Glossary
Below, you'll find a list of terms commonly used in Omada Identity (both in the solution and in the documentation) to help you easily navigate through our solution and understand the main concepts.
A
Accelerator
Accelerator package is a fixed price starter package from Omada (on-premises or cloud).
Access management
The IdentityPROCESS+ process area that manages access rights for new employees or employees moving within the organization.
Access request
A process for users to request access to resources which are application roles or enterprise roles.
Access system
A system where the IGA system has the ability to read and/or write access data (accounts, permissions, and assignments), that is, to manage the access to the system. In the customer context, these are the business supporting systems.
Account
A user or a technical account in a system – for example, an Active Directory account – that is assigned to or given access to resources (access rights) in a system.
Account type
A system can have several account types, which can usually be distilled down to three: Personal Account, Privileged Account, and Technical Account.
Actual state
Current access rights that users have to business systems. This information is read from the business systems and is used to determine compliance by comparing them to the desired state which is defined in the IGA system.
Administration
The IdentityPROCESS+ process area that manages the integration of target systems into the IGA System to allow central administration of user access and governance as well as password management.
Application
Omada definition:
An application (= logical application) is a logical container of resources for which you can request access. An application should be owned, classified, published/presented, and recertified according to IGA principles. Application here means a logical application, not a physical business system.
The term application is often used as a synonym for business system in the customer context. In Omada projects the above definition for a logical application is used.
Application owner
An Omada role that indicates the person accountable for a logical application, who ensures that its description and classifications are maintained.
Application role
Application roles are groupings of individual permissions that can be requested within a (logical) application. Application roles should be owned, classified, published/presented, and recertified according to IGA design principles.
Application role owner
An Omada role that indicates the person accountable for a specific application role in an application, who ensures that its description, classifications, and approval flows are correct. When the role represents “critical access”, the application role owner is often the second approver, following the line manager's approval.
Attestation
The periodic or ad hoc process of reviewing and validating that access rights, policies, role definitions, and master data in the system are correct and valid. The most common certification campaigns survey identity access to resources in target systems.
Authoritative Identity source
The main source of identity data that is used by the IGA system. In most organizations, the authoritative ID source will be the HR system as this database holds the legal information about employees joining and leaving the company as well as their job title and current line manager.
As the information from HR systems is legal data, the responsibility is with the HR department, not with IT.
B
Birthrights
Birthrights usually refer to the basic role(s) that employees are automatically granted on their start date.
Business alignment
The IdentityPROCESS+ process area that simplifies IGA processes for non-technical users and streamlines the maintenance of access rights for employees who share a job role, work in the same business area, or participate in the same project.
Business role owner
An Omada role that indicates the person accountable for a specific grouping of application roles. A business role owner is usually asked to recertify that the application roles contained in the business role are still relevant for it.
Business system
A system within an organization that users request access to, so they can do their jobs. Examples could include a CRM system, email, or production database.
C
Certification campaign
A survey that is sent out to line managers and resource owners to verify information such as access rights, policies, role definitions, and master data held in the IGA system.
Classification tags
A method for system owners to identify the types of data held in their applications so that appropriate policies can be applied to them to ensure compliance with internal regulations and external legislation such as GDPR.
CNAME record
Type of resource record in the Domain Name System (DNS) that maps one domain name (an alias) to another (the canonical name).
Configuration
Setting up Omada Identity using the data provided by master data and target systems to enable the processes delivered by Omada Identity and described in IdentityPROCESS+. Configuration means using only the tools available in the standard Omada Identity toolbox.
Constraint policy
A policy that safeguards against end users being granted access to multiple systems whose combined access levels would let them commit fraudulent activities. If a constraint policy is violated, the business should split the access between different employees to reduce the risk of malicious activity. See also: Segregation of Duties.
Context
A way of grouping users into organizational units so they can be managed in the same way. A context could, for example, be a group of people who work on the same project, have the same cost center or work in the same factory.
Customization
Customization means changing existing functionality or creating new functionality beyond what Omada Identity provides. This is done with custom code. This option is only available for an on-premises installation.
D
Data administrator
A member of IT who is responsible for planning, organizing, and controlling data resources within the organization.
Data classification
The process in which data administrators and resource owners tag the types of data held within the systems they are responsible for. These tags are then used to apply policies that ensure data handling conforms to regulations.
Desired state
The desired state is the state of access rights in Omada Identity created by birthrights, rules, or access request and approval processes. It defines the ideal access rights that users should have to ensure compliance, security standards, and other requirements defined by the company or by law. This information is managed in the IGA system and compared with the actual state in the target systems to determine non-compliant user access that requires action by the administrator.
Direct assignments
When an identity requests a resource through the standard access request process and the request is approved, a resource assignment associated directly with that identity is created.
E
Emergency lockout
The process of quickly disabling all accounts associated with an identity when a security breach is suspected, to prevent an attacker from continuing to access an organization’s data or from preventing business systems from operating.
Business role model
The Business role model in this document defines four layers of business roles (Special, Functional, Organizational and Basic) and the business purpose of each layer in the role model. An identity’s access rights are often represented by assignments to several business roles distributed over several layers in the role model. Some organizations add or remove layers in their Business role model.
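The layered role model and the birthright idea above are easiest to see with assignment policies in code. The following is an added example, not Omada's code or data model: a handful of constructed assignment policies each grant one business role in one layer (Basic, Organizational, Functional, Special) when an identity's master data matches a condition, and the granted business roles are flattened into the application roles that make up the policy-driven part of that identity's desired state. All role names, policy conditions, and the `Identity` and `AssignmentPolicy` shapes are assumptions made for the example.

```python
"""Birthrights and the four-layer business role model, as an added example.

Constructed sample: assignment policies grant business roles per layer from
identity master data; business roles bundle application roles. Not Omada's
code or data model.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set

# The four layers named in the glossary entry; organizations may add or remove some.
LAYERS = ("Basic", "Organizational", "Functional", "Special")


@dataclass(frozen=True)
class Identity:
    """Master data an IGA system typically receives from the authoritative source (HR)."""
    identity_id: str
    identity_type: str          # "Employee" or "External"
    org_unit: str
    job_title: str
    projects: FrozenSet[str]


@dataclass(frozen=True)
class AssignmentPolicy:
    """Grants one business role in one layer when the condition holds (hypothetical shape)."""
    business_role: str
    layer: str
    condition: Callable[[Identity], bool]


# Constructed policies: birthrights live in the Basic layer, the other layers build on it.
POLICIES: List[AssignmentPolicy] = [
    AssignmentPolicy("BR_Basic_Employee", "Basic", lambda i: i.identity_type == "Employee"),
    AssignmentPolicy("BR_Basic_External", "Basic", lambda i: i.identity_type == "External"),
    AssignmentPolicy("BR_Org_Finance", "Organizational", lambda i: i.org_unit == "Finance"),
    AssignmentPolicy("BR_Func_Accountant", "Functional", lambda i: i.job_title == "Accountant"),
    AssignmentPolicy("BR_Special_Apollo", "Special", lambda i: "Apollo" in i.projects),
]

# Constructed business role contents: business role -> application roles it bundles.
BUSINESS_ROLE_CONTENTS: Dict[str, Set[str]] = {
    "BR_Basic_Employee": {"Mail_User", "Intranet_Reader"},
    "BR_Basic_External": {"Mail_User"},
    "BR_Org_Finance": {"Finance_Share_Reader"},
    "BR_Func_Accountant": {"ERP_AP_Clerk"},
    "BR_Special_Apollo": {"Apollo_Repo_Developer"},
}


def business_roles_by_layer(identity: Identity, policies: List[AssignmentPolicy]) -> Dict[str, Set[str]]:
    """Evaluate every assignment policy and group the granted business roles by layer."""
    granted: Dict[str, Set[str]] = {layer: set() for layer in LAYERS}
    for policy in policies:
        if policy.condition(identity):
            granted[policy.layer].add(policy.business_role)
    return granted


def policy_driven_desired_state(identity: Identity, policies: List[AssignmentPolicy],
                                contents: Dict[str, Set[str]]) -> Set[str]:
    """Flatten the granted business roles into application roles. This is the part of the
    desired state that comes from rules; direct assignments from access requests come on top."""
    resources: Set[str] = set()
    for roles in business_roles_by_layer(identity, policies).values():
        for role in roles:
            resources |= contents.get(role, set())
    return resources


if __name__ == "__main__":
    alice = Identity("alice", "Employee", "Finance", "Accountant", frozenset({"Apollo"}))
    for layer, roles in business_roles_by_layer(alice, POLICIES).items():
        print(f"{layer:15s} {sorted(roles)}")
    print(sorted(policy_driven_desired_state(alice, POLICIES, BUSINESS_ROLE_CONTENTS)))
```

When an identity's master data changes (a new job title, a move to another cost center), re-running the policies yields the new rule-driven desired state, which is why master data quality in the authoritative source matters so much for IGA.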
H
HR system
A business system used by organizations to manage the day-to-day human resources operations. The HR system is usually the most up-to-date and accurate record of the employment status of the workforce and is therefore used in IGA implementations as the authoritative identity source.
I
Identity
The representation of a physical person or technical entity whose access to systems must be documented and managed.
Identity lifecycle management
The IdentityPROCESS+ process area that manages the entire employment of an individual from onboarding through their career and finally offboarding when they leave the company.
Identity security breach
The IdentityPROCESS+ process area that manages the emergency lockout and restoration of access to a user account when an organization suspects a security breach.
IdentityPROCESS+ Framework
The IdentityPROCESS+ best practice framework captures two decades of Omada’s experience working with leading organizations around the globe. It simplifies IGA decisions, ensures maximum automation of IGA business processes, and helps organizations optimize business value and ROI – all based on proven best practices.
The IdentityPROCESS+ best practice framework is a business view on the Omada IGA solution. It describes the options a customer has once the software is in place.
IdentityPROCESS+ workshops
Maturity, scoping, and architecture workshops are conducted using IdentityPROCESS+ best practices as the starting point, to align with standards and secure a seamless upgrade path for future versions.
A 360° maturity workshop is an option to align customer stakeholders for a common goal.
A fit-gap analysis, a series of workshops, is part of these efforts; in it, the organization is challenged on any need to deviate from best practices. Potential gaps to IdentityPROCESS+ are identified, and the necessary decisions are prepared or taken directly.
IdentityPROJECT+
Omada delivery framework. IdentityPROJECT+ uses best practices from Omada project experience to deliver lean solutions in an iterative way.
IGA team
An IGA team is often established in organizations and refers to the group of people who are accountable for operating an IGA solution and expanding its use.
L
Line Manager
The line manager is a hierarchical reference to the direct manager of any Identity (Employee or External) in the organization.
M
Master data
Personal and other legally relevant information about an employee or a contractor, such as their name, job title, or line manager, that is gathered from one or more systems (typically the authoritative source), stored in a central repository, and used by the IGA system for tasks such as enforcing policies and routing access requests.
The responsibility for master data is not with the IGA team but remains with the owners of the master data. This holds true for the complete data flow. Omada Identity processes master data but does not own all master data.
O
Offboarding
The process of ensuring that employees, contractors, and other users are no longer able to access an organization’s business systems once they leave the company.
Omada Hub
Omada’s online knowledge hub and Q&A forum available to partner and customer organizations.
Omada Identity
Omada Identity is the name of the Omada IGA software. Omada Identity is provided as software on-premises or as-a-service in the cloud.
Omada IGA Academy
The acclaimed IGA training academy established by Omada to spread best practices and help partners and customers create business value. Omada Academy combines e-learning with in-person courses to fit the needs of each participant.
Onboarding
Onboarding can mean creating an identity in Omada Identity. It can also mean the process of ensuring that employees, contractors, and other users are granted appropriate access to business systems when they join the company.
Additionally, application onboarding means the process of defining logical applications.
Orphan account
An account that does not have an identity assigned to it. This could be because an employee has left the company, but their account has not been deleted, or a technical identity has not been assigned an owner. Orphan accounts should either be assigned an owner or deleted, as otherwise they cannot be properly governed and may violate compliance rules.
P
Permission (System)
Permissions are the raw types of access read in from an integrated system. Typically, you want a 1:1 mapping between permissions and application roles.
Policy
There are several variants of policies in Omada Identity. Policies define rules that the system executes to support efficiency. The types of policies available are:
- Assignment policies
- Auth. source policies
- Constraint policies
- Control policies
- Password policies
Process
A description of a set of actions that describe a discrete task that can be carried out in an IGA system.
Process group
A collection of IGA processes whose tasks are related and therefore are logically grouped and implemented together.
Project activity
A project activity represents a specific set of tasks to be performed. Exactly one person is responsible for each activity.
Project Activity Group
A collection of Project Activities.
Project Deliverable
Project deliverables represent objectively measurable outputs from a project phase. Deliverables can, for example, be a signed project plan, a test successfully completed and signed off, or a signed and completed Business Blueprint.
Producing and receiving sign-off on all deliverables relating to a project phase also defines the completion of the project phase.
Project Milestone
A milestone is a significant intermediate goal in an overall project or project phase and can segment a project plan or phase into smaller intervals. If a milestone is constrained by a specific date, it is a scheduled milestone. Such time-restrained milestones allow project managers to monitor progress and ensure that critical deadlines are met, for example, delivery or approval dates. A milestone trend analysis helps project managers forecast how delays in meeting certain deadlines set by milestones can delay the whole project.
Project Phase
A project phase consists of several activity groups. Each project phase delivers a set of objectively measurable deliverables. Deliverables link to milestones with set dates. Reaching these milestones means the project progresses as planned.
Project phases within one project can never overlap. One phase within a project must be completed before the next can begin. However, multiple projects can run in parallel under a program, each being in a different phase. In such cases, cross-coordination across projects is of utmost importance.
Project Plan
The project plan contains project phases, activity groups, activities, deliverables, and milestones, and clarifies the interrelated dependencies of the activity groups and activities.
Project Program
A program is a set of multiple projects. Each project runs through the three standard project phases: EXPLORE, BUILD, OPERATE. Projects under a program do not have to be in the same phases: for instance, one project can be in the EXPLORE phase, while another project may be in the OPERATE phase.
Project Roadmap
The project roadmap represents a high-level overview of a project’s objectives, deliverables, and milestones. Think of it as a bird’s eye view of the entire project. While a project plan and related project phases track operational details, a project roadmap gives an overview of the most important objectives and deliverables. In short, it provides the big picture. Project roadmaps help the project align around key milestones over a longer period with its stakeholders.
Provisioning
The processes that create, modify, and deactivate accounts and permissions across systems; deletion of accounts and permissions is also part of provisioning. Provisioning can be done manually or automatically through technical integration.
R
RACI
A responsibility assignment matrix, also known as a RACI (Responsible, Accountable, Consulted, and Informed) matrix, describes the participation of various roles in completing tasks or deliverables for IGA-related business processes.
Recertification
A recertification is a series of questions sent to line managers and resource owners asking them to perform attestation or certification of user access rights.
Reconciliation
The process of confirming that all accounts and access rights in managed target systems comply with defined policies. For example, the actual state of all accounts in all managed systems and their access rights must be the same as the desired state, that is, the access rights defined for the managed systems. Reconciliation should be performed regularly to rectify any discrepancies between the actual and desired states.
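The comparison that reconciliation performs between the desired state (see that entry) and the actual state read from a target system, including the detection of orphan accounts, is shown below as an added example. It is not Omada's code or data model: the `Account` shape, the identity and resource names, and the sample desired and actual states are all constructed for the example.

```python
"""Reconciliation of desired state against actual state, as an added example.

Constructed data: the desired state (identity -> resources) held in the IGA
system and the actual state read from one target system (accounts with their
permissions and, where one is attached, their owning identity). Not Omada's
code or data model.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Account:
    """One account as read from a target system (constructed shape)."""
    name: str
    identity: Optional[str]        # None: no identity attached, i.e. an orphan account
    permissions: FrozenSet[str]


@dataclass
class ReconciliationReport:
    missing: Dict[str, Set[str]] = field(default_factory=dict)   # desired, not present in the system
    excess: Dict[str, Set[str]] = field(default_factory=dict)    # present in the system, not desired
    orphans: List[str] = field(default_factory=list)             # accounts with no identity

    def compliant(self) -> bool:
        return not (self.missing or self.excess or self.orphans)


def reconcile(desired: Dict[str, Set[str]], actual: List[Account]) -> ReconciliationReport:
    """Compare what identities should have (desired) with what their accounts have (actual)."""
    report = ReconciliationReport()
    # Aggregate permissions per identity: one identity may own several accounts in a system.
    actual_by_identity: Dict[str, Set[str]] = {}
    for acct in actual:
        if acct.identity is None:
            report.orphans.append(acct.name)     # cannot be governed until an owner is assigned
            continue
        actual_by_identity.setdefault(acct.identity, set()).update(acct.permissions)
    for identity in desired.keys() | actual_by_identity.keys():
        wanted = desired.get(identity, set())
        held = actual_by_identity.get(identity, set())
        if wanted - held:
            report.missing[identity] = wanted - held   # provisioning has not delivered these yet
        if held - wanted:
            report.excess[identity] = held - wanted    # granted outside the IGA process
    return report


# Constructed sample: desired state from the IGA system ...
DESIRED: Dict[str, Set[str]] = {
    "alice": {"CRM_Sales", "Mail_User", "CRM_Admin"},
    "bob": {"Mail_User"},
    "carol": {"Finance_Reader"},
}

# ... and actual state as read from one target system.
ACTUAL: List[Account] = [
    Account("alice", "alice", frozenset({"CRM_Sales", "Mail_User"})),
    Account("alice_adm", "alice", frozenset({"CRM_Admin"})),        # second account, same identity
    Account("bob", "bob", frozenset({"Mail_User", "Finance_Admin"})),  # Finance_Admin not desired
    Account("svc_backup", None, frozenset({"Backup_Operator"})),       # no identity: orphan
]


if __name__ == "__main__":
    report = reconcile(DESIRED, ACTUAL)
    print("missing:", report.missing)
    print("excess: ", report.excess)
    print("orphans:", report.orphans)
    print("compliant:", report.compliant())
```

Each finding maps to a different follow-up: missing access is a provisioning gap, excess access is a candidate for removal or for a retroactive approval, and an orphan account needs an owner or deletion before it can be governed at all.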
Resource
A resource can either be a permission or a role.
A permission or set of permissions defined in a physical system by that system’s access control model. Groups in a directory service, such as Active Directory, are considered resources.
Resource Owner
See Business role owner and Application role owner.
Roles
A role is a grouping of permissions or other roles (such as application roles or enterprise roles).
S
Segregation of duties (SoD)
A principle that ensures that key processes are distributed to multiple people or departments to minimize the risk of fraud and errors due to one individual being responsible for a task’s execution. IdentityPROCESS+ defines a process to detect the granting of any toxic access combinations and prevents them from being provisioned without specific reasons being given and approval from security officers.
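The detection and prevention of toxic access combinations described under Constraint policy and Segregation of duties can be modelled in a few lines. The following is an added example, not Omada's code or workflow: two constructed constraint policies each name a pair of application roles that one identity must not hold together, a detective scan finds existing violations in current assignments, and a preventive check decides whether a new access request may proceed, with the exception path (a stated reason plus security-officer approval) written to match the glossary's description rather than any product feature. Policy, role and identity names are constructed.

```python
"""Constraint (segregation of duties) policy evaluation, as an added example.

Constructed data: constraint policies naming toxic role pairs and a few
existing assignments. Not Omada's code or data model.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class ConstraintPolicy:
    name: str
    toxic_pair: FrozenSet[str]   # application roles one identity must not hold together


@dataclass(frozen=True)
class Violation:
    identity: str
    policy: str
    roles: FrozenSet[str]


# Constructed policies: classic accounts-payable separations.
POLICIES: List[ConstraintPolicy] = [
    ConstraintPolicy("SoD-AP-01", frozenset({"AP_Create_Vendor", "AP_Pay_Invoice"})),
    ConstraintPolicy("SoD-AP-02", frozenset({"AP_Approve_Invoice", "AP_Pay_Invoice"})),
]

# Constructed current assignments (identity -> application roles).
ASSIGNMENTS: Dict[str, Set[str]] = {
    "dave": {"AP_Create_Vendor", "Mail_User"},
    "erin": {"AP_Approve_Invoice", "AP_Pay_Invoice"},
}


def violations_for(identity: str, roles: Set[str],
                   policies: Iterable[ConstraintPolicy]) -> List[Violation]:
    """All policies whose toxic pair is fully contained in the given role set."""
    return [Violation(identity, p.name, p.toxic_pair) for p in policies if p.toxic_pair <= roles]


def detect_existing_violations(assignments: Dict[str, Set[str]],
                               policies: Iterable[ConstraintPolicy]) -> List[Violation]:
    """Detective control: scan current assignments for toxic combinations already in place."""
    found: List[Violation] = []
    for identity, roles in assignments.items():
        found.extend(violations_for(identity, roles, policies))
    return found


def decide_request(identity: str, current_roles: Set[str], requested_role: str,
                   policies: Iterable[ConstraintPolicy],
                   reason: str = "", security_officer_approved: bool = False) -> str:
    """Preventive control: block a request that would create a new toxic combination
    unless a reason is given and a security officer has approved the exception."""
    before = violations_for(identity, current_roles, policies)
    after = violations_for(identity, current_roles | {requested_role}, policies)
    new_conflicts = [v for v in after if v not in before]   # only conflicts this request adds
    if not new_conflicts:
        return "approve"
    if reason and security_officer_approved:
        return "approve-with-exception"
    return "reject"


if __name__ == "__main__":
    for v in detect_existing_violations(ASSIGNMENTS, POLICIES):
        print(f"existing violation: {v.identity} holds {sorted(v.roles)} ({v.policy})")
    print(decide_request("dave", ASSIGNMENTS["dave"], "AP_Pay_Invoice", POLICIES))
    print(decide_request("dave", ASSIGNMENTS["dave"], "AP_Pay_Invoice", POLICIES,
                         reason="Covering month-end while the clerk is on leave",
                         security_officer_approved=True))
```

The preventive check only considers conflicts the request itself would introduce, so an identity with a pre-existing violation is not blocked from unrelated access; the detective scan is what surfaces that pre-existing violation for remediation.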
Survey
A survey can be a series of questions sent to line managers and resource owners asking them to perform attestation or recertification of user access rights.
Surveys can also be used to look for missing descriptions, classifications, owners, or other fields on resources, and to update them based on the answers.
System
A physical system such as Active Directory, a finance application, or HR system. One system can represent other systems across access control models.
System owner
Owner of physical IT systems. As a system owner, you are typically responsible for the overall operation and maintenance of a physical system, including any related support service, integrations, modifications, upgrades, and backups. From an IGA point of view, the system owner is essential in the integration phase. After the integration phase, the focus shifts to the Application and Application role Owners.
System permission
Within a system, there can be a few or many system permissions that can be granted. Often their names are not user-friendly. Preferably, there should be a 1:1 mapping between a system permission and an Omada application role.
T
Technical Identity
An identity that is not directly attached to a person but is used to provide multiple members of the IT team with administrator access to systems without the need to use their personal identities. As these identities may have privileged access rights and are used by several employees, a responsible owner is always defined.
Another class of technical identity is used for service accounts, which, however, should not be used directly by multiple members of the IT team.