This section explains how systems identify users and services, verify them, and decide what they are allowed to do.
Use it when the main question is about login, access, tokens, roles, federation, or permissions.
- Access Review
An access review is a structured check of who has access to a system or resource and whether that access is still appropriate.
- Access Token
An access token is a credential used by an application or client to call a protected resource after authorization has been granted.
- Account Lockout
Account lockout is a control that temporarily or conditionally blocks further sign-in attempts after repeated failed authentication attempts.
- Account Provisioning
Account provisioning is the process of creating, updating, and disabling user or service accounts and assigning the right access to them.
- Attribute-Based Access Control
Attribute-based access control uses attributes and policy rules, not just role membership, to decide whether access should be granted.
- Authentication
Authentication is the process of verifying that a user, device, or service is really the identity it claims to be.
- Authorization
Authorization is the process of deciding what an authenticated identity is allowed to access or do.
- Biometrics
Biometrics are authentication methods that use physical or behavioral traits to help verify identity.
- Break-Glass Account
A break-glass account is a tightly controlled emergency account kept for exceptional situations when normal identity systems or administrative paths are unavailable.
- Conditional Access
Conditional access is a policy approach that allows, blocks, or steps up access based on context such as user, device, location, or risk.
- Hardware Token
A hardware token is a physical device used as part of authentication, often to provide stronger proof of identity than a password alone.
- Identity Governance
Identity governance is the discipline of deciding, reviewing, and controlling who should have access to which systems and data.
- Identity Governance and Administration
Identity Governance and Administration, or IGA, is the discipline that manages identity lifecycle, access requests, approvals, reviews, and access policy oversight at scale.
- Identity Lifecycle
Identity lifecycle is the process of creating, updating, reviewing, and removing identities and their access over time.
- Identity Proofing
Identity proofing is the process of verifying that a person is who they claim to be when an account is created, recovered, or issued higher-trust access.
- Identity Provider
An identity provider is the system that authenticates identities and supplies trusted login assertions or identity information to other services.
- Just Enough Administration
Just enough administration is an approach that gives administrators only the exact administrative capabilities needed for a specific operational role or task.
- Just-in-Time Access
Just-in-time access is a model where elevated permissions are granted only when needed and removed automatically after a limited period.
- Kerberos
Kerberos is a ticket-based network authentication protocol commonly used in enterprise environments to verify identities without sending passwords repeatedly.
- LDAP
LDAP is a protocol for accessing and managing directory information such as users, groups, and organizational records in identity systems.
- Least Privilege Access
Least privilege access is the practice of granting only the minimum access needed for a person or system to perform a legitimate task.
- Multi-Factor Authentication
Multi-factor authentication requires more than one independent kind of proof so a password alone is not enough to log in.
- OAuth
OAuth is a delegated authorization framework that lets one application access resources on a user's behalf without sharing the user's password.
- OpenID Connect
OpenID Connect adds an identity layer on top of OAuth so applications can verify who the user is as part of a modern login flow.
- Passwordless Authentication
Passwordless authentication verifies identity without requiring the user to know or type a traditional password.
- Phishing-Resistant Authentication
Phishing-resistant authentication is an authentication approach designed to reduce the chance that a user can be tricked into handing over reusable sign-in proof.
- Policy-Based Access Control
Policy-based access control uses explicit policy rules to decide what access should be granted in a given context.
- Privileged Access Management
Privileged access management controls, monitors, and reduces high-risk administrative access to critical systems and data.
- Refresh Token
A refresh token is a credential used to obtain a new access token without forcing the user to reauthenticate every time a short-lived token expires.
- Role-Based Access Control
Role-based access control grants permissions through defined roles so access can be managed consistently instead of one user at a time.
- SAML
SAML is a federation standard commonly used to carry authentication and identity assertions between an identity provider and an application.
- SCIM
SCIM is a standard for automating identity provisioning and lifecycle updates between systems.
- Service Account
A service account is a non-human account used by an application, script, workload, or automated process to authenticate to another system.
- Single Sign-On
Single sign-on lets one successful authentication session provide access to multiple related applications.
- Token Revocation
Token revocation is the process of invalidating an issued token before its normal expiration time.