{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-apis/platform/iam/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"type":"markdown"},"seo":{"title":"Glossary","keywords":"documentation, api, portal, banking, payment, account information, aritma, psd2, open banking, reconciliation","description":"Developer documentation for Aritma's banking and financial APIs - payments, account information, webhooks, authentication and integrations.","meta":[{"name":"google-site-verification","content":"hplqlK_5O42BZjNnjtVQMEpxv9JkxcD1eH4J1T-NQmI"}],"llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"glossary","__idx":0},"children":["Glossary"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Term"},"children":["Term"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Subject"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Anything that can be granted permissions in Aritma IAM. 
Subjects can be users, clients, or groups."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["User"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A human identity linked to an Aritma ID account. Users can log in interactively via Aritma ID or via an SSO provider."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["An OIDC service client used for machine-to-machine API access. Clients authenticate using the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["client_credentials"]}," grant and are assigned policies just like users."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Group"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A named collection of subjects. Policies assigned to a group apply to all members automatically."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Policy"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The binding that grants a subject permission to perform an action on a scope. Every resource-based access decision resolves to one or more policies."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Action"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A string that represents what a subject is allowed to do, e.g. 
",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["banking.manage"]}," or ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["banking.ais.read"]},". Actions form a hierarchy — granting a parent action implicitly grants all child actions beneath it."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Scope"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A URI that identifies the resource a policy applies to, e.g. ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/subscriptions/123/resource-groups/..."]},". The same subject can have different permissions on different scopes. Permissions granted on a scope are inherited by its subscopes."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Tenant"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Your organization's isolated environment on the Aritma platform. All IAM resources (users, clients, groups, policies) are scoped to a tenant."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Tenant Role"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["An OIDC role that represents a subject's standing within a tenant, e.g. ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["TenantAdmin"]},". Tenant roles are returned as claims in access tokens and are used for coarse-grained authorization."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["SSO"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Single Sign-On. 
Lets users authenticate via an external identity provider (IdP) instead of managing separate Aritma ID credentials."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Identity Provider (IdP)"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["An external system that authenticates users, such as Microsoft Entra ID, Google, or a custom OIDC provider."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OIDC"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["OpenID Connect. An authentication layer built on top of OAuth 2.0. Used by Aritma IAM for both SSO federation and client authentication."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OAuth 2.0"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["An authorization framework. Clients obtain access tokens by presenting credentials to a token endpoint and then include the token in API requests."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["SCIM"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["System for Cross-domain Identity Management (",{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://www.rfc-editor.org/rfc/rfc7644"},"children":["RFC 7644"]},"). 
An open standard that allows an identity provider to automatically provision and deprovision users and groups in Aritma."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["SCIM Token"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A bearer token issued by Aritma IAM and configured in your identity provider to authorize SCIM provisioning requests."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Auto-provisioning"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["When enabled on an SSO provider, Aritma automatically creates a user subject the first time they log in — no pre-invitation required."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Delegation"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["When enabled on an SSO provider, tokens issued by that IdP can be used to call Aritma APIs directly, without exchanging them for an Aritma token."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Claim"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A key-value pair included in an OIDC access or identity token. 
Claims convey information about the authenticated subject (name, email, roles, permissions) to consuming applications."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Domain Verification"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Proving ownership of an email domain by publishing a DNS TXT record. Required before you can create users directly (without invitations) for email addresses on that domain."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["client_credentials"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["An OAuth 2.0 grant type used by machine-to-machine clients. The client exchanges a client ID and secret for an access token directly, with no user interaction."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["authorization_code"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["An OAuth 2.0 grant type used by user-facing applications. The user is redirected to the authorization endpoint, authenticates, and an authorization code is exchanged for tokens."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PKCE"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Proof Key for Code Exchange. An extension to the authorization code flow that prevents authorization code interception attacks. 
Required for public clients that cannot store a client secret."]}]}]}]}]}]},"headings":[{"value":"Glossary","id":"glossary","depth":1}],"frontmatter":{"title":"Glossary","seo":{"title":"Glossary"}},"lastModified":"2026-05-08T13:38:07.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/apis/platform/iam/about/glossary","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}