This page provides definitions of terminology used in the IAMIAM Identity and Access Management (IAM) is a set of policies, processes, and technologies designed to ensure that the right individuals (identities) have the right access to resources within an organization. IAM involves managing and securing digital identities, controlling access to systems and data, and maintaining the confidentiality, integrity, and availability of information. space. For a deeper review of IAM concepts, try our Concepts page.
A
Acceptable Use Policy (AUPAUP An Acceptable Use Policy (AUP) is a document that outlines a set of rules to be followed by users or customers of a set of computing resources. An AUP clearly states what the user is and is not allowed to do with these resources.)
A document that outlines a set of rules to be followed by users or customers of a set of computing resources. An AUP clearly states what the user is and is not allowed to do with these resources.
Account
An account is the representation of a user within a particular system.
Active Directory (ADAD Active Directory (AD) is a directory service from Microsoft which implements Internet standard directory and naming protocols. See Austin Active Directory (Austin AD) in the service catalog for the University’s local implementation.)
A directory service from Microsoft which implements Internet standard directory and naming protocols. See Austin Active Directory (Austin AD) in the service catalog for the University’s local implementation.
Affiliate Class
An EIDUT EID The University of Texas Electronic Identity (UT EID or EID) is the public records identifier for principals at the university. See our Concepts page for more information. class representing people with a significant relationship with the University, such as donors, library patrons, and former faculty, staff, and students.
AffiliationAffiliation An affiliation is an attribute which reflects, at a high level, how an individual is related to the university. At any point in time, an individual may have no defined relationship, one defined relationship, or many defined relationships with the university. For example, and individual may be a current student, a future faculty member, a former employee, or all three.
An affiliation is an attribute which reflects, at a high level, how an individual is related to the University. At any point in time, an individual may have no defined relationship, one defined relationship, or many defined relationships with the University. For example, and individual may be a current student, a future faculty member, a former employee, or all three.
Affiliation Sponsor
University department that can add or remove an affiliation for an EID.
Aggregation
The consolidation of similar or related information.
Attribute
An attribute is a quality or characteristic ascribed to someone or something. See our Concepts page for an in-depth discussion.
Attribute-Based Access Control (ABACABAC Attribute-Based Access Control (ABAC) is a mechanism for managing of user access to information systems based on values of user attributes. Attribute-Based Access Control (ABAC) evaluates the access dynamically, using an algorithm that takes “attributes” as an input, and outputs access decision (allow/deny). The attributes are usually user attributes from the user profile, supplemented with context attributes, such as time of access and user’s current location.)
A mechanism for managing of user access to information systems based on values of user attributes. Attribute-Based Access Control (ABAC) evaluates the access dynamically, using an algorithm that takes “attributes” as an input, and outputs access decision (allow/deny). The attributes are usually user attributes from the user profile, supplemented with context attributes, such as time of access and user’s current location.
Austin Active Directory (Austin AD)
The Active Directory service offered and supported by Enterprise Technology for the university. See Austin Active Directory (Austin AD) in the service catalog for more information.
AuthenticationAuthentication Authentication is the act of determining that a person is who they claim to be. For more information, see our Concepts page.
Authentication is the act of determining that a person is who they claim to be. See our Concepts page for an in-depth discussion.
AuthorizationAuthorization Authorization refers to the act of determining whether an authenticated user is allowed to access a specific resource or take a specific action. For more information, see our Concepts page.
Authorization refers to the act of determining whether an authenticated user is allowed to access a specific resource or take a specific action. See our Concepts page for an in-depth discussion.
Availability
Availability is the assurance that an enterprise’s IT infrastructure has suitable recoverability and protection from system failures, natural disasters or malicious attacks.
B
Business Continuity (BCBC Business Continuity (BC) is the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.)
The capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
Business EID
An EID that describes a business entity. This kind of EID cannot be used to log in. Business UT EIDsUT EID The University of Texas Electronic Identity (UT EID or EID) is the public records identifier for principals at the university. See our Concepts page for more information. always begin with the number ‘2’, followed by a random sequence of numbers and letters.
D
Data Integrity
The property that data has not been altered by an unauthorized entity.
Department EID
An EID that describes a department in the Department System . This kind of EID cannot be used to log in. Department UT EIDs always begin with the number ‘3’, followed by the one-byte institution code and the department code from the Department System.
Deprovisioning
The process of removing access for a particular user from software systems. For example, when an employee leaves the organization, their user profile must be deprovisioned.
