Term Category Definition
Access Governance IAM Access governance is the function that enables the control and verification of authorisations that have been granted to users. It includes topics such as SOLL/IST comparison, revocation of access rights, segregation of duties, etc.
API Consumer Consuming an API here means creating a client which can send requests to the API that you build.
Access Link An access link is the common name for activation links, reset links etc.. An access link is a link that is typically sent to a user's email address and which the user can use to access a certain self-service functionality.
The access link caters for:
  • Identification of the user
  • Authentication of a user (additional factors could be required, but it provides a way of authentication)
  • Direction to a certain self-service function

Using access links is a factor.
Note that access links could also be sent to someone's Facebook account or via SMS or WhatsApp.
Account An arrangement by which a user is given personalised access to a computer, website, or application, typically by entering a username and password.
(source: Oxford dictionary)
A formal banking, brokerage, or business relationship established to provide for regular services, dealings, and other financial transactions.
(source: free dictionary)

Note that in some B2C applications a single 'account' is used shared by multiple users, i.e. a parent (or 'master') user with full privileges and one or more child-users having more limited privileges. In such situations each user would have a separate credential identity.

(identity activation)
(Identity) activation is the process of ensuring that a user's identity meets minimum requirements for a user to login and access at least one relying application. Minimum requirements for an active identity vary per customer and identity management solution.
Minimum requirements can include:
  • The identity is set-up with sufficient credentials for the user to authenticate himself (e.g. identity data)
  • The identity has user attributes that are sufficient for the functionality of one or more relying applications (e.g. functional user data)
  • The relying application is ready for the user to do a federated login (e.g. the user has been provisioned and the resulting user account is 'active' within the relying application).
Note that activation may include several process steps, of which some are executed by the user itself and some steps may be executed by a business representative or may be automated in a relying application or authoritative source.
Often the activation process has a first step in which a user authenticates himself using a OTP sent to his private emails address or mobile number and subsequently choosing a password.
Application Role An application role is a collection of permissions for one and the same relying application. Application roles will typically have names like viewer, contributor, manager , administrator. The application role itself can be viewed as a coarse-grained access right.
Attribute Validation Attribute validation is the process of verifying an attribute with an external trustworthy source. For example, it is the submitted license plate number registered at the RDW.
Attribute Verification Attribute verification is the process of verifying/checking with the legitimate owner of an identity that he indeed 'owns' or has access to the item that's indicated by the attribute.
A verification process makes use of items (systems, users, etc.) that are external to iWelcome.It can be done through the verification of an email address by sending a 'code' and making the logged-in user enter that code.
Authentication IAM Authentication is the validation that a user is who he claims to be; it is the process where where a user proves he is the legitimate owner of a digital identity. It consists of identification and verification of one or multiple credentials.
Authentication iWelcome function The iWelcome function 'Authentication' covers the functionality to authenticate a user. The function includes presentation of a login screen for password validation as well as multi factor authentication (MFA) using One-Time-Passwords (OTP). The authentication function includes federation processes that have iWelcome rely on other identity providers, such as a social IDP or ADFS.
Authentication Information Authentication information is the evidence for proof of possession of a credential.
source: A Taxonomy of User Authentication Methods (Gartner)

Authentication information is usually distinct from the credential it's derived from — for example:
  • For an OTP token, the authentication information is the generated OTP.For an X.509 smart card, it is a nonce challenge that has been digitally signed using the user's private key.
  • For a biometric trait, it is the biometric probe data (either the captured biometric sample, such as a fingerprint image, or the biometric feature set extracted from the sample, depending on where feature extraction is done).
  • For a legacy password, the authentication information is the password itself.
Authorisation iWelcome function iWelcome's function 'Authorisation' is the function that implements business rules to grant access rights to users. It includes definition of an authorisation profile for guest accounts and group members.


Term Category Definition
Backward Compatibility iWelcome software is said to be backward compatible if it can use files, configuration and data created with an older version of iWelcome, without the need to apply any changes in configuration.
A benefit of backwards compatibility is that a later version can be deployed without the need to first adjust or convert data and/or configuration.

