Glossary
A
Access Certification, also known as Access Attestation or User Access Reviews, is the process of reviewing the appropriateness of the entitlements assigned to a service user in a downstream application.
Access Review, also known as Access Attestation, Access Certification, or User Access Review, is the process of reviewing the appropriateness of the entitlements assigned to a service user in a downstream application.
An Application Connector is the mechanism that allows Clarity to securely communicate with Downstream Applications.
An Application Owner is a Clarity Identity responsible for application-specific self-service access requests and User Access Reviews.
This is configured on the Application Configure Screen or during the app onboarding process.
Applications > Choose Application > Pen Icon (top right)
An attribute is a piece of information used to describe a service user, entitlement, or identity. Common examples include First Name, Last Name, Job Title, Department, etc.
C
Clarity Connect is a virtual appliance which establishes a connection between on-premise applications and a Clarity tenant.
D
A Downstream Application is any application that supplies Clarity with service users, entitlements, and attributes.
E
An Entitlement is an assignable permission found in a downstream application. Common examples include licenses, groups, and policies.
An Entitlement Group is a set of entitlements linked together, allowing for simplified bulk entitlement provisioning.
An Entitlement Owner is a Clarity Identity responsible for entitlement-specific self-service access requests and User Access Reviews.
Ways to configure:
- Entitlements > Pick an Entitlement > Click Gear Icon (top right).
- Entitlements > Bulk Edit > Owner Column
This is an automatically generated list of entitlements that a significant percentage of the role members have in common. You may want to consider making this entitlement part of the role.
This is found in the Manage page of an individual role.
An Entitlement or Resource Type is an attribute of an entitlement defined by a downstream app. Common examples include Groups, Licenses, Policies, or Roles.
An exception is an entitlement granted to an Identity outside of their Roles (Role Based Access Control).
An Exclusion is created when an Entitlement is manually removed from an Identity, but this Entitlement is part of that Identity's roles (Role Based Access Control).
F
In Clarity, a Friendly Name is a configurable option for each Entitlement in your tenant that allows you to provide a human-readable, user-friendly name. These can optionally be shown in Access Reviews.
These can be configured in Entitlements > Bulk Edit
G
Grant Type details how an Identity received access to an entitlement, either through a role or as an exception to its role.
H
High-Risk is a flag used to denote Entitlements or Roles that have an elevated level of risk and require additional attention and review.
Entitlements:
- Entitlements > Filter by App > Choose Entitlement > Gear Icon
- Entitlements > Bulk Edit > High Risk Column
Roles:
- Roles > Click your Role > Manage > Gear Icon
- Roles > Bulk Edit > High Risk Column
I
An identity is a single entity's (employee, contractor, service account) grouping of service users, attributes, and assigned entitlements.
Identity Reconciliation is the process of matching downstream application service users with an Identity found in Clarity.
This configurable option for an Identity allows you to define whether it is an Employee, Contractor, or Service Account (see below for adding additional custom Types).
Built-in options: Employee, Contractor, Service Account
Configure additional custom options in Settings > Username / Identifiers > Identity Types (bottom)
An entitlement granted as part of a parent entitlement, but not directly assigned.
An Integration is any application, service, or data source used in Clarity for pulling in information about your users and their access.
L
Lifecycle Management refers to the processes that handle an employee's journey from on-boarding to off-boarding. This can also be defined by the terms Joiner, Mover, and Leaver.
One or more Identities related to and assigned to a Parent Identity.
O
Organizational Units are a top-down hierarchical structure used to generate Roles in Clarity.
An account that is marked as inactive in your Source of Truth (or the highest value source for Identity Attribute Precedence), but active in one or more of your downstream applications.
P
An Entitlement that grants access to one or more Entitlements.
A Proxy Entitlement is a custom entitlement created to represent another entitlement using a different name. This can be created under the Proxy Service in the Marketplace as a way to represent certain entitlements under a custom/manual application created by you.
R
Role Based Access Control is an approach to managing access by provisioning pre-approved access based on an Identity's function within an organization.
A Remediator is responsible for verifying and/or requesting the remediation action (entitlement or account removal) for an Access Review item that was denied.
A Reviewer is responsible for deciding whether access or other Access Review items are appropriate or inappropriate. In Clarity this is typically a Supervisor or an Application/Entitlement Owner.
A value between 0 and 100 associated with the item, with higher numbers representing an increased risk of material impact on your institution.
A Role is a group of entitlements provisioned for an Identity during life cycle management events.
The Role, or Access, Overlap feature provides you with a percentage of the overlap between other Identities in your organization. This will provide you with information based on your Role configuration in your Organizational Units.
A Role Owner is a Clarity Identity responsible for reviewing and approving changes to your Roles (Role Access Reviews).
This can only be modified from the Roles > Bulk Edit Page.
Bulk approve or deny access without thorough review.
Approve automatically without further review.
S
These are user-defined groups of Entitlements visible in the Self Service Request interface.
Clarity admins can create these groups to provide a more intuitive and streamlined process for your users when they are looking for a particular entitlement in the Request Access interface.
A Service Identifier is the unique identifier for a Service User in a downstream application. Example - GUID in Microsoft.
A Service User is a user, or service account, discovered by Clarity in a downstream application.
Service User Entitlements are the pairings of users and active entitlement access in downstream applications.
A Single Source of Truth (SSoT) is the master record for identity data. SSoTs are typically the company's HR platform or an enterprise directory service like Active Directory.
Sync Options define how frequently Clarity queries downstream applications for Service Users, Entitlements, and Attributes.
T
Tags are labels within Clarity which help you distinguish or target certain items within Clarity. Most notably they can be used to perform targeted Access Reviews.
Tags can be applied to Applications, Identities, Entitlements, and Roles.
Read Only: The application is only permitted to read the data from the application connection; no data is ever written back to the source.
Read + Provision/Deprovision: Clarity is permitted to read information from the source as well as add or remove access to entitlements (when users are hired or terminated).
Write: Similar to Read + Provision/Deprovision above; however, Clarity can also write attributes back to the source.
Single Source of Truth:
Partial Source of Truth: Application which provides some of the identities for your organization.
Ex: HR platform, Azure Active Directory
Recipient only: Identities will not be created based on this source of truth.
Ex: Zoom, Slack
U
Unique Identifiers are used by Clarity to differentiate connected applications that are associated with the same product. Example: an environment has two Salesforce environments and two Salesforce connectors. The unique identifiers could be Salesforce-A and Salesforce-B.
An unmatched active Service User, not tied to an Identity, was found in a Downstream Application. These generate Identity Resolution Alerts.