Deprovisioning is generally more complicated than simply deleting the account, because it’s often desirable to retain and accurately attribute the user’s previous contributions, so the account must remain in some type of disabled state.
Digital Identity
Digital representation of identity: set of characteristics, qualities, believes and behaviors of en entity, usually represented as a set of attributes.
Disaster Recovery (DRDR Disaster Recovery (DR) is a set of policies and procedures to enable the recovery of continuation of vital technology infrastructure and systems following a natural or human-induced disaster.)
A set of policies and procedures to enable the recovery of continuation of vital technology infrastructure and systems following a natural or human-induced disaster.
Duo
The third-party vendor which supports the University’s implementation of Multi-Factor Authentication (MFAMFA Authentication makes use of one or more factors of authentication: something you know (e.g., a password), something you have (e.g., your smartphone), or something you are (e.g., a fingerprint). Multi-Factor Authentication (MFA) makes use of two or more factors when authenticating you. For more information, see our Concepts page.). Duo Security was acquired by Cisco in 2018.
E
eduPerson
eduPerson is a Lightweight Directory Access Protocol (LDAPLDAP Lightweight Directory Access Protocol (LDAP) is a set of protocols for accessing information directories based on the standards contained within the X.500 standard, but is significantly simpler.) schema designed to include widely-used person and organizational attributes in higher education. The eduPerson object class provides a common list of attributes and definitions, drawing on the existing standards in higher education.
EID System
The EID System (1996-2006) was an identity and access management system written in Natural with an Adabas back end.
It was superseded in 2006 by the uTexas Identity Manager (TIMTIM The uTexas Identity Manager (TIM) is the University’s identity manager. See uTexas Identity Manager (TIM) in the service catalog for more information.), which itself is often mistakenly referred to as the “EID System.”
EID Type
A categorization of EIDs defined by what kind of entity they represent. Each EID type has specific business rules and properties. There are seven EID types: person, business, department, id-only, service, group and resource.
Enterprise Authentication
A standards-based, consolidated web authentication service for The University, allowing for single sign-on (SSOSSO Single Sign-On (SSO) is a service which allows a user to use one set of credentials to access multiple applications.) across participating University web applications.
EntitlementEntitlement An entitlement is an attribute which defines what an account is allowed or authorized to do. An EID holder may have many entitlements, each with a start and end date (end dates may be in perpetuity).
An attribute which defines what an account is allowed or authorized to do. An EID holder may have many entitlements, each with a start and end date (end dates may be in perpetuity).
F
Family Educational Rights and Privacy Act of 1974 (FERPAFERPA The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law which pertains to the release of and access to educational records.)
The Family Educational Rights and Privacy Act of 1974 (FERPA), codified as 20 U.S.C. § 1232g , is a federal law that pertains to the release of and access to educational records. The law, also known as the Buckley Amendment, applies to all schools that receive funds under an applicable program of the US Department of Education.
Federated Identity
Federation is a system of trust between two parties for the purpose of authenticating users and conveying information needed to authorize their access to resources. In this system, an identity provider (IdPIdP An Identity Provider (IdP) is a software tool or service that offers user authentication as a service. The IdP manages the user's primary authentication credentials and issues assertions derived from those credentials. At UT Austin, the primary IdP used to authenticate the UT EID and EID Password is Enterprise Authentication, which is managed by the IAM Team. For more information, see our Concepts page.) is responsible for user authentication, and a service provider (SPSP A Service Provider (SP) is the server/system which hosts the resource. In this context, you (or your vendor) are configuring the SP that provides a service to your customers. Your SP will integrate with our IdP. For more information, see our Concepts page.), such as a service or an application, controls access to resources.
Federation
A process that allows the conveyance of identity and authentication information across a set of networked systems.
Fiscal Year (FYFY The Fiscal Year (FY) at the University runs from September 1 through August 31 of the following calendar year.)
The fiscal year at The University runs from September 1 through August 31 of the following calendar year. Broken down into quarters:
Q1: September – November
Q2: December – February
Q3: March – May
Q4: June – August
See The University of Texas at Austin Fiscal Year article in the askUS Knowledge Base for more information.
Fit-Gap
An analysis which determines the extent to which a solution meets the established needs and requirements and identifies areas where those requirements are not met.
G
Guest Authentication
A future offering which will allow individuals not closely tied to The University (e.g., admissions applicants, job applicants, alumni) to authenticate using an identity (e.g. Google, Microsoft) other than their UT EIDUT EID The University of Texas Electronic Identity (UT EID or EID) is the public records identifier for principals at the university. See our Concepts page for more information..