Note that in case of backward compatibility the behaviour may change which can be perceived as desirable or not.
Brand A brand is a name, term, design, or other feature that distinguishes one seller's product from those of others. A product's brand defines the naming, look and feel, texts that are visible to the end-users. It is related to segment and multi-branding.
Branding Branding is the process and capability to apply the right naming, look and feel and texts to product related items, such as Identity Management pages, emails, etc.
Business Role A business role is a collection of access rights (i.e. permissions and/or application roles)for one or multiple applications; the business role is used to grant those access rights to users or groups of users. A business role typically consists of one or more application roles for one or more relying applications. Business roles typically have names like line manager, HR employee, sales representative, etc..


Term Category Definition
Coarse Grained (Authorisation) Coarse grained authorisation (or coarse grained access control) is the process of granting 'high level' access rights, such as assigning application roles like project manager, contributor or viewer (see also Fine Grained Authorisation).
Consent A consent is an acceptance or approval of what is planned or proposed or done by another.
Within the context of Identity and Access Management, consumers give consent to enterprises on Terms of Service, Privacy Policy and processing of personal data as per the GDPR.
In compliance with the GDPR, consents must be "freely given, specific, informed and unambiguous”. For example, when a consumer orders a book at an online webshop and provides his home address, the consumer needs to give an explicit consent to the Service Provider to also send direct marketing materials on his home address.
Consent Management Consent management can be defined as a system, process or set of policies for allowing consumers to determine which personal information they are willing to share with a service provider and for what purpose.
Contract Consent A contract consent is a consumer's consent on Terms of Service or Privacy Policy or any other legal document. A contract consent is typically given during self-registration or activation. When newer versions of the legal documents are introduced, a new consent may have to be given (during 'step-up activation').
Credential The term credential is used to denote both the thing uniquely possessed by the user and the corresponding information bound to the digital identity.
Example: A X.509 certificate, a password.

In many user authentication methods, there is a subtle relationship between the two kinds of credentials, such as:
  • In modern password systems, the password in the user's mind maps to a one-way cryptographic transform (the 'hash') bound to the user's digital identity.
  • A private key within a smart card that the user holds maps to a public key and a public-key certificate that binds the public key to the user's distinguished name, which uniquely identifies his or her digital identity.
  • A biometric trait (e.g.: the user's fingerprint) maps to a biometric reference bound to the user's digital identity (the biometric reference is a set of biometric data, encoding features extracted from samples derived from that trait at enrollment).

(source: A Taxonomy of User Authentication Methods (Gartner))
Credential Management iWelcome function The iWelcome function 'Credential management' entails the following: passwords and other credentials have a lifecycle of their own, which is managed by the 'credential management' function. This function, for example, includes features to reset a password by either the user itself or by a business representative such as a Service Desk operator. Another example is the activation of SMS authentication as a 2nd factor on a user's identity.


Term Category Definition
Degraded Component Recovery The internal state of component may cause it to provide reduced functionality or performance. In general, the HA setup may not be able to act on this. In general, an external measurement tool inspects the performance of a system to determine whether a component is degraded. Recovery from this may be to restart an application, fence a faulty switch etc.
Delegated (Identity) Management Delegated management is a process in which identity management activities are not executed by IT-staff, but are 'delegated' to business users like department managers or project managers who are responsible and/or accountable for the access rights of a specific group of users.
Disaster Recovery Disaster recovery may be required when there is more than a single point of failure, but that depends in general on the type of failure. When a backend server goes 'down', this is a single failure. Two backend servers going down will involve disaster recovery, though one frontend server and one backend server going down may be handled without disaster recovery.
Domain (Identity) An identity domain is a set of IT systems that use a common set of identities for access management. These IT-systems and identities are controlled by a single organisation.

  • Identifying attributes, such as loginname, are unique within the identity domain.
  • Federation is a mechanism to exchange identity information between two identity domains during authentication, for example by using the SAML-protocol.
  • Identities can be provisioned from one domain to another using SCIM; "System for Cross-domain Identity Management (SCIM) is an open standard for automating the exchange of user identity information between identity domains, or IT systems.”


