Glossary

Access
noun
The ability of an authenticated user, role, or service to perform specific actions/activities. The specific activities a user can perform are determined by the permissions given to the user.
Access model
noun
A template of authorized access across all applications.

Note

Access models were called Entitlement Roles in Permission Assist versions 6.3 and older.
Access request
noun
A detailed record of information (or ticket) used to request a change to user permissions within an application.
Access requests are created when a reviewer flags a review item or when a personnel event is created. They are sent to the provision engineers so they have all of the information they need to resolve issues efficiently. Any actions taken are recorded for auditing purposes, including pre-approvals, post-verification, who took action, date/time stamps for each action, and more.
Access model owner
noun
An Access Model Owner is a specific role within Permission Assist. They are responsible for making sure the access model is set up and properly managed. To be an Access model owner within Permission Assist, you must be defined as the owner on the Settings tab within the access model (Manage > Access models > select an access model > Settings tab). Access model owners have full ownership and modification permissions of their assigned access models, including the ability to enable/disable, configure enrollments, and manage application privileges.

Note

Access Model Owners are required for all access models created in Permission Assist version 5.4 and later. Access models created before version 5.4 are grandfathered in and do not require an owner unless changes are made within the access model's Settings tab.
Administrator
noun
An Administrator is a specific role within Permission Assist. They are the people who are primarily responsible for the overall administration and configuration of Permission Assist. To be an Administrator within Permission Assist, you must be part of the Administrators group within the System Configuration > System Authentication area. Administrators have full access to the System Configuration settings and limited access to the features within the Manage menu, including Identities and Applications. Administrators may have access to other features within Permission Assist if they also belong to another group.
Application manager
noun
An Application Manager is a specific role within Permission Assist. They are generally considered the "owner" of an application and are responsible for the administration functions and maintenance of that application. Within Permission Assist, any identity that is assigned within the Responsibilities tab (Manage > Applications > select the application > Responsibilities tab) is an application manager.
If a review is set up to require application managers, they are able to complete review items for users within their assigned application (this is their primary responsibility as a reviewer). In addition to reviewing items, they can also complete the following tasks within Permission Assist:
  • Add and maintain applications
  • Change application settings
  • Import privilege/access data
  • See access requests for applications they manage (on the Change Management Taskboard)
Application security data
noun
The data that was imported from your various applications. Permission Assist imports application security data from various applications, such as the core software, digital banking application, wire transfer application, and other applications.
Examples of application security data include users, user permissions, roles, role permissions, and metadata such as the last login date, password expiration dates, and more.
Area reviewer
noun
An Area Reviewer is a specific role within Permission Assist. They are assigned to review a specifically defined set of permission data (a Reviewable Area) within an application.
Assurance
noun
Confidence that users have access to the right permissions.
Confidence is gained through various processes that verify users are given the appropriate permissions. For example, completing a review is one way to prove assurance.
Audit
noun
An independent examination to assess the quality and effectiveness of internal controls, risk management, and compliance initiatives in an organization.
Audit log
noun
A list of user activities within an application. Activities are usually ordered chronologically (by the date and time they occurred).
Audit trail
noun
A chronological report of activities that can be used to reconstruct - from start to finish - a sequence of events related to a specific operation, procedure, or event.
Authentication
noun
Verifying that an identity is who they claim to be and that they are allowed access to an application or resource.
Authorization
noun
The process of determining what a user is able to do within an application.
Baseline
noun
A set of information that has been formally verified and documented as of a specific point in time. Often, a baseline of data is used as a starting point for tracking changes over time.
Connector
noun
A software component that can either bring application security data into Permission Assist or send application security data to another application.
There are two types of connectors:
  • Read-only
  • Read/write
Connector update
noun
Correcting problems within the connector to ensure the permissions are reported accurately as intended.
Examples:
  • Import fails with an error message
  • Missing users
  • Missing groups
  • Missing permissions
  • Incorrectly formatted results
Connector enhancement
noun
The addition of new features or improving existing features to ensure that permissions are reported accurately as intended.
Examples:
  • Additional support for optional file formats
  • Support for new optional files (adding context)
  • Addition of metadata
  • New parameters for result crafting
Compliance
noun
The act of following regulatory requirements, standards, and best practices for the secure administration of user identities and access privileges. It ensures that an organization's IAM policies are consistent with legal, regulatory, and industry standards for maintaining user identities and regulating access to resources. IAM compliance is critical for safeguarding sensitive information, reducing security threats, and avoiding legal consequences.
Continuous monitoring
noun
Frequent and ongoing assurance processes that happen in real-time. Continuous monitoring is used to detect anomalies, unauthorized access, policy violations, or risky situations as they happen and alert the appropriate people so they can take action, if needed.
Control
noun
Policies, procedures, and mechanisms that govern how identities can access and interact with resources.
Controls enforce the higher-level policies and guidelines defined by a security team (see also governance). Examples include access controls, security controls (i.e., safeguards or countermeasures), change controls, and so on.
Defined manager
noun
A Defined Manager is a specific role within Permission Assist. They are an identity who has been assigned to an organizational unit. If a review is set up to require a defined manager, the manager is able to complete review items for users within their organizational unit (defined within the identity source).
Elaboration
noun
The act of adding additional information to an identity, user account, application, or individual permission. For example, adding risk ratings to critical permissions is an elaboration.
Event
noun
Any observable occurrence in a system. Some examples of events include the following:
  • A review is started
  • A review item is approved
  • An access request is verified
IAM (Identity Access Management)
noun
Identity access management (IAM) is a framework that guides organizations in managing digital identities and controlling user access. IAM recommendations and solutions are often ideal in theory but also very complex and hard to implement. Permission Assist helps customers implement a practical IAM approach to help ensure identities are given the right level of access to the right things at the right time.
IAM focuses on the technical execution of identity management—authenticating users, managing accounts, and enforcing access controls. It includes processes like single sign-on (SSO), multi-factor authentication (MFA), and provisioning/deprovisioning.
Identities (list)
noun
The list of identities a customer wants to manage. In Permission Assist, you can view the list by going to the Manage menu and selecting Identities.
Identity
noun
A unique person or resource. Examples include employees, service accounts, vendor accounts, bots, and so on.

Note

The terms "user account" and "employee" are commonly used as if they meant identity; however, they are not proper synonyms. A user account refers to a security entry point for a single application, of which an identity may have many. An employee is a single person of a single type, whereas an identity may also be a non-employee person (vendor) or even a non-human persona (service account).

In Permission Assist, identities are imported from your identity source (or what we refer to as your directory source). By importing data from your directory source, Permission Assist gives you better visibility into your identity data, which means you can:

  • see how many identities you have
  • more easily find identities that should have been removed
  • identify unnecessary identities such as old training accounts or testing accounts
  • locate duplicated identities or identities in unexpected OUs or folders
  • find inconsistencies in metadata such as status (active/inactive), job titles, email addresses, and so on
Identity sources
noun
The applications or resources that Permission Assist uses to import identity information.
Import
verb
Bringing application security data from a third-party application into Permission Assist.
noun
A record of information related to each import. Each time application security data is imported into Permission Assist, the import is logged within the application's Import tab (Manage > Applications > select an application > Imports tab). The import includes the date and time of the import, who imported the data, some statistical data related to the import, user changes, group changes, and the physical reports (if reports were used to import data).
IGA (Identity Governance and Administration)
noun
IGA is the governance layer that oversees IAM. It's a framework of policies and technologies for ensuring access is appropriate, compliant, and secure over time. IGA includes policy enforcement, access reviews, risk analysis (like segregation of duties), audit readiness, and lifecycle management. It answers the question: “Is this access still necessary and compliant?”
Incremental provision engine
Proper noun
A tool within Permission Assist that progressively walks a Provision Engineer through access request changes and allows Permission Assist to do some of the work automatically. With progressive provisioning, the Provision Engineer decides which actions they want to take, and allows Permission Assist to do the work (see example below).

Note

The Incremental Provision Engine is only available for applications that use a read/write connector. Examples include Microsoft AD and Jack Henry Symitar.
Metadata
noun
Additional information about the data.
Within Permission Assist, metadata is most commonly referred to when talking about user information that isn’t permission information. This data can be found by going to Manage > Applications > select an application > Users tab and selecting a user. The information displayed at the top of the tab is user information that includes metadata such as last login date, password expiration, and so on.
Offboarding
noun
The process of removing all of an identity's access to various applications and resources. Offboarding typically happens when an employee leaves the organization.
The Operations module within Permission Assist allows personnel managers to initiate and track the process of offboarding employees. When the process is complete, reports are available so you can provide credible evidence of the process to internal or external auditors.
Onboarding
noun
The process of giving an identity access to the applications and resources they need to complete their job duties. Onboarding happens when a new employee joins the organization.
The Operations module within Permission Assist allows personnel managers to initiate and track the process of onboarding new employees. When the process is complete, reports are available so you can provide credible evidence of the process to internal or external auditors.
Operations module
noun
The features within Permission Assist that help you streamline the provisioning process related to personnel events. Reporting is available so you can provide credible evidence of the process.
Operations Features
  • Onboarding — manages the process of assigning appropriate permissions when a new person joins your financial institution. Permission Assist automatically matches the new employee to their appropriate access model(s). Personnel managers no longer need to guess which permissions they can have or copy from a previous employee and risk being overprivileged.
  • Offboarding — manages the process of removing permissions when an identity needs to be removed. Permission Assist gathers all an identity’s current permissions using the most recent import data and routes access requests to the appropriate provision engineer.
  • Role Transition — manages the process of an employee transitioning from one role or job title to another. The role transition can be scheduled to happen immediately or for a future date. This feature also allows you to manage the “in-between” situations where an employee needs to be in both roles during the transition.
  • Leave of Absence — manages the process of an employee going on a leave of absence. The leave can be scheduled to happen immediately or for a future date. The return date can also be scheduled for a specific date or left open to be defined later.
  • Change User — used to request a change of permissions within an application for a specific user.
  • Reporting — generate detailed reports to track a specific personnel event from start to finish or generate a detailed audit package to prove all actions were completed appropriately.
Personnel event
noun
A human resources event that results in a change to an identity's access.
Examples: onboarding (new hires), offboarding (when people leave), job role transitions, and temporary leaves of absence.
Personnel manager
noun
A Personnel Manager is a specific role within Permission Assist. They are assigned to the Personnel Manager group in the System Configuration > Authentication area. Personnel Managers have access to view and create personnel events such as onboarding, offboarding, role transitions, and leaves of absence. They can also view access requests related to personnel events on which they are the reporter. They cannot complete access requests related to their events unless they also belong to the Provision Team or they are a Provision Engineer for a specific application.
Plugin
noun
Legacy code term for what is now called a Connector in customer-facing contexts. A software component that can either bring application security data into Permission Assist or send application security data to another application.
Permission Dumbbells
noun
A visual comparison tool in the Review Items Taskboard that shows permissions from the previous review alongside the current review, with color coding to indicate changes and elevations.
Pre-approval process
noun
A process in which Permission Assist can mark review items as approved. When an item is pre-approved, it means Permission Assist has analyzed the item according to both the system criteria (built into Permission Assist) and the pre-approval conditions and has determined the item meets that criteria.
Principle of least privilege
noun
A standard that says users should only be authorized to use the applications they need and, when given authorization, they should have the fewest permissions possible to complete their daily work.
Provisioning
verb
Changing user access.
In Permission Assist, provisioning often refers to changing user access within the context of personnel events like onboarding, offboarding, and so on. Provisioning is either completed manually by a provision engineer or through Permission Assist using the Incremental Provision Engine.
Provision Engineer
noun
A Provision Engineer is a specific role within Permission Assist. They have responsibilities related to access requests. People can be given Provision Engineer responsibilities by doing either of the following:
  • Assigning an identity to the Provision Team group within the System Configuration area.

Identities who are members of the Provision Team group have full access to the features within the Change Management Taskboard and are able to take action on access requests for all applications. They do not have access to any other features within Permission Assist unless they also belong to another group.

  • Giving someone Provision Engineer responsibilities within an application.

Identities who have been given provision engineer responsibilities for a specific application can only take action on access requests that relate to their assigned application(s). They cannot see or take action on any other access requests.

Quick Review
noun
A review type that allows Permission Assist to automatically pre-approve review items for identities whose permissions haven't changed or have been reduced since the last review.
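The Permission Dumbbells and Quick Review entries both rest on the same comparison: the permission set a user held in the previous review against the set they hold in the current point-in-time snapshot. The following is an added illustration, not Permission Assist code; the snapshots, user names, permission names and the kept/removed/added labels are constructed for the example, and the pre-approval rule applied is exactly the one stated above (unchanged or reduced permissions qualify, elevations and users new since the last review do not).

```python
"""Added example (not Permission Assist code): classify review items by
comparing the previous review's permission snapshot with the current one."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Constructed sample snapshots: user -> set of permission names.
# A review is point-in-time, so each snapshot is fixed once the review starts.
PREVIOUS_REVIEW: Dict[str, Set[str]] = {
    "alice": {"wire.view", "wire.initiate"},
    "bob": {"loan.view", "loan.approve"},
    "carol": {"gl.view"},
    "dave": {"teller.view"},
}
CURRENT_REVIEW: Dict[str, Set[str]] = {
    "alice": {"wire.view", "wire.initiate"},   # unchanged since last review
    "bob": {"loan.view"},                       # reduced: loan.approve removed
    "carol": {"gl.view", "gl.post"},            # elevated: gl.post added
    "erin": {"teller.view"},                    # not present in previous review
    # "dave" is absent: no review item, because he is not in the current import
}


@dataclass
class ReviewItem:
    user: str
    status: str                 # unchanged | reduced | elevated | new
    kept: FrozenSet[str]        # present in both reviews
    removed: FrozenSet[str]     # present last time, gone now
    added: FrozenSet[str]       # new this time (an elevation)
    pre_approved: bool          # Quick Review rule: unchanged or reduced only


def classify(prev: Dict[str, Set[str]], cur: Dict[str, Set[str]]) -> List[ReviewItem]:
    """Build one review item per user in the current snapshot."""
    items: List[ReviewItem] = []
    for user, now in sorted(cur.items()):
        before = prev.get(user)
        if before is None:
            status = "new"
            kept, removed, added = frozenset(), frozenset(), frozenset(now)
        else:
            kept = frozenset(before & now)
            removed = frozenset(before - now)
            added = frozenset(now - before)
            if added:
                status = "elevated"      # any new permission is an elevation
            elif removed:
                status = "reduced"
            else:
                status = "unchanged"
        items.append(ReviewItem(user, status, kept, removed, added,
                                pre_approved=status in ("unchanged", "reduced")))
    return items


def render_dumbbell(item: ReviewItem) -> str:
    """Text form of the previous-vs-current comparison: '=' kept, '-' removed, '+' added."""
    parts = sorted(f"={p}" for p in item.kept)
    parts += sorted(f"-{p}" for p in item.removed)
    parts += sorted(f"+{p}" for p in item.added)
    flag = "pre-approved" if item.pre_approved else "needs reviewer"
    return f"{item.user:<6} {item.status:<9} [{flag}] " + " ".join(parts)


if __name__ == "__main__":
    for item in classify(PREVIOUS_REVIEW, CURRENT_REVIEW):
        print(render_dumbbell(item))
```

The ordering of the checks matters: a user who both lost and gained permissions is treated as elevated, because the gained permission is what a reviewer must look at.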
Read-only connector
noun
A connector that imports application security data into Permission Assist and organizes the data in an easy-to-read format.
A read-only connector cannot change information within a third-party application; it can only get information from the application.
Read/write connector
noun
A connector that is integrated with a third-party application in a way that allows Permission Assist to:
  • import application security data into Permission Assist
  • send application security data to a third-party application
  • update application security data within the third-party application
Recon session
noun
Recon sessions are meetings between Continuous and the customer. They are used to gather application security data and are typically scheduled in the following situations:
  • Developing a new connector: In this case, the recon session gathers the information needed to determine which import strategy is best for your situation. If developing a new connector is the ideal route, we’ll work with you to create a connector that pulls in permission information quickly and enhances understanding.
  • Updating an existing connector: In this case, the recon session is used to identify and understand the changes related to users and user permissions.
Remediation
noun
A special kind of provisioning that is used to fix (or correct) a user’s access. In Permission Assist, remediation happens within the context of a review (or user access audit). For example, if you are in the process of an annual audit and you find something wrong with a user’s access, flagging the item begins the remediation process to fix or correct that user’s access by changing their permissions.
Reporting Only
noun
Reporting Only is a specific role within Permission Assist. Its members are assigned to the Reporting Only group in the System Configuration > Authentication area. Members of this group have read-only access to reporting areas. They can view reports under the Reports menu and are able to view and print data for all reviews and applications. They do not have access to any other features within Permission Assist unless they also belong to another group.
Review
noun
An assurance process that is used to verify that each user has appropriate access within the applications they use.
Reviews are typically done at least once a year to meet regulatory requirements, risk management goals, and compliance initiatives defined by the bank or credit union.
Within Permission Assist, reviews are “point-in-time” reviews. This means that when a review is started, users and permissions are determined using the most recent import data, and they do not change throughout the review. For example, if an Active Directory review is started today, and a new identity is added to Active Directory tomorrow, the new identity will not be included in the review. Similarly, if an Active Directory review is started today, and an identity’s permissions are changed tomorrow, the user’s permissions within the review item will remain what they were when the review was started.
Reviewer
noun
A Reviewer is a specific role within Permission Assist. They are responsible for reviewing user permissions. Application Managers, Supervisors, Security Team members, or other defined managers can all be reviewers.
Reviewable Area
noun
A specifically defined set of permission data within an application assigned to an Area Reviewer.
Review Item
noun
A single unit of work in a review. Each review item represents a user (or group) within an application whose permissions need to be reviewed by one or more reviewers.
Role-based access control
noun
A method of assigning permissions to users based on their job role.
Security Team
noun
A Security Team member is a specific role within Permission Assist. They are assigned to the Security Team group in the System Configuration > Authentication area. Security Team members are usually responsible for overseeing all tasks related to the review process, including: adding applications, importing permission data, creating Access Models, creating/managing reviews, generating reports, and so on.
Separation of duties
noun
A security method that requires more than one person to complete a task. This method is used to prevent fraud, sabotage, theft, misuse of information, and security breaches.
Separation Rules
noun
Rules that define combinations of permissions that should not coexist (toxic combinations), used to detect separation-of-duties violations during reviews.
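As an added illustration of how separation rules are evaluated (this is not Permission Assist code, and the rule names, roles, permission names and users are all constructed for the example), the block below computes each user's effective permissions from direct grants plus role-based grants, then reports every toxic combination that is fully present. It also records where each permission came from, which is the information a reviewer needs when flagging the item for remediation.

```python
"""Added example (not Permission Assist code): detect separation-of-duties
violations by checking toxic permission combinations against a review snapshot."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed separation rules: each names a combination that must not coexist.
SEPARATION_RULES: Dict[str, FrozenSet[str]] = {
    "wire-initiate-and-approve": frozenset({"wire.initiate", "wire.approve"}),
    "vendor-create-and-pay": frozenset({"ap.vendor.create", "ap.payment.release"}),
    "gl-post-and-reconcile": frozenset({"gl.post", "gl.reconcile"}),
}

# Constructed role definitions (role -> permissions) and user assignments.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "wire-clerk": {"wire.view", "wire.initiate"},
    "wire-officer": {"wire.view", "wire.approve"},
    "ap-clerk": {"ap.vendor.create"},
    "ap-manager": {"ap.payment.release"},
}
USERS: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"roles": {"wire-clerk"}, "direct": set()},
    "bob": {"roles": {"wire-clerk", "wire-officer"}, "direct": set()},  # both roles
    "carol": {"roles": {"ap-clerk"}, "direct": {"ap.payment.release"}},  # role + direct
    "dave": {"roles": set(), "direct": {"gl.post"}},                     # half a combo
}


def permission_sources(user: str,
                       role_permissions: Dict[str, Set[str]] = ROLE_PERMISSIONS,
                       users: Dict[str, Dict[str, Set[str]]] = USERS) -> Dict[str, Set[str]]:
    """Map each effective permission to its origin: 'direct' or the granting role."""
    record = users[user]
    sources: Dict[str, Set[str]] = {}
    for perm in record["direct"]:
        sources.setdefault(perm, set()).add("direct")
    for role in record["roles"]:
        for perm in role_permissions.get(role, set()):
            sources.setdefault(perm, set()).add(role)
    return sources


def effective_permissions(user: str,
                          role_permissions: Dict[str, Set[str]] = ROLE_PERMISSIONS,
                          users: Dict[str, Dict[str, Set[str]]] = USERS) -> Set[str]:
    """Union of direct grants and every assigned role's permissions."""
    return set(permission_sources(user, role_permissions, users))


def find_violations(users: Dict[str, Dict[str, Set[str]]] = USERS,
                    rules: Dict[str, FrozenSet[str]] = SEPARATION_RULES,
                    role_permissions: Dict[str, Set[str]] = ROLE_PERMISSIONS
                    ) -> List[Tuple[str, str]]:
    """Return (user, rule name) for every rule whose whole combination is present."""
    violations: List[Tuple[str, str]] = []
    for user in sorted(users):
        perms = effective_permissions(user, role_permissions, users)
        for rule_name, combination in rules.items():
            if combination <= perms:   # subset test: every toxic permission is held
                violations.append((user, rule_name))
    return violations


def explain(user: str, rule_name: str) -> str:
    """One line telling the reviewer which grants produced the violation."""
    sources = permission_sources(user)
    detail = ", ".join(f"{p} via {'/'.join(sorted(sources[p]))}"
                       for p in sorted(SEPARATION_RULES[rule_name]))
    return f"{user}: {rule_name} ({detail})"


if __name__ == "__main__":
    for who, rule in find_violations():
        print(explain(who, rule))
```

Note that dave holds only one half of the gl-post-and-reconcile combination and so is not reported; a rule fires only when the complete combination is present in the user's effective permissions, whether the pieces arrive through roles, direct grants, or a mix of both as with carol.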
Connector sponsorship
noun
An agreement to work with Continuous to develop a new connector. There are two types of sponsorships:
  • Continuous sponsorships - In these sponsorships, Continuous agrees to fund the development of the connector, and there is no cost to the customer. These agreements are sometimes offered when a customer is implementing Permission Assist. They are primarily used to ensure that a customer’s most critical systems can be added to Permission Assist.

Note

Continuous sponsorships must be used within the expiration timeframe defined in the customer’s license agreement.

  • Purchased sponsorships - In these sponsorships, the customer agrees to pay a one-time cost for the development of the connector. Purchased sponsorships do not expire.
Supervisor
noun
A Supervisor is a specific role within Permission Assist. They are responsible for reviewing permissions for their direct reports or others the Security Team has assigned to them. A person could also be given Supervisor access to Permission Assist if:
  • they've been assigned Supervisor responsibilities for at least one group within a particular application.
  • they've been assigned responsibilities on behalf of another supervisor.

If the review is set up to require Supervisors, Supervisors are able to complete review items for their direct reports or other users who have been assigned to them (this is their primary responsibility as a reviewer). In addition to reviewing items, they can also see access requests (on the Change Management Taskboard) that they've created by flagging items within a review.

Webhook
noun
A webhook is a method that allows one system to notify another system when a specific event happens. For example, if a webhook is available between Permission Assist and an HR application, Permission Assist can send a message to the HR system when a personnel event is created. This message could contain all the details related to the personnel event, including employee information and permissions.
Webhooks are particularly useful because they provide nearly real-time data updates, which means the receiving system gets the information nearly as soon as the event happens, without needing to constantly check for updates.