Group EID
An EID that describes a group of EIDs, used internally within the EID System. This type of EID cannot be used to log in. Group UT EIDs always begin with the number ‘5’, followed by a random sequence of letters and numbers.
Grouper
A component of the InCommon Trusted Access Platform, Grouper acts as an enterprise group and access management system.
Guest Class
An EID class representing people with a very loose connection to the University, such as prospective students. This category also includes those with no affiliation.
I
ID-only EID
An EID that serves as an identification “tag” for a record. This type of EID cannot be used to log in. ID-only EIDs always begin with the number ‘0’, followed by a random sequence of letters and numbers.
Identifier
An identifier is a special type of attribute consisting of a (generally) unique label for an identity. See our Concepts page for an in-depth discussion.
Identity
An identity is the collection of accounts and identifiers associated with a particular person (or sometimes a non-person entity). See our Concepts page for an in-depth discussion.
Identity and Access Management (IAM)
Identity and Access Management is a set of policies, processes, and technologies designed to ensure that the right individuals (identities) have the right access to resources within an organization. IAM involves managing and securing digital identities, controlling access to systems and data, and maintaining the confidentiality, integrity, and availability of information.
Identity Governance & Administration (IGAIGA Identity Governance and Administration (IGA) refers to a set of processes and technologies used by organizations to manage and control user access to resources and information within their systems.)
Identity Governance and Administration (IGA) refers to a set of processes and technologies used by organizations to manage and control user access to resources and information within their systems. This includes managing user identities, roles, and permissions, as well as monitoring and auditing user activities to ensure compliance with regulations and policies. IGA helps organizations reduce security risks, improve regulatory compliance, and streamline user access management across different systems and applications.
Identity Life Cycle
Set of identity stages from creation to its deactivation or deletion. It contains creation of an account, assignment of correct groups and permissions, setting and resetting passwords and in the end deactivation or deletion of the account. See our Concepts page for an in-depth discussion.
Identity Provider (IdP)
In an authentication relationship, the Identity Provider (IdP) provides the identity and the Service Provider (SP) provides the service. See our Concepts page for an in-depth discussion.
IdentityIQ (IIQIIQ SailPoint IdentityIQ (IIQ) is a group- and role-based authorization management service. See Identity Lifecycle Management for more information.)
A group- and role-based authorization management service offered by SailPoint.
Incident
An unplanned interruption to a service or reduction in the quality of a service.
InCommon Federation
A federation of educational institutions, research organizations, and commercial resource providers which allows single sign-on across federation members to support collaboration and access to shared tools. Enterprise Authentication is a member of the InCommon federation.
Information Resources Use and Security Policy (IRUSPIRUSP The University’s implementation of UTS 165 Information Resources Use and Security Policy is the UT Information Resources Use and Security Policy (UT-IRSUP).)
The University’s implementation of UTS 165 Information Resources Use and Security Policy is the UT Information Resources Use and Security Policy (UT-IRSUP).
Information Security Office (ISOISO The Information Security Office (ISO) is the University’s information security team.)
The University’s information security team .
Institutional Identifier (IIDIID The Institutional Identifier (IID) (format: <eid>@eid.utexas.edu) is designed for use with cloud-based services whose usernames are e-mail addresses. When used as an email address, will forward to the user’s email address on record. Guest-class EIDs do NOT have IIDs unless they have been granted a special entitlement.)
The Institutional Identifier (IID) (format: <eid>@eid.utexas.edu) is designed for use with cloud-based services whose usernames are e-mail addresses. When used as an email address, will forward to the user’s email address on record. Guest-class EIDs do NOT have IIDs unless they have been granted a special entitlement.
K
Key Performance Indicator (KPI)
A key performance indicator (KPI) is a high-level measure of system output, traffic or other usage, simplified for gathering and review on a weekly, monthly or quarterly basis. Typical examples are bandwidth availability, transactions per second and calls per user. KPIs are often combined with cost measures (e.g., cost per transaction or cost per user) to build key system operating metrics.
L
LEARN Federation
The University’s authentication offerings are part of the Lonestar Education And Research Network (LEARN) federation which allows The University to collaborate with other members of the federation.
Least Privilege
A policy of granting users or applications only the permissions necessary to perform their official duties. Limiting their amount of access decreases the chances of unauthorized activity and security breaches.