Term Category Definition
End-User user type An end-user is a person who ultimately uses or is intended to ultimately use a product. The end-user stands in contrast to users who support or maintain the product, such as sysops, system administrators, database administrators,or technicians.


Term Category Definition
Factor An (authentication) factor is a method of authenticating a user. A well-known factor is password verification. Factors are typically decided into the following categories: HAVE-factors (e.g. mobile phone with iWelcome Authenticator app, OTP via SIM-card ) , KNOW-factors (e.g. password verification, OTP via email) and ARE-factors (e.g. iris-scan).
Federation (Identity) IAM Federation is the process of linking a person's identity across (as contained within iWelcome or some other identity provider) to multiple systems for the purpose of authenticating a user that wants to access that system. The process of federation involves an 'identity provider' on one end and a 'relying application' or 'service provider' on the other end. Federation standards and protocols were created with the purpose of cross-domain authentication, but are also used to delegate authentication within a single domain.
Note that iWelcome typically acts as IDP towards relying applications, but when social login is used, iWelcome acts as relying party and, for example, Facebook acts as identity provider.
Field Validation Field-level validation: syntax validation within iWelcome (e.g. email address looks like XXX@YYY.ZZZ, postal code in The Netherlands has 1234XY).
Fine Grained (Authorisation) Fine grained authorisation (or fine grained access control/ fine grained permissions) is the process of granting certain permissions or access rights on the detailed level of objects (e.g. tables, attributes, columns, files, etc..) that reside within an application to which a user has access (see also Coarse Grained Authorisation).
First Factor A first factor is any factor that can be used during the first step of login. A first factor may be followed by a second factor (2FA). The primary factor is a first factor, but the user may be offered the possibility to switch to an alternate first factor for login.
Forward Compatibility Forward compatibility is a design characteristic that allows a system like iWelcome to gracefully accept input intended for or created by a later version of itself. The ability of a system to select known input and ignore unknown input also depends on whether the new later version is backward compatible.
(source: Wikipedia)

One of the benefits of forward compatibility is that a 'rollback' can be performed; the later version may have modified data or configuration and with forward compatibility the older version will gracefully accept that input.


Term Category Definition
Group A group is simply a collection of items, a set (e.g. the set of users whom have been assigned a certain access right).
Groups can be used to assign access rights to a group of users or to indicate scope for permissions (e.g. in the context of delegated management, a user may have permissions to block or unblock a certain group of users).


Term Category Definition
High Availability High Availability (HA) aims to make a service instance resistant to a single point of failure. Another benefit of high availability is that when prepared carefully, replacing a component (replacing, reconfiguring or upgrading) may not involve service unavailability. It should cover all components that make up a system:
  • Network
  • Storage
  • OS instances
  • Applications

This is usually achieved by duplicating functionality. In storage systems, RAID is often used to make a system resistant to failure of a single diskdrive, in networks, multiple physical wires, network cards etc. are used. Note that by increasing the number of components, the number of times a component in a system fails will increase as well.
⚠️ HA does normally not protect against common errors. Since the instances tend to be configured similar (or even the same), an error caused by that configuration, or indeed a defect in that component, will not be prevented by HA from having an impact on the system.


Term Category Definition
IWelcome Administrator user type This is an iWelcome Technical Consultant or Product Owner who configures default settings and configuration files like translations, security etc..
Every configuration option where the tenant administrator has no access to.
Identification Identification is the process where information is provided to iWelcome (or another identity provider) and is used by iWelcome to find (look-up) a single existing identity. Typically identification is done based on a username, email address or UPN (user naming attributes).

IAM Information, such as an identification number, used to establish or prove a person's individuality, as in providing access to an account.
(source: free dictionary)
An identity is a representation (account) of a single user or a single system within an IDP-system which can be used at least for identification and typically also authentication. Identities will mostly be user identities but may also be a system identity. The IDP-system can be iWelcome or a social identity provider like Facebook.
Note that in some B2C applications a single 'account' is used shared by multiple users. E.g.: a parent (or 'master') user with full privileges and one or more child-users having more limited privileges. In such situations each user would have a separate identity.

