Terminology
This section describes the terms used in the OneWelcome Identity Platform.
Term | Description |
---|---|
API key | An application programming interface key is an authorization string used for performing API calls. It is used to identify the calling application in order to track how the API is being used and prevent malicious use. |
Application | Application that is available to users with the proper access permissions. |
Application ID | A unique identifier associated with each application. |
Application secret | The application password used when performing API calls to authenticate into Delegated User Management. |
Attribute | A specification or characteristic of an identity or structure element that defines its properties. For identities, attributes can be grouped into attribute categories, which let you group and organize attributes on the page. Additionally, you can change an attribute's visibility status or mark it as a default attribute (default attributes are required when adding a new identity). |
Cascade roles | The option to cascade roles is an entitlement that allows certain roles within a collection to assign roles to the identities in the scope that it controls. |
Collection | A collection is a cluster of internal and external identities. Each collection is based on a schema and can be organized (grouped) through structures. By default, the system makes available separate collections for users, branded apps, and applications. |
Consent | A freely given, specific, informed, and unambiguous indication of a data subject's permission, by a clear affirmative action, towards the processing of personal information relating to that data subject. |
Delegation | The action performed by an administrator inside an organization of pushing the workload and accountability of specific actions to other users. These users can be internal or external to the organization and might also have the entitlement to push actions to other users. |
Entitlement | An access privilege granted to an identity. Delegated User Management allows you to specify the exact actions a role can perform and if it can cascade (and to what extent) the roles of the controlled identities. |
Entity | Any identity, organized into collections, structures, and schemas, is considered an entity. |
Event | An occurrence or action that is recognized and handled by Delegated User Management. Within the application, events come with default values for codes and names. They can be given custom names and can be grouped into custom event categories for easier navigation, filtering, and access. |
Branded app | An application that the organization owns and controls and whose identities are managed through OneWelcome IAM. These types of applications can access identities' data managed through OneWelcome IAM based on the associated roles in the collections you define or connect to. They can also allow identities to connect to the data, based on the associated roles, once they are authenticated. |
Group | A particular instance of a structure. E.g. in case an organization organizes its identities based on the organizational chart, the "Organizational Chart" will be the structure, while "Finance" will be the group. |
Identity | An identity is an entity used by information systems to represent a digital subject. Within Delegated User Management, users and applications are considered identities. |
Jobs | Processes scheduled to perform a specific action automatically. |
Managed identity | An identity that can be accessed and/or managed by a certain user and/or application, based on the access rights associated with that user's or application's roles. |
Organization | Within the platform, an organization is a legal entity having an account with Delegated User Management. |
Profile data | All information associated with a user's profile that is managed by the platform. |
Role | A collection of permissions that controls what data and applications an identity can access and what actions it can perform. Roles have a start and stop date and are defined per collection. An identity can have multiple roles. Roles enable you to manage groups of users. Applications have their own roles, which are the entitlements users can have within the application. For example, an applicant is typically a retail user who purchased the product and needs access to the application; an assessor uses the application to assess the retail user's requests and then approves or denies them; an administrator is typically an employee of the company that owns the application. Application roles are configured within the application. You can link third-party applications based on SAML, OAuth, or OpenID. You can also categorize applications so that they are easier to list, search, and filter. In addition, you can style the business applications on the application portal by adding logos and icons so that users can identify them more easily. |
Role type | A role type determines the scope of the role and the available entitlements. Once selected for a specific role, it cannot be changed. Delegated User Management provides the following role types: Admin, used to provide access to other identities' data and to the Delegated User Management platform; Application, used to provide access to applications; Personal, used to provide users with access to their own data; and Branded app, used to allow branded apps to perform CRUD operations through API calls. |
Rule | Rules allow you to instruct the system to automatically assign pre-defined roles to all entities that meet the specified criteria. Automation rules allow users to define system jobs that run at a predefined periodicity. |
Schema | A schema is an extensible data model that you can use to define identities through specific sets of attributes. |
Segment | Logical separators of identities within a collection. An identity can have only one instance in a particular segment, but can exist in multiple segments. |
Structure | Logical groupings of users. The groupings can be flat (list of values) or nested (hierarchies of values). These in turn can be static (that the organization defines explicitly) or dynamic (that are derived from users' attributes). |
User | An individual account that has access to the system. Once access to the system is granted, accounts (users) can then have different roles within applications. |