There are many commonly used acronyms in identity management. They’re very useful shorthand if you know them, but frustrating if you don’t.

If you’ve ever wondered ‘what does that acronym stand for?’ this page is for you. We demystify the identity jargon, cut through the obfuscation, and tell you in clear language what acronyms stand for and what they mean. See also our glossary.

Terms used in identity management quick reference

AD | ADLDS | AuthZ | AVP | BHOLD | CAS | CDS | CLM | CP | CPSCred | CS | CSV | CTAP | DB | DG | DL | DLL | DRE | DRL | DS | DSML | ECMA | ECMA2 | EMPS | ERE | ERL | ERP | FIDO2 | FIM |FTE | GUID | HR | HSM | IAM | IdM | ILMLDAP | LDIF | LDIFDE | MAMFA | MIIS | MIM | MPR | MV | NOS | OOB | OTP | OU | PAM | PCNSPHS | PIM | #PKI | PTA | RA |RCDC | ROPU | RSO | SCSM | SG | SoR | SID | SQL | SSAU | SSO | SSPR | SSRS | SSSO | STS | TFA | U2F | UAF | UI | URL | WebAuthN | WF | WMI | XML

So here they are – a list of identity and access management acronyms – in alphabetical order:

ADActive Directory: Simplistically, from an Identity Management point of view, a list of users and groups. More completely, a Directory Service from Microsoft is included in Windows Server Operating Systems as a set of processes and services. AD includes centralized domain management and a range of directory-based identity-related services. In most implementations of MIM, AD is one of the CDS into which Identity Data is written.
ADLDSActive Directory Lightweight Directory Services: A lightweight implementation of AD that runs as a service on Windows Server. ADLDS shares the code base with AD and provides some of the same functionality.

It exposes an LDAP Directory Service Interface for access to its Data Store. ADLDS is often used as a Directory Service for a specific application because it removes the need to extend the AD schema with application-specific attributes and objects. 

AuthNAuthentication: The process of validating an identity. The classic method of validation is the username/password combination, however, Multi-Factor Authentication is increasingly used.
Read more about Authentication in our glossary.
AuthZAuthorization: The process of determining if a user has the right to access a service or resource or perform an action. The granting of access is normally regulated via group membership, allocation of roles, or claims. Back to top
AVPAttribute Value Pair: A text file format where attributes are represented as a name and value separated with a colon (:). Each pair is stored on a single line and sets of attributes are separated by a blank line. Eg.

ObjectType: person
FirstName: Peter
LastNamer: Smith
Role: Admin
Role: Manager

ObjectType: person
FirstName: John
LastName: Brown
Email: john.brown@bbx.com
Role: Security

There are two major advantages of AVP over a CSV format; individual objects can have a separate set of attributes (e.g., not all have to have a populated email address) plus multi-value attributes are easily represented (i.e., the Role attribute above). MIM has an OOB MA for reading AVP files, and Identity Panel can read and write them.

BHOLDBHOLD: An optional component supplied with MIM that uses the Role Based Access Control (RBAC) to simplify the allocation of users. Effectively defunct.
CASCentral Authentication Service: A sign-on web protocol that grants a user access to multiple services after they have been authenticated; i.e., they will not be re-challenged for their credentials as they navigate between different applications. See Single Sign-On (SSO).
CDSConnected Data Source: A system to which MIM connects to read and write data via a Management Agent.
CLMCertificate Lifecycle Manager: An optional FIM component focused on providing enhanced certificate management for Active Directory and smart cards. Effectively defunct. Back to top
CPCertificate Policy: Defines the measures taken to confirm the identity of a certificate requestor and the intended purposes of the certificate when issued.
CPSCertificate Practice Statement: Defines the measures taken to secure CA operations and the management of CA-issued certificates.
CredCredential: An item such as an ID card, or a username/password combination, used by persons or entities for Authentication.
CSConnector Space: A dataset used by a MIM MA to store a subset of the connected system’s data. Each dataset’s contents are limited to the objects and attributes that are managed by MIM. This dataset is used to determine the synchronization status of the data – i.e., by comparing the CS data to the data in the CDS, MIM can determine if updates should be exported to the CDS or if changed data from the CDS needs to be processed.

