⚡ What is IAM?
Identity and Access Management (IAM) is the framework of policies and technologies that ensures the right people have the right access to the right resources — and no more. It covers how identities are created and verified (authentication), what those identities are allowed to do (authorisation), and how access is tracked (accounting). IAM is one of the most heavily tested areas on Security+ SY0-701.

The AAA framework — Authentication, Authorisation, Accounting

AAA is the foundation of IAM. Every access control system is built on these three concepts, and Security+ tests them constantly — both as definitions and in scenario questions where you have to identify which pillar is being described.

AAA — the three pillars
Authentication  → Proving you are who you claim to be
                   "Are you really Sean?"
                   Methods: passwords, MFA, biometrics, certificates

Authorisation   → Determining what you're allowed to do
                   "What can Sean access?"
                   Methods: ACLs, role assignments, permissions

Accounting      → Tracking what you actually did
                   "What did Sean do and when?"
                   Methods: audit logs, SIEM, usage reports

Authentication factors

Authentication factors are the categories of evidence used to verify identity. The exam tests both the categories and examples of each:

The five factor categories
Something you know  → Knowledge factor
                       Password, PIN, security question, passphrase

Something you have  → Possession factor
                       Smart card, hardware token (YubiKey), authenticator app (TOTP), phone (SMS code)

Something you are   → Inherence factor
                       Fingerprint, facial recognition, retina scan, voice recognition

Somewhere you are   → Location factor
                       GPS location, IP address geolocation, network location

Something you do    → Behaviour factor
                       Typing rhythm, mouse movement patterns, gait recognition

⚡ MFA exam definition

Multi-factor authentication (MFA) requires two or more factors from different categories. Password + PIN is NOT MFA — both are "something you know." Password + authenticator app IS MFA — knowledge factor + possession factor.

Two-factor authentication (2FA) is a subset of MFA using exactly two factors. All 2FA is MFA; not all MFA is 2FA.

Single Sign-On (SSO) and federation

SSO allows a user to authenticate once and access multiple systems without logging in again for each one. It improves user experience and reduces password fatigue — but means a compromised SSO credential gives an attacker access to everything connected to it.

SSO and federation protocols to know
SAML (authentication protocol)
  Security Assertion Markup Language — XML-based standard for exchanging authentication data between identity providers and service providers. Common in enterprise SSO and web applications.

OAuth 2.0 (authorisation framework)
  Lets users grant third-party apps limited access to their accounts without sharing passwords. Used by "Sign in with Google/GitHub" flows.

OpenID Connect / OIDC (authentication protocol)
  Identity layer built on top of OAuth 2.0. Adds authentication (who you are) to OAuth's authorisation (what you can do). Used for modern federated identity.

LDAP / Active Directory (directory protocol)
  Lightweight Directory Access Protocol — used to query and manage directory services such as Microsoft Active Directory. Stores user accounts, groups, and policies in enterprise environments.

Kerberos (authentication protocol)
  Ticket-based authentication protocol used in Windows Active Directory environments. Users authenticate once and receive tickets to access network services without re-entering credentials.

RADIUS / TACACS+ (AAA protocols)
  Network access control protocols. RADIUS is the standard for network access (Wi-Fi, VPN). TACACS+ is Cisco proprietary, encrypts the full packet, and separates the AAA functions — often used for network device administration.

Access control models

Access control models define how permissions are assigned and enforced. Security+ tests all four models — know the defining characteristic of each and be able to identify which model a given scenario describes:

Access control models at a glance
DAC — Discretionary    → Resource owner sets permissions
                          Key characteristic: Owner controls who gets access — flexible but harder to manage at scale
                          Typical use: Standard file system permissions (Windows NTFS, Linux chmod)

MAC — Mandatory        → System enforces access based on labels
                          Key characteristic: Users cannot change permissions — admin assigns classification labels (Top Secret, Secret, etc.)
                          Typical use: Government / military systems, SELinux

RBAC — Role-Based      → Permissions assigned to roles, users assigned to roles
                          Key characteristic: Access follows job function — easier to manage than individual permissions
                          Typical use: Enterprise systems, cloud IAM (AWS IAM roles)

ABAC — Attribute-Based → Policies evaluate multiple attributes
                          Key characteristic: Most flexible — combines user, resource, and environment attributes for fine-grained control
                          Typical use: Zero Trust environments, complex cloud policies

⚡ Access control model exam shortcuts

DAC: Owner decides. "The file owner can share it with whoever they want."

MAC: Labels decide. "The system prevents a Secret-cleared user from accessing Top Secret data regardless of what anyone wants."

RBAC: Role decides. "All managers get the same access automatically because of their role."

ABAC: Policy evaluates everything. "Access is granted only if the user is in HR, the device is compliant, and it's during business hours."
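The RBAC and ABAC shortcuts above, worked as code. This is an added example written for this page, not code from any IAM product: a request carries a role (the only thing RBAC examines) plus department, device-compliance and time-of-day attributes, and a constructed ABAC policy for the "read:payroll" action encodes the HR / compliant device / business-hours scenario. The role names, action names and the 9-to-5 window are assumptions.

```python
"""RBAC vs ABAC decision engine (constructed example, not from any product)."""
from dataclasses import dataclass

# RBAC: permissions attach to roles; a user gets access by holding a role (assumed roles).
ROLE_PERMISSIONS = {
    "hr_staff": {"read:payroll"},
    "line_manager": {"approve:leave"},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset          # RBAC input
    department: str           # ABAC subject attribute
    device_compliant: bool    # ABAC device attribute
    hour: int                 # ABAC environment attribute: local hour, 0-23
    action: str               # what the user is attempting

def rbac_decision(req: AccessRequest) -> bool:
    """RBAC looks only at the role; device state and time are never consulted."""
    return any(req.action in ROLE_PERMISSIONS.get(role, set()) for role in req.roles)

# ABAC: a policy is a list of named attribute predicates that must all be true.
# This rule encodes the exam scenario: in HR, compliant device, during business hours.
ABAC_POLICIES = {
    "read:payroll": [
        ("department is HR", lambda r: r.department == "HR"),
        ("device is compliant", lambda r: r.device_compliant),
        ("within business hours", lambda r: 9 <= r.hour < 17),
    ],
}

def abac_decision(req: AccessRequest) -> tuple:
    """Return (allowed, failed_conditions) so a denial can be logged with its reason."""
    conditions = ABAC_POLICIES.get(req.action)
    if conditions is None:
        return False, ["no policy for action"]   # default deny
    failed = [name for name, check in conditions if not check(req)]
    return (not failed), failed

if __name__ == "__main__":
    # Constructed requests: same role, different device and time attributes.
    in_hours = AccessRequest("alice", frozenset({"hr_staff"}), "HR", True, 10, "read:payroll")
    off_hours = AccessRequest("alice", frozenset({"hr_staff"}), "HR", False, 22, "read:payroll")
    for req in (in_hours, off_hours):
        print(f"hour={req.hour:>2}  RBAC: {rbac_decision(req)}  ABAC: {abac_decision(req)}")
```

RBAC grants both requests because the role never changed; ABAC grants the first and denies the second, naming the failed conditions.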

Zero Trust

Zero Trust is a security model built on the principle of "never trust, always verify." Traditional security assumed that anything inside the network perimeter was trustworthy. Zero Trust assumes the network is already compromised and requires verification for every access request regardless of where it originates.

Zero Trust core principles
Verify explicitly      → Always authenticate and authorise based on all available data
                           Identity, location, device health, service, data classification

Least privilege access → Limit access to only what's needed for the specific task
                           Just-in-time and just-enough access, time-limited permissions

Assume breach          → Design as if the network is already compromised
                           Segment networks, encrypt everything, minimise blast radius

Privileged Access Management (PAM)

PAM is a security discipline focused on controlling, monitoring, and auditing privileged accounts — accounts with elevated permissions such as administrators, root users, and service accounts. Privileged accounts are the highest-value targets for attackers because they can do the most damage if compromised.

PAM — key concepts
Least privilege             → Users get only the minimum permissions needed to perform their job — no more
Separation of duties        → No single person has enough access to commit fraud or cause harm alone — critical tasks require two people to complete
Just-in-time access         → Privileged access granted only when needed and revoked after a time limit — reduces standing privilege exposure
Privileged account vaulting → Admin credentials stored in a secure vault — users check out credentials rather than knowing them permanently
Session recording           → All privileged sessions recorded for audit purposes — accountability and forensic investigation

Identity lifecycle management

Identity lifecycle management covers how accounts are created, maintained, and removed throughout an employee's time at an organisation. The exam tests this primarily through scenarios about what should happen at onboarding, role changes, and offboarding:

Identity lifecycle — key concepts
Provisioning      → Creating accounts and assigning permissions when someone joins
Deprovisioning    → Removing accounts and access when someone leaves — critical security step
Account review    → Periodic audit of who has what access — finds orphaned/over-privileged accounts
Orphaned accounts → Accounts that exist after a user leaves — major security risk
User recertification → Managers periodically confirm their team's access is still appropriate
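A periodic account review of the kind described under PAM (just-in-time access) and identity lifecycle management (orphaned accounts, recertification), as an added example that is not from the page or any product: it compares a constructed directory export against a constructed HR roster and flags orphaned accounts, just-in-time grants past their expiry, and privileged accounts whose last recertification is older than an assumed 90-day cadence. Account names, dates and the review time are all constructed.

```python
"""Periodic account review over a constructed directory export (added example, not a real tool)."""
from datetime import datetime, timedelta

RECERT_INTERVAL = timedelta(days=90)          # assumed recertification cadence for privileged accounts
REVIEW_TIME = datetime(2024, 3, 15, 9)        # constructed "now" for the review run

# Constructed HR roster of current employees: the source of truth for "still employed".
HR_ROSTER = {"alice", "bob", "dana"}
# Service accounts are not people, so each must map to a current human owner (constructed).
SERVICE_ACCOUNT_OWNERS = {"svc_backup": "bob"}

# Constructed directory export. last_recertified and jit_expires are ISO timestamps or None.
DIRECTORY = [
    {"account": "alice", "enabled": True, "privileged": False, "last_recertified": None, "jit_expires": None},
    {"account": "bob", "enabled": True, "privileged": True, "last_recertified": "2024-02-01", "jit_expires": "2024-03-01T18:00"},
    {"account": "carol", "enabled": True, "privileged": True, "last_recertified": "2023-11-01", "jit_expires": None},
    {"account": "dana", "enabled": False, "privileged": False, "last_recertified": None, "jit_expires": None},
    {"account": "svc_backup", "enabled": True, "privileged": True, "last_recertified": "2023-12-01", "jit_expires": None},
]

def review_accounts(directory, roster, owners, now):
    """Return (account, finding) pairs for enabled accounts that fail a review check."""
    findings = []
    for acct in directory:
        name = acct["account"]
        if not acct["enabled"]:
            continue   # already deprovisioned; nothing to flag
        # Orphaned account: the person (or the service account's owner) is no longer employed.
        if owners.get(name, name) not in roster:
            findings.append((name, "orphaned: owner not on HR roster"))
        # Just-in-time grant that should have been revoked when its time limit passed.
        if acct["jit_expires"] and datetime.fromisoformat(acct["jit_expires"]) < now:
            findings.append((name, "expired just-in-time grant still active"))
        # Privileged accounts must be recertified by a manager within the cadence.
        if acct["privileged"]:
            last = acct["last_recertified"]
            if last is None or now - datetime.fromisoformat(last) > RECERT_INTERVAL:
                findings.append((name, "privileged access recertification overdue"))
    return findings

if __name__ == "__main__":
    for account, finding in review_accounts(DIRECTORY, HR_ROSTER, SERVICE_ACCOUNT_OWNERS, REVIEW_TIME):
        print(f"{account:<12} {finding}")
```

Disabled accounts (dana) produce no finding because deprovisioning has already happened; carol's enabled account after leaving is the orphaned-account case from the exam scenarios.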

Exam scenarios

💬 "A user enters a password and then approves a push notification on their phone. What type of authentication is this?" → MFA (Multi-factor authentication) — knowledge factor + possession factor
💬 "Which access control model assigns permissions based on job function rather than individual users?" → RBAC (Role-Based Access Control)
💬 "A government system uses classification labels (Top Secret, Secret, Unclassified) to control access. Which model is this?" → MAC (Mandatory Access Control)
💬 "Which protocol is used by Windows Active Directory for ticket-based authentication?" → Kerberos
💬 "An organisation wants to allow employees to log in once and access all internal applications. What should they implement?" → SSO (Single Sign-On)
💬 "Which Zero Trust principle states that users should only have access to what they need for a specific task?" → Least privilege access
💬 "An employee leaves the company. Their account is not disabled. What type of account risk does this create?" → Orphaned account
💬 "Which AAA component tracks what actions a user performed and when?" → Accounting
💬 "RADIUS vs TACACS+ — which encrypts the entire authentication packet?" → TACACS+ (RADIUS only encrypts the password)
💬 "Which access control model is most flexible and evaluates multiple attributes like user role, device compliance, and time of day?" → ABAC (Attribute-Based Access Control)
