Editing Identity and access management (section)

== System capabilities ==
In addition to creation, deletion, modification of user identity data either assisted or self-service, identity management controls ancillary entity data for use by applications, such as contact information or location.
* [[Authentication]]: Verification that an entity is who/what it claims to be using a password, biometrics such as a fingerprint, or distinctive behavior such as a gesture pattern on a touchscreen.
* [[Authorization]]: Managing authorization information that defines what operations an entity can perform in the context of a specific application. For example, one user might be authorized to enter a sales order, while a different user is authorized to approve the credit request for that order.
* [[Role-based access control|Roles]]: Roles are groups of operations and/or other roles. Users are granted roles often related to a particular job or job function. Roles are granted authorizations, effectively authorizing all users which have been granted the role. For example, a user administrator role might be authorized to reset a user's password, while a system administrator role might have the ability to assign a user to a specific server.
* [[Delegation (computer security)|Delegation]]: Delegation allows local administrators or supervisors to perform system modifications without a global administrator or for one user to allow another to perform actions on their behalf. For example, a user could delegate the right to manage office-related information.
* Interchange: The [[Security Assertion Markup Language|SAML]] [[communication protocol|protocol]] is a prominent means used to exchange identity information between two identity domains.<ref>{{cite web|url=http://www.idcommons.org/working-groups/ |title=Working Groups &#124; Identity Commons |publisher=Idcommons.org |access-date=2013-01-12}}</ref> [[OpenID Connect]] is another such protocol.