The CS is essentially a version of the related CDS, with each managed object in the CDS having a corresponding entry in the CS.

CSVComma Separated File: Traditionally a text file format where attributes are represented as values separated with a comma on a single line (but some CSV files use a different separator, for example, tab). The values may be surrounded by (for example) a quotation character (“) to permit a comma to be used in the value. The file may contain the attribute names as a line at the head of the file. MIM has an OOB MA for reading CSV files, and Identity Panel can also read and write them.
CTAPClient To Authenticator Protocol: Defines how to communicate between browsers, operating systems, and external authenticators (FIDO Security Keys, mobile devices) for a password-less, second-factor, or multi-factor authentication experience.
DBDatabase: A structured collection of data. MIM provides several MAs to connect to various database formats; i.e. Microsoft SQL, IBM DB 2, and Oracle Database. MIM uses Microsoft SQL as its primary internal database repository. Back to top
DL or DGDistribution List (or Distribution Group): Groups used as email distribution lists (for use with email applications such as Microsoft Exchange). You can add and remove contacts from the list so that they will or will not receive emails sent to the distribution group. They are not normally used to assign permissions.
DLLDynamic Link Library: Typically, a file (often called an assembly) containing a set of instructions that can be used by other programs. There are many advantages to using a DLL rather than a monolithic piece of code; these include modularization and the sharing of functions across multiple programs. The custom rules that MIM applies to objects in the Connector Space and Metaverse are compiled into DLLs when the MIM architect designs the rules to match the business requirements.
DREDetected Rule Entry: An object stored in a DRL and used to point a resource to an outbound synchronization rule. This is created when a synchronization rule has an existence test that has been satisfied by the synchronization rule.
DRLDetected Rules List: An attribute used to track the results of existence tests. The DRL attribute is multivalued because there may be various existence tests configured for an object. Because an individual DRL existence test is configured in an outbound synchronization rule, each value of the DRL attribute is used to eventually point to the outbound synchronization rule for which the existence test was satisfied. Back to top
DSDirectory Service: Systems that store, organize, and provide access to shared information across a network. A primary use of a Directory Service in identity management is to Authenticate a user and, in many cases, provide Authorization access to resources.

MIM has several OOB MAs for directory access. E.g., Active Directory, ADLDS, IBM Directory Service, Novel eDirectory, and Oracle Directory.

DSMLDirectory Service Mark-up Language: A representation of directory service information in an XML format. MIM includes an OOB MA that can read a DSML file.
ECMAExtensible Connectivity Management Agent: A MA type that can be programmatically extended to connect MIM to almost any data source. This approach is useful if Microsoft has not included an OOB MA which will do the job. These are somewhat limited and are no longer supported by Microsoft, being superseded by ECMA 2. Find out more about ECMA2 in our glossary.
ECMA2Extensible Connectivity Management Agent 2: A MA type introduced in FIM 2010 R2, and a more feature-rich version of the ECMA. While the ECMA was simple and effective for providing a quick solution to a specific problem, ECMA2 is much better at providing a generic solution, to be used repeatedly within a project or organization, or perhaps as a publicly available product. Most of the features used by the OOB MAs from Microsoft are available to the ECMA2 programmer. ECMA2 MAs can be used with Entra, extending its provisioning capability to on-premises, legacy systems. Find out more about ECMA2 in our glossary.
EMPS (EMS & EM+S)
Enterprise Mobility Plus Security: A Microsoft cloud-based offering combined standalone solutions in a discounted pricing suite, licensed on a per-user base. EMPS, also sometimes written as EMS or EM+S, integrates Identity and Access Management, Mobile Application Management, and Mobile Device Management solutions with security solutions for information protection and threat management. The EMPS license includes licensing for MIM. Back to top
EREExpected Rule Entry: In MIM, an object that links a portal synchronization rule to a resource such as a user or group. The ERE is imported into the Synchronization Service where the rule will be applied to the resource when the appropriate run profile is executed.
ERLExpected Rules List: A multi-valued attribute bound to objects in the MIM Portal and the Metaverse that holds a list of EREs for that object.
ERPEnterprise Resource Planning: A process by which a company manages and integrates parts of its business. An ERP management information system integrates areas such as planning, purchasing, inventory, sales, marketing, finance, and human resources. Organizations will often use their ERP system as a CDS.
FIDO2Fast Identity Online: An open authentication standard of internet scalable protocols, which allows users to authenticate using password-less strong authentication to websites and services. It consists of the W3C Web Authentication specification, WebAuthn API (Application Programming Interface), and the Client to Authentication Protocol (CTAP). FIDO stands for Fast IDentity Online. Find out more about FIDO2 in our glossary.
FIMForefront Identity Manager: An implementation of an Identity Management System from Microsoft. Released in 2010 with a second major release in 2012. FIM has since been superseded by MIM.

