Access Certification Thesaurus
This thesaurus covers key terms used across the Access Certification section. Use it to look up an unfamiliar term and navigate directly to the article that explains it in context.
A
Access Certification (UAR)
The process of systematically reviewing and approving or revoking user access to applications and entitlements. Campaigns can be entitlement-based or user-based.
→ Read more in: Entitlement Based Certification | User Based Review
Access Revocation
The action of removing access rights from a user, triggered manually during a review or automatically when a campaign expires.
→ Read more in: Expiration Policy | Multi-Reviewer Campaigns
Admin Assignment (Membership tag)
A system-assigned membership tag applied whenever an administrator assigns access through the webconsole or API.
→ Read more in: Membership Tags
Admin Owner System Access (Membership tag)
A membership tag indicating that a user holds special rights as an Owner or Admin of a Role, Group, or Resource.
→ Read more in: Membership Tags
Application Admin / Owner (Reviewer type)
A reviewer type for application-based campaigns. The person designated as the admin or owner of an application receives the review tasks for that application.
→ Read more in: User Based Review
APPROVAL_PATH (Risk factor)
A risk factor that analyzes the approval workflow used to grant access. Entitlements granted without proper approval carry a higher risk score.
→ Read more in: Risk Factors Configuration
Audit Log
A system record capturing all events related to certification, risk detection, and provisioning actions.
→ Read more in: Risk Event Driven Certification | Expiration Policy | SoD Policies
B
Batch Task
A background scheduled job used for automation, such as generating reports or processing expired campaign requests.
→ Read more in: Certification Reporting | Expiration Policy
Birthright Assignment (Membership tag)
A membership tag applied when access is granted automatically via a business rule.
→ Read more in: Membership Tags
C
Campaign
An access certification campaign is a configured review cycle that defines what access is reviewed, who reviews it, and over what period.
→ Read more in: Entitlement Based Certification | User Based Review | Deleting a Campaign | Campaign Database
Campaign Database
Starting from version 4.2.2, a campaign is stored as a concrete set of database tables rather than a virtual object, enabling richer reporting and data manipulation.
→ Read more in: Campaign as Database Object
Campaign Expiration
The automatic termination of a campaign after the escalation period ends, with configurable consequences for unreviewed access items.
→ Read more in: Expiration Policy | Multi-Reviewer Campaigns
Cascade Extension
An option controlling whether a deadline extension is applied only to the current reviewer or cascaded to all subsequent reviewers.
→ Read more in: Multi-Reviewer Campaigns
Certification Reporting
The set of reports available for an access certification campaign: scope, current state, and results reports.
→ Read more in: Certification Reporting
Current State Report
A certification report representing the live status of an in-progress campaign at the time it is generated, delivered to the administrator's mailbox.
→ Read more in: Certification Reporting
D
Delete Campaign
An administrative action that permanently removes a certification campaign and all its associated requests. Available since version 4.2.2.
→ Read more in: Deleting a Campaign
Department Change (Risk event)
A profile change that qualifies as a risk event and can trigger a risk event driven certification review.
→ Read more in: Risk Event Driven Certification
Direct Violation (SoD)
An SoD violation where the user explicitly and directly holds a conflicting entitlement.
→ Read more in: SoD Policies
Do Nothing (Expiration policy)
An expiration policy option where unreviewed access items are automatically marked as accepted when the campaign expires.
→ Read more in: Expiration Policy
E
Email Template
The notification template used to send emails to reviewers and managers during a certification campaign.
→ Read more in: Entitlement Based Certification | User Based Review
Entitlement
An access right assigned to a user, typically expressed as a Role, Group, Resource, or Organization membership.
→ Read more in: Entitlement Based Certification | SoD Policies
Entitlement Admin / Owner (Reviewer type)
A reviewer type where the owner or admin of a role or group receives the review tasks for entitlements under their management.
→ Read more in: User Based Review
ENTITLEMENT_LIFETIME (Risk factor)
A risk factor assessing how long an entitlement has been held. Long-standing, unreviewed entitlements carry elevated risk.
→ Read more in: Risk Factors Configuration
ENTITLEMENT_ORIGIN (Risk factor)
A risk factor evaluating how an entitlement was granted — direct assignment vs. inherited through a role or group.
→ Read more in: Risk Factors Configuration
ENTITLEMENT_SENSITIVITY (Risk factor)
A risk factor measuring the sensitivity level of an entitlement. Sensitive entitlements (e.g., admin access, financial systems) contribute more to the overall risk score.
