Identity and Access Management
What the Exam Is Really Testing
Picture this: a fired employee walks out the door on Friday, but their Active Directory account stays active until someone remembers to disable it the following Tuesday. Over the weekend, they download the customer database. That gap — between when access should have ended and when it actually did — is exactly the kind of failure the exam builds questions around.
Identity is the new perimeter. In a world where users access resources from anywhere, controlling who gets access to what — and under what conditions — is the foundation of every security decision.
Expect questions that ask you to select the right access control model for a scenario, trace the identity lifecycle from provisioning to deprovisioning, and distinguish between federation protocols like SAML, OAuth, and OpenID Connect.
The Identity Lifecycle
Provisioning
Creating a user account and assigning appropriate access rights. Effective provisioning means:
- Verifying the user's identity (identity proofing) before creating the account
- Assigning access based on their role, not based on requests
- Using automated provisioning from HR systems when possible
- Applying the principle of least privilege from day one
Identity Proofing
The process of verifying that a person is who they claim to be before granting them an identity in the system. Methods include:
- Government-issued ID verification
- In-person verification by a trusted authority
- Knowledge-based verification (information only the real person would know)
- Biometric enrollment with identity documents
Access Reviews
Periodic audits of user access to ensure privileges remain appropriate. Users change roles, take on new projects, or leave departments — their access should change accordingly. Without reviews, privilege accumulation (privilege creep) creates excessive access over time.
Deprovisioning
Removing access when it is no longer needed. This includes:
- Disabling accounts immediately upon termination
- Revoking access when roles change
- Recovering company assets (laptops, tokens, badges)
- Removing accounts from groups and distribution lists
Deprovisioning failures are a common source of insider threats and audit findings. A terminated employee with active credentials is a critical risk.
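The three lifecycle failures above (an account left enabled after termination, group membership that outlived a role change, and accounts nobody in HR owns) are all detectable by reconciling the HR system of record against a directory export. The script below is an added example, not part of this guide; the HR feed, directory export and the role-to-group map are constructed sample data, and the role model is hypothetical.

```python
# Added example (not part of the guide): reconcile an HR roster (the authoritative
# source) against a directory export to catch the lifecycle failures described
# above: accounts still enabled after termination, privilege creep, orphan
# accounts, and active employees who were never provisioned.
# All data below is constructed; the role-to-group map is a hypothetical role model.
from datetime import date

# Constructed HR feed: who is employed, in what role, and when they left.
HR_ROSTER = {
    "alice": {"status": "active",     "role": "hr_manager", "term_date": None},
    "bob":   {"status": "terminated", "role": "engineer",   "term_date": date(2024, 3, 1)},
    "carol": {"status": "active",     "role": "engineer",   "term_date": None},
    "dave":  {"status": "active",     "role": "finance",    "term_date": None},
    "erin":  {"status": "active",     "role": "finance",    "term_date": None},
}

# Constructed directory export: what the identity system actually contains.
DIRECTORY = {
    "alice":      {"enabled": True, "groups": {"hr-staff", "hr-managers"}},
    "bob":        {"enabled": True, "groups": {"eng-dev", "vpn-users"}},   # still enabled after leaving
    "carol":      {"enabled": True, "groups": {"eng-dev", "finance-ap"}},  # kept a group from a prior role
    "dave":       {"enabled": True, "groups": {"finance-ap"}},
    "svc-backup": {"enabled": True, "groups": {"backup-operators"}},       # no HR record at all
}

# Hypothetical role model: the groups each role is entitled to, and nothing more.
ROLE_GROUPS = {
    "hr_manager": {"hr-staff", "hr-managers"},
    "engineer":   {"eng-dev", "vpn-users"},
    "finance":    {"finance-ap"},
}


def reconcile(hr, directory, role_groups, today):
    """Return (account, finding, detail) tuples for every lifecycle discrepancy."""
    findings = []
    for uid, acct in directory.items():
        person = hr.get(uid)
        if person is None:
            findings.append((uid, "orphan", "no HR record; confirm an owner or disable"))
            continue
        if person["status"] == "terminated":
            if acct["enabled"]:
                days = (today - person["term_date"]).days
                findings.append((uid, "deprovisioning_gap", f"enabled {days} days after termination"))
            continue
        # Active employee: anything outside the role's entitlements is privilege creep.
        excess = acct["groups"] - role_groups.get(person["role"], set())
        if excess:
            findings.append((uid, "privilege_creep", f"groups outside role: {sorted(excess)}"))
    # Active in HR but absent from the directory: provisioning never happened.
    for uid, person in hr.items():
        if person["status"] == "active" and uid not in directory:
            findings.append((uid, "provisioning_gap", "active employee with no account"))
    return findings


def run_example(today=date(2024, 3, 5)):
    """Run the reconciliation on the constructed data as of a fixed date."""
    return reconcile(HR_ROSTER, DIRECTORY, ROLE_GROUPS, today)


if __name__ == "__main__":
    for uid, kind, detail in run_example():
        print(f"{uid:<12} {kind:<20} {detail}")
```

On the constructed data this reports bob as a deprovisioning gap (enabled four days after termination), carol as privilege creep (the finance-ap group from a previous role), svc-backup as an orphan with no HR owner, and erin as never provisioned. Wiring this to the HR feed and running it on a schedule is the automated form of the access review described above; the terminated-account case should additionally trigger an immediate disable rather than wait for the next review.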
Access Control Models
RBAC (Role-Based Access Control)
Access is determined by the user's role in the organization. All users with the "HR Manager" role get the same set of permissions.
- Most common model in enterprise environments
- Easy to manage at scale
- New employee gets access by being assigned a role
- Risk: role explosion when too many unique roles are created
ABAC (Attribute-Based Access Control)
Access decisions are based on attributes of the user, resource, action, and environment. Extremely flexible.
- User attributes: department, clearance level, location
- Resource attributes: classification, owner, type
- Environmental attributes: time of day, network location, device type
- Example: "Allow access to confidential documents only for users in the legal department, during business hours, from a managed device"
MAC (Mandatory Access Control)
Access is controlled by the system based on security labels and clearance levels. Users cannot override or change access permissions.
- Used in military and government classified environments
- Resources have classification labels (Top Secret, Secret, Confidential)
- Users have clearance levels
- Read access is granted only when the user's clearance meets or exceeds the resource's classification; the system enforces this, and neither the user nor a data owner can relax it
- Most restrictive model
DAC (Discretionary Access Control)
The resource owner decides who gets access. The owner can grant or revoke permissions at their discretion.
- Common in file systems (Windows NTFS, Linux file permissions)
- Flexible but difficult to manage at scale
- Risk: owners may grant excessive access without oversight
- Least restrictive model
Rule-Based Access Control
Access is determined by predefined rules, often independent of the user. Examples include firewall rules (allow traffic from specific IP ranges) and time-based access restrictions.
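The practical difference between these models is who makes the decision and what information it is based on. The code below is an added example, not part of this guide, that implements each model as a small decision function over constructed users, roles, labels and a constructed ABAC policy. It goes one step beyond the bullets above in the MAC section: labels carry compartments as well as a level, and a clearance must dominate on both before a read is allowed, which is how real classification lattices work.

```python
# Added example (not part of the guide): the four models as small decision
# functions, so the difference in *who decides* is visible in code. Users,
# roles, labels and the ABAC policy are constructed. The MAC section goes a step
# beyond the bullets above: labels carry compartments as well as a level, and a
# clearance must dominate on both before a read is allowed.
from datetime import time

# ---- RBAC: permissions attach to roles; users are assigned roles, never permissions.
ROLE_PERMS = {
    "hr_manager": {("payroll", "read"), ("payroll", "write")},
    "hr_staff":   {("payroll", "read")},
}
USER_ROLES = {"alice": {"hr_manager"}, "bob": {"hr_staff"}}


def rbac_allows(user, resource, action):
    return any((resource, action) in ROLE_PERMS.get(r, set())
               for r in USER_ROLES.get(user, ()))


# ---- DAC: the owner keeps an ACL on the object and may delegate at will.
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, by, to, perm):
        if "grant" not in self.acl.get(by, set()):
            raise PermissionError(f"{by} may not grant on this object")
        self.acl.setdefault(to, set()).add(perm)

    def allows(self, user, perm):
        return perm in self.acl.get(user, set())


# ---- MAC: labels are set by the system; a subject reads only what its clearance dominates.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def dominates(clearance, label):
    """clearance and label are (level, compartments); dominance requires both."""
    c_level, c_comps = clearance
    l_level, l_comps = label
    return LEVELS[c_level] >= LEVELS[l_level] and c_comps >= l_comps


def mac_allows_read(clearance, label):
    return dominates(clearance, label)      # "no read up"


# ---- ABAC: one policy over user, resource, action and environment attributes.
def abac_allows(user, resource, action, env):
    return (action == "read"
            and resource["classification"] == "confidential"
            and user["department"] == "legal"
            and time(9, 0) <= env["time"] <= time(17, 0)
            and env["device_managed"])


def example_decisions():
    """Evaluate each model on constructed inputs; returns name -> decision."""
    doc = DacObject("carol")
    doc.grant("carol", "dave", "read")          # owner delegates read
    try:
        doc.grant("dave", "erin", "read")       # dave holds read, not grant
        dave_can_delegate = True
    except PermissionError:
        dave_can_delegate = False
    legal, conf = {"department": "legal"}, {"classification": "confidential"}
    return {
        "rbac_alice_write": rbac_allows("alice", "payroll", "write"),
        "rbac_bob_write": rbac_allows("bob", "payroll", "write"),
        "dac_dave_read": doc.allows("dave", "read"),
        "dac_dave_delegate": dave_can_delegate,
        "mac_secret_reads_confidential": mac_allows_read(("Secret", frozenset()), ("Confidential", frozenset())),
        "mac_missing_compartment": mac_allows_read(("Secret", frozenset()), ("Confidential", frozenset({"CRYPTO"}))),
        "mac_read_up": mac_allows_read(("Confidential", frozenset()), ("Secret", frozenset())),
        "abac_in_hours": abac_allows(legal, conf, "read", {"time": time(10, 0), "device_managed": True}),
        "abac_after_hours": abac_allows(legal, conf, "read", {"time": time(19, 0), "device_managed": True}),
    }


if __name__ == "__main__":
    for name, decision in example_decisions().items():
        print(f"{name:<32} {'ALLOW' if decision else 'DENY'}")
```

Two details worth noticing: in the DAC object, dave can read but cannot pass that read on because only the owner holds the grant right, whereas in MAC there is no grant operation at all, and a Secret clearance without the CRYPTO compartment is denied a Confidential/CRYPTO document even though its level is higher. The ABAC policy is the one quoted in the bullets above, expressed as a single predicate over the environment.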
SSO and Federation
Single Sign-On (SSO)
SSO allows users to authenticate once and access multiple applications without re-entering credentials. Benefits include:
- Reduced password fatigue (fewer passwords to remember)
- Faster access to resources
- Centralized authentication control
- Simplified deprovisioning (disable the one account and new logins to every connected application fail; existing application sessions and issued tokens still have to be revoked separately)
Risk: if the SSO credential is compromised, the attacker gains access to all connected applications.
Federation
Federation extends trust across organizational boundaries. Two or more organizations agree to trust each other's identity systems, allowing users from one organization to access resources in another without creating new accounts.
Federation Protocols
- SAML (Security Assertion Markup Language) — XML-based protocol for exchanging authentication and authorization data. Common in enterprise SSO for web applications. Uses assertions (authentication, attribute and authorization-decision statements) passed from the Identity Provider (IdP) to the Service Provider (SP).
- OAuth 2.0 — Authorization framework (not authentication). Allows a third-party application to access user resources without sharing credentials; the result is an access token scoped to a resource, not proof of who the user is. Example: letting a scheduling app read your Google Calendar without giving it your Google password.
- OpenID Connect (OIDC) — Authentication layer built on top of OAuth 2.0. Adds identity verification to OAuth's authorization framework. Returns an ID token with user identity information.
For the exam: SAML for enterprise SSO, OAuth for authorization delegation, OpenID Connect for authentication on top of OAuth.
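The OAuth-versus-OIDC distinction becomes concrete when you look at what a relying party must check before treating a token as a login. An access token is a credential for a resource server; an ID token is a signed statement that a specific user authenticated at a specific issuer for a specific client, and it carries the nonce the client generated so it cannot be replayed. The script below is an added example, not part of this guide or of any IdP's code. It signs and verifies tokens with a constructed HS256 shared secret and constructed issuer, client ID and claims; a real IdP normally signs ID tokens with RS256 or ES256 and publishes its keys via JWKS, which this example does not fetch.

```python
# Added example (not part of the guide): verify an OIDC ID token the way a
# relying party must, and show why an OAuth access token is not a login.
# SECRET, ISSUER, CLIENT_ID and every claim below are constructed; real IdPs
# sign with asymmetric keys published via JWKS, which this example does not fetch.
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-shared-secret"      # hypothetical HS256 client secret
ISSUER = "https://idp.example.com"         # hypothetical IdP
CLIENT_ID = "app-123"                      # hypothetical relying party (this app)


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, secret=SECRET):
    """Mint a compact JWS (HS256) over the given claims; stands in for the IdP."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token, expected_nonce, now, secret=SECRET):
    """Return (claims, 'ok') only if the token proves a login to *this* client."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None, "malformed"
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        return None, "unexpected alg"      # the verifier, not the token, fixes the algorithm
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None, "bad signature"
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        return None, "token not issued for this client"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    if claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch (possible replay)"
    return claims, "ok"


def example_run():
    """Exercise the verifier on a good ID token and four tokens it must reject."""
    now = 1_700_000_000                    # fixed clock for a reproducible run
    nonce = "n-8f3a"                       # constructed; the app generated it and kept it in the session
    id_token = sign_jwt({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                         "exp": now + 300, "iat": now, "nonce": nonce})
    # A valid OAuth access token for the IdP's calendar API: right user, right issuer,
    # but its audience is the resource server, so it proves nothing about a login to app-123.
    access_token = sign_jwt({"iss": ISSUER, "sub": "user-42", "aud": "https://api.example.com",
                             "scope": "calendar.read", "exp": now + 300})
    # Forged body under the genuine signature: the claims were edited in transit.
    hdr, _, sig = id_token.split(".")
    forged = _b64url(json.dumps({"iss": ISSUER, "sub": "admin", "aud": CLIENT_ID,
                                 "exp": now + 300, "nonce": nonce}).encode())
    tampered = f"{hdr}.{forged}.{sig}"
    return {
        "id_token": verify_id_token(id_token, nonce, now)[1],
        "access_token_as_login": verify_id_token(access_token, nonce, now)[1],
        "replayed_in_other_session": verify_id_token(id_token, "n-other", now)[1],
        "expired": verify_id_token(id_token, nonce, now + 301)[1],
        "tampered": verify_id_token(tampered, nonce, now)[1],
    }


if __name__ == "__main__":
    for case, result in example_run().items():
        print(f"{case:<28} {result}")
```

The order of checks matters: signature first, then issuer, audience, expiry and nonce. Skipping the audience check is the classic mistake that turns "has a valid token from Google" into "is logged in to my app", which is exactly the OAuth-authenticates-users trap called out later in this chapter.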
Directory Services
LDAP (Lightweight Directory Access Protocol)
The protocol used to query and manage directory services. LDAP organizes objects in a hierarchical tree structure (Distinguished Names, Organizational Units). Applications use it to look up user and group information and to authenticate users, typically by performing an LDAP bind with the user's credentials.
Active Directory (AD)
Microsoft's directory service built on LDAP and Kerberos. The backbone of identity management in most Windows enterprise environments. Provides:
- Centralized user and group management
- Group Policy enforcement
- Kerberos-based authentication
- Trust relationships between domains and forests
Account Types
- User accounts — Individual accounts tied to a specific person. Provide accountability through audit trails.
- Service accounts — Accounts used by applications and services to access resources. Should have tightly scoped permissions and no interactive login.
- Shared accounts — Accounts used by multiple people. Destroy accountability and should be avoided. If required, implement compensating controls for auditing.
- Privileged accounts — Administrator and root accounts with elevated permissions. Require additional controls: MFA, privileged access management (PAM), session monitoring, and just-in-time access.
Pattern Recognition
When you see IAM questions, look for these patterns:
- Employees changing roles but keeping old access = privilege creep, need access reviews
- Government classified environment = MAC
- Enterprise with many employees in similar roles = RBAC
- Complex, context-dependent access rules = ABAC
- File owner controls permissions = DAC
- Cross-organization access = federation
- Terminated employee still has access = deprovisioning failure
Trap Patterns
Watch for these distractors:
- "OAuth authenticates users" — OAuth is authorization only. OpenID Connect adds authentication.
- "SSO eliminates the need for strong passwords" — SSO consolidates authentication but makes the SSO credential even more critical to protect.
- "RBAC means each user gets unique permissions" — RBAC assigns permissions to roles, not individuals. Users inherit role permissions.
- "Disable the account at end of day" — Deprovisioning for terminated employees should be immediate, not delayed.
Scenario Practice
Question 1
An audit reveals that several employees who changed departments six months ago still have access to their previous department's sensitive file shares.
What process failure does this indicate?
A. Weak password policy enforcement
B. Lack of periodic access reviews
C. Missing multi-factor authentication
D. Insufficient network segmentation
Answer & reasoning
Correct: B
When employees retain access after changing roles, it indicates that periodic access reviews are not being conducted. Access reviews would identify and revoke permissions that no longer align with current job responsibilities.
This is privilege creep — accumulated access that was never removed after role transitions.
Question 2
A government agency requires that users can only access documents at or below their assigned clearance level. Users cannot change these access settings.
Which access control model is in use?
A. Discretionary Access Control (DAC)
B. Role-Based Access Control (RBAC)
C. Mandatory Access Control (MAC)
D. Attribute-Based Access Control (ABAC)
Answer & reasoning
Correct: C
MAC uses security labels (classifications) and clearance levels, with the system enforcing access decisions. Users cannot override or modify these controls. This is the standard model for military and government classified environments.
DAC would let owners control access. RBAC assigns by role, not clearance level. ABAC uses multiple attributes but does not enforce the strict hierarchical classification model described.
Question 3
A company wants its employees to use their corporate credentials to access a third-party SaaS application without creating separate accounts in the SaaS platform.
What should be implemented?
A. LDAP replication to the SaaS provider
B. SAML-based federation with the SaaS application
C. Shared service accounts for SaaS access
D. VPN connection to the SaaS provider's network
Answer & reasoning
Correct: B
SAML federation establishes a trust relationship between the corporate identity provider and the SaaS service provider. Users authenticate with their corporate credentials, and SAML assertions are exchanged to grant access to the SaaS application without separate accounts.
LDAP replication to a third party is a security risk. Shared accounts destroy accountability. VPN does not solve the authentication problem.
Key Takeaway
Identity management goes beyond login screens. It covers who gets access to what, how that access is granted, and — just as importantly — when it gets taken away. Every IAM question on the exam comes back to one of those three pieces.
When you see an IAM scenario, ask yourself: what determines access (role, attributes, labels, or owner discretion)? Is the question about granting, reviewing, or revoking access? Is authentication happening within one organization or across boundaries? And are we talking about authorization (OAuth) or authentication (SAML, OIDC)? Get those distinctions right, and the correct answer usually becomes obvious.