There are many commonly used acronyms in identity management. They’re very useful shorthand if you know them, but frustrating if you don’t.

If you’ve ever wondered ‘what does that acronym stand for?’ this page is for you. We demystify the identity jargon, cut through the obfuscation, and tell you in clear language what acronyms stand for and what they mean. See also our glossary.

Terms used in identity management quick reference

AM | AD | ADLDS | AuthN | AuthZ | AVP | BHOLD | CAS | CDS | CLM | CM | Cred | CS | CSV | CTAP | DB | DG | DL | DLL | DRE | DRL | DS | DSML | ECMA | ECMA2 | EMPS | ERE | ERL | ERP | FIDO2 | FIM | FTE | GUID | HR | IAM | IdM | ILM | LDAP | LDIF | LDIFDE | MA | MFA | MIIS | MIM | MPR | MV | NOS | OOB | OTP | OU | PAM | PCNS | PHS | PIM | PTA | RBAC | RCDC | ROPU | RSO | SCSM | SG | SoR | SID | SQL | SSAU | SSO | SSPR | SSRS | SSSO | STS | TFA | U2F | UAF | UI | URL | WebAuthN | WF | WMI | XML

So here they are – a list of identity and access management acronyms – in alphabetical order:

AM: Access Management is the process of managing a user’s login (see Authentication) and the level of access to resources (see Authorization).
AD: Active Directory. Simplistically, from an Identity Management point of view, a list of users and groups. More completely, a Directory Service from Microsoft that is included in Windows Server operating systems as a set of processes and services. AD includes centralized domain management and a range of directory-based identity-related services. In most implementations of MIM, AD is one of the CDSs into which identity data is written.
ADLDS: Active Directory Lightweight Directory Services. A lightweight implementation of AD that runs as a service on Windows Server. ADLDS shares its code base with AD and provides some of the same functionality.

It exposes an LDAP Directory Service Interface for access to its Data Store. ADLDS is often used as a Directory Service for a specific application because it removes the need to extend the AD schema with application specific attributes and objects. 

AuthN: Authentication is the process of validating an identity. The classic method of validation is the username/password combination; however, Multi-Factor Authentication (see MFA below) is increasingly used.
Read more about Authentication in our glossary.
AuthZ: Authorization is the process of determining whether a user has the right to access a service or resource, or to perform an action. The granting of access is normally regulated via group membership, or the allocation of roles or claims.
AVP: Attribute Value Pair. A text file format where attributes are represented as a name and value separated by a colon (:). Each pair is stored on a single line and sets of attributes (objects) are separated by a blank line. For example:

ObjectType: person
FirstName: Peter
LastName: Smith
Role: Admin
Role: Manager

ObjectType: person
FirstName: John
LastName: Brown
Email: john.brown@bbx.com
Role: Security

There are two major advantages of AVP over the CSV format (see below): individual objects can have different sets of attributes (e.g. not every object has to have a populated email address), and multi-valued attributes are easily represented (e.g. the Role attribute above). MIM has an OOB MA for reading AVP files.
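To make the format concrete, here is an added Python parser for AVP files (example code written for this page, not MIM’s own AVP MA). It assumes the plain “Name: value” layout shown above with blank lines separating objects, and the sample input is constructed; the final function shows what is lost when the same records are squashed into fixed CSV columns.

```python
"""Parser for the AVP (attribute-value pair) text format described above.
Constructed example for this page; not code from MIM or its AVP MA."""
from typing import Dict, List

# Constructed sample input mirroring the format shown above:
# "Name: value" pairs, one per line, objects separated by a blank line.
SAMPLE_AVP = """\
ObjectType: person
FirstName: Peter
LastName: Smith
Role: Admin
Role: Manager

ObjectType: person
FirstName: John
LastName: Brown
Email: john.brown@bbx.com
Role: Security
"""

# Every attribute is stored as a list, so single- and multi-valued
# attributes (e.g. the two Role lines) are handled uniformly.
Record = Dict[str, List[str]]


def parse_avp(text: str) -> List[Record]:
    """Split AVP text into a list of records (one dict per object).

    One or more blank lines close a record; trailing blank lines do not
    produce an empty record. A line without a colon is rejected rather
    than silently merged into the previous value.
    """
    records: List[Record] = []
    current: Record = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            if current:
                records.append(current)
                current = {}
            continue
        # Split on the first colon only, so values may contain ':' themselves.
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'Name: value', got {raw!r}")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def attribute(record: Record, name: str) -> List[str]:
    """Return all values of an attribute, or [] if this object lacks it.

    Unlike a CSV column, an absent attribute is simply missing from the
    record, so callers must not assume every object carries every name.
    """
    return record.get(name, [])


def to_csv_rows(records: List[Record], columns: List[str], multi_sep: str = ";") -> List[List[str]]:
    """Flatten records to fixed CSV columns.

    Demonstrates the two points made in the text: missing attributes become
    empty cells, and multi-valued attributes must be squashed into a single
    cell with an ad-hoc separator that the CSV format itself does not define.
    """
    return [[multi_sep.join(attribute(rec, col)) for col in columns] for rec in records]
```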

BHOLD: BHOLD is an optional component supplied with MIM that uses Role-Based Access Control (RBAC) to simplify the allocation of roles to users. BHOLD can allocate user roles using automated rules and workflows, both driven by business rules; the roles are then mapped to access rights (permissions) within individual applications. This can include job separation requirements or access to classified information. With the release of MIM 2016 SP1, Microsoft has de-emphasized BHOLD whilst still supporting it for existing customers; new customers requiring RBAC are being redirected to Access Reviews in Azure.
CAS: Central Authentication Service. A web single sign-on protocol which grants a user access to multiple services after they have been authenticated; i.e. they will not be re-challenged for their credentials as they navigate between different applications. See Single Sign-On (SSO).
CDS: Connected Data Source. A system to which MIM connects to read and write data via a Management Agent.
CLM: Certificate Lifecycle Manager. An optional FIM component focused on providing enhanced certificate management for Active Directory and smart cards.
CM: Certificate Manager. An optional MIM component mainly focused on managing smart cards; additionally, CM may be used to manage and trace any type of certificate request. CM includes the ability to manage machine certificates but was really developed around the user context.
Cred: Credential. An item such as an ID card, or a username/password combination, used by persons or entities for the purpose of Authentication.
CS: Connector Space. A dataset used by a MIM MA to store a subset of the connected system’s data. The contents of each dataset are limited to the objects and attributes that are managed by MIM. This dataset is used to determine the synchronization status of the data; i.e. by comparing the CS data to the data in the CDS, MIM can determine whether updates should be exported to the CDS or, alternatively, whether changed data from the CDS needs to be processed.

The CS is essentially a version of the related CDS, each managed object in the CDS having a corresponding entry in the CS.

CSV: Comma Separated File. Traditionally a text file format where attributes are represented as values separated by a comma on a single line. The values may be surrounded by (for example) a quotation character (“) to permit a comma to be used within a value. The file may contain the attribute names as a line at the head of the file.

The word “traditionally” was used because many CSV files use a different separator character, such as a tab.

MIM has an OOB MA for reading CSV files.

CTAP: Client To Authenticator Protocol. Defines how browsers and operating systems communicate with external authenticators (FIDO security keys, mobile devices) for a passwordless, second-factor or multi-factor authentication experience.
DB: Database. A structured collection of data. MIM provides a number of MAs to connect to various database products, e.g. Microsoft SQL Server, IBM DB2 and Oracle Database. MIM uses Microsoft SQL Server as its primary internal database repository.
DG: Distribution Group. An AD group that enables you to use a single object to manage a set of users. DGs are almost exclusively used as email lists. Typically, you can’t use DGs to assign permissions to their members; Security Groups are used for this purpose.

Managing the membership of groups is a primary purpose of MIM as an IdM system.

DL: Distribution List. A specific use of DGs solely as email distribution lists. These lists are for use with email applications such as Microsoft Exchange. You can add and remove contacts from the list so that they will or will not receive email sent to the distribution group.
DLL: Dynamic Link Library. Typically, a file (often called an assembly) that contains a set of instructions that can be used by other programs. There are many advantages to using DLLs rather than a monolithic piece of code; these include modularization and the sharing of functions across multiple programs. The custom rules that MIM applies to objects in the Connector Space and Metaverse are compiled into DLLs when the MIM architect designs the rules to match the business requirements.
DRE: Detected Rule Entry. An object that is stored in a DRL and used to point a resource to an outbound synchronization rule. It is created when a synchronization rule has an existence test that has been satisfied.
DRL: Detected Rules List. An attribute used to track the results of existence tests. The DRL attribute is multi-valued because there may be several existence tests configured for an object. Because an individual existence test is configured in an outbound synchronization rule, each value of the DRL attribute eventually points to the outbound synchronization rule for which the existence test was satisfied.
DS: Directory Service. Systems that store, organize and provide access to shared information across a network. A primary use of a Directory Service in identity management is to authenticate a user and, in many cases, provide authorization for access to resources.

MIM has a number of OOB MAs for directory access, e.g. Active Directory, ADLDS, IBM Directory Service, Novell eDirectory and Oracle Directory.

DSML: Directory Service Mark-up Language. A representation of directory service information in an XML format. MIM includes an OOB MA that can read a DSML file.
ECMA: Extensible Connectivity Management Agent. An MA type that can be programmatically extended to connect to a CDS. This approach is useful if Microsoft has not included an OOB MA which will do the job. After you have written the code to read from and write to the CDS, the ECMA behaves similarly to the OOB MAs; however, ECMAs do have limitations and many features provided by OOB MAs are not available to the ECMA programmer. ECMAs are no longer supported by Microsoft and have been superseded by ECMA2. Find out more about ECMA2 in our glossary.
ECMA2: Extensible Connectivity Management Agent 2. Introduced in FIM 2010 R2 as a more feature-rich version of the ECMA. While the ECMA was simple and effective for providing a quick solution to a specific problem, ECMA2 is much better at providing a generic solution, to be used over and over again within a project or organization, or perhaps as a publicly available product. Most of the features used by the OOB MAs from Microsoft are available to the ECMA2 programmer. Find out more about ECMA2 in our glossary.
EMPS (EMS & EM+S): Enterprise Mobility Plus Security. A Microsoft cloud-based offering combining standalone solutions in a discounted pricing suite, licensed on a per-user basis. EMPS, also sometimes written as EMS or EM+S, integrates Identity and Access Management, Mobile Application Management and Mobile Device Management solutions with security solutions for information protection and threat management. The EMPS license includes licensing for MIM.
ERE: Expected Rule Entry. In MIM, an object that links a portal synchronization rule to a resource such as a user or group. The ERE is imported into the Synchronization Service, where the rule will be applied to the resource when the appropriate run profile is executed.
ERL: Expected Rules List. A multi-valued attribute bound to objects in the MIM Portal and the Metaverse that holds the list of EREs for that object.
ERP: Enterprise Resource Planning. A process by which a company manages and integrates parts of its business. An ERP management information system integrates areas such as planning, purchasing, inventory, sales, marketing, finance and human resources. Organizations will often use their ERP system as a CDS.
FIDO2: An open authentication standard of internet-scalable protocols which allow users to authenticate to websites and services using passwordless strong authentication. It consists of the W3C Web Authentication specification (the WebAuthn API, Application Programming Interface) and the Client to Authenticator Protocol (CTAP). FIDO stands for Fast IDentity Online. Find out more about FIDO2 in our glossary.
FIM: Forefront Identity Manager. An implementation of an Identity Management System from Microsoft. Released in 2010, with a second major release in 2012. FIM has since been superseded by MIM.

ILM, FIM & MIM compared in our glossary.

FTE: Full Time Employee. A person employed by an organization, typically with a monthly salary and other FTE benefits such as a pension. MIM will typically be used to extract FTE identity data from an HR system and then synchronize the data to other CDSs.
GUID: Globally Unique Identifier. A number that is programmatically generated to create a unique attribute for an entity such as an MV object. MIM uses a 16-byte field to hold the unique identifier of each MV object.
HR: Human Resources. The department and systems within an organization responsible for managing resources related to employees.
IAM: Identity and Access Management. Identity Management is the way we record and manage information about identities, usually people but also computers, departments, printers, etc. Employees are always included, but other types of people are often added to the list (e.g. students, contacts, customers, suppliers, etc.).

IAM solutions are concerned with access to resources and systems, plus the formalization of this process.

Read more about IAM in our glossary.

IdM: Identity Management. An IdM system is a group of applications and/or services that co-ordinate the exchange of identity information held in different data repositories throughout an organization. Prior to the implementation of an automated IdM system, most organizations find that information is scattered, duplicated and inconsistent across their identity repositories. An automated IdM system can make organizational data available in an accurate and timely manner, reducing costs through consolidation and process improvements, and reducing security problems caused by out-of-date access rights.

Read more about IdM in our glossary.

ILM: Identity Lifecycle Manager. An implementation of an Identity Management System (IdM) from Microsoft. Released in 2007, ILM was superseded by FIM in 2010.
LDAP: Lightweight Directory Access Protocol. A lightweight version of the X.500 interface for reading and writing data in a tree-like data store. Many directories, such as Active Directory, support this interface, and MIM includes MA types that can use LDAP directories as CDSs.
LDIF: LDAP Directory Interface Format. A standard text data interchange format for representing LDAP directory content and update requests. MIM includes an OOB MA that can read text files of type LDIF.
LDIFDE: LDIF Data Exchange, or LDAP Directory Interface Format, Data Exchange, or Lightweight Directory Access Protocol, Directory Interface Format, Data Exchange.

LDIFDE.EXE is a Microsoft Windows Server command line tool that exports and imports data between Active Directory and an LDIF text file. In an Identity Management context, it can be used to (for example) reset a development Active Directory to a defined set of users and groups before retesting a set of processes.

MA: Management Agent. In MIM, an MA is used to manage the data associated with a specific CDS. The MA not only connects to the CDS, but is responsible for managing the flow of data out of MIM (export) and into MIM (import); in addition, for some MAs, password changes can be synchronized from Active Directory using PCNS.

There is at least one MA for each CDS. For many MAs, MIM communicates directly with the data source; these are “call-based” MAs. For others, an intermediary text file is used, such as AVP, LDIF, CSV or fixed-width; these are “file-based” MAs. In a third category, a data source communicates with MIM via an intermediary CDS such as a database.

In some cases, the situation may be so complex that none of the alternatives above will work; in that case an ECMA2 is used.

MFA: Multi-Factor Authentication. A security mechanism that requires more than one method of authentication to verify the user’s identity; for example, a security fob, a text message to a phone, a randomly selected series of characters from a secret key, etc. Read more about MFA in our glossary.
MIIS: Microsoft Identity Integration Server. An IdM product released in 2003. Superseded by ILM in 2007.
MIM: Microsoft Identity Manager. An Identity Management System from Microsoft. MIM has several distinct components, including the MIM Synchronization Service, which can connect to a wide range of CDSs and synchronize objects and attributes, and the MIM Service with its associated portal and application database, which provides a management portal plus storage of identity and configuration data. MIM was released in 2016 and had a service pack release in 2017.

Read more about MIM in our glossary.

MPR: Management Policy Rule. An object that exists in the MIM Portal to grant permissions within the portal and/or to run workflows. There are two types of MPR: Set Transition MPRs, which can only run workflows, and Request MPRs, which can grant permissions and run workflows. A MIM administrator can use MPRs to establish who can use the MIM Portal and when the MIM Service will run required workflows.
MV: Metaverse. The central data repository in the MIM synchronization engine, which stores the combined data values from all CDS objects for an identity. Typically an identity will be stored as a single object in the Metaverse, with the attributes for the identity provided by the appropriate CDS. For example, the Metaverse object for Jane Smith might have her last name taken from the HR CDS, her email from the AD CDS and her mobile number from a telephone exchange CDS.

The synchronization rules (portal and synchronization service) are responsible for transforming the attributes and objects between the CDSs and the Metaverse.

NOS: Network Operating System. A computer operating system designed to support computers and identities that are connected in a network. AD is an example of a NOS.
OOB: Out Of The Box. The features and capabilities of an application which are provided by the manufacturer.
OTP: One-Time Password. A password that is valid for only one login. MIM SSPR can be configured to use OTPs to enable a user to reset their AD password.
OU: Organizational Unit. A subdivision within an AD domain where users, groups, computers and other OUs can be stored. Organizations usually create a hierarchy of OUs to mirror their functional or business structure. Each domain can implement its own organizational unit hierarchy. The MIM AD MA can be used to import or export objects to a particular OU in AD, or even to create new OUs.
PAM: Privileged Access Management. A technique (and usually a software component) for managing privileged users in an organization. A privileged account has more access to a system than a normal user; when such an account is requested for use, PAM can provide extra authentication or authorization to ensure that the correct person is invoking the account. PAM is often used to elevate an account to the required privileges on a just-in-time basis and for a limited period.

See our glossary for more information about PAM.

PCNS: Password Change Notification Service. An optional service included with MIM that can be installed on AD domain controllers. PCNS captures a user’s password change at the Domain Controller and passes it to the MIM synchronization server, which in turn sends the new value to CDSs that have been appropriately configured to receive it. In this way, a user’s Active Directory password is replicated to accounts in other CDSs. In some organizations, PCNS is used as an alternative to SSO and is referred to as Reduced Sign-On (RSO).
PHS: Password Hash Synchronization is the default authentication option in Azure AD Connect: whenever a password is changed on premises, the password hash from Active Directory is synchronized into Azure AD. See our glossary entry for more information.
PIM: Privileged Identity Management. The process or technology focused on managing, monitoring and protecting powerful privileged user accounts within the IT infrastructure of an enterprise. See our glossary entry for more information.
PTA: Pass-through Authentication is a feature of Azure AD Connect. It is a simple service, in the form of an agent running on one or several on-premises domain-joined servers, which validates a user’s sign-on on behalf of Azure AD directly against the on-premises AD. See our glossary entry for more information.
RBAC: Role-Based Access Control. An approach to restricting system access to authorized users. RBAC is used by enterprises to implement discretionary access control over various resources based on a role assigned to a user. RBAC is sometimes referred to as role-based security. MIM includes BHOLD, an optional component that can provide RBAC.
RCDC: Resource Control Display Configuration. In MIM, an XML blob that is used to configure the UI which presents resources in the MIM Portal. The UI can be modified by changing the XML. Each resource type can have a separate RCDC for creating, editing or viewing that particular resource.
ROPU: Run On Policy Update. In MIM, also known as Run Mapping, ROPU is a feature that can be enabled for an action workflow when run from a Set Transition MPR. Marking a workflow with ROPU will apply the workflow to all members of the Set whenever the MPR that calls the workflow is modified.
RSO: Reduced Sign-On. A technique where a user’s logon password is the same in multiple CDSs; in the MIM world, this can be achieved using PCNS. (See also SSO.)
SCSM: System Center Service Manager. A Microsoft integrated platform to help an organization improve the productivity of existing IT environments whilst aligning to industry best practices. MIM uses the SCSM Data Warehouse to store and manage the data for MIM Reporting.
SG: Security Group. An Active Directory group that is used to allocate a user’s access permissions to a resource; the alternative of manually adding a user’s permissions to each resource is to be avoided for security and manageability reasons. Managing the membership of groups is a very important purpose of MIM as an IdM system.
SoR: System of Record. A CDS that is designated as the authoritative source for a certain identity attribute. For example, the HR system is normally the SoR for a person’s last name.

In some environments, an attribute may have multiple SoRs; in these cases, MIM will be configured to choose which system should be authoritative based on other identity data.

SID: Security Identifier. A unique value used to identify a trustee. In AD each account has a unique SID, issued by a Windows domain controller and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in an access token for that user. The system uses the access token to identify the user in all subsequent interactions with Windows security.
SQL: Structured Query Language. Used to communicate with a database. The American National Standards Institute (ANSI) defines SQL as the standard language for relational database management systems.

MIM provides MAs that use SQL statements to perform tasks such as updating data in a database or retrieving data from a database, namely the SQL Server MA and the Oracle Database MA.

SSAU: Self-Service Account Unlock. A feature of MIM SSPR that enables users to use the SSPR authentication and authorization processes to prove who they are and then unlock their AD accounts without contacting the helpdesk.
SSO: Single Sign-On. A technique where a person is required to authenticate only once even when accessing different resources; e.g. after logging on to Active Directory, they are not challenged for credentials when accessing an HR system. However, the term is (confusingly) also sometimes used for Same Sign-On (the same credentials are used in two places, but you have to enter them again).

Read more about SSO in our glossary.

SSPR: Self-Service Password Reset. An optional feature of the MIM Portal that enables users to prove who they are and have their AD password reset without contacting the helpdesk.
SSRS: SQL Server Reporting Services. A server-based report generating software system from Microsoft. Administered via a web interface that enables developers and administrators to connect to SQL databases and use SSRS tools to format SQL reports in many complex ways. It also provides a Report Builder tool for less technical users to format SQL reports of lesser complexity.
SSSO: Seamless Single Sign-On. A term used by Microsoft meaning something like “SSO without having to enter your credentials again”, because SSO can mean “same sign-on”. Read more about SSSO in our glossary.
STS: Secure Token Service. A cross-platform open standard core component of a web services single sign-on (SSO) infrastructure framework specification. MIM uses STS to enable access to the MIM Web Service on ports 5725 and 5726.
TFA: Two-Factor Authentication. See MFA.
U2F: Universal 2nd Factor. The original FIDO project, which strengthens and simplifies two-factor authentication (2FA).
UAF: Universal Authentication Framework. Part of the original FIDO project, providing passwordless authentication.
UI: User Interface. The means by which a user interacts with a computer system. MIM uses the Synchronization Service Manager as the UI for the MIM Synchronization Service. MIM also uses the MIM Portal as the UI for accessing the MIM Service.
URL: Universal Resource Locator. A web address, usually made up of words and sometimes numbers, that enables a web browser to find a web-based resource such as a website. The MIM Portal uses URLs to enable a user to browse to various pages within the portal from the Home Page or the Navigation Bar.
WebAuthN: Web Authentication is a web standard published by the World Wide Web Consortium. It is a core component of FIDO2.
WF: Workflow. Used to co-ordinate and automate tasks with the goal of improving organizational efficiency. The MIM Portal enables the creation and application of Windows Workflow Foundation workflows, sometimes used to enhance the Synchronization Service’s state-based rules.
WTF: A strong expression of surprise or horror. Or in this case, a test that you’ve been paying attention!
WMI: Windows Management Instrumentation. A core management technology built into Windows operating systems; WMI can be scripted to enable organizations to manage local and remote computers. WMI can read and write various pieces of information about the internal state of computer systems by modelling objects found in Windows systems. These computer system objects are modelled using classes.
XML: Extensible Markup Language. A set of rules for encoding documents in a format that is both human- and machine-readable. MIM includes several mechanisms for reading or creating XML files.

If you’d like expert help with identity in your organization get in touch with Oxford Computer Group. And if you need identity training in MIM or Azure, then you’re in the right place! Look at our courses and read our awesome student feedback!