→ Read more in: Risk Factors Configuration
Escalation
The process of reassigning an incomplete review to a designated escalation reviewer when the primary reviewer fails to finish within the allotted time.
→ Read more in: Multi-Reviewer Campaigns | Expiration Policy
Exemption (SoD)
A formal exception recorded in the system that allows a user to retain conflicting entitlements, provided the SoD policy permits exceptions.
→ Read more in: SoD Policies
Expiration Extension
A configurable option allowing reviewers to extend the deadline of a campaign by a defined maximum number of days.
→ Read more in: Expiration Policy | Multi-Reviewer Campaigns
Expiration Policy
Configuration that defines what happens to unreviewed access items when a campaign expires. Options include Do Nothing, Revoke All Access, and Revoke Only Already Revoked Access.
→ Read more in: Expiration Policy
G
Group (Reviewer type)
A reviewer type where a defined group of users is collectively assigned the review tasks.
→ Read more in: User Based Review
H
Hard Violation (SoD)
An SoD violation type that blocks the provisioning operation entirely, preventing the conflicting entitlement from being assigned.
→ Read more in: SoD Policies
I
Impact Level
A classification (High, Medium, or Low) derived from a risk factor's weight, indicating how critical an access decision is if incorrectly granted.
→ Read more in: Risk Factors Configuration
Indirect Violation (SoD)
An SoD violation where the user has effective access to a conflicting entitlement through inheritance (e.g., via a parent group or role hierarchy).
→ Read more in: SoD Policies
IsCertified
A legacy access right type that previously determined whether a membership would be included in access reviews. Replaced by Membership Tags in version 4.2.2.
→ Read more in: Membership Tags
M
Manager of Access Review (UAR Manager)
The person overseeing a certification campaign. They have access to the dashboard and reports, and can delegate review requests.
→ Read more in: Entitlement Based Certification | User Based Review | Certification Reporting
Membership Tag
Metadata attached to an access assignment that describes how a user obtained that access (e.g., admin assignment, business rule, self-service request). Used to filter entitlements in access reviews.
→ Read more in: Membership Tags
Membership Tags to Exclude
A campaign configuration field allowing reviewers to filter out irrelevant types of access assignments from the review scope.
→ Read more in: Membership Tags | Entitlement Based Certification | User Based Review
Mitigating Control
A compensating measure that reduces the risk of an SoD policy violation without removing the conflicting access. Documented for audit purposes and linked to SoD policies.
→ Read more in: Mitigation Controls for SoD | SoD Policies
Multi-Reviewer Campaign
A campaign configured with multiple reviewers who evaluate access sequentially. Each reviewer acts on items accepted by the previous reviewer.
→ Read more in: Multi-Reviewer Campaigns
O
Organization Certifier (Reviewer type)
A reviewer type where the certifier assigned to a user's organization receives the review tasks.
→ Read more in: User Based Review
P
Policy (SoD)
The top-level SoD object defining a conflict between entitlements. It specifies severity, segments, exception rules, and linked mitigating controls.
→ Read more in: SoD Policies
Policy Segment (SoD)
A subset within an SoD policy that specifies which exact roles, groups, resources, or organizations are in conflict with each other.
→ Read more in: SoD Policies
Provisioning
The process of granting or revoking user access. SoD checks run during every provisioning operation.
→ Read more in: Risk Event Driven Certification | SoD Policies
R
Reference Start Date
The anchor date used to calculate when the next automatic campaign execution should occur.
→ Read more in: Entitlement Based Certification | User Based Review
Requested Access (Membership tag)
A membership tag applied when access was granted as a result of a user request submitted through the SelfService portal.
→ Read more in: Membership Tags
Results Report
A certification report generated automatically upon campaign completion, summarizing the final outcome. Sent to the UAR manager's email.
→ Read more in: Certification Reporting
Reviewer
A person or group responsible for evaluating and accepting or revoking user access during a certification campaign.
→ Read more in: User Based Review | Multi-Reviewer Campaigns
Revoke All Access (Expiration policy)
An expiration policy option that revokes all access items in the campaign — regardless of review status — upon campaign expiration.
→ Read more in: Expiration Policy
Revoke Only Already Revoked Access (Expiration policy)
An expiration policy option that only finalizes previously revoked items upon expiration; unreviewed items are marked as accepted.
→ Read more in: Expiration Policy
Risk Event
A user profile change (title change, supervisor change, or department change) that triggers a risk event driven certification review.
