Version: On prem: 15.0.3

Glossary

Below, you'll find a list of terms commonly used in Omada Identity (both in the solution and in the documentation) to help you easily navigate through our solution and understand the main concepts.

A

Accelerator

An Accelerator package is a fixed-price starter package from Omada (on-premises or cloud).

Access management

The IdentityPROCESS+ process area that manages access rights for new employees or employees moving within the organization.

Access request

A process for users to request access to resources, that is, application roles or enterprise roles.

Access system

A system in which the IGA system can read and/or write access data (accounts, permissions, and assignments), that is, manage access to the system. In the customer context, these are the business-supporting systems.

Account

A user or a technical account in a system – for example, an Active Directory account – that is assigned to or given access to resources (access rights) in a system.

Account type

There can be several account types in a system, which can usually be distilled down to three different Account types: Personal Account, Privileged Account, and Technical Account.

Actual state

The access rights that users currently have to business systems. This information is read from the business systems and used to determine compliance by comparing it to the desired state, which is defined in the IGA system.

Administration

The IdentityPROCESS+ process area that manages the integration of target systems into the IGA System to allow central administration of user access and governance as well as password management.

Application

Omada definition:

An application (= logical application) is a logical container of resources for which you can request access. An application should be owned, classified, published/presented, and recertified according to IGA principles. Application here means a logical application, not a physical business system.

Note: The term application is often used as a synonym for business system in the customer context. In Omada projects the above definition of a logical application is used.

Application owner

An Omada role that indicates the person accountable for a logical application, who ensures that its description and classifications are maintained.

Application role

Application roles are groupings of individual permissions that can be requested within a (logical) application. Application roles should be owned, classified, published/presented, and recertified according to IGA design principles.

Application role owner

An Omada role that indicates the person accountable for a specific application role in an application, who ensures that its description, classifications, and approval flows are correct. When the role represents "critical access", the application role owner is often the second approver, following the line manager's approval.

Assignment policy

An assignment policy defines that a set of identities should be assigned to a set of resources. You can define the identities in scope by specifying one or more business contexts and/or using an identity view.

Attestation

The periodic or ad hoc process of reviewing and validating that access rights, policies, role definitions, and master data in the system are correct and valid. The most common certification campaigns survey identity access to resources in target systems.

Authoritative Identity source

The main source of identity data used by the IGA system. In most organizations, the authoritative identity source is the HR system, as this database holds the legal information about employees joining and leaving the company as well as their job title and current line manager.

As the information from HR systems is legal data, the responsibility for it lies with the HR department, not with IT.

Authoritative source policy

Authoritative source policies control the origin of the data processed by Omada Identity. Some data can be maintained in Omada Identity, and some can be maintained externally, for example in an HR system, and only exported to Omada Identity. The source of data is controlled at the property level of a data object.

B

Birthrights

Birthrights usually refer to the basic role(s) that employees are automatically granted on their start date.

Business alignment

The IdentityPROCESS+ process area that simplifies IGA processes for non-technical users and streamlines the maintenance of access rights for employees who share a job role, work in the same business area, or participate in the same project.

Business role owner

An Omada role that indicates the person accountable for a specific grouping of application roles. Usually a business role owner is asked to recertify that the application roles contained in the business role are still relevant for it.

Business system

A system within an organization that users request access to, so they can do their jobs. Examples could include a CRM system, email, or production database.

Business role model

The business role model defines four layers of business roles (Special, Functional, Organizational, and Basic) and the business purpose of each layer. An identity's access rights are often represented by assignments to several business roles distributed over several layers of the role model. Some organizations add or remove layers in their business role model.

C

Certification campaign

A survey that is sent out to line managers and resource owners to verify information such as access rights, policies, role definitions, and master data held in the IGA system.

Classification tags

A method for system owners to identify the types of data held in their applications so that appropriate policies can be applied to them to ensure compliance with internal regulations and external legislation such as GDPR.

