Glossary
82 canonical concepts spanning physical access, identity, HR, mobile credentials, and federation standards. Each concept records per-vendor terminology — so when one PACS calls it a "Clearance" and another calls it an "Access Group," the wiki resolves them to the same thing.
Provisioning (20)
Access Level
The PACS primitive that grants a cardholder access to a defined set of readers, doors, areas, or floors — usually constrained by a schedule.
Anti-Passback (APB)
A PACS security policy that prevents a cardholder from re-entering a controlled area (or exiting) without first having performed the opposite movement — typically used to stop b…
Badge / Credential
The physical or virtual artifact a cardholder presents at a reader to authenticate.
Cardholder
The principal identity inside a Physical Access Control System (PACS).
Holiday Schedule
A PACS time policy that overrides normal access during designated holiday dates.
Identity Lifecycle Events
The discrete state transitions in an identity's lifecycle that AE Guardian must detect and respond to.
IGA (Identity Governance & Administration)
The discipline of governing the full identity lifecycle at enterprise scale — including birthright provisioning (new hire automatically gets the right access on day one), access…
ISU (Integration System User) — Workday
Workday's dedicated service-account pattern for API integrations.
JIT (Just-In-Time) Provisioning
An identity-provisioning pattern where the user account in the destination system is created at first login rather than provisioned in advance.
Microsoft Graph API
Microsoft's unified REST API for Microsoft 365 + Microsoft Entra ID + Azure services — accessed at graph.
Pass template / SKU
Defines the credential type, artwork, metadata, and policy that apply
PIAM (Physical Identity & Access Management)
The discipline of governing physical-access identities across an enterprise — typically employees, contractors, and long-tenured non-employees.
Post-Provisioning Pass Update (PPPU)
HID's update mechanism for already-provisioned passes.
Provisioning payload
The encrypted/signed bundle delivered from the issuer to the wallet
Provisioning unit
The atomic unit of credential issuance — what gets added to a wallet
SCIM (System for Cross-domain Identity Management)
A REST + JSON-based standard for identity provisioning between systems — defined in RFC 7643 (schema) and RFC 7644 (protocol).
SOC Insights
AlertEnterprise's solution for ingesting badge events and alarm data from PACS to generate hardware-level and identity-level intelligence for the customer's Security Operations…
System of Record (SoR)
The authoritative source for a given piece of identity data.
User invitation
A one-time code or token distributed to a user that authorizes them
VIM (Visitor Identity Management)
The visitor-oriented sister discipline to PIAM.
Authentication (9)
Application-ID (TPS-certified)
Identifier HID issues to applications via the Technology Partner
Conditional Access (Entra ID)
Microsoft Entra ID's policy engine that gates authentication based on signals — user, device, location, application, risk level.
MFA (Multi-Factor Authentication)
Authentication that requires two or more independent factors — typically something you know (password / PIN), something you have (TOTP authenticator / FIDO2 security key / push-…
OpenID Connect (OIDC)
An identity layer on top of OAuth 2.
Partner authentication
How an integrator authenticates to the credential provider's API.
Required custom headers
Vendor-specific headers required on every API call beyond standard
SAML 2.0
Security Assertion Markup Language — the dominant enterprise SSO federation protocol since the mid-2000s, defined by OASIS.
System account format
HID Origo's machine-account naming convention for OAuth client_id
Tenancy identifier
The vendor-side primary key that scopes all of a partner's resources.
Identifiers (8)
CHUID (Cardholder Unique Identifier)
A standardized cardholder identifier used across PIV (Personal Identity Verification) and PIV-I (PIV-Interoperable) credentials, defined in FIPS 201.
Correlation identifier
Request-scoped identifier carried in HTTP headers (or payload) for
Device-bound credential identifier
Identifier scoped to a specific (credential × device) pair.
Eligible-user data sync
How the customer's identity system (Workday, Okta, Entra ID, etc.
FASC-N (Federal Agency Smart Credential Number)
The federal-issued identifier embedded in a PIV credential, defined in NIST SP 800-73 and FIPS 201.
Federated identifier
Wavelynx's design pattern: identifiers (VUID, PBID, device-bound IDs)
Pass identifier
Unique identifier for a single provisioned wallet pass instance.