→ Read more in: Risk Event Driven Certification
Risk Factors
Individual attributes or signals used to calculate the overall risk score of a user's access. Five factors are available: Entitlement Sensitivity, Entitlement Origin, Entitlement Lifetime, Approval Path, and UAR Awareness.
→ Read more in: Risk Factors Configuration
Risk Score
The overall risk assessment computed by combining the weighted values of all enabled risk factors for a user's entitlement set.
→ Read more in: Risk Factors Configuration
RISK_EVENT_TYPE
An audit log attribute indicating which type of risk event (title change, supervisor change, or department change) triggered a log entry.
→ Read more in: Risk Event Driven Certification
RISK_WAS_ADDRESSED
An audit log attribute indicating whether a user's access has been reviewed since the risk event occurred (true = reviewed, false = not yet reviewed).
→ Read more in: Risk Event Driven Certification
S
Scheduled Interval
The frequency at which a campaign is automatically launched: annually, semi-annually, or quarterly.
→ Read more in: Entitlement Based Certification | User Based Review
Scope Report
A certification report showing the initial state of a campaign: which users, which access, and which reviewers are included. Generated automatically when a campaign is initiated.
→ Read more in: Certification Reporting
Segregation of Duties (SoD)
A security and compliance control that prevents any single user from holding a combination of conflicting access rights that could enable fraud or abuse of privilege.
→ Read more in: SoD Policies | Mitigation Controls for SoD
Select Reviewer (Reviewer type)
A reviewer type where a specific named user is chosen to perform the review.
→ Read more in: User Based Review
SelfService Portal
The end-user portal where users can submit access requests and, when configured, review their own access.
→ Read more in: User Based Review | Membership Tags
Self-Review (Reviewer type)
A reviewer type that allows the target user to review their own access via the SelfService portal.
→ Read more in: User Based Review
Sequential Review
A review process in multi-reviewer campaigns where reviewers act one after another, each evaluating only the access accepted by the previous reviewer.
→ Read more in: Multi-Reviewer Campaigns
Service Account Owner (Reviewer type)
A reviewer type for related accounts, where the primary user acts as the reviewer.
→ Read more in: User Based Review
SoD Violation
An instance where a user holds a combination of entitlements defined as conflicting by an SoD policy. Can be Soft (allowed but recorded) or Hard (provisioning blocked).
→ Read more in: SoD Policies
SOX / SOC 2 / ISO 27001
Regulatory and compliance standards that SoD policies help enforce by controlling conflicting access rights.
→ Read more in: SoD Policies
Soft Violation (SoD)
An SoD violation type that allows the provisioning operation to proceed but records the conflict and notifies the responsible manager group.
→ Read more in: SoD Policies
Supervisor (Reviewer type)
A reviewer type that routes the review to the user's direct supervisor. If no supervisor is assigned, the review goes to the Sysadmin account.
→ Read more in: User Based Review
Supervisor Change (Risk event)
A profile change that qualifies as a risk event and can trigger a risk event driven certification review.
→ Read more in: Risk Event Driven Certification
T
Title Change (Risk event)
A profile change that qualifies as a risk event and can trigger a risk event driven certification review.
→ Read more in: Risk Event Driven Certification
Type of Certification
A campaign field determining the scope of the review: User (all access for selected users) or Application (specific applications and entitlements).
→ Read more in: Entitlement Based Certification | User Based Review
U
UAR — see Access Certification
UAR Manager — see Manager of Access Review
UAR_AWARENESS (Risk factor)
A risk factor tracking whether entitlements have been reviewed in recent User Access Reviews. Unreviewed entitlements carry higher risk.
→ Read more in: Risk Factors Configuration
User Manager (Reviewer type)
A reviewer type assigning the review to the supervisor of the user whose access is being reviewed.
→ Read more in: User Based Review
User Selection
Campaign configuration that determines which users are included in the review, for example by filtering on user type (contractor, service account, etc.).
→ Read more in: User Based Review
User Type
A classification of users (e.g., contractors, service accounts, employees) used in User Selection to scope a campaign to a specific population.
→ Read more in: User Based Review
V
Violation (SoD) — see SoD Violation
Violation Detection
The process of evaluating a user's full entitlement set against all active SoD policies to identify conflicts. Detection is triggered on every provisioning operation and when a policy is updated.
→ Read more in: SoD Policies
Violation Remediation
The process of resolving an SoD violation by either removing the conflicting access or granting a formal exemption.
→ Read more in: SoD Policies