When a user gets into the wrong folder, the wrong cloud console, or the wrong admin portal, the problem is usually not malware first. It is usually access control and identity management done poorly. For cybersecurity basics and the CompTIA® Security+™ exam, you need to know how authentication, authorization, accounting, and auditing work together to stop that failure before it spreads.
Certified Ethical Hacker (CEH) v13
Learn essential ethical hacking skills to identify vulnerabilities, strengthen security measures, and protect organizations from cyber threats effectively
Get this course on Udemy at the lowest price →Quick Answer
Access control and identity management are the rules and systems that decide who a user is, what they can do, and how their activity is tracked. For Security+, the key ideas are authentication, authorization, accounting, least privilege, and implicit deny. These controls protect endpoints, networks, cloud services, and physical resources by limiting access and improving accountability.
Definition
Access control and identity management is the cybersecurity discipline that verifies identities, assigns permissions, and records activity so only approved users can access approved resources. It ties a person, device, or service account to the right level of Access Control across systems, data, applications, and physical spaces.
| Security+ Exam Focus | Access control, identity, and IAM fundamentals as of June 2026 |
|---|---|
| Key Models | RBAC, DAC, MAC, and ABAC as of June 2026 |
| Core Factors | Something you know, have, and are as of June 2026 |
| Important Protocols | Kerberos, SAML, OAuth, and OpenID Connect as of June 2026 |
| High-Risk Areas | Privileged accounts, shared accounts, stale accounts, and misconfigured permissions as of June 2026 |
| Best-Practice Rule | Least privilege with implicit deny as of June 2026 |
Understanding Access Control Fundamentals
Access control is the process of restricting who can view, use, or modify a resource. In practice, that resource might be a file share, an AWS® S3 bucket, a domain controller, a badge reader, or a server console. The point is simple: if a user, device, or service does not need access, it should not get access.
For Security+, the core sequence is identification, authentication, authorization, and accounting. Identification says who you claim to be, authentication proves it, authorization decides what you can do, and accounting records what happened. Authentication and Authorization are easy to confuse on the exam, but they solve different problems.
The identity-to-access chain
- Identification starts with a username, employee ID, certificate subject, or device ID.
- Authentication verifies that identity with a password, token, smart card, biometrics, or a push approval.
- Authorization checks the policy and grants the correct access level.
- Accounting logs the action so security teams can review it later.
Least privilege means giving the minimum access needed to do the job. That one rule cuts risk fast because stolen credentials, accidental clicks, and insider mistakes cause less damage when accounts are restricted. NIST® guidance on access control and security planning repeatedly emphasizes minimizing privilege and using secure defaults, including implicit deny, where anything not explicitly allowed is blocked by default. See NIST CSRC for control guidance.
Good access control is not about making access easy. It is about making the right access easy and the wrong access impossible.
Pro Tip
If a Security+ question asks what happens to traffic or access that is not explicitly permitted, the safest answer is usually implicit deny. That principle appears everywhere from firewall rules to file permissions to cloud security groups.
Access control applies across endpoints, networks, cloud services, and physical environments. A Windows workstation can use local permissions. A firewall can filter traffic. A cloud subscription can use IAM policies. A building can use badge access. The model changes, but the logic stays the same: verify identity, grant only what is needed, and log the result.
How Does Access Control and Identity Management Work?
Identity management is the process of creating, maintaining, updating, and removing digital identities throughout their lifecycle. In a real enterprise, that lifecycle starts when HR opens a ticket or sends a record to IT, and it ends when access is removed after transfer or termination. The system works because identity, privilege, and logging are tied together instead of managed as separate chores.
- Provision the identity by creating the user, device, or service account in a directory or identity provider.
- Authenticate the request using a password, token, certificate, biometric, or MFA challenge.
- Evaluate policy to decide whether the user is allowed to reach the resource.
- Apply authorization based on role, classification, location, device health, or time of day.
- Record activity for audit, compliance, and incident response.
This is the same logic used in modern corporate environments, but the implementation varies. Microsoft® documents this flow clearly in its identity and access documentation on Microsoft Learn, especially for Entra ID, conditional access, and role-based permissions.
What happens behind the scenes
- Access requests may be made by a person, application, or automated process.
- Policy engines compare the request against rules such as group membership, device posture, and network location.
- Session tokens reduce repeated logins but must be protected because they can represent a live authenticated session.
- Logs and alerts help identify suspicious behavior like impossible travel, repeated failures, or privilege escalation.