User model
How a vendor models the end user.
Credential Formats (4)
Card Format
The bit-layout structure of a physical or virtual access credential — defines how the reader interprets the bytes streamed off the card / wallet pass.
Credential format
The on-device data structure that an NFC reader actually authenticates
Seos
HID's proprietary credential technology — the on-chip data
Trusted Service Manager (TSM)
Intermediary HID infrastructure that brokers credential delivery
Transport (6)
Component Interface (PeopleSoft)
PeopleSoft's mechanism for exposing PeopleSoft business logic to external integrators.
IFlow (SAP BTP Integration Flow)
An Integration Flow in SAP Business Technology Platform / Cloud Integration.
OSDP (Open Supervised Device Protocol)
An open, bidirectional, SIA-standardized reader-to-controller protocol — the modern replacement for the one-way Wiegand reader protocol.
Panel / Controller
The intermediate hardware that aggregates one or more readers, makes the local access-grant decision, drives the door strike / mag-lock, and reports events upstream.
Reader
The edge hardware that physically reads a credential — typically mounted at a door, turnstile, or elevator call panel.
Wiegand
The legacy one-way reader-to-controller protocol that dominated PACS deployments from the 1980s through the 2010s.
Lifecycle States (6)
Active (lifecycle state)
Credential is provisioned, present on the user's device, and
Failed (lifecycle state)
Issuance or revocation could not complete.
Pending (lifecycle state)
Initial state after issuance request, before the wallet has
Provisioning (lifecycle state)
Issuance has begun and the wallet is processing the credential.
Revoked (lifecycle state)
Terminal state.
Suspended (lifecycle state)
Credential is paused — it remains on-device but doesn't authenticate
Webhooks (5)
Webhook authentication
How the receiver verifies a webhook came from the vendor.
Webhook delivery shape
How many events ship per HTTP request.
Webhook failure handling
What happens when a webhook delivery fails.
Webhook payload specification
The wire-format spec a vendor's webhooks conform to.
Webhook subscription model
How partners register interest in events.
Key Material (5)
LEGIC Orbit
LEGIC's HSM-backed key management service.
LEGIC Trusted Service
LEGIC's key-handling service infrastructure.
Master key store
Where the issuer's master keys (from which per-credential keys are
Per-credential key diversification
Wavelynx's deterministic process for deriving a unique per-credential
Wrapped key material
Symmetric credential keys delivered to the wallet platform in
Standards (3)
OSS-SID (Standard Interface Data)
OSS Association standard companion to OSS-SO, specifying the data
OSS-SO (Standard Offline)
OSS Association standard for offline-capable electronic access
PIV / FIPS 201
Personal Identity Verification (PIV) — the federal standard for identity credentials, defined in FIPS 201 by NIST.
Apple Platform (7)
Apple Credential Provider (UAP role)
Apple's role definition under the Apple Wallet Access Program (UAP)
Apple Enhanced Contactless Polling (ECP)
Apple's proprietary contactless protocol that adds a control-channel
Apple Wallet Access Program (UAP)
Apple's program for credential providers and credential managers
Enhanced Contactless Polling (ECP)
Apple's proprietary extension to ISO/IEC 14443.
Express Mode
Apple device feature that allows the credential to authenticate
Power Reserve Mode
When the iPhone or Apple Watch enters low-battery shutdown, recent
Terminal Requested Authentication (TRA)
Reader-side configuration that forces the Apple device to require
Google Platform (4)
Collector ID
Identifier the NFC reader transmits to the Android device on each
Google Access Hub (LEGIC service)
LEGIC's Google Wallet integration service — analogous role to their
Google Wallet — no user-initiated provisioning
Structural feature gap vs.
Smart Tap
Google's proprietary NFC protocol for delivering data from an
AE Internal (5)
AE Wallet App
AE's mobile-native client (iOS, Android).
AE Web (provisioning UI)
Browser-based provisioning surface.
Guardian NFC Cloud Service
AE's cloud orchestration layer between Guardian and the credential
Guardian Platform
AE's PIAM (Physical Identity & Access Management) platform — the
LEGIC Connect
LEGIC's cloud platform for issuing and managing mobile credentials.