Access Certification

Access Certification, also known as Access Attestation or User Access Reviews, is the process of reviewing the appropriateness of the entitlements assigned to a service user in a downstream application. 

Access Review

Access Review, also known as Access Attestation, Access Certification, or User Access Review, is the process of reviewing the appropriateness of the entitlements assigned to a service user in a downstream application.

Application Connector

An Application Connector is the mechanism that allows Clarity to securely communicate with Downstream Applications.

Application Owner

An Application Owner is a Clarity Identity responsible for application specific self-service access requests and User Access Reviews.

This is configured on the Application Configure Screen or during the app onboarding process.

Applications > Choose Application > Pen Icon (top right)


An attribute is a piece of information used to describe a service user, entitlement, or identity. Common examples include First Name, Last Name, Job Title, Department, etc.


Clarity Connect

Clarity Connect is a virtual appliance which establishes a connection between on-premise applications and a Clarity tenant.


Downstream Application

A Downstream Application is any application that supplies Clarity with service users, entitlements, and attributes.



An Entitlement is an assignable permission found in a downstream application. Common examples include licenses, groups, and policies.

Entitlement Group

An Entitlement Group is a set of entitlements linked together, allowing for simplified bulk entitlement provisioning.

Entitlement Owner

An Entitlement Owner is a Clarity Identity responsible for entitlement specific self-service access requests and User Access Reviews.

Ways to configure:

  • Entitlements > Pick an Entitlement > Click Gear Icon (top right).
  • Entitlements > Bulk Edit > Owner Column
Entitlement Suggestions

This is an automatically generated list of entitlements that a significant percentage of the role members have in common.  You may want to consider making this entitlement part of the role.

This is found in the Manage page of an individual role.

Entitlement Type

An Entitlement or Resource Type is an attribute of an entitlement defined by a downstream app. Common examples include Groups, Licenses, Policies, or Roles. 


An exception is an entitlement granted to an Identity outside of their dedicated role.


Friendly Name

In Clarity, a Friendly Name is a configurable option for each Entitlement in your tenant, that allows you provide human-readable, user friendly name.  These can be optionally shown in Access Reviews.

These can be configured in Entitlements > Bulk Edit


Grant Type

Grant Type details how an Identity received access to an entitlement, either through a role or as an exception to its role.  


High Risk

High-Risk is flag used to denote Entitlements or Roles that have an elevated level of risk and require additional attention and review.  


  • Entitlements > Filter by App > Choose Entitlement > Gear Icon
  • Entitlements > Bulk Edit > High Risk Column


  • Roles > Click your Role > Manage > Gear Icon
  • Roles > Bulk Edit > High Risk Column



An identity is a single entity's (employee, contractor, service account) grouping of service users, attributes, and assigned entitlements.


An identity is a single entity's (employee, contractor, service account) grouping of service users, attributes, and assigned entitlements.

Identity Reconciliation

Identity Reconciliation is the process of matching downstream application service users with an Identity found in Clarity. 

Identity Type

This configurable option for an Identity allows you define if this is an Employee, Contractor, or Service Account (see below for adding additional custom Types).

Built-in options: Employee, Contractor, Service Account

Configured additional custom options in Settings > Username / Identifiers > Identity Types (bottom)

Inherited Entitlement

An entitlement granted as part of a parent entitlement, but not directly assigned.


An Integration is any application, service, or data source used in Clarity for pulling in information about your users and their access.


Lifecycle Management

Lifecycle Management refers to the processes that handle an employee's journey from on-boarding to off-boarding. This can also be defined by the terms Joiner, Mover, and Leaver.

Linked Identity

One or more Identities related to and assigned to a Parent Identity.


Organizational Units

Organizational Units are a top down hierarchical structure used to generate Roles in Clarity.  

Orphaned Account

An account that is marked as inactive in your Source of Truth, but active in one or more of your downstream applications.


Parent Entitlement

An Entitlement that grants access to one or more Entitlements.

Proxy Entitlement

A Proxy Entitlement is a custom entitlement created to represent another entitlement using a different name.  This can be created under the Proxy Service in the Marketplace as a way to represent certain entitlements under a custom/manual application created by you.



Role Based Access Control is an approach to managing access by provisioning pre-approved access based on an Identity's function within an organization.


A Remediator is responsible for verifying and/or requesting the remediation action (entitlement or account removal) for an Access Review item that was denied.


A Reviewer is responsible for deciding whether access or other Access Review items are appropriate or inappropriate. In Clarity this is typically a Supervisor or an Application/Entitlement Owner.


A value between 0 and 100, with higher numbers representing an increased risk of material impact on your institution is associated with the item.


A Role is a group of entitlements provisioned for an Identity during life cycle management events. 

Role Based Access Control

Role Based Access Control is an approach to managing access by provisioning pre-approved access based on an Identity's function within an organization.

Role Overlap

The Role, or Access, Overlap feature provides you with a percentage of the overlap between other Identities in your organization. This will provide you with information based on your Role configuration in your Organizational Units.

Role Owner

A Role Owner is a Clarity Identity responsible reviewing and approving changes to your Roles (Role Access Reviews).

This can only be modified from the Roles > Bulk Edit Page.

Rubber Stamp

Bulk approve or deny access without thorough review.

Rubber Stamping

Approve automatically without further review.


Self Service Group

These are user-defined groups of Entitlements visible in the Self Service Request interface. 

Clarity admins can create these groups to provide a more intuitive and streamlined process for your users when they are looking for a particular entitlement in the Request Access interface.

Service Identifier

A Service Identifier is the unique identifier for a Service User in a downstream application. Example - GUID in Microsoft.  

Service User

A Service User is a user, or service account, discovered by Clarity in a downstream application.

Service User Entitlements

Service User Entitlements are the pairings of users and active entitlement access in downstream applications. 

Single Source of Truth

A Single Source of Truth (SSoT) is the master record for identity data. SSoT’s are typically the company’s HR platform or the enterprise directory service like Active Directory.

Sync Options

Sync Options defines the frequency Clarity queries downstream applications for Service Users, Entitlements, and Attributes.



Tags are labels within Clarity which help you distinguish or target certain items within Clarity.  Most notably they can be used to perform targeted Access Reviews.

Tags can be applied to Applications, Identities, Entitlements, and Roles.

Trust Permission

Read Only: The application is only permitted to read the data from the application connection, no data is ever written back to the source.

Read + Provision/Deprovision: Clarity is permitted to read information from the source as well as adding or removing access to entitlements (when users are hired or terminated).

Write: Similar to Read + Provision/Deprovision above, however Clarity can also write attributes back to the source.

Trust Relationship

Single Source of Truth:

Partial Source of Truth: Application which provides some of the identities for your organization. 

Ex: HR platform, Azure Active Directory

Recipient only: Identities will not be created based on this source of truth. 

Ex: Zoom, Slack


Unique Identifier

Unique Identifiers are used by Clarity to differentiate connected applications that are associated with the same product. Example: an environment has two Salesforce environments and two Salesforce connectors. The unique identifiers could be Salesforce-A and Salesforce-B. 

Unreconciled User

An unmatched active Service User, not tied to an Identity, was found in a Downstream Application. These generate Identity Resolution Alerts.

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.