The set of characteristics by which a person or thing is recognisable or known.
Identity Analytics iWelcome This is the process of providing data about an identity's characteristics, attributes and behaviours for analysis by tenant-roles such as security officer, marketing, etc.
Identity Lifecycle The identity lifecycle is the logic that describes how events impact upon the identity's readiness to be used by relying applications. The identity lifecycle is impacted by registration, activation and termination processes.
The identity lifecycle is not impacted by authorisation processes; changes in a user's access rights may happen while the identity is 'active'.
The status of an identity reflects it's readiness to be used by relying applications for authentication and getting access to one or more relying applications.
From the point of view of 'Joiners/Leavers/Movers' process, the definition states that the 'Joiners' and the 'Leavers' process do impact upon the identity's state, whereas the 'Mover' process does not.
Note that a user's credentials ( and authentication tokens ) have a lifecycle of their own.
Identity-as-a-Service Identity-as-a-Service (IDaaS) is often defined in the market as an authentication infrastructure that is built, hosted and managed by a service provider. This term is used by iWelcome because it's well known in the market, but in effect iWelcome provides a broader set of capabilities. The term Identity and Access Management as a Service would be more appropriate.
Impersonation In every day life, impersonation is the act of intentionally copying another person's characteristics, or deceive someone by pretending you are another person.
In identity management, impersonation is the ability for a privileged user to act on behalf of another (end-)user using that enduser’s access rights without the need to authenticate as that enduser nor having access to that enduser's credentials.
Inbound Federation IAM Inbound (identity) federation lets your local systems accept the credentials of users from third-party identity providers (other domains), such as social networking sites and partner organisations. Other 3rd party identifiers that could be used for federation are banks, government institutions or Apple's AppleID. With inbound federation, iWelcome acts as relying party and relies upon 3rd party identity providers.
Inbound Provisioning Inbound provisioning is the the process of provisioning iWelcome with identities.
Inbound provisioning is part of iWelcome function 'User management'.


Term Category Definition
Knowledge Based Authentication (KBA) Knowledge based authentication is a type of authentication which looks to prove that the person providing identity information truly is that exact person. As its name suggests, KBA is based knowledge that individual has. KBA typically makes use of security questions which the user has answered or makes use of personal information that was obtained in another way (social security number, passport number) and can even be use dynamic information (e.g. timestamp of last login).
Although password verification can be argued to be a KBA-method, the term KBA is typically used to indicate methods that make use of knowledge about 'real-life' meaningful data.


Term Category Definition
Managed-Registration Managed registration is registration executed by a business representative.
Multi-Branding Multi-branding is the capability to apply multiple brands' branding from a single iWelcome environment.


Term Category Definition
Out-of-Band Authentication (OOB) Out-of-band authentication is a type of two-factor authentication that requires a secondary verification method through a separate communication channel along with the typical ID and password.
Out-of-band authentication is often used in financial institutions and other organizations with high security requirements. The practice makes hacking an account more difficult because two separate and unconnected authentication channels would have to be compromised for an attacker to gain access.
Outbound Federation IAM Outbound federation allows remote systems to use iWelcome as identity provider. When multiple relying applications use iWelcome as identity provider, the user will experience Single Sign-On.


Term Category Definition
Password Change Password change is the process that allows a logged-in user to change his password. This process involves entering the old password and then entering the new one twice.
Password Complexity Password complexity is about the complexity of a password 'as such'. Password complexity is enforced by password complexity rules such as minimum length and minimum of characters in certain character subsets, like lowercase, uppercase, numbers, special characters.
Password complexity is defined by iWelcome to exclude requirements on reuse of passwords and password expiry.
Password Policy A password policy is a set of rules designed to enhance computer security by encouraging users to utilize strong passwords and use them properly. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training. The password policy may either be advisory or mandated by technical means.

