Identity-and-Access-Management

Verifies that a user, device, or service is the identity it claims to be before access is granted.

Determines which systems, data, and actions an authenticated identity is allowed to access.

Requires more than one independent kind of proof so a password alone is not enough to log in.

Lets one central authentication session be reused across related applications to reduce repeated logins.

Verifies identity without requiring the user to know or type a traditional password.

A hardware token is a physical device used as part of authentication, often to provide stronger proof of identity than a password alone.

Grants permissions through defined roles so access can be managed consistently instead of one user at a time.

Uses attributes and policy rules, not just role membership, to decide whether access should be granted.

Controls, monitors, and reduces high-risk administrative access to critical systems and data.

SAML is a federation standard commonly used to carry authentication and identity assertions between an identity provider and an application.

OAuth is a delegated authorization framework that lets one application access resources on a user's behalf without sharing the user's password.

OpenID Connect adds an identity layer on top of OAuth so applications can verify who the user is as part of a modern login flow.

Kerberos is a ticket-based network authentication protocol commonly used in enterprise environments to verify identities without sending passwords repeatedly.

LDAP is a protocol for accessing and managing directory information such as users, groups, and organizational records in identity systems.

Biometrics are authentication methods that use physical or behavioral traits to help verify identity.

Uses explicit policy rules to decide what access should be granted in a given context.

An access review is a structured check of who has access to a system or resource and whether that access is still appropriate.

SCIM is a standard for automating identity provisioning and lifecycle updates between systems.

Identity Governance and Administration, or IGA, is the discipline that manages identity lifecycle, access requests, approvals, reviews, and access policy oversight at scale.

Least privilege access is the practice of granting only the minimum access needed for a person or system to perform a legitimate task.

The system that authenticates identities and supplies trusted login assertions or identity information to other services.

A service account is a non-human account used by an application, script, workload, or automated process to authenticate to another system.

A break-glass account is a tightly controlled emergency account kept for exceptional situations when normal identity systems or administrative paths are unavailable.

Uses signals such as device state, location, and risk to allow, block, or step up access.

Identity lifecycle is the process of creating, updating, reviewing, and removing identities and their access over time.

Just enough administration is an approach that gives administrators only the exact administrative capabilities needed for a specific operational role or task.

Just-in-time access is an access model in which elevated permissions are granted only when needed and removed automatically after a short approved window.

Identity governance is the discipline of deciding, reviewing, and controlling who should have access to which systems and data.

Account provisioning is the process of creating, updating, and disabling user or service accounts and assigning the right access to them.

An access token is a credential used by an application or client to call a protected resource after authorization has been granted.

A refresh token is a credential used to obtain a new access token without forcing the user to reauthenticate every time a short-lived token expires.

Token revocation is the process of invalidating an issued token before its normal expiration time.

Authentication approach designed to reduce the chance a user can be tricked into handing over reusable sign-in proof.

Identity proofing is the process of verifying that a person is who they claim to be when an account is created, recovered, or issued higher-trust access.

Account lockout is an authentication control that temporarily or conditionally blocks further sign-in attempts after repeated failed login attempts.