CNAME record

Type of resource record in the Domain Name System (DNS) that maps one domain name (an alias) to another (the canonical name).

Configuration

Setting up Omada Identity using the data provided by master data and target systems to enable the processes delivered by Omada Identity and described in IdentityPROCESS+. Configuration means using only the tools available in the standard toolbox of Omada Identity.

Constraint policy

A policy that safeguards against end users being granted access to multiple systems in a combination that would enable them to commit fraud. If a constraint policy is violated, the business should split the access between different employees to reduce the risk of malicious activity. See also: Segregation of duties.

Control policy

Control policies allow Omada Identity data administrators to detect and rectify possible problems with master data and access rights that may have an impact on the correct functioning of processes.

Control policies define a negative control data set, that is, the set containing undesired data. This data set can be defined either as a set of data objects or as an SQL query that can be mapped to data objects. If a control data set is defined with an SQL query, the query result must be mappable to data objects.

Context

A way of grouping users into organizational units so they can be managed in the same way. A context could, for example, be a group of people who work on the same project, have the same cost center or work in the same factory.

Customization

Customization means changing existing functionality or creating new functionality beyond what Omada Identity provides. This is done using custom code, and the option is only available for on-premises installations.

D

Data administrator

A member of IT who is responsible for planning, organizing, and controlling data resources within the organization.

Data classification

The process in which data administrators and resource owners tag the types of data held within the systems they are responsible for. These tags are then used to apply policies that ensure data handling conforms to regulations.

Desired state

The desired state is the state of the access rights in Omada Identity created by birthrights, rules, or access request and approval processes. It defines the ideal access rights that users should have to satisfy compliance, security standards, and other requirements defined by the company or by law. This information is managed in the IGA system and compared with the actual state in the target systems to determine non-compliant user access that requires action by the administrator.

Direct assignments

When an identity uses the standard access request process and the requested resource assignments are approved, a resource assignment associated directly with the identity is created.

E

Emergency lockout

The process of quickly disabling all accounts associated with an identity when a security breach is suspected, to prevent an attacker from continuing to access an organization's data or from preventing business systems from operating.

H

HR system

A business system used by organizations to manage the day-to-day human resources operations. The HR system is usually the most up-to-date and accurate record of the employment status of the workforce and is therefore used in IGA implementations as the authoritative identity source.

I

Identity

The representation of a physical person or technical entity whose access to systems must be documented and managed.

Identity lifecycle management

The IdentityPROCESS+ process area that manages the entire employment of an individual from onboarding through their career and finally offboarding when they leave the company.

Identity security breach

The IdentityPROCESS+ process area that manages the emergency lockout and restoration of access to a user account when an organization suspects a security breach.

IdentityPROCESS+ Framework

The IdentityPROCESS+ best practice framework captures two decades of Omada’s experience working with leading organizations around the globe. It simplifies IGA decisions, ensures maximum automation of IGA business processes, and helps organizations optimize business value and ROI – all based on proven best practices.

The IdentityPROCESS+ best practice framework is a business view on the Omada IGA solution. It describes the options a customer has once the software is in place.

IdentityPROCESS+ workshops

Maturity, scoping, and architecture workshops are conducted using IdentityPROCESS+ best practices as the starting point, to align with standards and secure a seamless upgrade path for future versions.

A 360° maturity workshop is an option to align customer stakeholders for a common goal.

A fit-gap analysis, a series of workshops, is part of these efforts; in it the organization is challenged on any need to deviate from best practices. Potential gaps to IdentityPROCESS+ are identified, and the necessary decisions are prepared or taken directly.

IdentityPROJECT+

Omada's delivery framework. IdentityPROJECT+ uses best practices from Omada project experience to deliver lean solutions in an iterative way.

IGA team

An IGA team is often established in organizations and refers to the group of people accountable for operating an IGA solution and operationally expanding its use.