Accounting and auditing are related but not identical. Accounting captures activity records. Auditing is the review and analysis of those records, usually to prove compliance or investigate an incident. Security+ questions often hide that distinction in log analysis scenarios. If a user changes access on a server and the ticket says “review who approved it,” you are looking at auditing. If the question says “store the event for later review,” that is accounting.
The course content in Certified Ethical Hacker (CEH) v13 connects well here because attackers routinely target identity systems first. Once a credential is stolen, the attacker often does not need to exploit a vulnerability in the traditional sense. They simply log in and act like a legitimate user.
Authentication Methods and Factors
Authentication is the process of proving identity. Security+ expects you to know the three factors: something you know, something you have, and something you are. Each factor has strengths, weaknesses, and failure modes, and the best design usually combines more than one factor.
The three authentication factors
- Something you know includes passwords, PINs, passphrases, and challenge answers.
- Something you have includes smart cards, hardware tokens, authenticator apps, and OTP devices.
- Something you are includes biometrics such as fingerprints, facial recognition, and iris scans.
A password is cheap and familiar, but it is also the easiest factor to steal, reuse, phish, or brute-force. A hardware token or smartphone push approval is harder to clone remotely, but it adds cost and user friction. Biometrics are convenient, but they can create privacy concerns and are not secret in the same way a password is secret. If your fingerprint is copied, you cannot change it like you can change a password.
Common authentication methods
| Single-factor authentication | Uses one proof, usually a password; simple but weak when used alone. |
|---|---|
| Two-factor authentication | Combines two different factor types, such as a password plus a token. |
| Multi-factor authentication | Uses two or more factors; stronger than password-only login. |
| Passwordless authentication | Uses certificates, hardware keys, biometrics, or device-based trust instead of a typed password. |
MFA, or multi-factor authentication, is one of the highest-value Security+ concepts because it breaks a lot of real attacks. A stolen password alone becomes far less useful when the attacker also needs a second factor. Microsoft documents passwordless and MFA options through its identity platform, while CISA continues to recommend phishing-resistant MFA for high-risk accounts.
Single-factor login answers one question. Multi-factor login answers the same question twice in different ways.
Adaptive authentication changes the challenge based on context. A user logging in from a managed laptop in the office may get a quick sign-in, while the same user logging in from another country on an unmanaged device may get a step-up challenge or be blocked. That is why adaptive authentication is more useful than a static rule set in many cloud and hybrid environments.
Warning
Biometrics improve convenience, but they should not be treated as the only control for high-value systems. Use them as part of a layered design, not as a standalone answer to every authentication question.
Authorization Models and Access Policies
Authorization is the decision about what an authenticated identity is allowed to do. Security+ expects you to recognize the major models quickly because the exam often describes them in plain English instead of naming them directly. The model tells you who controls access, how rigid the rules are, and how much administrative overhead the system creates.
Role-based access control and other models
- Role-based access control (RBAC) assigns permissions based on job role, such as help desk, accountant, or system administrator.
- Discretionary access control (DAC) lets the resource owner decide who gets access.
- Mandatory access control (MAC) uses labels and classifications, and users cannot override policy.
- Attribute-based access control (ABAC) uses context like location, device type, data sensitivity, and time of day.
RBAC is common because it maps cleanly to job functions. If 50 employees in accounting need the same payroll folder permissions, RBAC is easier to manage than assigning rights one user at a time. DAC is more flexible but can become messy because owners may grant access too freely. MAC is stricter and is common in high-security or classified environments where labels like Confidential or Secret drive access decisions. ABAC is the most context-aware of the four and is useful in cloud and zero-trust style designs where policy must adapt dynamically.
The NIST access control guidance and zero trust references help frame these models from a policy perspective, and the NIST Cybersecurity Framework also reinforces the need for controlled access to assets and identities. If you are studying Security+ and want to compare the models quickly, think about who sets the rule, how often it changes, and whether context matters.
Model comparison
| RBAC | Best for structured organizations with stable job roles and centralized administration. |
|---|---|
| DAC | Best when file owners or data owners need direct control, but it can increase risk. |
| MAC | Best for highly controlled environments where classification matters more than user preference. |
| ABAC | Best when access should change based on attributes like device health or location. |
Least privilege fits all four models, but it is implemented differently. In RBAC, you trim roles. In DAC, you limit owner-driven sharing. In MAC, you apply the correct label. In ABAC, you define precise conditions. The model is just the container; the policy is what actually reduces risk.
