Access Certification

Access Certification, also known as Access Attestation or User Access Reviews, is the process of reviewing the appropriateness of the entitlements assigned to a service user in a downstream application. 

Access Review

Access Review, also known as Access Attestation, Access Certification, or User Access Review, is the process of reviewing the appropriateness of the entitlements assigned to a service user in a downstream application.

Application Connector

An Application Connector is the mechanism that allows Clarity to securely communicate with Downstream Applications.

Application Owner

An Application Owner is a Clarity Identity responsible for application-specific self-service access requests and User Access Reviews.

This is configured on the Application Configure Screen or during the app onboarding process.

Applications > Choose Application > Pen Icon (top right)


Attribute

An Attribute is a piece of information used to describe a service user, entitlement, or identity. Common examples include First Name, Last Name, Job Title, and Department.


Clarity Connect

Clarity Connect is a virtual appliance that establishes a connection between on-premises applications and a Clarity tenant.


Downstream Application

A Downstream Application is any application that supplies Clarity with service users, entitlements, and attributes.



Entitlement

An Entitlement is an assignable permission found in a downstream application. Common examples include licenses, groups, and policies.

Entitlement Group

An Entitlement Group is a set of entitlements linked together, allowing for simplified bulk entitlement provisioning.

Entitlement Owner

An Entitlement Owner is a Clarity Identity responsible for entitlement-specific self-service access requests and User Access Reviews.

Ways to configure:

  • Entitlements > Pick an Entitlement > Click Gear Icon (top right)
  • Entitlements > Bulk Edit > Owner Column

Entitlement Suggestions

This is an automatically generated list of entitlements that a significant percentage of the role members have in common. You may want to consider making these entitlements part of the role.

This is found in the Manage page of an individual role.

Entitlement Type

An Entitlement or Resource Type is an attribute of an entitlement defined by a downstream app. Common examples include Groups, Licenses, Policies, or Roles. 


Exception

An Exception is an entitlement granted to an Identity outside of their dedicated role.


Grant Type

Grant Type details how an Identity received access to an entitlement, either through a role or as an exception to its role.  


High Risk

High Risk is a flag used to denote Entitlements or Roles that have an elevated level of risk and require additional attention and review.


  • Entitlements > Filter by App > Choose Entitlement > Gear Icon
  • Entitlements > Bulk Edit > High Risk Column


  • Roles > Click your Role > Manage > Gear Icon
  • Roles > Bulk Edit > High Risk Column



Identity

An Identity is the grouping of service users, attributes, and assigned entitlements that belong to a single entity (employee, contractor, or service account).

Identity Reconciliation

Identity Reconciliation is the process of matching downstream application service users with an Identity found in Clarity. 


Organizational Units

Organizational Units are a top-down hierarchical structure used to generate Roles in Clarity.

Orphaned Account

An Orphaned Account is an account that is marked as inactive in your Source of Truth but is still active in one or more of your downstream applications.


Proxy Entitlement

A Proxy Entitlement is a custom entitlement created to represent another entitlement under a different name. It can be created under the Proxy Service in the Marketplace as a way to represent certain entitlements under a custom/manual application created by you.



Role Based Access Control is an approach to managing access by provisioning pre-approved access based on an Identity's function within an organization.


A value between 0 and 100; the higher the number, the greater the risk of material impact on your institution associated with the item.


Role

A Role is a group of entitlements provisioned for an Identity during life cycle management events.

Role Based Access Control

Role Based Access Control is an approach to managing access by provisioning pre-approved access based on an Identity's function within an organization.

Role Owner

A Role Owner is a Clarity Identity responsible for reviewing and approving changes to your Roles (Role Access Reviews).

This can only be modified from the Roles > Bulk Edit Page.

Rubber Stamping

Rubber Stamping is approving automatically without further review.


Service Identifier

A Service Identifier is the unique identifier for a Service User in a downstream application. Example: GUID in Microsoft.

Service User

A Service User is a user, or service account, discovered by Clarity in a downstream application.

Service User Entitlements

Service User Entitlements are the pairings of users and active entitlement access in downstream applications. 

Single Source of Truth

A Single Source of Truth (SSoT) is the master record for identity data. SSoTs are typically the company's HR platform or an enterprise directory service such as Active Directory.

Sync Options

Sync Options define how frequently Clarity queries downstream applications for Service Users, Entitlements, and Attributes.



Tags

Tags are labels that help you distinguish or target certain items within Clarity. Most notably, they can be used to perform targeted Access Reviews.

Tags can be applied to Applications, Identities, Entitlements, and Roles.

Trust Permission

Read Only: The application is only permitted to read the data from the application connection; no data is ever written back to the source.

Read + Provision/Deprovision: Clarity is permitted to read information from the source as well as add or remove access to entitlements (when users are hired or terminated).

Write: Similar to Read + Provision/Deprovision above; however, Clarity can also write attributes back to the source.

Trust Relationship

Single Source of Truth:

Partial Source of Truth: An application that provides some of the identities for your organization.

Ex: HR platform, Azure Active Directory

Recipient only: Identities will not be created based on this source of truth. 

Ex: Zoom, Slack


Unique Identifier

Unique Identifiers are used by Clarity to differentiate connected applications that are associated with the same product. Example: an environment has two Salesforce environments and two Salesforce connectors. The unique identifiers could be Salesforce-A and Salesforce-B. 