L

Line Manager

The line manager is a hierarchical reference to the direct manager of any identity (employee or external) in the organization.

M

Master data

Personal and other legally relevant information about an employee or contractor, such as their name, job title, or line manager, that is gathered from one or more systems (typically the authoritative source), stored in a central repository, and used by the IGA system for tasks such as enforcing policies and routing access requests.

Note: The responsibility for master data does not lie with the IGA team but remains with the owners of the master data. This holds true for the complete data flow. Omada Identity processes master data but does not own all master data.

O

Offboarding

The process of ensuring that employees, contractors, and other users are no longer able to access an organization’s business systems once they leave the company.

Omada Hub

Omada’s online knowledge hub and Q&A forum available to partner and customer organizations.

Omada Identity

Omada Identity is the name of the Omada IGA software. Omada Identity is provided as software on-premises or as-a-service in the cloud.

Omada IGA Academy

The acclaimed IGA training academy established by Omada to spread best practices and help partners and customers create business value. Omada Academy combines e-learning with in-person courses to fit the needs of each participant.

Onboarding

Onboarding can mean creating an identity in Omada Identity. It can also mean the process of ensuring that employees, contractors, and other users are granted appropriate access to business systems when they join the company.

Additionally, application onboarding means the process of defining logical applications.

Orphan account

An account that does not have an identity assigned to it. This could be because an employee has left the company, but their account has not been deleted, or a technical identity has not been assigned an owner. Orphan accounts should either be assigned an owner or deleted, as otherwise they cannot be properly governed and may violate compliance rules.

P

Permission (System)

Permissions are the raw types of access that are read in from an integrated system. Typically, you want a 1:1 mapping between permissions and application roles.

Policy

There are several kinds of policies in Omada Identity. Policies define rules that are executed by the system to support efficiency. The available policy types are:

  • Assignment policies
  • Authoritative source policies
  • Constraint policies
  • Control policies
  • Password policies

Process

A description of a set of actions that describe a discrete task that can be carried out in an IGA system.

Process group

A collection of IGA processes whose tasks are related and therefore are logically grouped and implemented together.

Project activity

A project activity represents a specific set of tasks to be performed. Exactly one person is responsible for an activity.

Project Activity Group

A collection of Project Activities.

Project Deliverable

Project deliverables represent objectively measurable outputs from a project phase. Deliverables can, for example, be a signed project plan, a test successfully completed and signed off, or a signed and completed Business Blueprint.

Producing and receiving sign-off on all deliverables relating to a project phase also defines the completion of the project phase.

Project Milestone

A milestone is a significant intermediate goal in an overall project or project phase and can segment a project plan or phase into smaller intervals. If a milestone is constrained by a specific date, it is a scheduled milestone. Such time-restrained milestones allow project managers to monitor progress and ensure that critical deadlines are met, for example, delivery or approval dates. A milestone trend analysis helps project managers forecast how delays in meeting certain deadlines set by milestones can delay the whole project.

Project Phase

A project phase consists of several activity groups. Each project phase delivers a set of objectively measurable deliverables. Deliverables link to milestones with set dates. Reaching these milestones means the project progresses as planned.

Project phases within one project can never overlap. One phase within a project must be completed before the next can begin. However, multiple projects can run in parallel under a program, each being in a different phase. In such cases, cross-coordination across projects is of utmost importance.

Project Plan

The project plan contains project phases, activity groups, activities, deliverables, and milestones, and clarifies the interrelated dependencies of the activity groups and activities.

Project Program

A program is a set of multiple projects. Each project runs through the three standard project phases: EXPLORE, BUILD, OPERATE. Projects under a program do not have to be in the same phases: for instance, one project can be in the EXPLORE phase, while another project may be in the OPERATE phase.

