000034057 - Glossary of Terms for RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Sep 27, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000034057
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
Issue: This article contains definitions of various terms used in RSA Identity Governance & Lifecycle. New users are commonly confused by terms such as User / Account and Group / Role / Rule, and by how they interrelate.


  • Account

An account provides access to an application used in your organization through entitlements and application roles. The entitlements and application roles associated with accounts are collected by Entitlement Data Collectors (EDC). Accounts are not identities or users but may match the user ID attribute collected for an identity. Accounts provide access to applications for a user/real person.

  • Entitlement

Entitlements define the access privileges granted to one or more users in an organization to a specific application and the data within the application.

  • Group

A group is a container that includes accounts and sub-groups of accounts collected from account data sources by Account Data Collectors (ADC). You view them under the Users tab in the User Interface (UI). Collecting groups at the Identity level was deprecated in version 6.5 and completely removed in 7.0. Entitlement Data Collectors (EDC) resolve references to groups with accounts and entitlements but do not create a group.

  • Group versus Role

A user gets access to a group through their accounts that are members of that group, whereas a role has users added to it directly as members. Adding an entitlement to a group results in its users automatically receiving the entitlement indirectly. Adding an entitlement to a role only means that the user should have that entitlement; it is not granted automatically unless you configure the workflow to generate indirect entitlements.

  • Identity

An identity defines users in an organization who have access privileges to a quantifiable portion of an organization’s data and applications and corresponds to a real person who may have more than one account on various systems and applications.

  • Role and Role Set

Note: This is applicable only if the Role module is implemented for your installation. If you have system administrator privileges, you can enable the module in Admin > System Settings. In addition, enabling Business Role Manager will help you develop new roles and evaluate changes to existing roles.

A role represents an aggregation of users (included individually or within an included group or role) and entitlements (granular entitlements, application roles, other roles). RSA G&L enables you to view all the roles in the system, collect roles, and organize roles into role sets. A role set is simply a collection of roles.

  • Rule

Note: This is applicable only if the Rules module is implemented for your installation. If you have system administrator privileges, you can enable the module in Admin > System Settings.

RSA Identity G&L enables you (a business manager or an IT security officer, for example) to create and process business rules that detect and notify you about various conditions reflected in collected data that you want to monitor, and possibly rectify, so that you can maintain compliance with your organization’s security and regulatory policies. For example, you can configure a rule to detect whether users in a particular location, business unit, or department are unable to access a particular application resource to which they should have access.

Rules can also provide decision support in user access request and role modeling processes. For example, RSA G&L would use a rule to evaluate an entitlement access request for a user and determine whether granting the request would violate a business rule.

A rule violation occurs when a user entitlement matching a rule’s condition is detected in the RSA G&L data store.

Conditions you can detect with rules include:

  • Users have entitlements they should not have.
  • Users do not have entitlements they should have.
  • Users have entitlements that violate segregation of duties rules.
  • User attributes have changed, which indicates that users have joined, moved within, or left your organization.
  • User entitlement changes.
  • Users have entitlements that have not been approved through a change request.
  • Role membership and role metrics changes.

Entitlements in the context of a business rule include:

  • Directly granted entitlements and entitlements granted through accounts.
  • Directly granted application roles.
  • Indirectly granted entitlements through groups and roles.

Reports can be generated on rules, rule violations, and rule violation exceptions.
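To make the Group versus Role and Rule entries concrete, here is an added Python example (not RSA code, and not the product's data model or API) that resolves a user's effective entitlements through accounts and groups, treats role entitlements as expected rather than automatically granted, and evaluates two of the rule conditions listed above (missing entitlements and segregation of duties) against constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical names, not from any real deployment):
# an identity owns accounts; accounts hold entitlements and belong to groups;
# group entitlements are granted indirectly and automatically; role entitlements
# describe what a member *should* hold and are not granted by themselves.

@dataclass
class Account:
    name: str
    entitlements: set = field(default_factory=set)
    groups: set = field(default_factory=set)

GROUP_ENTITLEMENTS = {
    "ap-clerks": {"AP:create-invoice"},
    "ap-approvers": {"AP:approve-payment"},
}
ACCOUNTS = {  # identity (user ID) -> accounts matched to that identity
    "jdoe": [Account("jdoe@erp", {"ERP:login"}, {"ap-clerks", "ap-approvers"})],
    "asmith": [Account("asmith@erp", {"ERP:login"}, {"ap-clerks"})],
}
ROLE_MEMBERS = {"finance-staff": {"jdoe", "asmith"}}
ROLE_ENTITLEMENTS = {"finance-staff": {"ERP:login", "ERP:report-view"}}
SOD_RULE = ("AP:create-invoice", "AP:approve-payment")  # toxic combination

def effective_entitlements(user):
    """Entitlements the user actually holds: direct on accounts plus via groups."""
    ents = set()
    for acct in ACCOUNTS.get(user, []):
        ents |= acct.entitlements
        for group in acct.groups:
            ents |= GROUP_ENTITLEMENTS.get(group, set())
    return ents

def expected_entitlements(user):
    """Entitlements the user should hold according to role membership."""
    roles = [r for r, members in ROLE_MEMBERS.items() if user in members]
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in roles))

def evaluate_rules(user):
    """Return rule violations: SoD conflicts and role entitlements not held."""
    have, should = effective_entitlements(user), expected_entitlements(user)
    violations = []
    if set(SOD_RULE) <= have:
        violations.append(("sod", SOD_RULE))
    for ent in sorted(should - have):
        violations.append(("missing", ent))
    return violations
```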

  • User

A user corresponds to an identity or real person who has access, through accounts, to one or more applications used in your organization.