Identity and Access Management Components
Identity and access management (IAM) is the set of processes and technologies used to manage digital identities and the permissions attached to them. It includes onboarding, changing access, revoking access, and proving that access is appropriate. Without IAM, identity sprawl happens quickly and nobody can answer the basic question: who has access to what?
Core IAM building blocks
- User provisioning creates accounts and assigns initial access based on role or request.
- Deprovisioning removes access when a user leaves, changes roles, or no longer needs a resource.
- Directory services store identities in a centralized place such as Active Directory or cloud identity stores.
- Group policy applies configuration and security settings to users or devices based on membership.
- Single sign-on (SSO) lets a user authenticate once and reach multiple approved services.
- Federated identity lets one organization trust another identity provider for authentication.
The biggest operational mistake in IAM is stale access. If a user changes departments but keeps old permissions, the environment accumulates hidden risk. If a contractor leaves and the account stays active, that account becomes an easy target. User provisioning and deprovisioning need a real workflow, not just ad hoc tickets.
Identity providers and service providers are central to federated identity. The identity provider proves who the user is. The service provider trusts that proof and grants access to its own resource. That trust relationship is what makes SSO practical across SaaS platforms, internal portals, and cloud applications.
IAM fails quietly. The account that was created correctly but never removed is often the account that becomes a breach later.
For government and enterprise workforce context, the NICE/NIST Workforce Framework and guidance from BLS both show that identity-heavy roles are foundational in IT operations and security. The BLS Occupational Outlook Handbook consistently lists strong demand for cybersecurity-related work, which is exactly why employers care so much about access governance and IAM discipline.
Access Control Technologies and Tools
Security+ does not just test ideas. It tests whether you know what tools implement those ideas. Access control technologies are the practical mechanisms that enforce identity and permission decisions in real systems.
Common tools and what they do
- Access control lists (ACLs) specify which users or groups can access a resource and what they can do with it.
- Group policy automates security settings, application restrictions, and user environment rules in managed Windows environments.
- Directory permissions control access in centralized identity systems such as Active Directory or LDAP-backed directories.
- Privileged access management (PAM) secures administrative accounts by controlling checkout, approval, and session monitoring.
- Virtual private networks (VPNs), jump boxes, and secure gateways provide controlled remote access paths instead of direct exposure.
- Smart cards, hardware tokens, and biometric readers support stronger authentication methods.
SSO solutions reduce password fatigue because users authenticate once and then reuse a trusted session across multiple applications. That helps usability, but it also concentrates risk, which is why the SSO session must be protected well. If the attacker gets the session token, the convenience feature becomes the attack path.
For PAM, the practical goal is to keep admin credentials out of everyday workflows. A technician should not use the same account to read email and manage domain controllers. Separate admin accounts reduce the blast radius of phishing, malicious downloads, and careless browsing. Cisco® and other major vendors document remote access and identity-aware architectures in their official materials, and those designs line up closely with Security+ expectations.
Key Takeaway
Tools enforce policy, but policy still has to be designed correctly. A strong ACL on a bad share is still a bad design. A PAM platform with shared admin habits is still a risk. The tool does not replace the control objective.
Authentication Protocols and Identity Standards
Authentication protocols define how identity information is exchanged between systems. Security+ expects you to know what each protocol is for, not every packet detail. If you can explain the purpose of Kerberos, SAML, OAuth, and OpenID Connect, you are already covering a large chunk of the exam’s identity content.
Kerberos, SAML, OAuth, and OpenID Connect
- Kerberos uses ticket-based authentication in enterprise environments, especially in Active Directory domains.
- SAML supports enterprise federation and is commonly used for browser-based single sign-on.
- OAuth is about delegated authorization, allowing one service to access another service on a user’s behalf.
- OpenID Connect adds authentication on top of OAuth so an application can verify identity.
Kerberos works by giving a user a ticket after the initial authentication step. The user then presents tickets to services instead of repeatedly sending a password. That is efficient and reduces password exposure, but it also depends on time synchronization and trust in the key distribution process. Microsoft documents Kerberos behavior extensively in Microsoft Learn, and that makes it one of the most practical protocols to study for enterprise identity questions.
SAML is common when a user signs into a corporate portal and then reaches a third-party SaaS app without another login prompt. OAuth is different. It lets a user grant an app limited access, such as allowing a calendar app to read events without giving it the mailbox password. OpenID Connect sits on top of OAuth and adds identity claims, which is why it is often the right answer when a question asks about authentication in a modern app stack.
