IAM Terms from A to Z
In the context of IAM, access refers to the ability of a user, device, or application to interact with specific systems, applications, or data. Access is governed by permissions and policies that determine who can perform which actions, such as viewing, creating, modifying, or deleting resources.
It is managed through authentication (identity verification) and authorization (permission granting). Proper access management is essential for security and compliance in any organization.
Access analytics involves examining access patterns, user permissions, and system activity to identify risks and strengthen security. It helps detect anomalies, uncover excessive or outdated privileges, and ensure compliance with internal and regulatory policies. Organizations rely on access analytics to gain deeper visibility into user behavior and support proactive risk management.
For a practical solution, explore the Garancy Access Intelligence Manager.
This term refers to the processes, policies, and technologies that ensure an organization’s access controls are appropriate and aligned with its business objectives. The goal is, on one hand, to monitor who is allowed to access which resources and, on the other hand, to ensure that access rights are granted, reviewed, and revoked in a controlled, traceable, and auditable manner.
The Main Objectives of Access Governance:
Security: Protecting sensitive data and systems from unauthorized access
Compliance: Adhering to legal, industry-specific, and internal regulations
Efficiency: Automating user access management and review processes to reduce manual effort
Transparency: Providing a clear and traceable overview of existing permissions and their changes over time
Access Management is the operational implementation of the policies and frameworks defined by Access Governance. It focuses on the technical processes that control user access to systems, applications, and resources once identities are established.
This includes authenticating users, authorizing access based on predefined rules, managing sessions, and making real-time access decisions based on policies and context.
Access Management answers the question, “Who can access what, when, and how?” – ensuring that access is secure, efficient, and compliant with governance requirements.
Adaptive authentication dynamically adjusts authentication requirements based on risk factors and user behavior. It enhances security by applying stronger checks when anomalies are detected. This approach balances user convenience with security needs.
An account controls technical access to an application, system or network. It usually consists of a user name and password that the user must enter to log in.
An account is not the same as a user: while the user represents a unique identity in the system, a user can have multiple accounts – for example, to access different systems or to act in different roles with different permissions. The accounts can each represent different access levels or rights.
Application onboarding is the process of integrating new applications into the IAM environment. It includes configuring access controls, setting up user provisioning, and aligning with compliance requirements. Effective onboarding ensures secure, consistent, and efficient access management – making it a critical step for both scalability and security in IAM programs.
Application Risk Management identifies and mitigates security risks associated with applications. It involves assessing vulnerabilities, compliance, and access controls. Effective risk management reduces the attack surface and ensures regulatory compliance, making it a critical aspect of IAM.
A company’s abstract “surface” that can be a target for attackers. Bugs, security gaps and weak policies can increase the risk of a breach. The goal of strong identity access management is to limit the target area and reduce the overall risk through security procedures such as automated user provisioning and deprovisioning, as well as regular recertification of access rights.
Attestation is the formal process in which a responsible person, such as a manager or data owner, reviews and confirms that users’ access rights to systems, applications, or data are correct and appropriate.
The goal of attestation is to ensure that only authorized individuals have access to sensitive resources at a specific point in time. This process helps organizations maintain compliance and minimize the risk of unauthorized access.
An audit log is a chronological record of system activities and access events. It plays a vital role in monitoring, compliance, and forensic investigations. Audit logs help detect suspicious behavior, trace incidents, and ensure accountability across systems.
Maintaining secure and tamper-proof audit logs is a best practice in IAM and a core component of Garancy.
The process of determining whether an entity one is communicating with is in fact who it claims to be. In other words, the process of verifying a user’s identity.
Process of determining whether a user has the right to access a service or perform an action.
In IAM, applications are managed as resources requiring controlled access. Application onboarding and integration are key IAM tasks. Secure application management is vital for organizational security.
Attribute-Based Access Control (ABAC) is a security model that grants access based on user attributes such as role, department, location, or device type. It enables fine-grained and context-aware access control policies, allowing organizations to enforce dynamic and flexible access decisions. ABAC is a key capability in modern IAM systems.
aConnect is one of Garancy’s connectors, enabling flexible, attribute-based access control across connected systems.
Business objects in the context of Identity & Access Management are central structural or functional entities that are used within an IAM system. They affect the assignment of permissions and can be used for automation purposes. The most important business objects include users, identities, organizational units, applications, roles, groups, and accounts.
Business Process Model & Notation is a graphical standard for modeling and visualizing business processes. It offers a clear and consistent way to design workflows and enables process automation across systems. In IAM, BPMN is commonly used to define approval chains and provisioning workflows, improving transparency and operational efficiency.
For more information, explore the Garancy Process Center.
Certification in IAM refers to the official validation that access rights, processes, or systems meet defined standards, policies, or compliance requirements. It provides documented proof that access controls are in line with organizational or regulatory expectations. Certification may result from an audit or as the outcome of an attestation process.
Compliance refers to the ability of the IAM system to support an organization in complying with relevant regulations, standards and internal policies that cover data protection, security and user access management.
In the context of IAM, compliance ensures that the organization manages identities and access in a way that meets legal, regulatory and security requirements. Regulations, guidelines and standards that IAM systems support with regard to compliance are:
GDPR (also DSGVO)
HIPAA (Health Insurance Portability and Accountability Act)
SOX (Sarbanes-Oxley Act)
NIS2 (Network and Information Security Directive)
DORA (Digital Operational Resilience Act)
GMP (Good Manufacturing Practice)
TISAX (Trusted Information Security Assessment Exchange)
KRITIS (Critical Infrastructure) and others
In contrast to IAM (also known as WIAM – Workforce Identity and Access Management), which aims to manage internal identities within an organization, CIAM (Customer Identity and Access Management) focuses on the following features:
Customer registration
Social login and single sign-on (SSO), e.g., logging in with Google, Facebook, or Apple
Consent management and data protection, e.g., GDPR-compliant data sharing
Adaptive authentication
Fraud and anomaly detection
CIEM solutions manage and monitor entitlements and permissions across cloud environments. They help identify and prevent excessive, unused, or risky permissions that could lead to security vulnerabilities. CIEM plays a critical role in ensuring compliance, minimizing cloud-based threats, and strengthening overall cloud IAM strategies.
This refers to the management of contextual data sources – such as location, device, or time – that are used in access decisions. Effective Context Data Management strengthens adaptive and risk-based authentication and supports dynamic authorization policies. Proper handling of this data ensures accuracy, integrity, and security, which are critical for trust in access control systems.
Continuous authorization refers to the ongoing evaluation of access permissions throughout a user session. It ensures that access remains appropriate as contextual factors – such as location, behavior, or risk level – change over time.
This dynamic approach helps prevent privilege escalation, session hijacking, and unauthorized actions. Continuous authorization is a critical component of real-time, adaptive security frameworks.
Credential stuffing is a cyberattack in which stolen username-password pairs are used to gain unauthorized access to user accounts. Attackers automate login attempts across multiple websites and services, exploiting reused credentials.
Modern IAM systems implement detection and mitigation techniques to defend against this widespread threat. Credential stuffing remains a major risk to online security and user trust.
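As an added illustration of the detection side (example code, not part of the original glossary and not Garancy’s implementation), the following script runs a simple credential-stuffing heuristic over constructed login log lines: it keys on one source failing against many distinct accounts, which distinguishes stuffing from single-account brute force.

```python
"""Credential-stuffing detection over authentication log lines (added example).

Classic brute force makes many guesses against one account; credential
stuffing makes one or two guesses against many accounts, because every
username/password pair comes from a leak elsewhere. The heuristic below
therefore keys on the number of distinct accounts a single source fails
against inside a short window, and reports any success from such a source
as a probable reused password.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<ISO time> <source IP> <user> <result>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave FAIL
2024-05-01T10:00:03Z 203.0.113.7 erin OK
2024-05-01T10:00:04Z 203.0.113.7 frank FAIL
2024-05-01T10:00:05Z 198.51.100.4 alice FAIL
2024-05-01T10:00:09Z 198.51.100.4 alice FAIL
2024-05-01T10:00:12Z 198.51.100.4 alice FAIL
2024-05-01T10:01:30Z 192.0.2.9 grace OK
"""


def parse_log(text):
    """Turn log lines into (time, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_distinct_users=4):
    """Return {source_ip: finding} for sources whose failed logins hit at least
    min_distinct_users different accounts within `window`. Sources that only
    hammer a single account (plain brute force) are deliberately not matched."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        for i, (t0, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            failed_users = {e[2] for e in in_window if e[3] == "FAIL"}
            if len(failed_users) >= min_distinct_users:
                findings[ip] = {
                    "distinct_failed_users": len(failed_users),
                    "successful_logins": sorted({e[2] for e in in_window if e[3] == "OK"}),
                }
                break  # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

A flagged source with a successful login is the signal to force a password reset and step-up authentication on the affected account rather than just blocking the address.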
Cybersecurity in IAM and IGA focuses on safeguarding identities, credentials, and access controls against cyber threats. It encompasses key measures such as multi-factor authentication, encryption, and continuous monitoring. A strong IAM security foundation significantly reduces the risk of breaches and data loss, making it critical for organizational resilience.
To learn more, watch our webinar “Cybersecurity with IAM as the Cornerstone of a Robust Security Architecture”.
A component within an IAM software for interacting with the target systems. Connectors are essential for provisioning, deprovisioning and managing various resources.
Key Functionalities of a Connector:
Integration of external systems: A connector acts as a link between the IAM system and external applications such as SaaS applications, databases and on-premise systems. It enables the IAM system to communicate with these systems and manage identities within them.
User provisioning and deprovisioning: When a user is added, modified, or removed in the IAM system, the connector automatically creates, updates, or deletes the user account in the connected system. This may include email systems, data management tools, process software, or cloud services.
Synchronization of identity data: A connector enables the synchronization of user attributes (e.g. usernames, roles and permissions) between the IAM system and other identity repositories such as Active Directory (AD) or LDAP. This ensures data consistency.
Authentication and authorization: In some cases, connectors are used to delegate authentication and authorization to external identity providers, for example, to facilitate Single Sign-On (SSO) or to enable connectivity between different systems.
Access control and compliance: Connectors enable the IAM system to enforce access control policies by managing authorizations in connected systems. This ensures that users have the right level of access based on roles and policies defined in Garancy.
Here you will find an overview of the connectors available in Garancy.
Decentralized identity empowers users to manage their digital identities independently, without relying on a central authority. It leverages blockchain or distributed ledger technology to ensure secure and tamper-proof identity verification. By enhancing privacy, user autonomy, and data control, decentralized identity is an emerging trend in the IAM landscape.
The process of revoking access rights and permissions to systems, applications and data that a user no longer needs. This usually occurs when an employee leaves the company, changes departments or roles, or no longer requires access to certain resources. This process can be triggered either manually when needed or it can be planned in advance with automated execution. This is one of the core functions of Garancy.
Dynamic authorization enables real-time access decisions based on contextual factors such as user behavior, device type, location, or risk level. It allows organizations to grant or revoke access instantly, adapting to changing conditions and user context.
As a key component of adaptive security models, dynamic authorization enhances both flexibility and risk awareness in access control.
DORA is an EU regulation that aims to ensure the operational resilience of financial institutions. In the area of IAM, it emphasizes secure access controls, incident response mechanisms and, above all, logging to protect critical financial services from cyber threats.
Robust IAM practices help organizations comply with DORA requirements by enforcing access restrictions, recertification of access rights and risk assessments.
Data Access Governance (DAG) is centered on managing and securing access rights to unstructured data, such as documents, spreadsheets, presentations, and emails, to safeguard sensitive information. DAG complements document management tools (DMS), file servers, and SharePoint portals, while addressing the dynamic nature of data sharing and mitigating the risks of data leakage.
Embedded Identity Management integrates IAM capabilities directly into applications, systems, or devices, streamlining authentication and access control processes at the core. This approach enhances both security and user experience by reducing reliance on external systems. Embedded IAM is increasingly adopted in IoT environments and modern software architectures.
Employee recertification is the periodic process of reviewing and validating the access rights and roles assigned to employees. Its primary goal is to ensure that users retain only those permissions required for their current job responsibilities, minimizing the risk of unauthorized access.
This process typically involves managers or system owners confirming or revoking access based on changes in roles, responsibilities, or employment status. Regular employee recertification is essential for maintaining compliance, strengthening security, and enabling effective access governance.
Solutions such as the Garancy Recertification Center help organizations streamline and automate this process efficiently.
An entitlement is a specific set of access rights or privileges granted to a user, group, or system within an application or IT environment. It defines which resources a user can access and what actions they are permitted to perform.
Managing entitlements effectively is essential for enforcing the Principle of Least Privilege, ensuring users have only the access required for their roles. Entitlements are a key component of compliance and security reviews.
Entitlement management is the process of defining, assigning, and monitoring access rights across an organization. It ensures that users have only the permissions necessary for their responsibilities. Effective entitlement management reduces insider threats, supports regulatory compliance, and is a core function of Identity and Access Management.
Entra ID, formerly known as Active Directory (AD), is a directory service developed by Microsoft that helps organizations manage and organize users, computers and resources within a network. It provides centralized authentication, authorization and access control, enabling administrators to enforce policies, assign permissions and ensure secure access to resources across the IT environment.
Garancy provides a connector for Entra ID that is continuously maintained and updated.
Fraud Reduction & Intelligence focuses on detecting and preventing fraudulent activities within IAM systems. It leverages techniques such as behavioral analytics and anomaly detection to defend against identity theft and account compromise. By providing real-time insights, fraud intelligence strengthens the organization’s overall security posture.
A security and governance concept that requires certain actions, decisions or transactions to be approved or even executed by at least two authorized persons. This approach is designed to improve oversight, reduce errors, prevent fraud and ensure compliance by adding an extra layer of verification and accountability.
In the IAM context, the 4-eyes principle plays a crucial role in controlling and monitoring access to sensitive systems and data. It ensures that high-risk operations involving user identities and access rights are subject to double verification, thereby increasing security and reducing the probability of unauthorized activity. The four-eyes principle is a fundamental component in strengthening the security and governance of identity and access management systems. By requiring dual approval for critical actions, organizations can:
enhance security by reducing the risk of unauthorized or malicious activities,
ensure compliance with regulatory requirements for monitoring and accountability and
promote transparency by fostering a culture of accountability and due diligence.
Implementing the dual control principle in IAM processes helps organizations secure their assets, protect sensitive information and maintain stakeholder trust by ensuring that access to critical resources is appropriately controlled and monitored.
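The dual-control invariants described above, as an added example (not code from the original page or from Garancy); the approver directory and request fields are assumptions:

```python
"""Four-eyes (dual control) gate for a high-risk IAM change (added example).

Invariants enforced before the change may run:
  * the requester can never approve their own request,
  * the required approvals must come from distinct people,
  * every approver must hold an approver role,
  * every decision is written to an audit trail.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed approver directory (hypothetical user ids).
APPROVERS: Set[str] = {"mgr.mueller", "owner.schmidt", "ciso.weber"}


@dataclass
class ChangeRequest:
    request_id: str
    requester: str
    description: str
    required_approvals: int = 2
    approvals: List[str] = field(default_factory=list)
    audit: List[Tuple[str, str]] = field(default_factory=list)  # (actor, outcome)
    executed: bool = False

    def is_approved(self) -> bool:
        return len(set(self.approvals)) >= self.required_approvals


def approve(req: ChangeRequest, approver: str, approvers: Set[str] = APPROVERS) -> str:
    """Record one approval; returns 'approved', 'pending' or 'rejected: <reason>'."""
    if approver not in approvers:
        reason = "not an authorized approver"
    elif approver == req.requester:
        reason = "self-approval is not allowed"
    elif approver in req.approvals:
        reason = "duplicate approval by the same person"
    else:
        req.approvals.append(approver)
        outcome = "approved" if req.is_approved() else "pending"
        req.audit.append((approver, outcome))
        return outcome
    req.audit.append((approver, "rejected: " + reason))
    return "rejected: " + reason


def execute_if_approved(req: ChangeRequest) -> bool:
    """The privileged action itself runs only once dual control is satisfied."""
    if not req.is_approved() or req.executed:
        return False
    req.executed = True  # here the actual grant would be pushed to the target system
    req.audit.append(("system", "executed"))
    return True
```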
In IAM, a group is a collection of accounts with similar access needs or roles. Groups streamline access management by enabling permissions to be assigned collectively rather than individually. Group-based access control improves operational efficiency and ensures consistent permission handling across users.
Refers to the framework of rules, policies, processes and practices that guide how an organization operates and achieves its objectives in a structured and accountable manner. It encompasses decision-making, resource management, compliance and risk management to ensure transparency, efficiency and alignment with organizational goals and external regulations.
Identity Access Management (IAM) is a critical component of governance as it enforces policies and controls to ensure that users have appropriate access to resources based on their roles and responsibilities. IAM also supports governance by providing visibility, auditability and compliance, helping organizations manage risk and align with regulatory requirements.
A help desk provides user support for IAM-related issues such as password resets, access requests, and account problems. It serves as the first point of contact for identity-related concerns. Efficient help desk operations enhance both user satisfaction and security. In modern IAM environments, automated help desk tools are commonly used to streamline support processes.
HIPAA is a U.S. regulation for protecting sensitive health information. IAM plays a critical role in HIPAA compliance by enforcing a strict Need-to-Know principle for health data through role-based access control (RBAC). This ensures that only authorized personnel can access patient data. An IAM system also provides audit options in the form of audit trails (reports).
An identity is the central digital representation of a natural or technical entity in the IAM system. It provides a consistent reference for management, authentication, and authorization. An identity typically consists of attribute-based information, such as name, department, function, and status, and forms the basis for role and rights assignments throughout the entire lifecycle – from onboarding to role changes and offboarding.
Important: An identity is not necessarily linked to active system use, but primarily serves as an administrative construct. An identity can give rise to multiple users, for example for different systems or roles – especially in non-human scenarios.
Cloud-based identity and access management delivery model. Identity as a Service (IDaaS) provides IAM functions as a subscription-based, on-demand service hosted and managed by a third-party vendor, rather than being implemented and maintained on-premises by the organization.
Both IAM and IDaaS play a central role in securing corporate resources by managing identities and access rights. The decision between the two models depends on factors such as the specific requirements of the company, compliance aspects, available resources and the strategic orientation towards the cloud.
Identity Data Governance manages the quality, privacy, and security of identity-related data. It defines clear policies for data handling and enforces compliance with relevant regulations. Effective governance minimizes the risk of data breaches and misuse, making it a critical foundation for trust in IAM systems.
Identity Governance and Administration is a key component within the field of Identity Access Management. IGA focuses on the administration and control of digital identities and access rights within an organization, while ensuring compliance with legal and security requirements.
IGA focuses on the areas of compliance, audits, automation, and governance.
The core functions of IGA include access reviews, role management, and segregation of duties (SoD).
This process ensures that identity data is accurate, complete, and consistent. High-quality identity information is essential for secure and efficient IAM operations. Effective quality management minimizes errors, reduces compliance risks, and is considered a best practice in modern Identity Management.
Identity Lifecycle Management oversees the creation, modification, and deletion of digital identities. It automates user onboarding, role changes, and offboarding. Correct and efficient Lifecycle Management, using the Garancy User Center, for example, ensures timely and secure access.
Identity management – often also referred to as identity and access management or just IAM – involves the administration and control of digital identities of users and devices within an organization. The aim is to ensure that the right people have access to the right resources at the right time and for the right reasons.
Identity federation allows users to access multiple systems using a single set of credentials. It enables secure and seamless authentication across organizational boundaries. Federation supports single sign-on (SSO) and improves user experience. It is widely used in cloud and partner integrations.
An Identity Provider (IdP) is a system or service for managing user identities and providing authentication information. The IdP confirms who a user is by checking login information such as a username and password or certificates. After successful authentication, the IdP issues proof of identity, which is then passed on to other services or applications.
The relationship between an Identity Provider (IdP) and an IAM system is complementary, with the IdP acting as a key component within the broader IAM ecosystem.
IdP within IAM: The IdP is often a core service of an IAM system, handling authentication while the IAM platform manages access control, identity governance and provisioning.
Seamless user experience: The IdP enables features like Single Sign-On (SSO) and federated identity management, allowing IAM systems to provide secure, streamlined access across multiple applications.
Security and compliance: IAM systems rely on the IdP for robust authentication mechanisms to ensure secure access and meet regulatory requirements.
In short, the IdP verifies “who you are,” and the IAM system determines “what you can do.”
IT Service Management (ITSM) involves designing, delivering, and managing IT services, making it essential for reliable IT operations. In IAM, ITSM supports user support, incident management, and service requests. Integration with IAM improves efficiency and user satisfaction.
Garancy ISEC provides internal security controls and monitoring for IAM environments. It detects and mitigates internal threats and policy violations, supporting compliance and risk management. It is tailored for the Garancy Suite.
ITDR detects and responds to identity-based threats such as compromised accounts or privilege abuse. It uses analytics and automation to identify suspicious activities. ITDR significantly strengthens incident response capabilities and serves as a critical pillar of modern IAM security strategies.
ISPM assesses and improves the security status of identity systems. It identifies vulnerabilities, misconfigurations, and compliance gaps. ISPM tools deliver actionable insights and remediation recommendations, enabling organizations to proactively reduce risk.
An identity repository is a centralized database that stores user identities and attributes. It supports authentication, authorization, and auditing. Secure management of the repository is vital for IAM. It often integrates with directories and HR systems.
Identity proofing verifies that a user’s claimed identity is authentic, often using documents or biometrics. It is a crucial step in user onboarding and high-assurance transactions, helping ensure that access is granted only to legitimate individuals. Robust identity proofing significantly reduces the risk of fraud and is foundational to delivering secure and trustworthy digital services.
Identity orchestration coordinates identity-related processes across systems and applications, automating workflows for provisioning, authentication, and compliance. Orchestration improves efficiency and reduces manual errors. It is crucial for scalable IAM environments.
Joiner, Mover, Leaver (JML) are terms used to describe common employee processes that typically originate in HR systems. For an IAM system, these standard business processes result in adjustments to employee permissions.
IAM systems enable either fully automated or partially automated processes with additional approval workflows. These workflows can be used to provide information about the changes or as a supplement to grant or revoke additional permissions.
Garancy also supports fully and partially automated Joiner, Mover, and Leaver processes.
Joiner (new hire): When a new internal or external employee joins the company, Garancy ensures that they are granted the appropriate access rights according to their role.
Mover (transfer): If a user changes their role or area of responsibility (e.g. change of department or participation in a specific project), the IAM system adapts their access to the new tasks and ensures that they have neither too many nor too few access rights.
Leaver (exit): When a person leaves the company, the system ensures that access rights are immediately revoked to prevent unauthorized access after leaving.
A video on how you can easily manage the employee lifecycle with Garancy can be found here.
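The three JML transitions above, worked through against a role model as an added example (not Garancy’s code; the role model, systems and entitlement names are constructed). The mover step touches only the difference between old and new role, and a drift check confirms the "neither too many nor too few" property afterwards.

```python
"""Joiner / Mover / Leaver processing against a role model (added example).

Every transition returns the exact set of revocations and grants it performed,
so the result can be logged or handed to an approval workflow before execution.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed role model (hypothetical systems and entitlements).
ROLE_MODEL: Dict[str, Set[str]] = {
    "sales":   {"crm:read", "crm:write", "mail:mailbox", "vpn:access"},
    "finance": {"erp:ledger-read", "erp:payment-approve", "mail:mailbox", "vpn:access"},
}


@dataclass
class Identity:
    uid: str
    role: str
    active: bool = True
    entitlements: Set[str] = field(default_factory=set)


class JmlEngine:
    def __init__(self, role_model: Dict[str, Set[str]]):
        self.roles = role_model
        self.identities: Dict[str, Identity] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (uid, action, entitlement)

    def _apply(self, ident: Identity, revoke: Set[str], grant: Set[str]):
        for e in sorted(revoke):
            ident.entitlements.discard(e)
            self.audit.append((ident.uid, "revoke", e))
        for e in sorted(grant):
            ident.entitlements.add(e)
            self.audit.append((ident.uid, "grant", e))
        return revoke, grant

    def joiner(self, uid: str, role: str):
        """New hire: create the identity and grant everything the role defines."""
        ident = Identity(uid, role)
        self.identities[uid] = ident
        return self._apply(ident, set(), set(self.roles[role]))

    def mover(self, uid: str, new_role: str):
        """Transfer: revoke what the old role had and the new one lacks, grant the rest.
        Entitlements shared by both roles (mailbox, VPN) are left untouched."""
        ident = self.identities[uid]
        target = self.roles[new_role]
        ident.role = new_role
        return self._apply(ident, ident.entitlements - target, target - ident.entitlements)

    def leaver(self, uid: str):
        """Exit: revoke every remaining entitlement and deactivate the identity."""
        ident = self.identities[uid]
        ident.active = False
        return self._apply(ident, set(ident.entitlements), set())

    def drift(self, uid: str) -> Tuple[Set[str], Set[str]]:
        """(excess, missing) relative to the role model; both must be empty."""
        ident = self.identities[uid]
        expected = self.roles[ident.role] if ident.active else set()
        return ident.entitlements - expected, expected - ident.entitlements
```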
JIT access provides users with temporary, time-limited permissions only when needed. It reduces standing privileges and minimizes attack surfaces. JIT access is managed and audited for security. It is a best practice in privileged access management.
KRITIS refers to Critical Infrastructures in Germany, such as energy, water, and healthcare, and is regulated by German law. These infrastructures are subject to special security and compliance requirements. IAM solutions for KRITIS ensure resilience against cyber threats and regulatory compliance.
Lift & Shift is a cloud migration strategy in which existing applications or workloads are moved directly to a cloud environment without major changes. This process is often referred to as “rehosting”.
The architecture of the application remains largely untouched, simply being transferred from an on-premise environment (local data center) to the cloud.
Reconciliation in IAM or “Live Balancing” in Garancy refers to the process of comparing and aligning identity and access data between different systems, such as IAM platforms and target applications. It ensures that the actual permissions in target systems match the intended access rights defined in the IAM system.
Reconciliation helps detect unauthorized changes, resolve discrepancies, and maintain compliance. Regular reconciliation is essential for accurate and secure access management.
Multi-factor authentication (MFA) is a security measure that requires users to provide two or more proofs of identity before they can access resources (e.g. applications, online accounts or VPNs). Unlike traditional methods that only require a username and password, MFA requests additional verification factors, which increases security and reduces the risk of cyber attacks.
Manual provisioning is the process of creating, configuring, and managing user accounts, permissions or IT resources without automation. An IT administrator or other responsible person performs all necessary steps manually.
This process is often used for systems that cannot be connected or for legacy applications that only a few users still have access to. As it is done manually, it is prone to errors and poses security risks.
Garancy optimizes manual provisioning by generating tasks for the responsible persons. These can be processed in various ways, e.g. by email or workflow.
Garancy provides overviews of all manual tasks, thereby reducing the likelihood of errors. At the same time, the IAM tool documents the entire process and ensures that the IAM system is always up to date as a central source of information (“single point of truth”).
MaRisk is a German regulatory framework issued by the German Federal Financial Supervisory Authority (BaFin). It outlines minimum requirements for risk management practices that financial institutions and banks in Germany must follow to ensure solid and effective internal governance.
Most key aspects of MaRisk are covered by an IAM system like Garancy.
Risk management framework: MaRisk requires institutions to establish a comprehensive risk management system to identify, assess, monitor and mitigate risks. It covers various risk types, including credit, market, operational and liquidity risks. An IAM system with strong SoD capabilities supports this framework.
Internal governance: MaRisk fosters an appropriate organizational structure, clear responsibilities and effective communication channels. This underscores the importance of a risk-conscious corporate culture and strong internal control systems.
Documentation and reporting: Requirements are also set for transparent documentation of risk management processes. Institutions must regularly report on risks and controls to management and supervisory authorities. Detailed, controllable reporting functions within the IAM system enable companies to provide such information.
IT risk and security: MaRisk includes guidelines for managing IT-related risks, ensuring cybersecurity and adapting to regulatory requirements related to technology and operations. Enforcing a Need-to-Know principle through the IAM system significantly increases IT security.
Compliance and audits: MaRisk requires regular internal and external audits to verify compliance with the prescribed standards. This ensures that companies meet their legal and regulatory obligations. With an IAM solution like Garancy, organizations are always able to provide information about the current state of access rights within the company.
Monitoring in IAM is a foundational security practice that involves continuously observing systems and user activities. It detects anomalies, policy violations, and security threats. Effective monitoring supports incident response and compliance.
The Need-to-Know Principle and IAM are closely related concepts that ensure sensitive information and resources are only accessible to those who need them to perform their tasks.
It is a security concept designed to ensure that individuals only have access to data, systems, resources or information that they need to perform their tasks. This minimizes the risk of unauthorized access, insider threats and disclosure of confidential information.
The EU Network and Information Security (NIS) Directive, adopted in 2016 and in force since May 2018, establishes a legal framework for strengthening the cybersecurity of Critical Infrastructures (KRITIS), such as energy, transport and healthcare, as well as certain digital service providers. In terms of IAM, compliance with the NIS1 Directive involves securing user identities, preventing unauthorized access to critical systems, and ensuring traceability through audit trails.
The NIS2 Directive, adopted in November 2022, is an extension of the first NIS Directive and had to be transposed into national law by the member states by October 2024. It extends the scope of the regulation to cover more sectors and introduces stricter requirements for cybersecurity risk management. It focuses on advanced identity management practices such as Zero Trust, Privileged Access Management (PAM), and control mechanisms to protect against advanced cyber threats.
Refers to software, hardware, or IT infrastructure that is hosted and managed locally — within an organization’s own facilities — rather than in a cloud environment. This type of setup puts the organization in complete control of its systems, data and security, but requires resources for maintenance and support.
An IAM tool plays a crucial role in identifying and managing orphaned accounts, which are user accounts that remain active but are no longer associated with a valid user, e.g. after an employee leaves the organization.
Garancy helps detect and mitigate these accounts by automating deprovisioning processes, enforcing role-based access controls and providing audit capabilities to ensure that all accounts are tied to legitimate, active identities. This reduces security risks and improves compliance. As soon as a person leaves the company, all associated accounts are deactivated.
Accumulation of access rights of individual users, e.g. due to a change of department or position within the company. This is also referred to as “apprentice effect” or the “intern phenomenon”. The employee passes through a variety of departments within the company and is assigned rights to carry out tasks within these departments. As these rights are not withdrawn when the employee has completed the assignment, an accumulation of rights occurs. This is associated with significant risks in day-to-day operations. This phenomenon is particularly common among trainees and apprentices.
The Principle of Least Privilege (PoLP) is essential to IAM because it limits user and system access to the minimum required in order to perform work tasks. This increases security by minimizing the attack surface, preventing privilege abuse, and ensuring that organizations comply with access control and data privacy regulations. PoLP is a core component of Garancy, which enables strict access controls and protects critical systems and sensitive data.
Minimal access: PoLP ensures that users or systems have the lowest level of access or permission possible to perform their tasks. For example, if a user just needs view-only access to a database, they should not be given writing or administrative rights.
Enhanced security: By restricting access rights, PoLP reduces the risk of unauthorized activities, accidental errors or malicious actions. If a user’s account is compromised, the attacker has limited access, which mitigates the potential damage.
User roles and permissions: In IAM, PoLP is enforced through mechanisms such as Role-Based Access Control (RBAC). Each user is assigned one or more roles with permissions that match their job responsibilities. These roles are designed to grant only the least privileges necessary.
Prevention of rights accumulation: PoLP prevents accumulation of more rights than necessary. Users or applications are not granted extensive access rights that could lead to privilege misuse or privilege exploitation, such as unauthorized access to sensitive data or critical systems.
Periodic review: Garancy enforces PoLP by continuously reviewing user entitlements and, most importantly, requiring regular access reviews to prevent users from accumulating unnecessary privileges over time.
Governance: PoLP is of critical importance for regulatory compliance (GDPR, HIPAA and many more), as it ensures that sensitive data is only accessible to authorized users, reducing the chances of data breaches and helping to meet governance requirements.
Privileged account management (PAM) is a subfield of IAM that focuses specifically on the security and management of privileged accounts. These are accounts with higher-level authorizations for accessing critical systems, sensitive data or administrative functions. They include, for example, system administrators, network engineers or database administrators.
While identity and access management (IAM) addresses the general management of user identities and access rights for an entire organization, PAM focuses specifically on one area: securing privileged accounts with higher levels of authority that require rigorous control.
Together, IAM and PAM provide a comprehensive framework for securing identities, managing access and protecting critical company resources. By integrating IAM and PAM, organizations can ensure that all users have the right access rights, while adding an extra layer of protection to privileged accounts to prevent potential breaches or misuse.
Passwordless authentication enables users to access systems without traditional passwords, using methods like biometrics or tokens. It improves security and user experience by eliminating password-related risks. Passwordless solutions are gaining popularity in IAM. They reduce the risk of credential theft.
Provisioning refers to the creation and assignment of user accounts and access rights across systems. It streamlines onboarding, role changes, and access updates, ensuring users receive the right permissions at the right time. Efficient provisioning enhances both security and productivity, making it a core function of any IAM strategy.
The feeling of frustration, stress or mental exhaustion caused by the overwhelming number of passwords that users have to remember and manage for various services. Password fatigue can cause users to resort to unsafe practices, such as reusing passwords or using easy-to-guess passwords, which in turn can pose a security risk.
Password reset is a classic feature of IAM systems that allows users to manage all their account passwords via the IAM system. With the use of self-service functions, passwords can be reset without involving the helpdesk, for example.
The standard features also include offline password reset. If the user has forgotten their Windows password and cannot log in, Garancy offers the option of resetting the Windows password via security questions.
Project privileges are access rights specific to a particular project or initiative, enabling project members to perform necessary tasks while limiting access to others. Project privilege management ensures security and project integrity. It is important for collaboration in IAM.
Privileged credentials management involves securing, storing, and monitoring credentials for accounts with elevated access, such as administrators. This includes password vaulting, credential rotation, and access auditing. Proper management reduces the risk of credential theft and insider threats. It is a critical aspect of IAM security.
Privilege elevation is the process of temporarily granting higher access rights to a user. It is used for tasks requiring administrative privileges. Strict controls and monitoring are essential to prevent misuse. Privilege elevation is managed within privileged access management.
Public Key Infrastructure (PKI) is a framework for managing digital certificates and public-key encryption. It enables secure authentication, data integrity, and confidentiality. PKI is widely used in IAM for securing communications and identities. It is essential for trust in digital transactions.
A permission is an authorization that allows a user or system to perform a specific action on a resource, such as reading, writing, modifying, or deleting data. Permissions are the building blocks of access control and are typically assigned based on roles, groups, or policies.
Managing permissions ensures that users can only perform actions that are appropriate for their responsibilities. Proper permission management is essential for maintaining security and preventing unauthorized activities.
A query is a request for information from a database or system. In IAM, queries are used to retrieve user, access, or audit data. Efficient query management supports reporting and analytics. Queries are essential for monitoring and compliance.
Q&A-based authentication uses predefined questions and answers to verify a user’s identity. It is often used as a secondary authentication factor for password recovery or additional verification.
Security questions add an extra layer of protection but must be managed securely. Weak or guessable answers can introduce vulnerabilities.
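The two requirements stated above, rejecting weak answers and storing the rest securely, can be met with the same handling that passwords get: normalize the answer so harmless variations in case, accents and punctuation still verify, refuse answers that are too short or too common, and store only a salted, slow hash that is compared in constant time. The following is an added example and not code from the page or from Garancy; the minimum length, the weak-answer list and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Dict, List

MIN_ANSWER_CHARS = 4          # assumption: shorter answers are too guessable
ITERATIONS = 200_000          # assumption: PBKDF2 work factor for the example
# Constructed list of answers too common to act as a secret.
WEAK_ANSWERS = {"password", "none", "1234", "abcd", "qwerty", "unknown"}


def normalize_answer(answer: str) -> str:
    """Casefold, strip accents and punctuation and collapse whitespace so that
    'Saint-Malo' and 'saint  malo' verify the same. This trades a little entropy
    for far fewer lockouts during password recovery."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^\w\s]", " ", text.casefold())
    return re.sub(r"\s+", " ", text).strip()


def is_acceptable_answer(answer: str) -> bool:
    """Policy check applied at enrollment: length and deny-list on the normalized form."""
    norm = normalize_answer(answer)
    return len(norm) >= MIN_ANSWER_CHARS and norm not in WEAK_ANSWERS


def enroll_answer(answer: str) -> Dict[str, str]:
    """Store a per-answer random salt and a PBKDF2-HMAC-SHA256 digest, never the answer."""
    if not is_acceptable_answer(answer):
        raise ValueError("security answer rejected by policy")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": str(ITERATIONS)}


def verify_answer(record: Dict[str, str], candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        int(record["iterations"]),
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def verify_all(records: List[Dict[str, str]], candidates: List[str]) -> bool:
    """Check every enrolled question before answering, so a wrong first answer
    does not short-circuit and reveal which question failed."""
    if len(records) != len(candidates):
        return False
    results = [verify_answer(r, c) for r, c in zip(records, candidates)]
    return all(results)


if __name__ == "__main__":
    # Constructed enrollment and recovery attempt.
    enrolled = [enroll_answer("Señor Gómez"), enroll_answer("Saint-Malo")]
    print("recovery ok:", verify_all(enrolled, ["senor gomez", "saint  malo"]))
    print("recovery ok:", verify_all(enrolled, ["senor gomez", "saint marlo"]))
```

The record returned by `enroll_answer` is what an IAM system would persist; the answer text itself never leaves the function. Rate limiting and lockout after repeated failures belong in the calling recovery flow and are outside this snippet.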
Recertification, also known as access review or access certification, is the process of regularly reviewing whether user access rights are still appropriate for their current roles and tasks. This is usually mandated by internal policies, industry standards, or legal requirements to ensure that users have the right level of access and that unauthorized or unnecessary access rights are revoked.
The frequency of these recertifications can be defined in Garancy when creating recertification campaigns. This is based, among other things, on regulatory requirements that are geared to the criticality of the respective authorizations. The more sensitive or security-relevant access rights are considered to be, the more frequently they should be reviewed.
In Garancy, recertification is divided into two areas:
Employee recertification to check employee permissions
Role recertification, which checks the role master data and role content, i.e., the permissions it contains
This distinction allows recertification to be tailored to the person responsible and simplifies the recertification process.
In the IAM context, resources are the digital assets, systems, applications, data, services, or other components within an organization’s IT environment that users need to access in order to perform their tasks.
In Garancy, resources are the most granular level of entitlements. The entitlement hierarchy is structured as follows: Role – Group – Resource.
A role is one of the fundamental concepts that represents one or more authorizations and access rights to be assigned to users or entities within a system. Roles are used to simplify and centralize the management of access control by clustering a collection of permissions that are typically needed to perform a certain job function or activity.
The use of roles is a core principle of Role-Based Access Control (RBAC), a widely adopted approach in IAM systems. RBAC ensures that access is granted on the basis of roles defined according to job function, thus enforcing the principle of least privilege. This means that users are provided only with the access rights they need to perform their tasks.
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an organization. RBAC is crucial to Garancy because it provides a systematic way to manage and assign permissions to users, thereby increasing security and operational efficiency.
In contrast to the user lifecycle, which focuses on users and their rights, the role lifecycle refers to the management of roles and the rights assigned to them.
A key element is the role model, which forms the logic behind structured rights assignment. A distinction is typically made between application roles, which refer to technical permissions in individual systems, and business roles, which act as higher-level bundles of several application roles and are usually defined on the basis of organizational functions. The resulting role hierarchy enables a transparent, reusable, and auditable structure of access rights.
The Main Functions of the Role Lifecycle:
Creation: Garancy helps to define and create roles based on organizational structures, job functions and access requirements.
Modification: As business needs change, Garancy supports role updates, adjustments or the addition of new permissions.
Review and certification: Regular role audits ensure that roles continue to comply with corporate policies and regulatory requirements.
Withdrawal: A role is automatically decommissioned when it is no longer needed. This prevents the accumulation of excessive or obsolete permissions.
An architectural style that uses standard HTTP methods (e.g. GET, POST) and supports lightweight data formats like JSON. It is widely adopted for its simplicity, scalability and flexibility, particularly in modern web and mobile applications.
Role recertification is the periodic review and validation of user roles and associated access rights. It ensures that roles remain appropriate and compliant. Recertification – for example, with the Garancy Recertification Center – helps detect and remove unnecessary privileges. It is a critical control in IAM governance.
Reporting in Garancy involves generating reports on user activities, access rights, and compliance status. These reports support audits, monitoring, and management decisions. Automated reporting increases transparency and accountability. Reporting is essential for meeting regulatory requirements.
RACF (Resource Access Control Facility) is an IBM security solution for controlling access to mainframe resources. It manages users, groups, and permissions, supporting compliance and auditing. RACF is widely used in enterprise environments for mainframe security. It is integral to secure mainframe IAM.
Single Sign-On (SSO) is an authentication method that allows users to access multiple applications, systems, or services with a single set of login credentials (e.g., username and password). By centralizing authentication, SSO simplifies the user experience and reduces the need to remember multiple passwords while improving security by enabling centralized control over user access.
SSO is often paired with Multi-Factor Authentication (MFA) to enhance security. While SSO minimizes password fatigue by requiring only one set of credentials, MFA adds an additional security layer by requiring multiple forms of verification, such as a one-time password (OTP) or hardware token.
This combination ensures that even if SSO credentials are compromised, unauthorized access is still mitigated through the second authentication factor. Together, SSO and MFA provide both convenience and strong security.
Separation of Duties, also called Segregation of Duties or SoD for short, is a security principle that divides critical tasks among multiple people to prevent fraud and errors. In IAM, SoD policies restrict users from having conflicting access rights. SoD supports compliance and reduces insider threats. It is essential for risk management.
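The entitlement hierarchy described earlier (Role – Group – Resource), the least-privilege check from the PoLP entry and the SoD principle above can all be demonstrated on one small model: expand each user's roles down to resource-level permissions while remembering which role and group granted each one, then compare the result against a task's actual needs and against a list of forbidden permission pairs. This is an added example, not Garancy's data model or code; the groups, roles, users and SoD rules are constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]   # (resource, action)
GrantPath = Tuple[str, str]    # (role, group) that granted a permission

# Constructed sample data following the page's Role -> Group -> Resource hierarchy.
GROUPS: Dict[str, Set[Permission]] = {
    "erp_vendor_editors":    {("vendor_master", "read"), ("vendor_master", "write")},
    "erp_vendor_readers":    {("vendor_master", "read")},
    "erp_invoice_entry":     {("invoices", "read"), ("invoices", "create")},
    "erp_payment_approvers": {("payments", "read"), ("payments", "approve")},
    "erp_reporting":         {("ledger", "read")},
}

ROLES: Dict[str, Set[str]] = {
    "AP Clerk":            {"erp_vendor_readers", "erp_invoice_entry"},
    "Vendor Master Admin": {"erp_vendor_editors"},
    "AP Approver":         {"erp_payment_approvers", "erp_reporting"},
    "Controller":          {"erp_reporting", "erp_vendor_readers"},
}

USERS: Dict[str, Set[str]] = {
    "alice": {"AP Clerk", "AP Approver"},   # holds a conflicting pair of roles
    "bob":   {"Vendor Master Admin"},
    "carol": {"Controller"},
}

# SoD rules: two permissions that must never be held by the same identity.
SOD_RULES: List[Tuple[str, Permission, Permission]] = [
    ("SOD-01 create invoices vs approve payments", ("invoices", "create"), ("payments", "approve")),
    ("SOD-02 edit vendor master vs approve payments", ("vendor_master", "write"), ("payments", "approve")),
]


def effective_permissions(user: str) -> Dict[Permission, List[GrantPath]]:
    """Expand roles through groups to resource-level permissions.
    Each permission keeps the (role, group) paths that grant it, so a reviewer
    sees why a right exists rather than only that it exists."""
    granted: Dict[Permission, List[GrantPath]] = {}
    for role in sorted(USERS.get(user, set())):
        for group in sorted(ROLES.get(role, set())):
            for perm in GROUPS.get(group, set()):
                granted.setdefault(perm, []).append((role, group))
    return granted


def sod_violations(user: str) -> List[Dict[str, object]]:
    """Return every SoD rule whose two permissions both appear in the user's effective rights."""
    perms = effective_permissions(user)
    hits: List[Dict[str, object]] = []
    for rule_id, first, second in SOD_RULES:
        if first in perms and second in perms:
            hits.append({"rule": rule_id,
                         "first": (first, perms[first]),
                         "second": (second, perms[second])})
    return hits


def excess_permissions(user: str, required: Set[Permission]) -> Set[Permission]:
    """Least-privilege gap: permissions held beyond what the task requires."""
    return set(effective_permissions(user)) - required


def sod_report() -> Dict[str, int]:
    """Number of SoD violations per user, the figure an audit report would show."""
    return {user: len(sod_violations(user)) for user in sorted(USERS)}


if __name__ == "__main__":
    for hit in sod_violations("alice"):
        print("alice:", hit["rule"])
        print("   granted via", hit["first"][1], "and", hit["second"][1])
    # A view-only task should not come with write rights (PoLP example from the page).
    print("bob excess for a read-only task:",
          excess_permissions("bob", {("vendor_master", "read")}))
    print(sod_report())
```

Keeping the grant path with every permission is what makes remediation practical: the report shows that alice's conflict comes from the combination of "AP Clerk" and "AP Approver", so the fix is to remove one role rather than to hunt for individual permissions.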
The suspension and unsuspension of user accounts are basic functions of an IAM system.
Suspension: A user account is deactivated to temporarily prevent access to systems and data without deleting the account. This typically occurs in the case of temporary absences (e.g., vacation, parental leave, or sabbatical), investigations, or non-compliance with policies. The IAM system ensures that the locked user can no longer access systems or data, but retains the configuration and account records that are important in the event of an audit.
Unsuspension: After review and approval, the account can be reactivated, giving the user access to the assigned resources again. IAM systems ensure that this process is traceable, controlled, and audit-proof.
Emergency Suspension: This is an escalation level above regular suspension. It ensures that affected accounts immediately lose all access rights. Again, all data necessary for an audit, as well as historical data on the user, is retained.
The Software Bill of Materials (SBOM) is a detailed, hierarchical list of all the components, dependencies and libraries (including open source, third-party and proprietary code) that make up a software application. It serves as a comprehensive inventory that provides transparency into the software supply chain.
Key purposes of an SBOM
Transparency: Identifies all software components to understand what is included in an application.
Security: Helps organizations detect and mitigate vulnerabilities by matching the listed components against vulnerability databases such as CVE (Common Vulnerabilities and Exposures).
Compliance: Ensures adherence to licensing requirements for open-source or third-party components.
Risk Management: Supports monitoring and managing risks associated with the software supply chain.
The significance of SBOMs in modern IT
SBOMs are becoming increasingly important, mainly due to the growing threat of attacks on supply chains and the introduction of regulatory requirements such as the Executive Order 14028 (Improving the Nation’s Cybersecurity) in the US, mandating SBOMs for government-related software.
A protocol with strict standards for message structure that supports only XML. It is often used in enterprise environments requiring high security, reliability and advanced features like transactions.
Static access control assigns fixed permissions to users or roles, regardless of context. It is simple to implement but lacks flexibility. Static models are suitable for stable environments with predictable access needs. Modern IAM increasingly uses dynamic access control instead.
SOAR platforms automate and coordinate security operations, including incident response and threat remediation. They integrate with IAM for identity-based response actions. SOAR improves efficiency and reduces response times. It is essential for modern security teams.
SIEM systems collect, analyze, and correlate security events from across the IT environment. They provide real-time threat detection, incident response, and compliance reporting. SIEM integration with IAM enhances visibility and security. SIEM is a cornerstone of modern security operations.
Session management controls the lifecycle of user sessions, including creation, maintenance, and termination. It helps prevent session hijacking and unauthorized access. Proper session management is vital for security and compliance. It is a core IAM function.
Self-service in IAM allows users to manage their own access requests, password resets, and profile updates. This improves user experience and reduces the workload on IT support. Self-service portals are common in modern IAM solutions like Garancy, enabling efficiency and empowering users.
Secure Service Edge (SSE) combines network security functions delivered as a cloud service, such as secure web gateways, cloud access security brokers, and zero trust network access. SSE protects users and data regardless of their location. It is increasingly integrated with IAM for holistic security. SSE supports secure access to cloud and on-premises resources.
Secrets Management is the secure storage, distribution, and handling of sensitive information such as passwords, API keys, and certificates. It reduces the risk of unauthorized access and data breaches. Automated secrets management tools handle rotation and access controls. Effective Secrets Management is vital for IAM security.
SCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity information. It simplifies user provisioning and deprovisioning across cloud and on-premises systems. SCIM improves interoperability and efficiency. It is widely adopted in IAM.
A target system is a system or application that can be controlled through Identity Access Management. In the case of fully integrated target systems, the communication between the system and Garancy is bidirectional. This enables Garancy to read the authorization management in the application on the one hand, but also to grant or withdraw authorizations in the target system on the other.
TISAX is an industry-specific certification standard for information security in the automotive industry. It ensures compliance with defined security requirements within the supply chain. TISAX certification is often a prerequisite for working with partners and is regularly required by OEMs and suppliers in particular.
A user is a unique identity registered within a system to enable access to resources, services, and data. This identity is used for authentication and authorization and is linked to specific roles and permissions.
The term user includes:
Human users, such as employees, partners, or external users
Non-human users, such as technical identities, services or applications that require automated access to systems.
Each user can have one or more accounts, which grant access to different systems or permission sets, depending on the specific use case.
The user lifecycle consists of the phases that a user’s digital identity goes through within an organization. Typically, the phases are categorized as:
Joiner (onboarding)
Mover (role or position change)
Leaver (offboarding)
Effective management of the user lifecycle is crucial to maintaining security, ensuring compliance and optimizing operational efficiency. Each phase requires specific actions within the IAM system to adequately manage user identities and access rights.
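The three lifecycle phases, together with the rights-accumulation and orphaned-account entries earlier on this page, can be shown in one small directory model: a joiner gets the roles and accounts their department justifies, a mover either has the old department's rights revoked or (the "intern phenomenon") keeps them, a leaver has all linked accounts disabled, and a reconciliation pass finds enabled accounts with no active owner. This is an added example and not Garancy's code; the department-to-role mapping, system names and user names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed role model (assumption): roles and target systems each department justifies.
DEPARTMENT_ROLES: Dict[str, Set[str]] = {
    "Finance": {"AP Clerk", "ERP User"},
    "IT":      {"Helpdesk Agent", "Ticketing User"},
}
DEPARTMENT_SYSTEMS: Dict[str, Set[str]] = {
    "Finance": {"erp", "mail"},
    "IT":      {"ticketing", "mail"},
}


@dataclass
class Identity:
    uid: str
    department: str
    status: str = "active"                 # active | leaver
    roles: Set[str] = field(default_factory=set)


@dataclass
class Account:
    system: str
    login: str
    owner_uid: Optional[str]               # None models an account with no linked identity
    enabled: bool = True


class Directory:
    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        self.accounts: List[Account] = []

    def joiner(self, uid: str, department: str) -> Identity:
        """Onboarding: create the identity, its department roles and one account per system."""
        ident = Identity(uid, department, roles=set(DEPARTMENT_ROLES[department]))
        self.identities[uid] = ident
        for system in sorted(DEPARTMENT_SYSTEMS[department]):
            self.accounts.append(Account(system, uid, uid))
        return ident

    def mover(self, uid: str, new_department: str, revoke_old: bool = True) -> Identity:
        """Department change. With revoke_old=False the old rights are kept,
        which is exactly how rights accumulate over a career."""
        ident = self.identities[uid]
        if revoke_old:
            ident.roles -= DEPARTMENT_ROLES[ident.department]
            for acct in self.accounts:
                if acct.owner_uid == uid and acct.system not in DEPARTMENT_SYSTEMS[new_department]:
                    acct.enabled = False
        ident.roles |= DEPARTMENT_ROLES[new_department]
        ident.department = new_department
        for system in sorted(DEPARTMENT_SYSTEMS[new_department]):
            if not any(a.system == system and a.owner_uid == uid for a in self.accounts):
                self.accounts.append(Account(system, uid, uid))
        return ident

    def leaver(self, uid: str) -> None:
        """Offboarding: keep the identity record for audit, drop roles, disable every linked account."""
        ident = self.identities[uid]
        ident.status = "leaver"
        ident.roles.clear()
        for acct in self.accounts:
            if acct.owner_uid == uid:
                acct.enabled = False

    def accumulated_roles(self, uid: str) -> Set[str]:
        """Roles the current department does not justify: the recertification finding."""
        ident = self.identities[uid]
        return ident.roles - DEPARTMENT_ROLES[ident.department]

    def revoke_accumulated(self, uid: str) -> Set[str]:
        """Remediation step after a review: remove the accumulated roles and report them."""
        removed = self.accumulated_roles(uid)
        self.identities[uid].roles -= removed
        return removed

    def orphaned_accounts(self) -> List[Account]:
        """Reconciliation: enabled accounts whose owner is missing, unknown or no longer active."""
        result: List[Account] = []
        for acct in self.accounts:
            if not acct.enabled:
                continue
            owner = self.identities.get(acct.owner_uid) if acct.owner_uid else None
            if owner is None or owner.status != "active":
                result.append(acct)
        return result


def demo() -> Directory:
    """Constructed scenario: one badly handled mover, one leaver, two accounts created outside IAM."""
    d = Directory()
    d.joiner("carol", "Finance")
    d.joiner("dave", "Finance")
    d.mover("carol", "IT", revoke_old=False)                 # Finance rights kept by mistake
    d.leaver("dave")
    d.accounts.append(Account("legacy_ftp", "svc_report", None))   # never linked to an identity
    d.accounts.append(Account("legacy_ftp", "dave", "dave"))       # created after offboarding
    return d


if __name__ == "__main__":
    d = demo()
    print("carol accumulated:", sorted(d.accumulated_roles("carol")))
    print("orphans:", [(a.system, a.login) for a in d.orphaned_accounts()])
```

The leaver step disables only the accounts the IAM system knows about; the `orphaned_accounts` pass is what catches the `legacy_ftp` accounts that were created outside it, which is why deprovisioning and reconciliation are both needed.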
User Behavior Analytics (UBA) analyzes user activities to detect anomalies and potential threats. It uses machine learning to identify unusual patterns and risky behaviors. UBA enhances threat detection and supports risk management. It is increasingly used in IAM solutions.
User account consolidation merges multiple user accounts into a single identity. It eliminates duplicate accounts and simplifies access management. Consolidation improves security and user experience. It is important for organizations with complex IT environments.
Refers to the process of confirming the identity of a user, device or application, often as part of authentication. This ensures that the entity requesting access is legitimate and authorized to interact with the system or resource. Verification methods include passwords, multi-factor authentication (MFA) or biometrics.
Workflow management automates and coordinates business processes, such as access requests and approvals. It ensures tasks are completed efficiently and in compliance with policies. Workflow tools improve transparency and accountability. They are integral to IAM operations.
XDR (Extended Detection and Response) is a security solution that integrates data from multiple sources for threat detection and response. It provides a unified view of security incidents across endpoints, networks, and identities. XDR improves detection accuracy and response speed. It is increasingly integrated with IAM.
This is a hardware authentication device developed by Yubico that supports multi-factor authentication (MFA). It is often used in IAM systems to enhance security by providing a physical token for one-time passwords (OTPs), public key infrastructure (PKI) credentials or FIDO2/WebAuthn authentication.
Zero Trust is a security concept based on the principle “Never trust, always verify”. It assumes that threats can come from anywhere, from both inside and outside your network. Therefore, every access request must be authenticated, authorized and continuously validated before access to resources is granted. Identity and Access Management is crucial to implementing the principles of Zero Trust, as the IAM system manages and controls access to resources.
ZTNA is a security model that requires strict verification for every user and device attempting to access resources, regardless of location. It minimizes trust and limits lateral movement within networks. ZTNA is a key principle in modern IAM strategies. It enhances security in remote and hybrid environments.