Project Roadmap

The project roadmap represents a high-level overview of a project’s objectives, deliverables, and milestones. Think of it as a bird’s eye view of the entire project. While a project plan and related project phases track operational details, a project roadmap gives an overview of the most important objectives and deliverables. In short, it provides the big picture. Project roadmaps help the project align around key milestones over a longer period with its stakeholders.

Provisioning

The processes that create, modify, deactivate, and delete accounts and permissions across systems. Provisioning can be done manually or automatically through technical integration.

Prioritization policy

You can use the Prioritization policy data object type to define a number of resources that are mutually exclusive. When more than one of these resources is assigned to an identity (for each of the identity's accounts), only one resource is selected for provisioning, based on the selection type of the Prioritization policy. The remaining assignments become disabled (and are therefore deprovisioned). The RoPE identity calculation includes the reason why the assignments were disabled.

R

RACI

A responsibility assignment matrix, also known as a RACI (Responsible, Accountable, Consulted, and Informed) matrix, describes the participation of various roles in completing tasks or deliverables for an IGA-related business process.

Recertification

A recertification is a series of questions sent to line managers and resource owners asking them to perform attestation or certification of user access rights.

Reconciliation

The process of confirming that all accounts and access rights in managed target systems comply with defined policies. For example, the actual state of all accounts in all managed systems and their access rights must match the desired state, that is, the access rights defined for the managed systems. Reconciliation should be performed regularly to rectify any discrepancies between the actual and desired states.

Resource

A resource can either be a permission or a role.

A permission or set of permissions defined in a physical system by that system’s access control model. Groups in a directory service, such as Active Directory, are considered as resources.

Resource Owner

See Business role owner and Application role owner.

Resource Folder

A resource folder in Omada Identity is a container used to organize and manage resources. It allows you to group related resources together for easier management and access control. You can create multiple resource folders and assign different resources to each folder based on your organizational needs. Resource folders can have unique names and folder IDs, and you can specify owners, approval levels, provisioners, account types, and classifications for each folder. Additionally, resource folders can be associated with specific resource types and systems.

Resource Type

A resource type is a classification or category assigned to a resource. It represents a specific type or class of resources that are managed within the system. Each resource type has its own properties and settings that determine its behavior and how it is managed. Resource types can be used to organize and categorize resources, apply specific access controls and policies, and define attributes and settings for provisioning and synchronization.

Roles

A role is a grouping of permissions or other roles (such as application roles or enterprise roles).

S

Segregation of duties (SoD)

A principle that ensures key processes are distributed across multiple people or departments to minimize the risk of fraud and errors caused by one individual being responsible for a task's execution. IdentityPROCESS+ defines a process to detect the granting of toxic access combinations and to prevent them from being provisioned unless a specific reason is given and a security officer approves.

Survey

A survey can be a series of questions sent to line managers and resource owners asking them to perform attestation or recertification of user access rights.

Surveys can also be used to look for missing descriptions, missing classifications, missing owners, or other missing fields on resources, and to update them based on the answers.

System

A physical system such as Active Directory, a finance application, or HR system. One system can represent other systems across access control models.

System owner

The owner of a physical IT system. As a system owner, you are typically responsible for the overall operation and maintenance of the system, including any related support services, integrations, modifications, upgrades, and backups. From an IGA point of view, the system owner is essential in the integration phase. After the integration phase, the focus shifts to the application and application role owners.

System permission

Within a system, there can be a few or many system permissions that can be granted. Often their names are not user-friendly. Preferably, there should be a 1:1 mapping between a system permission and an Omada application role.

T

Technical Identity

An identity that is not directly attached to a person but is used to give multiple members of the IT team administrator access to systems without using their personal identities. As these identities may have privileged access rights and are used by several employees, a responsible owner is always defined.

Another class of technical identity is used for service accounts; these, however, should not be used directly by multiple members of the IT team.

U

Unresolved Identity

A special built-in identity that Omada assigns as the owner of all accounts that cannot be paired with an identity through account join rules and have not been paired with an identity through an account ownership survey.