(source: Wikipedia)
Password Reset Password reset is the process which allows a user to replace his forgotten password with a new password. The process sends a password reset email to the user's (private) email address.
Personal Details iWelcome uses this term to indicate all personal details, including both personalia and contact details.
Personalia iWelcome uses this term to indicate the personal details that are (typically) constant during a user's life: name, gender, date of birth, place of birth. It excludes contact information like addresses, phone numbers etc.
Primary Factor The primary factor is the factor for which the user gets a login-screen by default when he tries to login. Typically 'password verification' is the primary factor.
Private Email Link Login This is a process in which a user is identified and authenticated by using a one-time link (OTL) that was sent to their private email address.
Profiling Profiling, per GDPR, is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement.
Proofing/ Identity Proofing Proofing is the process of validating that the legitimate owner of an identity is the person who he claims to be 'in real life'. Proofing involves an additional party besides the iWelcome and the user. An example is face-to-face identification of the user using a passport or other legal document.
Provisioning IAM Provisioning is the process of creating (user)accounts and associated access rights in (target) applications or systems, as well as changing or deactivating those accounts. Mostly 'provisioning' refers to the automated process to do so. Also user-groups and/or roles may be provisioned towards the relying application.


Term Category Definition
Recovery Point Objective (RPO) A recovery point objective is defined by business continuity planning. It is the maximum targeted period in which data might be lost from an IT service due to a major incident.
(source: Wikipedia)

The RPO gives systems designers a limit to work. RPO is not determined by the existent backup regime.
Recovery Time Objective (RTO) The recovery time objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.
(source: Wikipedia)

It can include the time for trying to fix the problem without a recovery, the recovery itself, testing, and the communication to the users. Decision time for users representative is not included.
Registration Registration is the process of entering (minimal) user details that uniquely identify the user and that can be used for the creation of an identity for that user in iWelcome.
Registration may take place in:
  • iWelcome (e.g. self-service) and/or
  • Another system (e.g. an Authoritative source) that will subsequently create an identity in iWelcome using a provisioning mechanism (e.g. SCIM or user management connector).

Registration may be executed by:
  • The user itself (self-registration), or
  • Done by a another person representing the business/ company that owns the relying application. This person can be an HR-employee or manager (managed registration).
Relying Application A relying application is an IT-system that relies on iWelcome for authentication of users based on federative authentication and / or provisioning of user accounts.
Role Based Access Control
An industry standard in which permissions are not granted to users on a per-user basis, but instead permissions are bundled into roles and roles are assigned to persons.


Term Category Definition
SSO and Federation iWelcome function The iWelcome function 'SSO and federation' function enables a user to use one set of credentials to log on to relying applications and services. It is scoped as outbound federation, as the inbound federation is part of iWelcome's 'Authentication' function.
Segment A segment is a part of the total set of identities that are contained within an iWelcome environment and whose identity's lifecycles can be managed independently of identities in other segments within the same iWelcome environment. All identity identifiers are unique within the context of a segment. Often the relation between a segment and brand is 1 to 1.
Self-Registration Self-registration is the registration executed by the user himself.
Self-Service Self-service is a component (set of features) in iWelcome that can be used by users to manage their own identity, manage their own credentials and manage their own user attributes.
This functionality allows business representatives to manage other users' identities, credentials, tokens and user attributes is not considered as part of self-service.


Term Category Definition
Tenant Administrator user type This is a user that administers and configures iWelcome on behalf of the organisation that is iWelcome's customer.
Text A label, email template, text message.

(authentication token)
An (authentication) token is a container for the actual credential used to derive the authentication information sent to a user authentication service.
Example: A smart-card that holds a X.509 certificate, a YubiKey.

(source: A Taxonomy of User Authentication Methods (Gartner))
Token Completion Token completion is a process to ensure an identity is set-up with sufficient credentials and (authentication) tokens, as indicated by an authentication policy.


Term Category Definition
User user type A user is a physical person that tries to use one or multiple IT-systems. A user may have one or multiple user accounts and may have one or multiple identities.
User Management iWelcome function The iWelcome function 'User management' covers all functionality that is directly related to the identities and their lifecycle.,It includes inbound provisioning, self-registration, activation, etc.
User Management Service (UMS) User Management Service is the name of a micro-service within the iWelcome architecture.
User Principle Name (UPN) In Windows Active Directory, a User Principal Name (UPN) is the name of a system user in an email address format.