and sold or discarded.

Lightweight Directory Access Protocol (LDAP)

The Lightweight Directory Access Protocol (LDAP) is a set of protocols for accessing information directories based on the standards contained within the X.500 standard, but is significantly simpler.


M

Maintenance Window

A scheduled period, preferably recurring, in which changes can be implemented.

Member Class

An EID class representing active members of the University community, such as current students, faculty, staff, and official visitors.

Memorized Secret

A type of authenticator comprised of a character string intended to be memorized or memorable by the subscriber, permitting the subscriber to demonstrate something they know as part of an authentication process.

Metadata

Data describing other data. In the context of authentication, metadata defines how an IdP and SP communicate.

Metric

A measurement or calculation that is monitored or reported for management and improvement.

midPoint

midPoint, powered by Evolveum, is a general-purpose identity management and governance system used by the InCommon Trusted Access Platform for its ability to synchronize and reconcile among multiple systems of record and sources of identity, as well as to provision and de-provision user accounts and groups into services.

Multi-Factor Authentication (MFA)

Authentication using two or more factors, such as something you know (password), something you have (smartphone), or something you are (fingerprint).


O

One Time Password (OTP)

A password that is valid for only one login session or transaction, on a computer system or other digital device.

OpenID Connect (OIDC)

An authentication layer built on OAuth 2.0 where the identity provider that runs the authorization server also holds the protected resource that the third-party application aims to access.

OpenLDAP

OpenLDAP is a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License.

Organizational Hierarchy System (OHS) Contacts

Also known as OHS Contacts or OHSC, OHS Contacts is a tool used by departments to identify individuals who are authorized to perform specific roles for the department.


P

Passphrase

A passphrase is a memorized secret consisting of a sequence of words or other text that a claimant uses to authenticate their identity. A passphrase is similar to a password in usage, but is generally longer for added security.

Password

A string of characters used to verify or “authenticate” a person’s identity. Passphrases and personal identification numbers (PINs) serve the same purpose as a password.

Password Strength

Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

Person EID

An EID that refers to records representing a person. Person EIDs can be used to log on. They are formed using the initials of the individual and a sequence number. (UT EIDs issued prior to 2002 were not required to follow this format rule.)

Personally Identifiable Information (PII)

Information that alone or in conjunction with other information identifies an individual. PII includes, but is not limited to: an individual’s name; a Social Security number; a date of birth; a government-issued identification number; a mother’s maiden name; unique biometric data (including an individual’s fingerprint, voice print, and retina or iris image); a unique electronic identification number, address, or routing code; or a telecommunication access device.

Population

A subset of an affiliation, defined by the affiliation sponsor, used to determine EID contacts.

Privileged Access Management (PAM)

An information security mechanism that safeguards identities with special access or capabilities beyond regular users.

Proof of Concept (POC)

The implementation of a functional prototype for the purposes of validating that a technology or approach is possible.

Provisioning

Any kind of change (e.g. Create, Update, Disable, Enable, Delete) to a user account on a connected system. Provisioning can be performed either manually or automatically. The word “deprovisioning” is often used to describe access revocation processes. This term is technically inaccurate. In fact, access revocation is simply another form of provisioning that encapsulates the disabling or deletion of a user account.


Q

Quality Assurance (QA)

Part of quality management focused on providing confidence that quality requirements will be fulfilled.


R

RabbitMQ

The Message Broker service offered by Enterprise Technology.

Restriction

Restrictions apply to information about an identity and limit who may view this information. The restriction may apply to the identity record as a whole or just particular attributes of the identity. One identity may have many restrictions, and each of these has a start and end date (the end date may be in perpetuity).

Risk

A function of the likelihood that a threat will exploit a vulnerability and the resulting impact to University missions, functions, image, reputation, assets, or constituencies if such an exploit were to occur.


S

SailPoint

The third-party vendor which supports IdentityIQ (IIQ).

Schema

Description of a structure of information, such as description of data types, attribute names and types, attribute structure and multiplicity, often supplemented by additional information such as documentation and presentation metadata.

In information systems designed to process identity information, the schema usually refers to the structure of digital identity data: the names of identity attributes, their types, multiplicity, optionality, and similar properties.

Security Assertion Markup Language (SAML)

An XML-based standard for exchanging authentication and authorization data between IdPs and SPs.

Service EID

An EID representing a service. These EIDs can be used to log in and start with the number ‘4’.

Service Provider (SP)

In an authentication relationship, the SP provides the service, while the IdP provides the identity.

Shibboleth

A component of the InCommon Trusted Access Platform which provides a single sign-on (SSO) federated identity solution. The Shibboleth software powers the SAML-based authentications at The University performed via the Enterprise Authentication service.

Single Sign-On (SSO)

A service enabling users to access multiple applications with one set of credentials.

System of Record (SOR)

The authoritative source for identity attributes and values.

T

Technical Support Contact (TSC)

A designated technical support individual for a specific college, school, or unit.

TED on the Mainframe (TOM)

A subset of the uTexas Enterprise Directory (TED) hosted on the UT Mainframe. It provides high-performance access to identity data for mainframe applications.

Trusted Access Platform (TAP)

The InCommon Trusted Access Platform is an identity and access management suite of software.

U

Uniform Resource Identifier (URI)

A sequence of characters identifying an abstract or physical resource on the Internet.

Uniform Resource Locator (URL)

A reference to a web resource specifying its location and a mechanism for retrieving it. For example: http://www.example.com/index.html.

University of Texas Electronic Identity (UT EID or EID)

The official public records identifier for individuals at The University of Texas at Austin. For more information, see the Identity Management knowledge articles.

Upgraded EID

A UT EID that has been identity-proofed and whose holder has signed the EID agreement.

User Experience (UX)

A design concept focused on understanding and improving how users interact with systems or applications.

User Interface (UI)

The physical or software-based interface through which users interact with a technology system.

uTexas Enterprise Directory (TED)

The University’s centralized directory service for identity data. For more information, see Directory Services.

uTexas Identity Manager (TIM)

The University’s identity management system. For more information, see Identity Management.


Y

YubiKey

A hardware authentication device manufactured by Yubico. It supports one-time passwords (OTP), public-key cryptography, and FIDO2 protocols. YubiKeys are used for secure logins to computers, networks, and online services.


© The University of Texas at Austin 2026