In the realm of identity governance, the concept of the identity cube is fundamental to the architectural design of SailPoint IdentityIQ. These cubes are more than static containers; they are dynamic entities that capture, reflect, and maintain comprehensive profiles of individuals within an organization. Each identity cube acts as a single source of truth, integrating data from various authoritative systems to provide a holistic view of a user’s access, attributes, and activities.
An identity cube encapsulates several layers of user information. From personal identity attributes to entitlements and role affiliations, every detail is systematically mapped and stored. This integration simplifies auditing, enhances decision-making, and ensures every identity within the enterprise is traceable and manageable. By aligning user access with business context, identity cubes empower organizations to enforce policies while enabling seamless user experiences.
Role Architecture in IdentityIQ
SailPoint’s role model allows for a granular and hierarchical structuring of access privileges through four distinct types of roles. Each role serves a unique purpose in the identity governance strategy and collectively supports refined access control mechanisms.
Organizational roles are designed to reflect the structural hierarchy within a business. These roles mirror departments, teams, or geographical divisions, offering a logical pathway to distribute entitlements based on organizational alignment. Business roles, on the other hand, are task-driven. They define access based on specific job functions, enabling streamlined provisioning for roles such as HR specialists or financial auditors.
IT roles encapsulate technical permissions. They are primarily concerned with system-level access and are instrumental for IT administrators or engineers who require elevated rights. Lastly, entitlement roles represent clusters of permissions, grouped together to simplify the management of frequently assigned access rights. This layered model ensures scalability and precision across access governance activities.
The Structure of Role-Based Access Control
Role-based access control, or RBAC, is an access management approach that assigns permissions to users based on their roles within an enterprise. The strategic implementation of RBAC within SailPoint IdentityIQ fosters a principle-of-least-privilege environment where users are granted only the access necessary for their duties.
RBAC provides several organizational advantages. It mitigates the risks associated with overprovisioning by tying access rights to functional roles rather than individuals. This abstraction not only reduces administrative overhead but also strengthens compliance postures. As roles change due to promotions or lateral moves, the identity cube can dynamically adjust associated permissions, ensuring continuity and security.
Beyond efficiency, RBAC aligns identity governance with business operations. It enables auditable processes, facilitates policy enforcement, and supports automated provisioning. The precision and adaptability of RBAC make it a cornerstone in modern access management.
Centralizing Governance Through Rule Libraries
SailPoint enables administrators to enhance workflows and automation through the use of a centralized rule library. This repository stores various scripting methods that can be invoked across identity processes, from provisioning to lifecycle management. Unlike monolithic code blocks, these rule scripts are modular and reusable, offering a highly flexible framework.
The rule library is a strategic asset for identity architects. By decoupling logic from specific workflows, it promotes consistency and simplifies maintenance. Rules can be invoked independently or as part of complex workflows, enabling nuanced decision-making based on context, user attributes, or external events.
For instance, a rule can dictate access approval based on time-of-day constraints or restrict provisioning to certain departments. As organizations scale, the ability to define and deploy logic centrally reduces redundancy and enhances governance efficacy.
Driving Forces Behind Identity and Access Management
The rise of digital transformation has magnified the need for robust identity and access management solutions. The drivers behind this demand are multifaceted and interlinked, shaping how organizations architect their governance strategies.
Improved security is a primary driver. By controlling who accesses what, and under what conditions, IAM solutions mitigate internal and external threats. They close the gaps left by legacy systems, reducing attack surfaces and limiting the lateral movement of malicious actors.
Regulatory compliance is another critical motivator. With stringent data protection laws becoming the norm, businesses must demonstrate control over sensitive information. IAM systems enable automated reporting, enforce policy adherence, and support audit readiness.
Operational efficiency emerges as both a consequence and a catalyst. By automating identity tasks, organizations can reduce errors, accelerate onboarding, and optimize resource utilization. Lastly, IAM plays a pivotal role in business enablement. It supports agility by providing secure, timely access to systems, helping enterprises adapt to new market demands.
The Imperative of Cloud Identity Management
As organizations extend their infrastructure into cloud environments, the nature of identity governance transforms. Cloud identity management emerges as a critical framework, safeguarding digital ecosystems that span on-premises systems, private clouds, and third-party services.
The cloud introduces new complexities, such as decentralized applications and remote workforces. Cloud identity management provides a cohesive mechanism to manage access across these diverse landscapes. It ensures users are authenticated and authorized appropriately, regardless of location or device.
Moreover, it introduces visibility and control. Administrators can track who accessed which resource and when, reducing the risk of data breaches. Cloud identity management enables policy enforcement at scale, ensuring that only approved users can access sensitive information, whether hosted internally or in a cloud environment.
Pre-Implementation Considerations for Cloud IAM
Before deploying a cloud identity management solution, several foundational requirements must be met to ensure efficacy and compliance. First among these is adherence to relevant regulatory and internal compliance standards. Organizations must ensure that identity systems can support data privacy laws and industry-specific guidelines.
Next is data integrity. The IAM system must preserve the accuracy and consistency of identity information across disparate platforms. Identity attributes must remain synchronized and verifiable, especially when federated across multiple environments.
Another crucial consideration is safeguarding against data loss. Cloud IAM solutions should integrate with robust backup and disaster recovery mechanisms. They must offer mechanisms to prevent unauthorized access during data transit and storage.
These prerequisites form the bedrock upon which a resilient and scalable identity strategy can be built.
Advantages of SailPoint Cloud IdentityIQ
SailPoint’s cloud-native IdentityIQ solution provides a modern approach to identity governance. One of its key strengths is its ability to deliver comprehensive access management without straining existing infrastructure. Unlike traditional systems, SailPoint’s cloud offering is engineered for high availability and low overhead.
Managing identity data on the cloud through SailPoint is both streamlined and economical. The platform supports rapid deployment, elastic scaling, and seamless updates. It provides enterprises with a nimble foundation for managing the user lifecycle in dynamic environments.
In terms of reliability, SailPoint ensures encrypted storage and regular backups, bolstering trust and continuity. Its centralized dashboard and intelligent analytics help organizations monitor compliance, detect anomalies, and make data-driven decisions in real time.
By adopting SailPoint’s cloud identity solution, enterprises gain not only operational benefits but also strategic agility. It positions them to respond swiftly to evolving security landscapes while maintaining governance fidelity.
Initializing Workflow Variables in SailPoint
Workflows in SailPoint IdentityIQ provide the scaffolding for automating identity processes such as onboarding, provisioning, deprovisioning, and access review. A foundational aspect of these workflows is variable initialization, which enables dynamic and contextual actions based on user attributes, system states, or rule outputs.
There are multiple ways to initialize variables within workflows. The reference method pulls data directly from another variable or object already existing within the workflow. This approach maintains consistency and reduces duplication. String initialization allows administrators to hardcode text values, useful for static configurations or predefined messages.
Rule-based initialization adds a layer of sophistication by invoking custom logic defined in the rule library. This method is optimal when the variable’s value depends on complex conditions or external data sources. Additionally, administrators can use method calls to retrieve values from objects, often used for system-level data fetching.
For highly flexible scenarios, scripting offers complete control. Through embedded scripts, administrators can define intricate logic flows and manipulate variables in real time. These diverse approaches to variable initialization ensure workflows remain adaptable and intelligent.
Cloud Deployment Models for IdentityIQ
IdentityIQ is engineered to support diverse deployment architectures, catering to the varied needs of enterprises across industries. The flexibility of implementation across different cloud models allows businesses to tailor identity governance according to operational and regulatory requirements.
In a private cloud setup, IdentityIQ is hosted on infrastructure dedicated to a single organization. This model offers enhanced security, granular control, and compliance assurance, making it ideal for industries with stringent data regulations such as finance or healthcare.
The hybrid cloud model combines private infrastructure with public cloud resources. IdentityIQ leverages this structure to balance performance with scalability. Sensitive identity data can remain on-premises, while less critical processes run in the cloud, optimizing resource allocation and cost.
Public cloud deployments offer rapid scalability and lower entry costs. For organizations aiming to accelerate their digital transformation, IdentityIQ can be deployed in a fully managed environment, with updates and maintenance handled by the service provider.
Lastly, community cloud models cater to multiple organizations with similar operational needs, often within the same sector. IdentityIQ facilitates federated identity governance in this model, enabling collaboration without compromising control.
Pre-Iterate Rules in File Aggregation
When processing data files in aggregation tasks, SailPoint provides the capability to define a pre-iterate rule. This rule is executed a single time for the entire file before individual records are parsed. Its primary purpose is to prepare or validate the data file to ensure a smooth aggregation process.
Typical uses of the pre-iterate rule include unzipping compressed files, verifying the format of date fields, and confirming the freshness of data to prevent the inclusion of stale or outdated information. It acts as a gatekeeper, ensuring only clean and verified data enters the aggregation pipeline.
By employing pre-iterate rules, identity administrators can build robust preprocessing logic. This capability minimizes the risk of data inconsistency, improves error handling, and reinforces the integrity of the identity warehouse.
Application-Level Multifactor Authentication (APMFA)
As identity threats become more sophisticated, multifactor authentication (MFA) has emerged as a vital security control. APMFA, or application-level multifactor authentication, introduces MFA mechanisms directly within applications rather than at the network or gateway level.
APMFA offers granular protection, ensuring that even if an attacker gains access to the network, access to specific applications still requires verification through additional factors such as biometrics, hardware tokens, or time-based codes. This localized enforcement reduces the attack surface significantly.
In the context of identity governance, APMFA fortifies sensitive identity operations like role assignments, access reviews, and approvals. It provides an additional safeguard for administrators and users handling privileged actions. SailPoint supports the integration of APMFA, allowing organizations to embed strong authentication controls into their identity workflows.
Elasticity and Scalability in Identity Governance
Elasticity and scalability are not merely buzzwords in cloud computing—they are foundational principles for resilient and responsive identity governance. Elasticity refers to the system’s ability to expand or contract resource usage based on workload fluctuations. In practical terms, this means that an identity system can automatically allocate more processing power during peak provisioning cycles and scale down during quieter periods.
Scalability, meanwhile, relates to the system’s ability to handle increased loads by upgrading its capacity. For instance, as an organization grows and more users are onboarded, the identity solution should seamlessly support the growing number of identity cubes, workflows, and entitlements.
SailPoint’s architecture is built to accommodate both elasticity and scalability. It ensures that enterprises do not face performance bottlenecks or excessive costs as their identity needs evolve. This dual capability also underpins business continuity, enabling the identity infrastructure to respond to sudden surges in demand, such as during mergers or cloud migrations.
Understanding Cloud Architecture Layers
To effectively implement and manage cloud identity solutions, it is essential to grasp the components of cloud architecture. SailPoint’s compatibility with varied cloud layers allows it to integrate deeply into any environment, ensuring comprehensive visibility and control.
The cloud controller is the central component responsible for managing the cloud infrastructure. It orchestrates the provisioning of virtual resources, enforces policies, and ensures resource availability. Storage controllers manage the underlying data storage infrastructure, ensuring that identity data is securely stored and efficiently accessed.
Cluster controllers coordinate tasks across a group of node controllers, which are responsible for managing the actual virtual machines or containers. Each node controller interacts with specific workloads, ensuring high availability and performance.
The walrus layer functions as an object storage system, supporting backups and logs. By leveraging this architectural layering, IdentityIQ can operate fluidly within the cloud environment, taking advantage of distributed resources while maintaining centralized governance.
The Value of Identity Intelligence
Identity intelligence elevates traditional identity management by transforming raw identity data into actionable insights. It is not merely about storing user data but contextualizing it to understand behavior, detect anomalies, and support strategic decisions.
Through identity intelligence, SailPoint enables organizations to analyze access patterns, identify policy violations, and predict risk exposures. This capability is crucial for proactive governance, allowing interventions before incidents occur.
Centralized storage of identity data enhances its accessibility and usability. By correlating entitlements, activity logs, and role assignments, identity intelligence provides a panoramic view of an organization’s identity landscape. It supports audit readiness, strengthens security posture, and enhances operational awareness.
The emergence of identity intelligence marks a paradigm shift—from reactive access management to intelligent, predictive governance. It empowers stakeholders with the foresight to align access policies with evolving business and regulatory landscapes.
Identity Cubes in SailPoint IdentityIQ
The core of user representation in SailPoint IdentityIQ lies in what is known as an identity cube. These cubes serve as digital containers encapsulating all relevant user attributes. Each identity cube is a holistic profile, including identity details, associated entitlements, role memberships, account data, and lifecycle state.
By centralizing this information, identity cubes function as the foundational units that power governance, compliance, and automation within the platform. IdentityIQ leverages identity cubes to apply provisioning logic, perform access reviews, and monitor segregation of duties violations.
The dynamic nature of identity cubes allows them to be continually updated through aggregation jobs, ensuring they reflect real-time states from connected systems. Whether pulling HR data, directory services, or cloud-based identity stores, the identity cube is a living representation of the user within the SailPoint ecosystem.
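The following is an added illustration, not SailPoint code, of what the two identity-cube passages above describe: building cubes from an authoritative source and correlating application accounts onto them during aggregation. It assumes a constructed HR feed and a constructed directory feed, correlated on a shared employee id, and it also surfaces two conditions a governance team looks for in the result: accounts that correlate to no identity (orphans) and terminated identities that still hold access.

```python
"""Added example: a toy model of identity-cube aggregation and correlation.

This is not SailPoint code. It assumes two constructed feeds (an HR
authoritative source and a directory application) and a correlation key
(employee id). Names and records below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed authoritative HR feed: one record per person.
HR_FEED = [
    {"employeeId": "1001", "name": "Ana Ruiz", "dept": "Finance", "status": "active"},
    {"employeeId": "1002", "name": "Ben Cho", "dept": "IT", "status": "active"},
    {"employeeId": "1003", "name": "Cy Dean", "dept": "Sales", "status": "terminated"},
]

# Constructed application feed (a directory): accounts with their group memberships.
AD_FEED = [
    {"sAMAccountName": "aruiz", "employeeID": "1001", "groups": ["FIN-AP", "VPN"]},
    {"sAMAccountName": "bcho", "employeeID": "1002", "groups": ["DomainAdmins", "VPN"]},
    {"sAMAccountName": "cdean", "employeeID": "1003", "groups": ["CRM-Users"]},
    {"sAMAccountName": "svc-backup", "employeeID": "", "groups": ["BackupOps"]},
]


@dataclass
class IdentityCube:
    identity_id: str
    attributes: dict                                 # identity attributes from the authoritative source
    accounts: dict = field(default_factory=dict)     # application name -> correlated account record
    entitlements: set = field(default_factory=set)   # "application:right" strings


def aggregate(hr_feed, ad_feed):
    """Build cubes from the authoritative source, then correlate application
    accounts onto them by the shared employee id. Returns (cubes, orphans)."""
    cubes = {rec["employeeId"]: IdentityCube(rec["employeeId"], dict(rec)) for rec in hr_feed}
    orphans = []
    for acct in ad_feed:
        cube = cubes.get(acct["employeeID"])
        if cube is None:
            orphans.append(acct["sAMAccountName"])   # no owner identity: needs review
            continue
        cube.accounts["ActiveDirectory"] = acct
        cube.entitlements.update(f"ActiveDirectory:{g}" for g in acct["groups"])
    return cubes, orphans


def leavers_with_access(cubes):
    """Lifecycle check: terminated identities that still hold entitlements."""
    return sorted(i for i, c in cubes.items()
                  if c.attributes["status"] == "terminated" and c.entitlements)


if __name__ == "__main__":
    cubes, orphans = aggregate(HR_FEED, AD_FEED)
    for c in cubes.values():
        print(c.identity_id, c.attributes["name"], sorted(c.entitlements))
    print("orphan accounts:", orphans)
    print("leavers with access:", leavers_with_access(cubes))
```

Each aggregation run rebuilds the cube's account and entitlement view from the connected systems, which is what keeps the cube a current rather than historical picture; the orphan and leaver lists are the kind of findings that feed access reviews.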
Types of Roles in SailPoint IdentityIQ
Roles in SailPoint IdentityIQ form the scaffolding upon which access governance is structured. These roles group together entitlements and permissions, creating bundles that can be assigned and managed collectively. There are four primary types of roles that serve distinct governance functions:
Organizational Roles
These roles represent a user’s position within the enterprise hierarchy—departments, job titles, regions, or business units. They help determine access based on structural alignment and can be used to enforce location-specific or departmental policies.
Business Roles
Business roles encapsulate what a user needs to perform a specific function. For instance, a business role for a sales representative might include access to CRM tools, email, and reporting dashboards. These roles streamline provisioning and support compliance by enabling standardized access.
IT Roles
IT roles are designed to represent technical groupings of entitlements. They often underpin business or organizational roles but can also stand independently to manage infrastructure or application-specific access rights.
Entitlement Roles
Entitlement roles are the most granular level of access bundling. These roles typically consist of one or more specific permissions or rights. They offer precision in managing who has access to what and are especially useful in fine-tuning access during policy enforcement.
Role-Based Access Control (RBAC)
Role-based access control (RBAC) is a strategy wherein user access is governed by roles rather than individual entitlements. RBAC ensures that individuals are granted only the level of access required to fulfill their job responsibilities, thereby enhancing security and simplifying audit procedures.
In SailPoint IdentityIQ, RBAC aligns with roles to define clear access boundaries. Users inherit permissions through role assignments, which can be managed manually or automatically based on attribute-driven rules. This model reduces access sprawl, enforces least privilege, and facilitates separation of duties.
RBAC in IdentityIQ not only streamlines access management but also enables lifecycle automation. When a user changes roles or exits the organization, their access rights update or deprovision accordingly, ensuring that entitlements remain synchronized with their responsibilities.
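As an added example (not SailPoint's code or role model implementation), the following Python sketch models the four role types and the RBAC points made in the role and RBAC sections above: entitlement roles bundle rights, IT roles group technical access, business roles require IT and entitlement roles, and an organizational role is assigned automatically from a department attribute. It then computes a user's effective access through the role hierarchy, checks that access against what the user actually holds (the least-privilege test for overprovisioning), and evaluates a constructed separation-of-duties policy. All role names, entitlements and the policy are constructed for the example.

```python
"""Added example: a minimal RBAC model with the four IdentityIQ role types.

Not SailPoint code; a Python illustration. Role names, entitlements and
the SoD policy are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Role:
    name: str
    kind: str                                # organizational | business | it | entitlement
    entitlements: frozenset = frozenset()    # direct entitlements ("application:right")
    requires: tuple = ()                     # child role names (the hierarchy)
    assignment_rule: object = None           # callable(identity_attrs) -> bool, or None


ROLES = {
    # Entitlement roles bundle individual rights.
    "AP-Entry":   Role("AP-Entry", "entitlement", frozenset({"ERP:AP_CREATE"})),
    "AP-Approve": Role("AP-Approve", "entitlement", frozenset({"ERP:AP_APPROVE"})),
    "VPN":        Role("VPN", "entitlement", frozenset({"AD:VPN"})),
    # IT roles group technical access and may require entitlement roles.
    "Finance-IT": Role("Finance-IT", "it", frozenset({"AD:FIN-Share"}), requires=("VPN",)),
    # Business roles describe job functions and require IT/entitlement roles.
    "AP-Clerk":   Role("AP-Clerk", "business", requires=("Finance-IT", "AP-Entry")),
    "AP-Manager": Role("AP-Manager", "business", requires=("Finance-IT", "AP-Approve")),
    # Organizational role auto-assigned from the department attribute.
    "Finance-Org": Role("Finance-Org", "organizational", requires=("AP-Clerk",),
                        assignment_rule=lambda a: a.get("dept") == "Finance"),
}

# Constructed separation-of-duties policy: these two roles must not be co-held.
SOD_POLICY = [("AP-Clerk", "AP-Manager")]


def expand(role_name, roles=ROLES, seen=None):
    """Collect every role reached by following 'requires' links, including itself."""
    seen = set() if seen is None else seen
    if role_name in seen:
        return seen
    seen.add(role_name)
    for child in roles[role_name].requires:
        expand(child, roles, seen)
    return seen


def effective_roles(assigned, attrs, roles=ROLES):
    """Manual assignments plus organizational roles whose assignment rule matches,
    expanded through the hierarchy."""
    names = set(assigned)
    names |= {n for n, r in roles.items() if r.assignment_rule and r.assignment_rule(attrs)}
    closure = set()
    for n in names:
        expand(n, roles, closure)
    return closure


def effective_entitlements(role_names, roles=ROLES):
    ents = set()
    for n in role_names:
        ents |= roles[n].entitlements
    return ents


def unmatched_access(actual, role_names):
    """Least-privilege check: access held that no role explains (overprovisioning)."""
    return set(actual) - effective_entitlements(role_names)


def sod_violations(role_names, policy=SOD_POLICY):
    """Pairs from the policy that are both present in the effective role set."""
    return [pair for pair in policy if set(pair) <= set(role_names)]


if __name__ == "__main__":
    attrs = {"dept": "Finance"}
    roles = effective_roles({"AP-Manager"}, attrs)
    print(sorted(roles))
    print(sorted(effective_entitlements(roles)))
    print(unmatched_access({"ERP:AP_CREATE", "ERP:GL_POST"}, roles))
    print(sod_violations(roles))
```

The interesting case is the Finance manager: the organizational role brings in AP-Clerk automatically, the manual AP-Manager assignment adds approval rights, and the SoD check catches that the two business roles now coincide on one person, which is exactly the kind of conflict an attribute-driven assignment can introduce silently.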
The Rule Library: A Repository of Logic
The rule library in SailPoint IdentityIQ is a curated collection of reusable methods that encapsulate custom logic. These methods can be invoked across workflows, certifications, policies, and other areas of the platform. The primary advantage of the rule library lies in its modularity and reusability.
Each rule in the library serves a discrete function—from calculating attribute values and evaluating policy violations to interacting with external systems. These rules are authored using BeanShell or other supported scripting languages and are often tailored to organizational logic.
By centralizing these scripts, the rule library allows developers and identity administrators to avoid redundancy, enforce consistency, and speed up configuration. Over time, this curated repository becomes a strategic asset, housing logic that reflects institutional knowledge and governance policies.
Key Drivers in Identity and Access Management
Several fundamental drivers underscore the importance of identity and access management in modern organizations. These drivers transcend industries and are pivotal in shaping IAM strategies.
Improved Security
Identity management serves as a defense perimeter. Controlling who accesses what, when, and how reduces the risk of internal threats, credential abuse, and data exfiltration. IAM strengthens the organization’s security architecture by applying fine-grained controls and continuous monitoring.
Audit and Compliance
Regulatory frameworks demand traceability and accountability. Identity governance enables detailed auditing, ensuring that every access request, approval, and change is logged and verifiable. SailPoint supports compliance mandates such as GDPR, HIPAA, and SOX through policy enforcement and certification campaigns.
Operational Efficiency
Automated provisioning, access requests, and deprovisioning processes remove bottlenecks from manual workflows. IdentityIQ empowers IT teams to manage identities at scale while reducing human error and turnaround times.
Business Enablement
By ensuring that employees, contractors, and partners have timely access to the right resources, IAM facilitates productivity and collaboration. SailPoint’s contextual identity features support agile provisioning without compromising control.
Cloud Identity Management: An Evolving Necessity
With the rapid shift towards cloud-first strategies, cloud identity management has become a strategic imperative. Organizations are increasingly dependent on SaaS platforms, cloud infrastructure, and hybrid environments, making traditional IAM tools insufficient.
SailPoint’s cloud identity solutions provide visibility and control across these distributed environments. They ensure that access rights are coherent, auditable, and governed centrally, even when applications span public clouds, private networks, and hybrid platforms.
Cloud identity management strengthens the security posture by offering contextual and risk-based access controls. It enables real-time remediation, anomaly detection, and integration with modern authentication protocols.
Preconditions for Implementing Cloud Identity Solutions
Before embarking on a cloud identity management initiative, organizations must address foundational concerns to ensure a secure and effective rollout.
Compliance Readiness
A clear understanding of industry and regional compliance requirements is critical. The identity solution must support audit trails, consent management, and data localization, especially in sectors governed by stringent privacy laws.
Data Loss and Storage Concerns
Cloud environments introduce risks related to unauthorized data access and loss. It is essential to implement robust encryption, backup policies, and failover mechanisms. SailPoint supports secure cloud storage through integration with trusted platforms.
Ensuring Data Integrity
Maintaining the consistency and accuracy of identity data across systems is fundamental. Any discrepancies between source systems and identity records can lead to access anomalies. SailPoint uses aggregation and reconciliation processes to ensure that identity data remains synchronized and trustworthy.
Advantages of SailPoint Cloud Identity Management
SailPoint’s cloud identity management platform offers a multitude of benefits that make it suitable for modern enterprise needs.
Firstly, it delivers full-spectrum identity and access governance without requiring deep dependencies on traditional server environments. This reduces infrastructure overhead and accelerates implementation.
Data management on the cloud is streamlined and cost-effective. SailPoint’s architecture supports efficient data aggregation, transformation, and governance at scale. This efficiency is especially valuable for global enterprises with distributed operations.
Moreover, the platform offers secure and resilient data backup mechanisms. Enterprises can depend on these capabilities for data recovery, compliance, and long-term storage needs. With built-in high availability and disaster recovery support, SailPoint ensures business continuity.
By combining agility with control, SailPoint enables organizations to move confidently into the cloud era while upholding their governance commitments.
Workflow Variables, Cloud Models, Pre-Iterate Rules, and Advanced Concepts in SailPoint
In SailPoint IdentityIQ, workflows represent a sequence of steps to execute identity-related processes such as provisioning, approvals, or notifications. A vital component in these workflows is the use of variables, which store temporary or persistent data throughout the lifecycle of the workflow execution.
There are several dynamic methods for initializing variables within these workflows, allowing for flexibility and customization:
Reference Initialization
This method enables the workflow to reference data from existing identity attributes or other runtime variables. It’s often used when a workflow step depends on context-sensitive information.
String Initialization
Sometimes variables are initialized with hardcoded string values. This approach is suitable for static or default values that require no external input.
Rule-Based Initialization
Rules written in BeanShell or compatible languages can dynamically set the value of a variable. These rules provide exceptional control, allowing administrators to evaluate conditions, retrieve external data, or compute values on the fly.
Method Invocation
Call-method initialization allows the workflow to execute a specific Java method to retrieve or compute a variable value. This method is often used for advanced logic that isn’t easily encapsulated in simpler rule structures.
Scripting Approach
Scripts offer a flexible way to define variables through inline logic. This method is favored for scenarios where the data transformation or computation is specific to a particular workflow step.
Using these mechanisms, workflows become powerful orchestration tools, capable of adapting to changing identity states, business rules, and system behaviors.
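The following added example (Python, not SailPoint's BeanShell or workflow engine) ties together the rule library described earlier on the page and the five variable initialization methods listed above. A small rule library holds the two rules the earlier section gives as examples, a time-of-day constraint and a department restriction; a workflow then declares variables using reference, string, rule, call-method and script initializers, resolves them in order so later variables can read earlier ones, and uses the result to decide whether an access request is auto-approved. The rule names, variable names, the risk-score threshold and the identity record are all constructed; inline scripts are modelled as Python callables.

```python
"""Added example: a centralized rule library invoked by workflow variable
initializers. Not SailPoint code; a Python model of the concepts. The rule
names, variables and the approval logic are constructed for the example.
"""
from datetime import datetime


# --- Rule library: reusable, named logic shared by any workflow -------------
def within_business_hours(ctx):
    """Time-of-day constraint: approvals only between 08:00 and 18:00."""
    return 8 <= ctx["now"].hour < 18


def department_allowed(ctx):
    """Provisioning restricted to the departments listed in the workflow."""
    return ctx["identity"]["dept"] in ctx["allowedDepartments"]


RULE_LIBRARY = {
    "WithinBusinessHours": within_business_hours,
    "DepartmentAllowed": department_allowed,
}

# --- Workflow variable definitions, one per initialization type --------------
# init kinds: string (literal), reference (copy another context variable),
# call (invoke a method on an object in context), rule (look up the rule
# library), script (inline callable standing in for an inline script).
WORKFLOW_VARIABLES = [
    {"name": "allowedDepartments", "init": "string", "value": ["Finance", "IT"]},
    {"name": "requester", "init": "reference", "value": "identity"},
    {"name": "requesterName", "init": "call", "object": "identity", "method": "get", "args": ["name"]},
    {"name": "inHours", "init": "rule", "value": "WithinBusinessHours"},
    {"name": "deptOk", "init": "rule", "value": "DepartmentAllowed"},
    {"name": "autoApprove", "init": "script",
     "value": lambda v: v["inHours"] and v["deptOk"] and v["requester"]["riskScore"] < 50},
]


def init_variables(definitions, ctx, rules=RULE_LIBRARY):
    """Resolve each variable in declaration order into ctx; later variables
    may read earlier ones through ctx."""
    for d in definitions:
        kind = d["init"]
        if kind == "string":
            value = d["value"]
        elif kind == "reference":
            value = ctx[d["value"]]
        elif kind == "call":
            value = getattr(ctx[d["object"]], d["method"])(*d.get("args", []))
        elif kind == "rule":
            value = rules[d["value"]](ctx)
        elif kind == "script":
            value = d["value"](ctx)
        else:
            raise ValueError(f"unknown initializer: {kind}")
        ctx[d["name"]] = value
    return ctx


def run_access_request(identity, now):
    """One workflow step: initialize variables, then route the request."""
    ctx = init_variables(WORKFLOW_VARIABLES, {"identity": identity, "now": now})
    return "auto-approved" if ctx["autoApprove"] else "manual-approval"


if __name__ == "__main__":
    who = {"name": "Ana Ruiz", "dept": "Finance", "riskScore": 10}   # constructed identity
    print(run_access_request(who, datetime(2024, 3, 4, 10, 0)))
    print(run_access_request(who, datetime(2024, 3, 4, 23, 0)))
```

Because the rules live in the library rather than inline in the workflow, a change to what counts as business hours is made once and every workflow that references WithinBusinessHours picks it up, which is the maintenance benefit the rule library section describes.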
Supported Cloud Models for SailPoint IdentityIQ
SailPoint IdentityIQ has been architected to provide deployment flexibility across various cloud computing paradigms. This allows organizations to align identity governance initiatives with their broader cloud strategies.
Private Cloud
Organizations with stringent compliance or data residency requirements often choose private cloud deployments. IdentityIQ can be hosted on internal data centers or private IaaS platforms, offering complete control over infrastructure and security policies.
Hybrid Cloud
In hybrid cloud environments, organizations can leverage on-premises and cloud components simultaneously. SailPoint supports this model seamlessly by synchronizing data across environments, ensuring governance remains consistent and auditable.
Public Cloud
For organizations aiming for scalability and cost-efficiency, deploying SailPoint in a public cloud (such as AWS, Azure, or GCP) offers significant advantages. SailPoint adapts to the public cloud’s elastic nature while retaining enterprise-grade governance.
Community Cloud
Though less commonly used, community clouds cater to collaborative ventures or industry consortia. SailPoint can be tailored to function effectively in such shared governance ecosystems where multiple entities require unified identity oversight.
This flexible deployment capability ensures that SailPoint remains viable regardless of an organization’s cloud maturity or architectural preferences.
Pre-Iterate Rule in SailPoint IdentityIQ
The pre-iterate rule is a specialized construct in SailPoint IdentityIQ used in data aggregation processes. It is invoked once per data file, before any records within the file are processed individually.
This rule is typically employed to perform preparatory tasks such as:
- Unzipping compressed files
- Validating timestamps to detect stale or outdated data
- Loading environmental parameters or external libraries
- Initializing temporary storage or data structures
Because the pre-iterate rule executes a single time per aggregation job, it helps ensure efficiency and avoids redundancy. It forms an integral part of identity data ingestion pipelines, providing assurance that the environment is primed for consistent and accurate data processing.
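The following added example (Python, not SailPoint's BeanShell rule or aggregation engine) shows the shape of a pre-iterate step for the file aggregation described in both pre-iterate sections on this page: it runs once per file, decompresses the file if it is gzipped, validates a header and the expected columns, rejects a stale extract, and only then hands rows to the per-record iteration. The file layout (a `#extractDate=` header line followed by CSV), the two-day freshness limit and the sample rows are constructed for the example.

```python
"""Added example: a pre-iterate step that runs once per file before records
are processed. Not SailPoint's BeanShell rule; a Python model of the same
checks. The file format (CSV with an '#extractDate=' header line), the
freshness limit and the sample data are constructed.
"""
import csv
import gzip
import io
import os
import tempfile
from datetime import date, datetime, timedelta

MAX_AGE_DAYS = 2
REQUIRED_COLUMNS = {"employeeId", "name", "dept", "status"}


class StaleFile(Exception):
    pass


class BadFormat(Exception):
    pass


def pre_iterate(path, today):
    """Runs once per file: unzip if needed, validate the header, extract date and
    columns, and return the raw row dicts for the iteration phase."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", newline="") as fh:
        lines = fh.read().splitlines()
    if not lines or not lines[0].startswith("#extractDate="):
        raise BadFormat("missing #extractDate header")
    try:
        extracted = datetime.strptime(lines[0].split("=", 1)[1], "%Y-%m-%d").date()
    except ValueError as e:
        raise BadFormat(f"bad extractDate: {e}")
    if today - extracted > timedelta(days=MAX_AGE_DAYS):
        raise StaleFile(f"extract from {extracted} is older than {MAX_AGE_DAYS} days")
    reader = csv.DictReader(io.StringIO("\n".join(lines[1:])))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise BadFormat(f"missing columns: {sorted(missing)}")
    return list(reader)


def aggregate_file(path, today):
    """Gate the whole file once, then process records individually."""
    rows = pre_iterate(path, today)
    return [{"employeeId": r["employeeId"], "dept": r["dept"]}
            for r in rows if r["status"] == "active"]


def write_sample(dirpath, extract_date, gzipped=True):
    """Write a constructed sample feed for the demo and return its path."""
    body = (f"#extractDate={extract_date}\n"
            "employeeId,name,dept,status\n"
            "1001,Ana Ruiz,Finance,active\n"
            "1003,Cy Dean,Sales,terminated\n")
    path = os.path.join(dirpath, "hr.csv.gz" if gzipped else "hr.csv")
    if gzipped:
        with gzip.open(path, "wt") as fh:
            fh.write(body)
    else:
        with open(path, "w") as fh:
            fh.write(body)
    return path


def demo(today=date(2024, 3, 4)):
    """Run the three cases: fresh gzipped feed, stale feed, fresh plain feed.
    Returns (fresh_rows, stale_error_message_or_None, plain_file_accepted)."""
    with tempfile.TemporaryDirectory() as d:
        fresh = aggregate_file(write_sample(d, "2024-03-03"), today)
        try:
            aggregate_file(write_sample(d, "2024-02-01"), today)
            stale = None
        except StaleFile as e:
            stale = str(e)
        plain_ok = aggregate_file(write_sample(d, "2024-03-03", gzipped=False), today) == fresh
    return fresh, stale, plain_ok


if __name__ == "__main__":
    print(demo())
```

Raising from the pre-iterate step aborts the file before a single record is parsed, so a stale or malformed extract cannot quietly overwrite good identity data with old or partial values; that is the gatekeeping role the text assigns to the rule.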
Application-Level Multifactor Authentication (APMFA)
APMFA stands for application-level multifactor authentication. It refers to enforcing multiple authentication methods within the scope of specific applications, rather than across the enterprise network as a whole.
This technique ensures high-security coverage by augmenting password-based authentication with secondary factors such as tokens, biometric inputs, or mobile confirmations. When integrated with SailPoint, APMFA contributes to enhanced control over critical applications, mitigating credential theft and unauthorized access.
Application-level multifactor authentication is especially valuable in environments where different applications have varying security needs. It enables administrators to enforce rigorous controls on sensitive systems while maintaining usability for routine applications.
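The following added example (Python, not SailPoint code) shows application-level MFA as both APMFA sections on this page describe it: a second factor enforced by the application itself, in front of sensitive identity operations, regardless of how the user reached the network. It implements RFC 6238 time-based one-time passwords with the standard library and gates a constructed set of privileged operations (role assignment, access approval, policy changes) behind a fresh code. The secret used in the demo is the RFC test key and is constructed for illustration only.

```python
"""Added example: application-level MFA as a step-up check in front of a
privileged identity operation. Not SailPoint code. Implements RFC 4226 HOTP and
RFC 6238 TOTP with the standard library; the operation list is constructed, and
the secret in the demo is the RFC test key (constructed, never reuse it).
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/-window adjacent steps to absorb clock skew.
    compare_digest keeps the comparison constant-time."""
    counter = at // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# Constructed policy: operations that need a second factor at the application
# level, even for a user who already holds a valid password session.
STEP_UP_OPERATIONS = {"assignRole", "approveAccess", "modifyPolicy"}


def authorize(operation, session, code, at, secret):
    """Return (allowed, reason). A password session suffices for routine
    operations; step-up operations additionally require a valid TOTP."""
    if not session.get("authenticated"):
        return False, "no session"
    if operation not in STEP_UP_OPERATIONS:
        return True, "routine operation"
    if code is None or not verify_totp(secret, code, at):
        return False, "second factor required"
    return True, "step-up verified"


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key (constructed; do not reuse)
    now = int(time.time())
    session = {"authenticated": True}
    print(authorize("assignRole", session, totp(secret, now), now, secret))
    print(authorize("assignRole", session, None, now, secret))
    print(authorize("viewProfile", session, None, now, secret))
```

The point of placing the check in the application rather than at the gateway is visible in `authorize`: a caller with a valid session still cannot assign a role or approve access without the second factor, so a stolen session or a foothold inside the network does not by itself reach the privileged operations.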
Elasticity and Scalability in Cloud Identity Management
Two pivotal properties underpinning effective cloud identity management are elasticity and scalability. While often used interchangeably, these concepts differ in function and application.
Elasticity
Elasticity describes the ability of the identity management system to expand or contract its resource usage based on workload demand. For example, during peak hours or provisioning surges, the system can allocate additional processing power, then scale back during idle times.
This dynamic resource allocation reduces costs while maintaining performance, making it especially relevant in multi-tenant and SaaS environments.
Scalability
Scalability, on the other hand, relates to the system’s capacity to handle increased workload by enhancing its capabilities. In practice, this might mean upgrading memory, adding servers, or optimizing databases to accommodate a growing user base or additional integrations.
SailPoint is engineered to excel in both areas. Its architecture supports modular deployment, enabling organizations to scale up or scale out depending on their growth trajectory and infrastructure preferences.
These traits ensure that identity governance remains responsive and performant, regardless of environmental volatility or expansion.
Layers in Cloud Architecture Relevant to IdentityIQ
Understanding the layered nature of cloud architecture helps in deploying SailPoint IdentityIQ effectively. Each layer plays a distinct role in the identity management ecosystem:
Cloud Controller
The central coordinator that manages resource allocations, monitoring, and orchestration across cloud environments. In IAM, it may interact with provisioning workflows and data collectors.
Cluster Controller
Handles management of groupings or clusters of resources. It ensures workloads are balanced and scaled across compute nodes effectively.
Node Controller
Responsible for the operation of individual compute instances. It interacts directly with IdentityIQ’s components during aggregation and task execution.
Storage Controller
Manages persistent data storage—user records, logs, configurations—ensuring integrity, availability, and backup adherence.
Walrus Layer
This layer often handles object storage. For IAM, it is used to store audit records, backup files, and temporary data objects that support governance.
Together, these layers ensure that SailPoint integrates smoothly into complex cloud ecosystems while maintaining robust performance and governance.
Identity Intelligence: Synthesizing Meaningful Insights
Identity intelligence refers to the transformation of raw identity data into actionable insights that support strategic decision-making. In complex organizations, identity-related data often resides across disparate systems, leading to a fragmented understanding.
SailPoint’s platform aggregates, correlates, and analyzes this data to provide a unified, context-rich view of access and behavior. This includes understanding:
- Who has access to what
- How access levels change over time
- Where policy violations are likely
- When anomalies signal risks
Identity intelligence not only supports compliance and audit readiness but also enhances operational security. By providing intuitive dashboards, anomaly detection, and predictive modeling, it enables security teams to stay ahead of potential threats.
This intelligence is further enriched through machine learning algorithms, which identify patterns and outliers in user behavior. The result is a proactive approach to identity governance—one that adapts and evolves alongside organizational complexity.
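As an added illustration of the identity-intelligence questions listed above (who has access to what, how access changes over time, where anomalies signal risk), the following Python example, which is not SailPoint's analytics, runs a peer-group analysis over a constructed access snapshot: for each department it computes how common each entitlement is among peers, flags entitlements a person holds that few peers hold, and diffs two snapshots to show access drift. The identities, departments, entitlements and the 30% prevalence threshold are constructed.

```python
"""Added example: peer-group outlier analysis over identity data, a common
identity-intelligence technique. Not SailPoint's analytics; a Python
illustration. Identities, departments, entitlements and the threshold are
constructed.
"""
from collections import defaultdict

# Constructed snapshot: identity -> (department, entitlements held)
SNAPSHOT = {
    "aruiz": ("Finance", {"ERP:AP_CREATE", "AD:VPN"}),
    "bmoss": ("Finance", {"ERP:AP_CREATE", "AD:VPN"}),
    "clee":  ("Finance", {"ERP:AP_CREATE", "AD:VPN", "ERP:AP_APPROVE"}),
    "dkim":  ("Finance", {"ERP:AP_CREATE", "AD:VPN", "AD:DomainAdmins"}),
    "ewong": ("IT",      {"AD:DomainAdmins", "AD:VPN"}),
    "fnair": ("IT",      {"AD:DomainAdmins", "AD:VPN"}),
}


def peer_prevalence(snapshot):
    """For each department, the fraction of its members holding each entitlement."""
    members = defaultdict(int)
    holders = defaultdict(lambda: defaultdict(int))
    for dept, ents in snapshot.values():
        members[dept] += 1
        for e in ents:
            holders[dept][e] += 1
    return {d: {e: n / members[d] for e, n in holders[d].items()} for d in members}


def outliers(snapshot, threshold=0.3):
    """Entitlements a person holds that fewer than `threshold` of department peers
    hold. Such access often reflects leftover or hand-granted rights and is a
    natural candidate for review."""
    prevalence = peer_prevalence(snapshot)
    flagged = {}
    for who, (dept, ents) in snapshot.items():
        rare = sorted(e for e in ents if prevalence[dept][e] < threshold)
        if rare:
            flagged[who] = rare
    return flagged


def access_drift(before, after):
    """Change between two snapshots: entitlements gained and lost per identity."""
    drift = {}
    for who in set(before) | set(after):
        b = before.get(who, (None, set()))[1]
        a = after.get(who, (None, set()))[1]
        if a != b:
            drift[who] = {"gained": sorted(a - b), "lost": sorted(b - a)}
    return drift


if __name__ == "__main__":
    print(outliers(SNAPSHOT))
    later = dict(SNAPSHOT)
    later["aruiz"] = ("Finance", {"ERP:AP_CREATE", "AD:VPN", "ERP:AP_APPROVE"})
    print(access_drift(SNAPSHOT, later))
```

Note that the same entitlement is normal in one group and anomalous in another: AD:DomainAdmins is held by everyone in IT and flags nothing there, but the single Finance holder stands out. Peer context, not the entitlement name alone, is what turns raw access data into a risk signal.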