ILM, FIM & MIM are compared in our glossary.

FTEFull-Time Employee: A person employed by an organization, typically with a monthly salary and other FTE benefits such as a pension. MIM will typically be used to extract FTE identity data from an HR system and then synchronize the data to other CDSs. Back to top
GUIDGlobally Unique Identifier: A number that is programmatically generated to create a unique attribute for an entity such as a MV Object. MIM uses a 16-byte field to establish a unique identifier for each MV Object.
HRHuman Resources: The department and systems within an organization responsible for managing resources related to employees.
HSMHardware Security Module: A physical device that safeguards and manages digital keys for strong authentication and provides crypto-processing.
IAMIdentity and Access Management: Identity Management is the way we record and manage information about identities, usually people but also computers, departments, printers, etc. Employees are always included, but other types of people are often added to the list – e.g. students contacts, customers, suppliers, etc.)

Solutions are concerned with access to resources and systems plus the formalization of this process.

Read more about IAM in our glossary.

IdMIdentity Management: An IdM system is a group of applications and/or services that coordinate the exchange of identity information held in different data repositories throughout an organization. Before the implementation of an automated IdM system, most organizations found that information was scattered, duplicated, and inconsistent across their identity repositories. An automated IdM system can make organizational data available in an accurate and timely manner, reducing costs through consolidation and process improvements, and reducing security problems caused by out-of-date access rights.

Read more about IdM in our glossary.

ILMIdentity Lifecycle Manager: An implementation of an Identity Management System (IdM) from Microsoft. Released in 2007. ILM was superseded by FIM in 2010. Back to top
LDAPLightweight Directory Access Protocol: A lightweight version of an interface (X500) for reading and writing data to a tree-like data store. Many directories such as Active Directory, support this interface and MIM includes other MA types that can use LDAP directories as CDSs.
LDIFLDAP Directory Interface Format: A standard text data interchange format for representing LDAP directory content and update requests. MIM includes an OOB MA that can read text files of type LDIF.
LDIFDE
LDIF Data Exchange, or

LDAP Directory Interface Format, Data Exchange, or

Lightweight Directory Access Protocol, Directory Interface Format, Data Exchange:

LDIFDE.EXE is a Microsoft Server command line tool that exports and imports data between Active Directory and an LDIF text file. In an Identity Management context, it can be used to (for example) reset a development Active Directory to a defined set of users and groups before retesting a set of processes.

MAManagement Agent: In MIM, an MA is used to manage the data associated with a specific CDS. The MA not only connects to the CDS but is responsible for managing the flow of data from MIM (export) and into MIM (import); in addition, for some MAs, password changes can be synchronized from Active Directory using PCNS.

There is at least one MA for each CDS. For many MAs, MIM communicates directly with the data source and is termed “call-based”. In some others, an intermediary text file is used, such as AVP, LDIF, CSV, or fixed-width – these are “file-based” MAs. In a third category, a data source communicates with MIM via an intermediary CDS such as a database.

In some cases, the situation may be so complex that none of the alternatives above are appropriate and an ECMA2 would be used.

MFAMulti-Factor Authentication: A security mechanism that requires more than one method of authentication to verify the user’s identity. For example, a security fob, a text to a phone, a randomly selected series of characters from a secret key, etc. Read more about MFA in our glossaryBack to top
MIISMicrosoft Identity Integration Server: An IdM product released in 2003. Superseded by ILM in 2007
MIMMicrosoft Identity Manager: An Identity Management System from Microsoft. MIM has some distinct components, including the MIM synchronization service that can connect to a wide range of CDSs and synchronize objects and attributes, and the MIM service with its associated portal and application database which provides a management portal plus storage of identity and configuration data. MIM was released in 2016 and had a service pack release in 2017.

