Domain 4 of 5 · Chapter 6 of 9

Identity and Access Management

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Security+ premium course — no separate purchase.

Included in this chapter:

  • The identity lifecycle and access-control models
  • Authentication factors, MFA, and password concepts
  • Federation, SSO protocols, and interoperability
  • Privileged Access Management (PAM) and exam-pattern recognition

Access-control models: who sets the policy

ModelWho controls permissionsDecision basisCanonical use / exam tell
MAC (Mandatory)The system, by policy; owner cannot overrideSubject clearance vs object security labelClassified/military data; SELinux enforcing
DAC (Discretionary)The resource owner, at their discretionOwner-set ACL / permissions on the objectFile-system ACLs; 'owner can share the file'
RBAC (Role-Based)Admins, via role definitionsUser's assigned role(s) → role's permissionsAccess follows job function; group/role membership
ABAC (Attribute-Based)Policy author, via attribute rulesAttributes of subject, object, action, environmentFine-grained, context-aware (device, location, time)
Rule-basedAdmins, via global conditionsCondition rules (e.g., source IP, time-of-day)ACL conditions applied uniformly to all subjects

Decision tree

System must enforceclassification?Yes (labels)MACclearance vs label;owner can't overrideNoShould the resource owner decide sharing?YesDACowner-set ACLs; file permissionsNoAccess keyed to job function alone?YesRBACusers to roles, roles to permissionsNoDecision depends on subject/object context?Yes (device, location, time)ABACattributes of subject/object/action/envNoRule-baseduniform conditions (IP, time-of-day)Always: enforce least privilege on top of any model

Cheat sheet

  • Provisioning binds an account to a proofed identity
  • Deprovisioning: disable first, then remove
  • Attestation recertifies access on a schedule
  • MAC is system-enforced and non-discretionary
  • DAC lets the owner decide
  • RBAC: users to roles, roles to permissions
  • ABAC decides from subject/object/action/environment attributes
  • Rule-based and time-of-day apply uniform conditions
  • Least privilege bounds every access model
  • FIDO2/WebAuthn security keys are phishing-resistant
  • SMS/PSTN out-of-band auth is RESTRICTED
  • Push fatigue defeats simple push approval
  • Biometrics are unique but not secret or revocable
  • Password length beats forced complexity and rotation
  • Block reuse; managers and passwordless reduce secret risk
  • SAML = enterprise web SSO (authentication)
  • OAuth 2.0 is delegated authorization, not authentication
  • OIDC adds the identity layer on top of OAuth
  • LDAP is the directory store, not a federation protocol
  • PAM password vaulting stores and rotates privileged secrets
  • Just-in-time access eliminates standing privilege
  • Ephemeral credentials expire so there's nothing to steal
  • MFA combines two of the three factor categories
  • SSO concentrates risk at the IdP: enforce MFA there

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. CompTIA Security+ (SY0-701) certification and exam objectives
  2. Digital Identity Guidelines: Enrollment and Identity Proofing (SP 800-63A)
  3. Role-Based Access Control (RBAC) project (INCITS 359-2012 model)
  4. Guide to Attribute Based Access Control (ABAC) Definition and Considerations (SP 800-162)
  5. Digital Identity Guidelines: Authentication and Lifecycle Management (SP 800-63B)
  6. The OAuth 2.0 Authorization Framework (RFC 6749)