Lifecycle Management (LCM)
This term recognizes that many entities represented in a software system will be at a certain stage in a lifecycle, and their access needs to be managed accordingly. For instance, an employee may start off as a “candidate,” then become a “full employee” with one or more positions over their tenure, and ultimately cease to be an employee and be deprovisioned entirely.
Lifecycle management can also apply to other things. For instance, devices may be purchased, provisioned for a particular user, reprovisioned for a different user, and ultimately deprovisioned and sold or discarded.
Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol (LDAP) is a set of protocols for accessing information directories based on the standards contained within the X.500 standard, but is significantly simpler.
M
Maintenance Window
A scheduled period, preferably recurring, in which changes can be implemented.
Member Class
An EID class representing active members of the University community, such as current students, faculty, staff, and official visitors.
Memorized Secret
A type of authenticator comprised of a character string intended to be memorized or memorable by the subscriber, permitting the subscriber to demonstrate something they know as part of an authentication process.
Metadata
Metadata is a set of data that describes and gives information about other data. See our Concepts page for an in-depth discussion.
Metric
A measurement or calculation that is monitored or reported for management and improvement.
midPoint
midPoint, powered by Evolveum, is a general-purpose identity management and governance system used by the InCommon Trusted Access Platform for its ability to synchronize and reconcile among multiple systems of record and sources of identity, as well as to provision and de-provision user accounts and groups into services.
Multi-Factor Authentication (MFA)
Authentication makes use of one or more factors of authentication: something you know (e.g., a password), something you have (e.g., your smartphone), or something you are (e.g., a fingerprint). Multi-factor authentication makes use of two or more factors when authenticating you. See our Concepts page for an in-depth discussion.
O
One Time Password (OTP)
A password that is valid for only one login session or transaction, on a computer system or other digital device.
OpenID Connect (OIDCOIDC OpenID Connect 1.0 (OIDC) is an authentication layer built on OAuth 2.0 where the identity provider that runs the authorization server also holds the protected resource that the third-party application aims to access.)
An authentication layer built on OAuth 2.0 where the identity provider that runs the authorization server also holds the protected resource that the third-party application aims to access.
OpenLDAP
OpenLDAP is a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License.
Organizational Hierarchy System (OHSOHS The Organizational Hierarchy System (OHS) refers to the Department System by an anachronistic name.) Contacts
Also known as OHS Contacts or OHSC, OHS Contacts is a tool used by departments to identify individuals who are authorized to perform specific roles for the department.
P
Passphrase
A passphrase is a memorized secret consisting of a sequence of words or other text that a claimant uses to authenticate their identity. A passphrase is similar to a password in usage, but is generally longer for added security.
Password
A string of characters used to verify or “authenticate” a person’s identity. Passphrases and personal identification numbers (PIN) serve the same purpose as a Password.
Password Strength
Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.
Person EID
An EID that refers to records representing a person. Person EIDs can be used to log on. They are formed using the initials of the individual and a sequence number. (UT EIDs issued prior to 2002 were not required to follow this format rule.)
Personally Identifiable Information (PII)
Information that alone or in conjunction with other information identifies an individual. PII includes, but is not limited to: an individual’s name; a Social Security number; a date of birth; a government-issued identification number; a mother’s maiden name; unique biometric data (including an individual’s fingerprint, voice print, and retina or iris image); a unique electronic identification number, address, or routing code; or a telecommunication access device.
Population
A subset of an affiliation, defined by the affiliation sponsor, used to determine EID contacts.
Privileged Access Management (PAMPAM Privileged Access Management (PAM) identifies the users and technologies that need privileged access and assigns specific policies to them.)
An information security mechanism that safeguards identities with special access or capabilities beyond regular users.
Proof of Concept (POCPOC A Proof of Concept (POC) is the implementation of a functional prototype for the purposes of validating that a technology or approach is possible.)
The implementation of a functional prototype for the purposes of validating that a technology or approach is possible.
Provisioning
Any kind of change (e.g. Create, Update, Disable, Enable, Delete) to a user account on a connected system. Provisioning can be performed either manually or automatically. The word “deprovisioning” is often used to describe access revocation processes. This term is technically inaccurate. In fact, access revocation is simply another form of provisioning that encapsulates the disabling or deletion of a user account.
Q
Quality Assurance (QA)
Part of quality management focused on providing confidence that quality requirements will be fulfilled.
R
RabbitMQ
The Message Broker service offered by Enterprise Technology.
