CompTIA Security+identity-and-access-management

Identity and Access Management

Authentication factors, access control models, and the tools that manage identity.

Identity and Access Management (IAM) is how an organization proves who a user is (authentication), decides what they may do (authorization), and records what they did (accounting). On the Security+ (SY0-701) exam, IAM questions reward you for recognizing authentication factors, matching a scenario to the correct access control model, and applying least privilege. Learn the categories below and most IAM items become pattern-matching.

Core Idea

  • Authentication answers "who are you?"; authorization answers "what are you allowed to do?" Keep the two ideas separate — a valid login does not by itself grant access to a resource.
  • True multifactor authentication (MFA) combines factors from different categories (know, have, are), not two of the same kind. Two passwords are not MFA.
  • Least privilege and separation of duties limit the damage a single compromised or malicious account can do. They are the default "correct" governance answers on the exam.

Authentication Factors

Factors fall into five categories:

  • Something you know — password, PIN, security question.
  • Something you have — hardware/software token, smart card, phone with an authenticator app.
  • Something you are — biometrics (fingerprint, face, iris, retina).
  • Somewhere you are — location or geolocation (IP, GPS), used as context.
  • Something you do — behavioral traits like typing rhythm or gait.

MFA requires two or more different categories. A password plus a one-time code from a token is MFA; a password plus a security question is not (both are "something you know"). Biometrics are measured by false acceptance rate (FAR), false rejection rate (FRR), and the crossover error rate (CER) where the two meet — a lower CER means a more accurate system.

Access Control Models

  • Mandatory Access Control (MAC): access is enforced by the system using labels and clearances; users cannot change permissions. Used in high-security/government settings.
  • Discretionary Access Control (DAC): the data owner sets permissions at their discretion (typical file-share NTFS permissions). Flexible but easier to misconfigure.
  • Role-Based Access Control (RBAC): permissions are assigned to roles, and users inherit them by job function — scales well in large organizations.
  • Rule-Based Access Control: access follows global rules/conditions (e.g., a firewall ACL or "no logins after hours"), applied uniformly regardless of user.
  • Attribute-Based Access Control (ABAC): access decisions use multiple attributes (user, resource, action, environment) evaluated by policy — the most granular and dynamic model.

Least privilege gives users the minimum access needed; separation of duties splits a sensitive process so no one person controls it end to end (deterring fraud).

Identity Lifecycle, SSO, and Federation

The identity lifecycle runs from provisioning (creating and entitling an account at hire) through changes, to deprovisioning (promptly disabling access at termination) — orphaned accounts are a common finding.

Single Sign-On (SSO) lets a user authenticate once and reach many services. Federation extends trust across organizations so an identity from one domain is honored by another. Key protocols:

  • SAML — XML-based; common for enterprise web SSO between an identity provider (IdP) and service provider (SP).
  • OAuth 2.0 — an authorization framework for delegated access via tokens (not for authentication by itself).
  • OpenID Connect (OIDC) — an authentication layer built on top of OAuth 2.0.
  • Kerberos — the ticket-based protocol behind Windows/Active Directory; a Key Distribution Center issues tickets, and it relies on time synchronization.
  • LDAP — the directory-services protocol for querying identity stores (LDAPS adds TLS).

Privileged Access and Credential Management

Privileged Access Management (PAM) controls high-power accounts (admins, root, service accounts) with credential vaulting, just-in-time elevation, session recording, and automatic password rotation. Enforce strong password policies (length, complexity, history, lockout) and encourage password managers to generate and store unique credentials. Passwordless methods and passkeys (FIDO2/WebAuthn) use device-bound cryptographic keys, resisting phishing and credential reuse because no shared secret is transmitted.

High-Yield Exam Patterns

  • "Two passwords" or "password + PIN" is not MFA — both are "something you know."
  • Scenario says the system enforces labels/clearances and users can't change themMAC; owner sets permissionsDAC; permissions by job functionRBAC.
  • "Most granular / decision uses multiple attributes and context" → ABAC.
  • OAuth = authorization/delegation; OIDC = authentication; SAML = enterprise web SSO.
  • Terminated employee still has access → failure to deprovision; fix with prompt account disablement.
  • "One person shouldn't control the whole process" → separation of duties; "minimum access needed" → least privilege.

Common Traps to Avoid

  • Confusing authentication with authorization — a login proves identity, not entitlement.
  • Calling any two-step prompt "MFA" when both steps are the same factor category.
  • Mixing up OAuth (authorization) with OpenID Connect (authentication).
  • Assuming DAC is "most secure" — MAC is the strict, label-enforced model; DAC is owner-discretionary and more error-prone.
  • Forgetting that Kerberos depends on synchronized clocks — clock skew breaks ticket validation.

Flashcards

Card 1 of 14

1/14

Keyboard: Space/Enter to flip • Arrow keys to navigate

Ready to Test Your Knowledge?

This quiz has 8 questions and each one has 4 options.

Quiz Details

8 Questions

Multiple choice with instant self-check

Final Review

See correct answers and explanations at the end

Build your own lesson in minutes.

Upload a source document and turn it into flashcards, quizzes, and a study-ready lesson bank.