After completing numerous SailPoint projects here at Identropy, both large and small, I thought it would be useful to put together a cheat sheet of SailPoint specific terms for newbies to the technology. Hopefully this will be beneficial for customers and consultants alike so they can get in on the fun SailPoint-speak.  Enjoy!

I've broken the glossary of terms into 3 sections:

  • General SailPoint Terms
  • SailPoint "Lifecycle" Terms
  • SailPoint "Certification" Terms

General SailPoint Terms


Account - Created on a per Application basis and gives a user the ability to authenticate to an Application.

Aggregation - Process to collect account and entitlement data from applications.  The Authoritative Source should be aggregated first to create the Identity Cubes followed by the Target applications to populate the Identity Cubes with account and entitlement data.

Application Owner - A User that is responsible for either the Business or Technical aspect of the application.

Authoritative Source - Authoritative Sources are the HR system (i.e. Workday, SuccessFactors, Ultipro, FieldGlass, etc.).  This data is considered to be the “golden” user data used to create the Identity Cubes with the user accounts correlated into the appropriate Identity Cubes.

Birthright - The creation of a user’s Identity Cube and initial application accounts and entitlements triggered by the Authoritative Source.  Common applications are Active Directory, Office 365, and ServiceNow.

Connector - The ability to connect IdentityIQ to Applications within your environment.  The connector is used to manage user data such as aggregate account/group data, provision, de-provision, and change passwords.

Correlation - Process of combining all the information discovered by IdentityIQ (identity attributes, entitlements, activity, policy violations, history, certification status, etc.) to create and maintain the IdentityIQ Identity Cubes.

Entitlement - Attributes that denote access on a target application.  Entitlements can be loaded directly into the Entitlement Catalog, aggregated directly during a group aggregation or promoted during account aggregation. 

Entitlement Owner - A User that is responsible for either the Business or Technical aspect of the entitlement.

Identity Cube - Integrated and normalized data from authoritative systems that have had: 1) correlation rules applied to ensure the correct data is attached to the correct Identity in the system; and, 2) Governance roles, policies, and risks models applied.  The data within this cube can then be applied to the Compliance Manager and/or Lifecycle Manager modules.

LOA - Leave of Absence.

Manager - Any user Identity which has at least one direct report as defined in the HR system.

Populations - Query based groups created from the results of searches run from the Identity Search page. 

Provision or Provisioning - The granting of Identity information or entitlements to an account on a target system.  This may occur in an automated or manual fashion.

Role - Virtual bundle (grouping) that assigns access, usually in the form of entitlements.  IT roles contain “bottom-up” entitlements that can be detected or provisioned, while business roles have “top-down” match criteria for automatic assignment and links to required IT roles.  Usually, business roles can be requested manually or are assigned automatically. 

Secondary Account - Secondary Accounts include all accounts that are used by more than one user (i.e. shared, service, etc.), that are generally not deleted when any one individual leaves.  For example, each secondary account will be stored in an individual cube.  The cube will only contain the secondary account and the name of the cube will reflect: It is not a user - What application it resides on - The account type - The name of the account - Owner name.

Workgroups - Workgroups enable the assignment of object ownership, certification, revocations, and work items to pre-defined lists of identities (i.e grouping identities).

Work Item - An action-approval item that is sent and tracked by IdentityIQ.


SailPoint "Lifecycle" Terms


Access Request - The process of adding application accounts and entitlements.  This process can either use the Joiner process (new account) or the Mover process (add or remove entitlements).

Approval - A process triggered by Access Request for the specified people to approve.  The most common approvers are the Direct Report Manager and Entitlement Owner.

Joiner - An on-boarding Lifecycle Event.

Leaver - A termination Life Cycle Event.

Life Cycle Event - Triggered workflows that are launched, usually because of a refresh task.  The most common Lifecycle Events are Joiner, Leaver, and Mover.  Each LCE consists of a triggering mechanism and the workflow steps.  The triggering mechanism is often a rule that evaluates the previous Identity with the new Identity and determines whether the given event should be launched. 

Lifecycle Manager - A licensed module within IdentityIQ that allows users to request access to various applications and supports the triggering of automated process that occurs during a user’s employment lifecycle.

Mover - A transfer Life Cycle Event.


SailPoint "Certification" Terms


Access Review - When a Certification campaign is launched, it is broken down to a per Manager or per Entitlement Owner basis.

Certification - An OOTB feature that is part of the Compliance Manager suite of functionality.  Certifications can be either scheduled or triggered by Identity lifecycle changes.  Pre-defined certification types include: manager, application owner, entitlement owner, role membership, role composition, account group permissions, account group membership, and advanced. All certifications have a general lifecycle which can include the following phases: Staging Period, Active Phase, Challenge Phase, Revocation Phase, Sign-Off, End Phase, & Automatic Closing.  Individual notifications and escalations can be specified during creation of the certification.

Challenge Period - The Certification phase when the user can challenge all revocation requests.  This period may or may not be enabled.

Days - This term is intended to reflect actual calendar days.

Revocation Period - The Certification phase when all revocation work is completed.  Revocation work can be configured to be automated or manual.  This period may or may not be enabled.

Staging Period - The Certification phase prior to the launch of a Scheduled campaign where the administrator can review the configurations and make updates as needed.

Transfer Certification - A Transfer Certification is triggered when key Authoritative Source attributes change such as Job Code or Department Code.  The new Manager will receive a Work Item requiring the action to review the user’s existing account and entitlement.  Any accounts or entitlements no longer required will be removed by the new Manager.


Effective Identity Management Strategy



Mark Gyorey

Mark Gyorey

Sr Director of Professional Services After making the switch into Identity and Strong Authentication almost 15 years ago I have discovered two passions: Professional Services and Customer Success! I am very fortunate to work at a company like Identropy which embraces Core Values as away of doing business. When I am not working I can be found raiding the refrigerator, mountain biking on amazing single track, running, or enjoying the California sunshine.