Read more about MIM in our glossary.

MPRManagement Policy Rule: An object that exists in the MIM Portal to grant permissions within the portal or/and to run workflows. There are two types of MPRs; Set Transition MPRs which can only run workflows, and Request MPRs which can grant permissions and run workflows. A MIM administrator can use MPRs to establish who can use the MIM Portal and when the MIM Service will run required workflows.
MVMetaverse: The central data repository in the MIM synchronization engine which stores the combined data values from all CDSs objects for an identity. Typically an identity will be stored as a single object in the Metaverse, attributes for the identity will be provided by the appropriate CDS. For example, the Metaverse object for Jane Smith might have her last name taken from the HR CDS, email from the AD CDS, and mobile number from a telephone exchange CDS.

The synchronization rules (portal and synchronization service) are responsible for transforming the attributes and objects between the CDSs and Metaverse.

NOSNetwork Operating System: A computer operating system designed to support computers and identities that are connected in a network. AD is an example of a NOS. Back to top
OOBOut Of The Box: The features and capabilities of an application are provided by the manufacturer.
OTPOne-Time Password: A password that is valid for only one login. MIM SSPR can be configured to use OTPs to enable a user to re-write their AD password.
OUOrganizational Unit: A subdivision within an AD domain where users, groups, computers, and other OU’s can be stored. Organizations usually create a hierarchy of OUs to mirror their functional or business structure. Each domain can implement its own organizational unit hierarchy. The MIM AD MA can be used to import or export objects to a particular OU in AD or even to create new OUs.
PAMPrivileged Access Management: A technique (and usually a software component) for managing privileged users in an organization. A privileged account has more access to a system than a normal user; when these accounts are requested for use, PAM can provide extra authentication or authorization to ensure that the correct person is invoking the account. PAM is often used to elevate the account to have privileges on a just-in-time basis and for a limited period.

See our glossary for more information about PAM.

PCNSPassword Change Notification Service: An optional service included with MIM that can be installed on AD domain controllers. PCNS captures a user password change at the Domain Controller and passes it to the MIM synchronization server which in turn sends the new value to CDSs that have been appropriately configured to receive it. In this way, a user’s Active Directory password is replicated to accounts in other CDSs. In some organizations, PCNS is used as an alternative to SSO and is referred to as Reduced Sign-On (RSO). Back to top
PHSPassword Hash Synchronization: The default authentication option in Microsoft Entra Connect – whenever a password is changed on-premises, the password hash from Active Directory is synchronized into Microsoft Entra ID. See our glossary entry for more information.
PIMPrivileged Identity Management: The process or technology focused on managing, monitoring, and protecting powerful privileged user accounts within the IT infrastructure of an enterprise. See our glossary entry for more information.
PKIPublick Key Infrastructure: A collection of hardware, software, people and policies used to issue, store, use, and revoke digital certificates.
PTAPass-through authentication: A feature of Microsoft Entra Connect. It is a simple service in the form of an agent running on one or several on-premises domain-joined servers, that validates a user’s sign-on on behalf of Microsoft Entra ID directly with the on-premises AD. See our glossary entry for more information.
PTAPass-through authentication: A feature of Microsoft Entra Connect. It is a simple service in the form of an agent running on one or several on-premises domain-joined servers, that validates a user’s sign-on on behalf of Microsoft Entra ID directly with the on-premises AD. See our glossary entry for more information.
RARegistration Authority: Collects and verifies subscribers’ identity and information.
RCDCResource Control Display Configuration: In MIM, an XML blob is used to configure the UI that presents resources in the MIM portal. The UI can be modified by changing the XML. Each resource type can have a separate RCDC for creating, editing, or viewing that particular resource.
ROPURun On Policy Update: In MIM also known as Run Mapping, ROPU is a feature that can be enabled for an action workflow when run from a Set Transition MPR. Marking a workflow with ROPU will apply the workflow to all members of the Set whenever the MPR that calls the workflow is modified.
RSOReduced Sign-On:  A technique where a user’s logon password is the same in multiple CDCs. In the MIM world, this can be achieved using PCNS and in Identity Panel Suite through password sync. (See also SSO). Back to top
SCSMSystem Center Service Manager: A Microsoft-integrated platform to help an organization improve the productivity of existing IT environments whilst aligning with industry best practices. MIM uses the SCSM Data Warehouse to help store and manage components for MIM Reporting.
SGSecurity Group: An Active Directory group that is used to allocate a user’s access permissions to a resource; the alternative of manually adding a user’s permissions to each resource is to be avoided for security and manageability reasons. Managing the membership of groups is a very important purpose of MIM as an IdM system.
SoRSystem of Record: A CDS is designated as an authoritative source for a certain identity attribute. For example, the HR system is normally the SoR for a person’s last name.

