IAM Terms, Components, and Functions
Identity & Access Management, Identity Governance and Administration, Identity & Access Governance, Identity Governance, Identity Management, Access Management, User Provisioning, IAM Workflow, User Self Services...
Anyone who does not deal with Identity & Access Management (IAM) and the latest terms and functions on a regular basis may find it difficult to understand what lies behind them. What makes it even harder is that there is no universally accepted definition of IAM. Analysts such as Gartner, Forrester, or KuppingerCole have their own perspectives on IAM and regularly introduce new headings and terms to group, evaluate, and place product functionalities into their quadrants, analyses, reports, and market studies. Likewise, IAM product vendors' marketing departments constantly invent new, appealing terms for their products and modules to generate customer interest and differentiate themselves from their competitors. System integrators and IAM consultants have to work with the established terms of analysts and vendors while also introducing terminology of their own that reflects customer requirements and is easy for clients to grasp.
Ultimately, there is often no right or wrong when it comes to terminology; it depends on where a term originated, the context, and who is using it. Based on our experience, it is therefore most important that all project participants agree on a shared understanding before starting an IAM project. This ensures that everyone is speaking the same language and avoids miscommunication.
Below you will find the most important IAM terms, components, and functions along with their most common definitions from our perspective. Terms that appear in bold within the explanatory text are explained separately. We begin with the umbrella terms Identity & Access Management (IAM), Identity Governance and Administration (IGA), and Identity Governance (IG). The terms that follow are listed in alphabetical order.
Identity & Access Management (IAM)
From our point of view, Identity & Access Management is still the most commonly used umbrella term for one of the fundamental building blocks of IT security. Simply put, IAM is about the security of users and their IT access rights. IAM consists of Identity Management (IDM) and Access Management (AM).
Identity Management (IDM)
The Identity Management (IDM) component addresses all digital identities (users) within a company and their access rights. It ensures that all types of users (employees, customers, suppliers, contractors, external staff, etc.) who access resources (applications, documents, data, webshops, etc.) receive only the exact access they need (also known as the Least Privilege Principle) at the right time for their work or to retrieve information. IDM must ensure this throughout a user's entire lifecycle (see User LifeCycle Management).
The functional components of Identity Management include User Lifecycle Management, User Provisioning / Deprovisioning, Role Based Access Control (RBAC), Workflow, and User Self Services.
Access Management (AM)
Access Management ensures that the mentioned user groups can access company resources via portals such as intranet or extranet (Web Access Management) or Single Sign-On (SSO). It should not matter which device (PC, tablet, smartphone, etc.) the user is accessing from—the user experience should always be the same. Furthermore, Access Management ensures that only authorized individuals have access. Through appropriate methods of Multi-Factor Authentication (fingerprint, iris scan, PIN/TAN, etc.), it can be verified whether a person is who they claim to be.
As an alternative to Identity & Access Management, the term Identity Governance and Administration (IGA), coined by Gartner, is also used. However, we continue to observe that it is still not widely used, especially among customers.
Identity Governance and Administration (IGA)
In 2013, Gartner decided to merge its Magic Quadrants for User Provisioning and Identity & Access Governance into one, thereby creating the umbrella term Identity Governance and Administration (IGA). However, even within Gartner, there seems to be some inconsistency about which term is more appropriate: while the quadrant is now called the Magic Quadrant for Identity Governance and Administration, Gartner’s annual event still carries the title Identity & Access Management Summit.
Forrester still refers to this area as Identity and Access Management, while KuppingerCole uses the term Identity & Access Management / Governance.
Identity Governance (IG)
In addition to Identity & Access Management (IAM), Identity Governance (IG) refers to the structured and regular review of access rights for all users or user groups, in order to ensure compliance with policies and legal regulations. The current state of permissions is extracted from the systems to be reviewed, presented in an understandable format, and submitted to the responsible individuals such as supervisors or application owners. These individuals review the access rights of their staff and compare them to policy requirements. If discrepancies are found, the unnecessary permissions must be revoked. Identity Governance products or integrated Identity Management systems can automatically handle these corrections through appropriate mechanisms. This process is known as the recertification of user permissions.
Alternative terms for Identity Governance include Identity & Access Governance (IAG) or simply Access Governance—however, they all carry the same meaning.
The following terms are listed in alphabetical order.
Audit
Audits in the field of Identity & Access Management serve as proof of data security and compliance with legal requirements and regulations. During an audit, the actual state in systems and databases is compared to the target state defined by these regulations. Typically, different user types are examined on a sample basis, and their access rights are reviewed. Questions such as “Which accesses did user A have on day B, and who approved them?” must be answered.
Audits are conducted by auditors, supervisory authorities, or internal audit teams. Negative audit results can have serious consequences for companies, including lower ratings or even the loss of business relationships.
Compliance
Compliance is not limited to IAM but is equally important across all IT areas of a company. Within Identity & Access Management, compliance means adhering to all legal requirements and regulations related to users and their IT access rights.
Compliance can be verified through regular audits, where the actual state of systems and databases is compared with the target state defined by applicable regulations. If the actual state matches the target, compliance is achieved.
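The actual-versus-target comparison that Identity Governance, Audit, and Compliance all rely on, as an added example that is not part of the original article: a constructed grant/revoke audit trail is replayed to answer "which accesses did user A have on day B, and who approved them?", and the recertification step diffs that actual state against each user's target state to produce the permissions that must be revoked. All user, permission, and approver names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessEvent:
    """One audit-trail entry: a permission granted to or revoked from a user."""
    day: str          # ISO date "YYYY-MM-DD", which sorts chronologically as text
    user: str
    permission: str   # e.g. "SAP:FI_POSTING" (constructed names)
    action: str       # "grant" or "revoke"
    approver: str     # who approved the change

# Constructed audit trail; in practice it is exported from the IDM system.
TRAIL = [
    AccessEvent("2024-01-08", "alice", "SAP:FI_POSTING", "grant", "bob"),
    AccessEvent("2024-01-08", "alice", "CRM:READ", "grant", "bob"),
    AccessEvent("2024-03-01", "alice", "SAP:FI_APPROVE", "grant", "carol"),
    AccessEvent("2024-03-15", "alice", "CRM:READ", "revoke", "bob"),
]

def access_on(trail, user, day):
    """Actual state of one user on a given day: {permission: approver of the grant}.
    Replays the trail in date order, so a later revoke cancels an earlier grant;
    this answers 'which accesses did user A have on day B, and who approved them?'"""
    state = {}
    for ev in sorted(trail, key=lambda e: e.day):
        if ev.user != user or ev.day > day:
            continue
        if ev.action == "grant":
            state[ev.permission] = ev.approver
        elif ev.action == "revoke":
            state.pop(ev.permission, None)
    return state

def recertification(trail, targets, day):
    """Compare the actual state (from the trail) with each user's target state.
    Returns {user: (excess, missing)}: excess permissions are what the reviewer
    must revoke, missing ones are gaps between policy and the systems."""
    report = {}
    for user, target in targets.items():
        actual = set(access_on(trail, user, day))
        report[user] = (sorted(actual - target), sorted(target - actual))
    return report
```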
Customer Identity & Access Management (CIAM)
Customer Identity & Access Management (CIAM) is the application of Identity & Access Management to customer identities. Online store customers can log in using their accounts from social networks like Facebook, Google+, or Twitter, which greatly simplifies registration and authentication. Beyond managing customer identities, CIAM also focuses on merging customer information across systems such as IAM, CRM, and web applications to provide a more complete customer view.
Federated Identity Management (FIM)
Federated Identity Management refers to the management of users and their access rights across organizational boundaries, allowing users to use the same identity data across one or more companies.
Identity & Access Governance (IAG)
See Identity Governance. Alternative terms such as Identity Governance or Access Governance are used interchangeably. Among them, Identity Governance is currently the most commonly used term.
Multi-Factor Authentication (MFA)
Recent security incidents and the rise of social engineering have increasingly called the security of passwords alone into question. Multi-Factor Authentication (often Two-Factor Authentication) ensures that a person is who they claim to be. Combining factors from different categories, namely knowledge (password or PIN), possession (smartcard or token), and inherence (biometric features such as fingerprints or an iris scan), significantly increases account security and reliably protects corporate networks.
Privileged Account Management (PAM)
Privileged Account Management (PAM), also known as Privileged Identity Management (PIM), involves managing, monitoring, and securing privileged accounts such as those of administrators or superusers. Due to the increasing number and severity of security breaches caused by misuse of privileged accounts, along with rising compliance demands, PAM has become indispensable for companies.
The major benefit of PAM solutions is that administrators and superusers no longer know their passwords, which prevents them from sharing them. A complete audit trail of all privileged user activities provides transparency regarding who accessed sensitive information, what actions were taken, and ensures compliance with audit and review requirements.
Role Based Access Control (RBAC)
Role Based Access Control is a method for assigning permissions and controlling access to a company’s resources (applications, documents, data, webshops, etc.). The RBAC model, developed as early as 1992, grants permissions based on user roles. These user or business roles are composed of groups that bundle individual permissions. Criteria for forming these groups can include functional attributes such as tasks, departmental affiliation, or project membership, as well as hierarchical attributes like position within the company or location.
The advantage of RBAC lies in eliminating the need to assign permissions individually, making access assignments more transparent and less error-prone. It also significantly improves traceability, helps avoid conflicting permissions (Segregation of Duties, SoD), and ensures compliance.
As the core of an Identity Management System, RBAC delivers the greatest benefit. However, the biggest challenge of any IAM project is developing the role model. When modeling roles, the Pareto Principle should definitely be considered: for many organizations, automating around 80% of permissions via roles is a realistic goal. Anything beyond that may lead to a disproportionate effort in role development, so the cost-benefit ratio must be critically assessed.
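The role model described above, as an added example that is not from the original article: business roles are composed of groups that bundle permissions, a user's effective permissions are resolved through that hierarchy, Segregation-of-Duties conflicts are detected on the resolved set, and the share of permissions explained by roles is measured against the Pareto target mentioned in the text. Group, role, and permission names are constructed.

```python
# Permissions are the atomic entitlements in target systems (constructed names).
# Groups bundle permissions and business roles are composed of groups, as the
# article describes; direct assignments are permissions held outside the role model.
GROUPS = {
    "fin-posting": {"SAP:FI_POSTING", "SAP:FI_DISPLAY"},
    "fin-approval": {"SAP:FI_APPROVE", "SAP:FI_DISPLAY"},
    "office-basics": {"MAIL:MAILBOX", "INTRANET:READ"},
    "crm-sales": {"CRM:READ", "CRM:WRITE"},
}
ROLES = {
    "employee": {"office-basics"},
    "accountant": {"office-basics", "fin-posting"},
    "finance-manager": {"office-basics", "fin-approval"},
    "sales-rep": {"office-basics", "crm-sales"},
}
# Permission pairs one person must never hold together (Segregation of Duties).
SOD_CONFLICTS = [("SAP:FI_POSTING", "SAP:FI_APPROVE")]

def role_permissions(role):
    """Flatten a business role into the permissions of its groups."""
    return set().union(*(GROUPS[g] for g in ROLES[role]))

def effective_permissions(roles, direct=()):
    """Everything a user holds: role-derived permissions plus direct assignments."""
    perms = set(direct)
    for role in roles:
        perms |= role_permissions(role)
    return perms

def sod_violations(perms):
    """Conflicting pairs that are both present in one user's effective permissions."""
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]

def role_coverage(users):
    """Share of all held permissions that the role model explains; the Pareto
    target in the text would be roughly 0.8. users: {name: (roles, direct)}."""
    total = via_roles = 0
    for roles, direct in users.values():
        total += len(effective_permissions(roles, direct))
        via_roles += len(effective_permissions(roles))
    return via_roles / total if total else 0.0
```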
Single Sign-On (SSO)
SSO enables users to access all applications and systems after a single login. The current challenges for SSO solutions include the integration of mobile devices, social media, and cloud-based applications.
User LifeCycle Management
User LifeCycle Management refers to managing a user throughout their entire lifecycle within the company, while continuously tracking all relevant information that affects the assignment (provisioning) and removal (deprovisioning) of access rights. Users can include not only employees but also customers, suppliers, temporary workers, or external contractors.
User Provisioning / Deprovisioning
User Provisioning / Deprovisioning is a core component of Identity Management (IDM) and refers to the automated, role-based, and auditable assignment of permissions across numerous applications and systems. This enables transparent, traceable, and timely onboarding of new employees while ensuring compliance. Deprovisioning ensures that, for example after a project ends, a departmental change, or termination (offboarding), the corresponding permissions are removed.
User Self Services
Requesting access rights, resetting passwords, unlocking accounts — as the name "User Self Services" implies, users can help themselves via web forms or a kind of webshop when it comes to their accounts, permissions, access, and passwords. These services are available around the clock, speed up processing times, and relieve the helpdesk.
Workflow
In addition to User Provisioning, workflows extend Identity Management by enabling interaction with users. For example, an approval workflow for an access right or role can be triggered from the provisioning process. Through a web form, the supervisor can approve or deny the access or role. Substitution rules ensure that the workflow is delegated during absences, and if not processed within a defined timeframe, the approval request can be escalated to the next higher-level supervisor.
Another use case for workflows is a request process where a user can apply for an access right or role themselves, which in turn can trigger an approval workflow — see User Self Services.
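The approval workflow with substitution rules and escalation described above, as an added example that is not code from the original article: a pending request is decided by the responsible supervisor or, during an absence, by the configured substitute, and a request left unanswered beyond a deadline is escalated to the next higher-level supervisor. The escalation period, the day counter, and all names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
ESCALATION_DAYS = 5  # assumed policy: escalate a request unanswered this long

@dataclass
class Approver:
    name: str
    manager: Optional[str]            # next higher-level supervisor, None at the top
    absent: bool = False
    substitute: Optional[str] = None  # substitution rule: who acts during absence

@dataclass
class ApprovalRequest:
    requester: str
    item: str            # the access right or role being requested
    approver: str        # supervisor currently responsible for the decision
    opened_day: int      # day counter (avoids datetime in the example)
    status: str = "pending"   # pending / approved / denied
    history: list = field(default_factory=list)

def responsible_approver(people, name):
    """Apply substitution rules: follow substitutes while the approver is absent.
    The visited set stops circular substitution chains."""
    visited = set()
    while people[name].absent and people[name].substitute and name not in visited:
        visited.add(name)
        name = people[name].substitute
    return name

def decide(people, req, actor, approve):
    """Record a decision if the actor is the responsible approver or their substitute."""
    allowed = {req.approver, responsible_approver(people, req.approver)}
    if req.status != "pending" or actor not in allowed:
        return False
    req.status = "approved" if approve else "denied"
    req.history.append((actor, req.status))
    return True

def escalate_if_overdue(people, req, today):
    """Hand a request that is still pending after the deadline to the next level."""
    if req.status != "pending" or today - req.opened_day < ESCALATION_DAYS:
        return False
    manager = people[req.approver].manager
    if manager is None:
        return False
    req.history.append(("escalated", req.approver, manager))
    req.approver, req.opened_day = manager, today
    return True
```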