This section explains how systems identify users and services, verify them, and decide what they are allowed to do.
Use it when the main question is about login, access, tokens, roles, federation, or permissions.
- Access Review Process
An access review is a structured check of who has access to a system or resource and whether that access is still appropriate.
- Access Token Credential
An access token is a credential used by an application or client to call a protected resource after authorization has been granted.
- Account Lockout Controls
Account lockout is an authentication control that temporarily or conditionally blocks further sign-in attempts after repeated failed login attempts.
- Account Provisioning Workflow
Account provisioning is the process of creating, updating, and disabling user or service accounts and assigning the right access to them.
- Attribute-Based Access Control (ABAC)
Uses attributes and policy rules, not just role membership, to decide whether access should be granted.
- Authentication and Identity Verification
Verifies that a user, device, or service is the identity it claims to be before access is granted.
- Authorization Decisions and Scope
Determines which systems, data, and actions an authenticated identity is allowed to access.
- Biometric Authentication
Biometrics are authentication methods that use physical or behavioral traits to help verify identity.
- Break Glass Account
A break-glass account is a tightly controlled emergency account kept for exceptional situations when normal identity systems or administrative paths are unavailable.
- Conditional Access Policies and Signals
Uses signals such as device state, location, and risk to allow, block, or step up access.
- Hardware Authentication Token
A hardware token is a physical device used as part of authentication, often to provide stronger proof of identity than a password alone.
- Identity Governance and Administration (IGA)
Identity Governance and Administration, or IGA, is the discipline that manages identity lifecycle, access requests, approvals, reviews, and access policy oversight at scale.
- Identity Governance Program
Identity governance is the discipline of deciding, reviewing, and controlling who should have access to which systems and data.
- Identity Lifecycle Management
Identity lifecycle is the process of creating, updating, reviewing, and removing identities and their access over time.
- Identity Proofing Process
Identity proofing is the process of verifying that a person is who they claim to be when an account is created, recovered, or issued higher-trust access.
- Identity Provider (IdP) Services
The system that authenticates identities and supplies trusted login assertions or identity information to other services.
- Just Enough Administration (JEA)
Just Enough Administration is an approach that gives administrators only the exact administrative capabilities needed for a specific operational role or task, rather than broad standing admin rights.
- Just-in-Time Access Controls
Just-in-time access is an access model in which elevated permissions are granted only when needed and removed automatically after a short approved window.
- Kerberos Authentication Protocol
Kerberos is a ticket-based network authentication protocol commonly used in enterprise environments to verify identities without sending passwords repeatedly.
- Least Privilege Access
Least privilege access is the practice of granting only the minimum access needed for a person or system to perform a legitimate task.
- Lightweight Directory Access Protocol (LDAP)
LDAP is a protocol for accessing and managing directory information such as users, groups, and organizational records in identity systems.
- Multi-Factor Authentication (MFA)
Requires more than one independent kind of proof so a password alone is not enough to log in.
- OAuth Authorization Framework
OAuth is a delegated authorization framework that lets one application access resources on a user's behalf without sharing the user's password.
- OpenID Connect (OIDC)
OpenID Connect adds an identity layer on top of OAuth so applications can verify who the user is as part of a modern login flow.
- Passwordless Authentication Methods
Verifies identity without requiring the user to know or type a traditional password.
- Phishing-Resistant Authentication Methods
An authentication approach designed to reduce the chance that a user can be tricked into handing over reusable sign-in proof, such as a password or a one-time code, to a site or prompt that is not the legitimate service.
- Policy-Based Access Control (PBAC)
Uses explicit policy rules to decide what access should be granted in a given context.
- Privileged Access Management (PAM)
Controls, monitors, and reduces high-risk administrative access to critical systems and data.
- Refresh Token Credential
A refresh token is a credential used to obtain a new access token without forcing the user to reauthenticate every time a short-lived token expires.
- Role-Based Access Control (RBAC)
Grants permissions through defined roles so access can be managed consistently instead of one user at a time.
- Security Assertion Markup Language (SAML)
SAML is a federation standard commonly used to carry authentication and identity assertions between an identity provider and an application.
- Service Account Identity
A service account is a non-human account used by an application, script, workload, or automated process to authenticate to another system.
- Single Sign-On (SSO)
Lets one central authentication session be reused across related applications to reduce repeated logins.
- System for Cross-domain Identity Management (SCIM)
SCIM is a standard for automating identity provisioning and lifecycle updates between systems.
- Token Revocation Process
Token revocation is the process of invalidating an issued token before its normal expiration time.