In some environments, an attribute may have multiple SoRs; in these cases, MIM or HyperSync in Identity Panel Suite will be configured with a system that should be authoritative based on other identity data.

SIDSecurity Identifier: A unique value used to identify a trustee. In AD each account has a unique SID issued by a Windows domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in an access token for that user. The system uses the access token to identify the user in all subsequent interactions with Windows security.
SQLStructured Query Language: Used to communicate with a database. American National Standards Institute (ANSI) defines SQL as the standard language for relational database management systems.

MIM and HyperSync (part of Identity Panel Suite) provide connectors that use SQL statements to perform tasks such as updating data on a database or retrieving data from a database. Back to top

SSAUSelf-Service Account Unlock: A feature of MIM SSPR that enables users to use the SSPR authentication and authorization processes to prove who they are and then unlock their AD accounts without contacting a helpdesk.
SSOSingle Sign-On: A technique where a person is required to only Authenticate once even when accessing different resources – e.g., after logging onto Active Directory, they are not challenged for credentials when accessing an HR system. However, it is – confusingly – also sometimes used for Same Sign-On (same credentials used in two places, but you have to enter them again).

Read more about SSO in our glossary.

SSPRSelf-Service Password Reset: An optional feature of the MIM Portal, and in Microsoft Entra ID and Identity Panel Suite that enables users to prove who they are and have their AD or Entra ID password reset without contacting the helpdesk.
SSRSSQL Server Reporting Services: A server-based report-generating software system from Microsoft. Administered via a Web interface that enables developers and administrators to connect to SQL databases and use SSRS tools to format SQL reports in many complex ways. It also provides a Report Builder tool for less technical users to format SQL reports of lesser complexity.
SSSOSeamless single sign-on: A term used by Microsoft meaning something like “SSO without having to enter your credentials again”, because SSO can mean “same sign-on”. Read more about SSSO in our glossary.
STSSecure Token Service: A cross-platform open standard core component of a web services single sign-on infrastructure (SSO) framework specification. MIM uses STS to enable access to the MIM Web Service on ports 5725 and 5726. Back to top
TFATwo-Factor Authentication: See MFA
U2FUniversal 2nd Factor: The original FIDO project that strengthens and simplifies two-factor authentication (2FA).
UAFUniversal Authentication Framework: Part of the original FIDO project to provide password-less authentication.
UIUser Interface: How a user can interact with a computer system.
URLUniversal Resource Locator: A web address made up usually of words and sometimes numbers that enables a web browser to find a web-based resource such as a website.
WebAuthNWeb Authentication: A web standard published by the World Wide Web Consortium. It is a core component of FIDO2.
WFWorkflow: Used to coordinate and automate tasks to improve organizational efficiency. The MIM Portal enables the creation and application of Windows Workflow Foundation Workflows, sometimes used to enhance the Synchronization Service’s state-based rules. Entra ID provides Lifecycle Identity Workflows for identity-related tasks and Logic Apps for general-purpose workflows.
WTFWTF: A strong expression of surprise or horror. Or in this case, to test that you’ve been paying attention!
WMIWindows Management Instrumentation: A core management technology built into Windows Operating Systems; WMI can be scripted to enable organizations to manage local and remote computers. WMI can read and write various pieces of information about the internal state of computer systems by modeling objects found in Windows systems. These computer system objects are modeled using classes.
XMLExtensible Markup Language: A set of rules for encoding documents in a format that is both human and machine readable. Back to top

If you’d like expert help with identity in your organization get in touch with Oxford Computer Group. And if you need identity training in MIM, Entra, or Identity Panel Suite, then you’re in the right place! Look at our courses and read our awesome student feedback!