The management of any identity management system requires a fundamental understanding of the data model and their inter-relationships. The entities, even though commonly used across the industry, are different for each organization. We define the entities for AGS and its relations as follows.

Identity management (IDM)

IDM system is a repository of persons, accounts, target systems, forms, entitlements, roles and workflows (or business rules); and provisioning engine that helps in managing identity across the organization.


This entity is the company or establishment that is implementing this system.


A person is a human that has a relation with the organization. The person is typically an employee, customer, contractor, or vendor. A person is often referred to as a User. 

Person Life cycle


An account is a digital identity with a set of credentials and attributes that are given to a person to authenticate themselves to devices and applications. A person can have multiple identities for respective applications or for performing different tasks.

Account Life cycle


An application is a software that processes data. Software is generally divided into data processing software and control, system, and operating software. Applications in this case mean a typical enterprise application that is listed in Application Portfolio Management (APM). Typically, an application is supported using multiple systems such as database, web server, AD, etc. This system software is referenced here as target systems. Access to the application can be provided by using an account in a target system and adding entitlement to an account provisioned in a target system.

Example: “Application A” requires an entitlement named “App A person” in the AD target system.

Application Life cycle

Target Systems

A target system is system software where an Account for a person is physically created, either manually or through automated integrations. It is technically known as an application in IDM. A target system may be connected, partially connected, or disconnected.

Connected Systems: A connected system will have fully automated provisioning.

Partially Connected Systems: A partially connected system will have manual provisioning and auto reconciliation.

Disconnected Systems:  A disconnected system will have manual provisioning and manual or no reconciliation.

Target Life cycle


When a person is provisioned into a target system their digital profile is created. A digital profile consists of Name and demographic data. This profile contains a matching attribute and a person identifier. The setup of profile data for each target system is done through forms.

Using forms, target system owners can customize the fields to be included for provisioning. A field marked account name and the matching attribute must be unique across all persons. A field marked matching attribute is used to match the person profile in the IDM and the account in the target system. 


Entitlements represent permissions in a target system. An entitlement can only be granted to a person who has an account in the target system. An entitlement can represent access levels, activity permissions, or membership to a group, in the respective target system only. Entitlements are granted in IDM and get translated into target systems’ configuration when provisioning of that entitlement is complete. In 12C entitlements are typically granted as part of a Role. 

Entitlement Life cycle

Entitlement Assignment Life cycle


A Role is the logical representation of a Persons’ functional and/or job responsibilities. Roles can be broad, e.g. “Employee”; or narrow, e.g. “AP clerk level 1”. Roles are collections of Entitlements. When a role is assigned to a Person they are granted all entitlements associated with that role. A role is most useful when an application requires the granting of multiple entitlements across many target systems.

Role Assignment Life cycle


A workflow is the sequence of business processes through which a piece of work passes from initiation to completion (e.g. request a catalog item). It is used to route requests to approvers for approval and route manual provisioning tasks to the second level approves for fulfillment.