Restriction
Restrictions apply to information about an identity and limit who may view this information. The restriction may apply to the identity record as a whole or just particular attributes of the identity. One identity may have many restrictions, and each of these has a start and end date (the end date may be in perpetuity).
Risk
A function of the likelihood that a threat will exploit a vulnerability and the resulting impact to University missions, functions, image, reputation, assets, or constituencies if such an exploit were to occur.
S
SailPoint
The third-party vendor which supports IdentityIQ (IIQ).
Schema
Description of a structure of information, such as description of data types, attribute names and types, attribute structure and multiplicity, often supplemented by additional information such as documentation and presentation metadata.
In information systems designed to process identity information, the schema usually refers to structure of digital identity data, names of identity attributes, their types, multiplicity, optionality and similar properties.
Security Assertion Markup Language (SAMLSAML Security Assertion Markup Language (SAML) is a standard, XML-based language for exchanging authentication and authorization data between identity providers and service providers. This standard is currently used by Enterprise Authentication (as well as hundreds of service providers that integrate with our identity provider).)
A standard, XML-based language for exchanging authentication and authorization data between identity providers and service providers. This standard is currently used by Enterprise Authentication (as well as hundreds of service providers that integrate with our identity provider).
Service EID
EID that describes a service. This type of EID can be used to log in. Service UT EIDs always begin with the number ‘4’, followed by a random sequence of numbers and letters.
Service Provider (SP)
In an authentication relationship, the Identity Provider (IdP) provides the identity and the Service Provider (SP) provides the service. See our Concepts page for an in-depth discussion.
Shibboleth
A component of the Incommon Trusted Access Platform which provides a single sign-on (SSO) federated identity solution, the Shibboleth software powers the SAML-based authentications at The University performed via the Enterprise Authentication service.
Single Sign-On (SSO)
A service which allows a user to use one set of credentials to access multiple applications.
System of Record (SORSOR A System of Record (SOR) is an authoritative system for identity attributes and values.)
The authoritative system for identity attributes and values.
T
Technical Support Contact (TSC)
A technical support individual designated for a particular college, school, or unit.
TEDTED The uTexas Enterprise Directory (TED) is the University’s enterprise directory. See uTexas Enterprise Directory (TED) in the service catalog for more information. on the Mainframe (TOMTOM TED on the Mainframe (TOM) is a subset of the uTexas Enterprise Directory (TED) except on the UT Mainframe. It is a handful of files in an ADABAS database. It is populated by a uTexas Identity Manager (TIM) notifier and consumed exclusively by UT Mainframe applications.)
TED on the Mainframe (TOM) is a subset of the uTexas Enterprise Directory (TED) except on the UT Mainframe. It is a handful of files in an ADABAS database. It is populated by a uTexas Identity Manager (TIM) notifier and consumed exclusively by UT Mainframe applications.
Trusted Access Platform (TAPTAP The InCommon Trusted Access Platform (TAP) is an identity and access management suite of software.)
The InCommon Trusted Access Platform is an identity and access management suite of software.
U
Uniform Resource Identifier (URIURI A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource available on the Internet.)
A compact sequence of characters that identifies an abstract or physical resource available on the Internet.
Uniform Resource Locator (URLURL A Uniform Resource Locator (URL) is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. A typical URL could have the form http://www.example.com/index.html, which indicates a protocol (http), a host name (www.example.com), and a file name (index.html). Also sometimes referred to as a web address.)
A reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. A typical URL could have the form http://www.example.com/index.html, which indicates a protocol (http), a host name (www.example.com), and a file name (index.html). Also sometimes referred to as a web address.
University of Texas Electronic Identity (UT EID or EID)
The public records identifier for principals at The University. See the Identity Management knowledge articles for more information.
Upgraded EID
A UT EID which has been identity-proofed and whose holder has signed the EID agreement.
User Experience (UX)
A concept in computing system and application design that studies and evaluates human feelings and expressions when using such systems.
User Interface (UI)
A broad term for any system, either physical or software based, that allows a user to connect with a given technology.
uTexas Enterprise Directory (TED)
The University’s enterprise directory. See Directory Services for more information.
uTexas Identity Manager (TIM)
The University’s identity manager. See Identity Management for more information.
W
White Pages Service (WPSWPS The White Pages Service (WPS) is a directory back-end which supports the university’s web-based public directory.)
The directory back-end which supports The University’s web-based public directory .
Y
YubiKey
The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device.
