Domain 5 Capstone: Identity and Access Management
Domain 5 – Capstone Questions
Question 1
A multinational company deploys a federated identity system using SAML. Users authenticate against their home organization’s IdP, and partner organizations accept the SAML assertions. A partner reports that a terminated employee from the home organization accessed their systems two days after termination.
What is the MOST likely cause?
A. The SAML assertion had an indefinite validity period
B. The home organization’s deprovisioning process did not disable the account before the SAML IdP issued new assertions
C. The partner organization did not validate the SAML assertion signature
D. SAML does not support real-time access revocation across federated partners
Answer & reasoning
Correct: B
In SAML federation, the IdP authenticates users and issues assertions. If the home organization’s deprovisioning process has a delay (batch processing, manual steps), the IdP will continue to authenticate the terminated user and issue valid assertions. The fix is real-time deprovisioning linked to the HR termination event. While SAML assertions do have validity windows, the two-day gap points to a deprovisioning delay, not an assertion configuration issue.
Question 2
An organization uses biometric fingerprint scanners for physical access to its data center. The false acceptance rate (FAR) is set low to prevent unauthorized entry. Employees complain that they are frequently rejected and must use a manual override process to enter.
What is the BEST way to address this without significantly weakening security?
A. Increase the FAR threshold until complaints stop
B. Replace biometrics with badge-only access
C. Implement multimodal biometrics or combine fingerprint with a secondary factor so the biometric threshold can be adjusted while maintaining overall security
D. Accept the high rejection rate as necessary for data center security
Answer & reasoning
Correct: C
When a single biometric factor is tuned too aggressively, false rejections increase. Adding a second factor (PIN, badge, or a second biometric modality) allows the fingerprint threshold to be relaxed slightly because overall security is maintained by the combination. Simply increasing FAR (A) weakens security. Badge-only (B) eliminates biometric assurance. Accepting the status quo (D) ignores a usability problem that drives workaround behavior.
Question 3
An organization is implementing single sign-on for its employees. Internal applications run on an Active Directory domain. External SaaS applications are accessed through web browsers. The security team wants one authentication event to grant access to both internal and external resources.
Which architecture BEST achieves this?
A. Kerberos for internal AD-integrated applications combined with SAML federation for external SaaS applications, with the AD serving as the identity source for both
B. SAML federation for all applications, eliminating Kerberos entirely
C. OAuth 2.0 tokens for both internal and external application access
D. Separate authentication systems for internal and external applications with password synchronization
Answer & reasoning
Correct: A
The hybrid approach uses each protocol where it is strongest: Kerberos for internal AD-joined resources (what it was designed for) and SAML for browser-based SaaS access (what it was designed for). Both use AD as the identity source, so a single credential serves both environments. Eliminating Kerberos (B) would require re-architecting internal application authentication. OAuth (C) is an authorization framework, not an authentication solution for this use case.
Question 4
An organization’s identity governance platform generates a report showing that 15% of all user accounts have not been used in the past 90 days. The accounts belong to a mix of employees on extended leave, completed contractor engagements, and former employees whose terminations were not processed.
What should the identity governance team do FIRST?
A. Disable all 15% of accounts immediately to reduce risk
B. Delete all accounts that have not been used in 90 days
C. Notify managers to review their team members’ account status
D. Categorize the accounts by status (leave, completed contract, unterminated) and apply the appropriate lifecycle action for each category
Answer & reasoning
Correct: D
The three categories require different responses: employees on leave should have accounts suspended (not deleted), contractor accounts should be deprovisioned, and former employee accounts should be immediately disabled and investigated. Blanket disablement (A) would affect employees legitimately on leave. Deletion (B) is too aggressive and irreversible. Manager notification (C) is a step within the process but not the first action when some accounts belong to people who no longer work there.
Question 5
A company deploys a password policy requiring 12-character minimum passwords with complexity rules and 90-day rotation. Despite this, credential stuffing attacks succeed regularly because employees reuse passwords across corporate and personal accounts.
What is the MOST effective additional control?
A. Reduce the rotation period to 30 days
B. Implement multi-factor authentication to make stolen passwords insufficient for access
C. Increase the minimum password length to 16 characters
D. Deploy a password manager for all employees
Answer & reasoning
Correct: B
Credential stuffing succeeds because passwords alone grant access. MFA adds a second factor that the attacker does not possess, making reused credentials insufficient on their own. Shorter rotation (A) increases password fatigue and may worsen reuse. Longer passwords (C) do not address cross-site reuse. Password managers (D) help but do not prevent users from reusing the managed password on personal sites.
Question 6
An organization’s IT department manages access to 200 applications. Access requests are submitted via email to individual application owners, with no central tracking. Auditors report that they cannot determine who approved what access, when, or why.
What should the organization implement?
A. A centralized identity governance and administration (IGA) platform with workflow-based access requests, approvals, and audit trails
B. A shared spreadsheet to track all access requests and approvals
C. A policy requiring application owners to retain email approvals for two years
D. An annual access certification to compensate for the lack of request tracking
Answer & reasoning
Correct: A
IGA platforms provide structured access request workflows, automated approval routing, and complete audit trails — directly addressing the auditor’s findings. A spreadsheet (B) is unscalable and lacks integrity controls. Email retention (C) does not create a searchable, auditable record. Annual certification (D) is a compensating detective control but does not fix the missing governance process for access requests.
Question 7
A financial institution requires that loan officers can only approve loans during business hours (8 AM to 6 PM), only from corporate-managed devices, and only when their training certification is current. Loan officers who are on a performance improvement plan should be restricted to read-only access.
Which access control model can natively enforce all of these conditions?
A. Role-Based Access Control with time-based role activation
B. Mandatory Access Control with classification labels
C. Attribute-Based Access Control evaluating time, device, training status, and HR status attributes
D. Discretionary Access Control with enhanced logging
Answer & reasoning
Correct: C
The scenario describes four different attributes that must be evaluated together: time of day, device management status, training certification status, and HR performance status. ABAC evaluates multiple subject, object, and environmental attributes in real time. RBAC alone cannot natively evaluate time, device status, and HR conditions without significant extensions. MAC is for classification-based environments. DAC delegates decisions to owners.
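To make the ABAC point concrete, here is an added example (not part of the original question set) of a policy decision function for the loan-officer scenario. The attribute names, the training-expiry date and the "read" versus "approve" action split are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time, date

# Assumed attribute schema for the scenario: subject attributes come from HR/training
# systems, environment attributes from the device-management and request context.
@dataclass(frozen=True)
class Subject:
    user_id: str
    role: str
    training_expires: date   # current certification expiry (assumed attribute)
    on_pip: bool             # HR status: on a performance improvement plan

@dataclass(frozen=True)
class Environment:
    request_time: datetime
    device_managed: bool     # corporate-managed device per the MDM/EDR inventory

BUSINESS_START = time(8, 0)   # 8 AM
BUSINESS_END = time(18, 0)    # 6 PM

def decide(subject: Subject, action: str, env: Environment) -> tuple[str, str]:
    """ABAC decision for the loan-approval resource: returns (decision, reason).

    Every condition is evaluated against live attributes at request time, which is
    what RBAC alone cannot do without bolting on time, device and HR extensions.
    """
    if subject.role != "loan_officer":
        return ("deny", "subject is not a loan officer")
    if action == "read":
        # Read-only access is permitted to all loan officers, including those on a PIP.
        return ("permit", "read access permitted for loan officers")
    if action != "approve":
        return ("deny", f"unknown action {action!r}")
    if subject.on_pip:
        return ("deny", "subject on performance improvement plan: read-only")
    if not env.device_managed:
        return ("deny", "request not from a corporate-managed device")
    if subject.training_expires < env.request_time.date():
        return ("deny", "training certification has lapsed")
    t = env.request_time.time()
    if not (BUSINESS_START <= t < BUSINESS_END):
        return ("deny", "outside business hours (08:00-18:00)")
    return ("permit", "all approval attributes satisfied")

def demo_decisions() -> dict[str, str]:
    """Constructed cases covering each attribute; returns case name -> decision."""
    officer = Subject("lo-1001", "loan_officer", date(2025, 12, 31), on_pip=False)
    on_pip = Subject("lo-1002", "loan_officer", date(2025, 12, 31), on_pip=True)
    lapsed = Subject("lo-1003", "loan_officer", date(2024, 1, 31), on_pip=False)
    in_hours = Environment(datetime(2024, 6, 3, 10, 30), device_managed=True)
    after_hours = Environment(datetime(2024, 6, 3, 19, 5), device_managed=True)
    byod = Environment(datetime(2024, 6, 3, 10, 30), device_managed=False)
    cases = {
        "approve_in_hours_managed": decide(officer, "approve", in_hours),
        "approve_after_hours": decide(officer, "approve", after_hours),
        "approve_unmanaged_device": decide(officer, "approve", byod),
        "approve_lapsed_training": decide(lapsed, "approve", in_hours),
        "approve_on_pip": decide(on_pip, "approve", in_hours),
        "read_on_pip": decide(on_pip, "read", in_hours),
    }
    return {name: decision for name, (decision, _reason) in cases.items()}

if __name__ == "__main__":
    for name, decision in demo_decisions().items():
        print(f"{name:28s} -> {decision}")
```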
Question 8
A cloud engineering team uses shared root credentials for an AWS account because “it’s faster during incidents.” An unauthorized configuration change is detected in the account, but the team cannot determine which engineer made the change.
What is the FIRST governance action?
A. Enable detailed CloudTrail logging on the account
B. Rotate the root password immediately
C. Restrict root access to the team lead only
D. Eliminate the shared root credential, provision individual IAM accounts with appropriate roles, and implement PAM for emergency root access
Answer & reasoning
Correct: D
Shared credentials destroy individual accountability — you cannot attribute actions to specific people. The governance fix is eliminating the shared account in favor of individual accounts with role-based access. PAM with JIT provisioning provides emergency root access when needed while maintaining accountability through individual authentication and session recording. Rotating the password (B) does not solve the shared credential problem. Logging (A) is useless when all actions appear as the same account.
Question 9
A hospital needs to allow doctors to quickly authenticate to shared bedside workstations. Doctors move between patients frequently and cannot spend time entering long passwords. The authentication method must be fast, tied to the individual, and satisfy HIPAA requirements for unique user identification.
Which authentication approach BEST fits this scenario?
A. Proximity badge tap combined with a short PIN for two-factor authentication at the workstation
B. Username and password with a 15-minute session timeout
C. Shared department account with activity logging
D. Biometric fingerprint only with no secondary factor
Answer & reasoning
Correct: A
A proximity badge tap (something you have) combined with a short PIN (something you know) provides fast two-factor authentication with individual accountability. The badge tap is nearly instant, and a short PIN adds minimal friction. Username/password (B) is too slow for frequent logins. Shared accounts (C) violate HIPAA’s unique user identification requirement. Biometric alone (D) is a single factor and may have reliability issues with clinical staff whose fingerprints are affected by frequent hand washing.
Question 10
An organization implements RBAC for its ERP system. After one year, the role catalog has grown from 50 roles to 300 roles because each department requested custom roles for specific user situations. Managers report that finding the right role for a new hire takes longer than the old manual permission process.
What is this problem called, and what is the appropriate response?
A. Privilege creep; conduct access recertification
B. Role explosion; perform role engineering to consolidate overlapping roles and establish governance over role creation
C. Separation of duties failure; implement mutual exclusion constraints
D. Over-provisioning; deploy just-in-time access for all users
Answer & reasoning
Correct: B
Role explosion occurs when role counts grow uncontrolled because new roles are created for every unique access combination rather than defining a manageable set of standard roles with exception handling. The fix is role engineering: analyze the 300 roles, merge overlapping ones, eliminate redundancies, and establish a governance process that requires justification before new roles are created. This is not privilege creep (which is about individual users accumulating access) or separation of duties.
Question 11
A security architect is designing authentication for a new mobile banking application. Customers will authenticate using the app on their personal phones. The architecture must support phishing resistance, work without passwords, and not require customers to carry additional hardware tokens.
Which authentication standard BEST meets these requirements?
A. SAML with an IdP on the bank’s infrastructure
B. TOTP codes generated by a separate authenticator app
C. SMS-based one-time passwords
D. FIDO2/WebAuthn using the phone’s built-in platform authenticator (biometric or device PIN)
Answer & reasoning
Correct: D
FIDO2/WebAuthn with a platform authenticator uses the phone’s built-in biometrics (fingerprint, face recognition) or device PIN as the authenticator. It is passwordless, phishing-resistant through origin binding, and requires no additional hardware. SAML (A) is for enterprise SSO, not consumer mobile apps. TOTP (B) is not phishing-resistant and requires a password as the primary factor. SMS (C) is susceptible to SIM swapping and interception.
Question 12
A government contractor must ensure that users accessing classified systems have both the appropriate security clearance and a verified need-to-know for the specific project. A user with Top Secret clearance requests access to a Secret-level project they are not assigned to, arguing that their higher clearance should grant automatic access.
What is the correct response?
A. Grant access because Top Secret clearance exceeds the Secret classification requirement
B. Grant temporary access with enhanced monitoring since the clearance level is sufficient
C. Deny access because need-to-know has not been established, regardless of clearance level
D. Escalate to the facility security officer for a clearance verification
Answer & reasoning
Correct: C
In mandatory access control environments, access requires both sufficient clearance AND demonstrated need-to-know. Having a higher clearance level satisfies one condition but not the other. The user must be assigned to the project with a documented need-to-know before access can be granted. Clearance alone is necessary but not sufficient.
Question 13
A company acquires another organization. The acquired company has its own Active Directory, identity management processes, and application portfolio. The acquiring company needs to give acquired employees access to corporate applications while maintaining both directory environments during a 12-month transition.
What is the MOST appropriate identity management approach?
A. Establish a federated trust between the two directories so acquired employees authenticate against their own directory while accessing the acquiring company’s applications
B. Create duplicate accounts for all acquired employees in the acquiring company’s directory
C. Migrate all acquired employees to the acquiring company’s directory immediately
D. Provide acquired employees with shared credentials for the transition period
Answer & reasoning
Correct: A
Federation allows both directories to coexist while enabling cross-access through trust relationships. Acquired employees continue to authenticate against their familiar directory, and the trust enables access to the acquiring company’s applications. This supports the 12-month transition without forcing immediate migration. Duplicate accounts (B) create synchronization problems. Immediate migration (C) is disruptive during integration. Shared credentials (D) destroy individual accountability.
Question 14
An organization deploys privileged access management (PAM) with credential vaulting and session recording. Six months later, administrators report that they bypass the PAM system by using SSH keys they generated independently, because the PAM checkout process is “too slow during incidents.”
What does this indicate?
A. The PAM system should be replaced with a faster alternative
B. The PAM implementation needs emergency access workflows, and independently generated SSH keys must be discovered and brought under PAM governance
C. SSH key authentication is inherently incompatible with PAM
D. Administrators should be exempt from PAM during declared incidents
Answer & reasoning
Correct: B
When security controls are bypassed because they impede operations, the controls need adjustment — not abandonment. The PAM system should include expedited emergency (break-glass) access workflows that are fast enough for incidents while still maintaining accountability. Independently generated SSH keys represent unmanaged credentials that must be discovered, inventoried, and brought under PAM governance. Exempting administrators (D) defeats the purpose of PAM.
Question 15
A university allows students to authenticate to the campus Wi-Fi network using 802.1X. The network team wants to automatically place students on different VLANs based on their enrollment status: full-time students on the unrestricted VLAN, guest auditors on the restricted VLAN, and suspended students on a remediation VLAN.
Which AAA component supports this dynamic VLAN assignment?
A. TACACS+ with per-command authorization
B. Kerberos with service ticket restrictions
C. SAML with attribute-based assertions
D. RADIUS with attribute-value pairs that specify VLAN assignment based on user group membership
Answer & reasoning
Correct: D
RADIUS is the standard AAA protocol for network access, and it supports dynamic VLAN assignment through attribute-value pairs returned in the Access-Accept message. The RADIUS server evaluates the user’s group membership (full-time, guest, suspended) and returns the corresponding VLAN ID to the access point. TACACS+ (A) is for device administration. Kerberos (B) does not integrate with 802.1X VLAN assignment. SAML (C) is for web SSO.
Question 16
An organization performs quarterly access reviews. The review process sends each manager a list of their direct reports’ access, and the manager must certify or revoke each permission. Analytics show that one manager with 45 direct reports completes the entire review in under two minutes every quarter, certifying all access without changes.
What control should be added?
A. Increase the review frequency to monthly for that manager
B. Remove the manager’s ability to perform access reviews
C. Implement micro-certifications that flag high-risk or changed access for detailed review, and flag bulk approvals completed below a minimum time threshold for secondary review
D. Reduce the number of the manager’s direct reports
Answer & reasoning
Correct: C
The pattern indicates rubber-stamping. The fix is to make the review process more targeted (flagging high-risk access, new permissions, or cross-department access for specific attention) and to detect rubber-stamping through time-based analytics. Reviews completed impossibly fast should be escalated for secondary review. More frequent reviews (A) of the same broken process will not improve quality. Removing the manager (B) does not address the systemic issue.
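As an added example (not from the original question set), the time-based rubber-stamping analytic and the micro-certification queue described above, run over constructed certification records. The record fields, the 15-seconds-per-item threshold and the manager names are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Certification:
    manager: str
    user: str
    permission: str
    decision: str        # "certify" or "revoke"
    decided_at: datetime
    high_risk: bool      # e.g. admin or cross-department entitlement (assumed flag)
    changed: bool        # permission added since the previous review (assumed flag)

def build_sample() -> list[Certification]:
    """Constructed data: 'mgr_fast' certifies 45 reports in 88 seconds with no
    revocations; 'mgr_careful' reviews 12 over 33 minutes and revokes two."""
    recs: list[Certification] = []
    t0 = datetime(2024, 4, 1, 9, 0, 0)
    for i in range(45):
        recs.append(Certification("mgr_fast", f"user{i:02d}", "erp.read", "certify",
                                  t0 + timedelta(seconds=2 * i),
                                  high_risk=(i % 15 == 0), changed=(i % 9 == 0)))
    for i in range(12):
        recs.append(Certification("mgr_careful", f"emp{i:02d}",
                                  "payroll.admin" if i < 2 else "erp.read",
                                  "revoke" if i < 2 else "certify",
                                  t0 + timedelta(minutes=3 * i),
                                  high_risk=(i < 2), changed=False))
    return recs

def review_stats(records: list[Certification]) -> dict[str, dict]:
    """Per-manager item count, revocations and average seconds spent per item."""
    per: dict[str, dict] = {}
    for r in records:
        s = per.setdefault(r.manager, {"items": 0, "revoked": 0,
                                       "first": r.decided_at, "last": r.decided_at})
        s["items"] += 1
        s["revoked"] += int(r.decision == "revoke")
        s["first"] = min(s["first"], r.decided_at)
        s["last"] = max(s["last"], r.decided_at)
    for s in per.values():
        span = (s["last"] - s["first"]).total_seconds()
        s["seconds_per_item"] = span / s["items"]
    return per

def flag_bulk_approvals(records: list[Certification],
                        min_seconds_per_item: float = 15.0) -> list[str]:
    """Managers who averaged below the threshold and revoked nothing are escalated
    for secondary review; the threshold itself is an assumed tuning value."""
    return sorted(m for m, s in review_stats(records).items()
                  if s["seconds_per_item"] < min_seconds_per_item and s["revoked"] == 0)

def micro_certification_queue(records: list[Certification]) -> list[Certification]:
    """Items routed to a targeted review regardless of the bulk outcome."""
    return [r for r in records if r.high_risk or r.changed]

if __name__ == "__main__":
    data = build_sample()
    for m, s in review_stats(data).items():
        print(f"{m}: {s['items']} items, {s['revoked']} revoked, "
              f"{s['seconds_per_item']:.1f} s/item")
    print("escalate for secondary review:", flag_bulk_approvals(data))
    print("micro-certification items:", len(micro_certification_queue(data)))
```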
Question 17
A company uses OAuth 2.0 to allow a third-party scheduling application to access employees’ calendar data. An employee grants the scheduling app access, then leaves the company. The employee’s corporate account is deprovisioned, but the scheduling application retains an active OAuth refresh token.
What is the security risk?
A. The refresh token may allow the scheduling application to continue accessing calendar data after the employee’s account should have been fully deprovisioned, if the authorization server does not revoke tokens tied to deprovisioned accounts
B. OAuth tokens are encrypted and cannot be revoked
C. The scheduling application now has access to all corporate data
D. The former employee can use the refresh token to regain corporate account access
Answer & reasoning
Correct: A
OAuth refresh tokens can persist independently of the user session. If the deprovisioning process does not include revoking all OAuth tokens and grants associated with the account, the third-party application may retain access to the data. The fix is ensuring that deprovisioning includes OAuth token revocation. The token does not give the former employee direct access (D) — it gives the third-party app continued data access.
Question 18
A security team is evaluating identity proofing methods for a new customer-facing application that handles financial transactions. They need to verify that the person creating an account is who they claim to be, with a level of assurance that satisfies KYC (Know Your Customer) regulations.
Which identity proofing approach provides the HIGHEST assurance?
A. Self-registration with email verification
B. Government-issued ID verification with liveness detection (verifying a live person matches the ID document) combined with knowledge-based verification
C. Social media account verification
D. Phone number verification via SMS
Answer & reasoning
Correct: B
KYC regulations require strong identity proofing. Government-issued ID verification confirms the identity document is valid. Liveness detection (having the person take a selfie or video that is compared to the ID photo) confirms a live person matches the document. Combined with knowledge-based verification, this provides the highest assurance that the account holder is who they claim. Email (A), social media (C), and SMS (D) provide low assurance that is insufficient for financial KYC.
Question 19
An organization runs a Kerberos-based authentication environment. The security team discovers that an attacker compromised the Kerberos Ticket Granting Service (TGS) secret key. With this key, the attacker can forge service tickets for any service in the realm.
What type of attack does this describe, and what is the remediation?
A. Pass-the-hash; reset all user passwords
B. Kerberoasting; implement stronger service account passwords
C. Replay attack; enable timestamp validation
D. Golden Ticket attack; reset the KRBTGT account password twice (to invalidate both current and previous keys) and investigate the scope of compromise
Answer & reasoning
Correct: D
A compromised KRBTGT account secret key enables Golden Ticket attacks: the attacker can forge Ticket Granting Tickets with any identity, any group membership, and any expiration. Remediation requires resetting the KRBTGT password twice (because AD retains the current and previous password) to invalidate all existing tickets. This is one of the most severe Kerberos compromises and requires full investigation of the attacker’s actions. Kerberoasting (B) targets service account tickets, not the TGS key itself.
Question 20
An organization is implementing zero-trust architecture. The security team defines a policy: “No user or device is trusted by default, regardless of network location. Every access request is authenticated, authorized, and encrypted. Authorization decisions incorporate device health, user identity, resource sensitivity, and real-time risk assessment.”
Which combination of IAM components is MOST aligned with this policy?
A. Kerberos for authentication, RBAC for authorization, VPN for network access
B. SAML for authentication, MAC for authorization, firewall rules for enforcement
C. OIDC/OAuth for authentication and API authorization, ABAC with risk-based adaptive policies for authorization decisions, and micro-segmentation with policy enforcement points at every resource boundary
D. LDAP for authentication, DAC for resource-level authorization, and NAC for network admission
Answer & reasoning
Correct: C
Zero-trust architecture requires continuous, context-aware authentication and authorization. OIDC/OAuth handles modern authentication and API-level authorization tokens. ABAC with risk-based policies evaluates multiple attributes (device health, identity, sensitivity, risk score) at every request. Micro-segmentation with policy enforcement points ensures that authorization is enforced at the resource boundary, not the network perimeter. VPN-based access (A) trusts the network once connected, violating zero-trust principles. Firewall-centric approaches (B) enforce at the perimeter, not at each resource.
Executive Pattern Summary
Domain 5 covers the full spectrum of identity and access management — from proving who someone is to governing what they can do throughout their relationship with the organization. Before reviewing your answers, internalize these six patterns that connect every topic in this domain:
- Identity before access. Authentication must precede authorization. Proofing must precede authentication. Every access decision starts with a verified identity. When a scenario describes an access problem, trace it back — was the identity properly established, verified, and managed?
- Match the model to the problem. DAC for user discretion. MAC for label-enforced confidentiality. RBAC for enterprise scalability. ABAC for context-dependent decisions. The exam never asks for the “most secure” model — it asks for the most appropriate one given the constraints described.
- Lifecycle gaps create risk. Privilege creep, orphaned accounts, unmanaged service accounts, and delayed deprovisioning all result from the same root cause: incomplete lifecycle governance. The mover process is where most organizations fail. Access reviews are the primary detective control.
- Protocol matches context. Kerberos inside the enterprise. SAML across organizational boundaries. OIDC for modern apps. RADIUS for network access. TACACS+ for device administration. FIDO2 for phishing resistance. Select based on what is being authenticated, where, and against what threat.
- Accountability requires individual identity. Shared accounts, shared credentials, and generic logins all destroy the ability to attribute actions to specific people. Every exam question involving a “who did it” problem traces back to a failure of individual accountability.
- Governance over operations. Technical controls implement decisions. Governance makes the decisions. When the scenario asks what should change, the answer is usually a process, a policy, or an accountability structure — not a configuration setting or a technical tool.