Certificate-based authentication is another major concept. It uses digital certificates and public key infrastructure (PKI) to prove identity and trust. PKI provides the certificates, chains of trust, and validation process behind smart card login, mutual TLS, and many device trust workflows. For technical grounding, the IETF RFCs and vendor documentation are the best reference points, especially when comparing certificates to password-based login.
If the question is about proving who a user is, think authentication. If the question is about letting one app act for another app, think authorization delegation and OAuth.
Managing Privileged and Shared Accounts
Privileged accounts are high-risk targets because they can change configurations, create users, disable controls, and access sensitive data. Admin credentials are valuable to attackers for the same reason they are valuable to defenders: they can do almost anything. That is why Security+ treats privileged access as a separate risk category.
Why privileged accounts need extra control
- Separate admin accounts keep elevated work away from normal daily use.
- Just-in-time access grants privilege only when needed and for a limited time.
- Just-enough administration limits the scope of what an admin can do.
- Temporary privilege elevation requires approval or workflow before escalation.
Shared accounts are even worse because they destroy accountability. If three admins use the same login, no one can confidently prove who made a change. That breaks incident response, audit trails, and discipline. It also makes insider abuse easier to hide. A shared root or local administrator password is a classic exam trap because it looks convenient but undermines every control around it.
Monitoring matters just as much as the control itself. Session recording, command logging, and detailed event logs help prove what happened during privileged sessions. That is especially important for systems covered by ISACA COBIT-style governance expectations or internal audit requirements. If an admin session touches production databases, the organization should be able to reconstruct the action path.
Warning
Never treat convenience as a reason to share credentials. Shared access may feel faster, but it usually creates a larger incident later and makes the investigation harder.
Identity Governance, Auditing, and Monitoring
Identity governance is the oversight layer that makes sure identities and permissions remain appropriate over time. IAM creates and enforces access. Governance checks whether that access still makes sense. That difference matters because access that was valid last quarter may be unnecessary now.
What governance looks like in practice
- Access reviews confirm whether a person still needs the permissions they have.
- Certifications or recertification require managers or data owners to reapprove access periodically.
- Logging captures login attempts, privilege changes, and policy decisions.
- Anomaly detection flags patterns like unusual travel, impossible logins, or new device use.
- Account lockout events can reveal brute force attacks or user mistakes.
Auditing is where all of this becomes measurable. If a user suddenly gets elevated access, the system should log who approved it, when it happened, and what changed. If a disabled account keeps authenticating, that is a red flag. If a contractor logs in after the engagement ended, that is a process failure, not just a technical event.
SIEM is a security tool that collects, correlates, and alerts on log data from many sources. Security information and event management platforms help teams detect access misuse by tying together authentication logs, privilege changes, endpoint events, and cloud activity. For a useful reference point, look at the guidance from SANS Institute and vendor documentation for log collection and correlation workflows.
Identity governance also shows up in regulatory and workforce contexts. HIPAA/HHS guidance, PCI DSS requirements, and ISO 27001 control expectations all push organizations toward better access review discipline. The exact language differs, but the message is the same: if access matters, it must be reviewed, logged, and revoked when no longer needed.
Common Access Control Risks and Misconfigurations
The most common access control failures are rarely exotic. They are usually basic mistakes repeated at scale. Security+ emphasizes this because real incidents often begin with obvious weaknesses that were never fixed.
Typical failures to recognize
- Weak passwords and password reuse make credential stuffing easy.
- Overprivileged accounts let a single compromise cause broad damage.
- Misconfigured ACLs expose files, shares, or applications to the wrong users.
- Open shares often appear during audits and internal scans as accidental exposure.
- Improper cloud permissions can publish data or let users modify infrastructure they should not control.
- Phishing and MFA fatigue attacks trick users into approving access they did not initiate.
- Stale accounts and orphaned accounts linger after users leave or change roles.
The Verizon Data Breach Investigations Report and IBM Cost of a Data Breach reports consistently show that credential misuse, stolen credentials, and access errors are recurring breach drivers. Those reports are valuable because they reinforce a simple truth: identity failures are not theoretical. They are one of the most reliable ways attackers get in. See the latest reports from Verizon DBIR and IBM Cost of a Data Breach.
Cloud misconfiguration deserves special attention because permissions often cross service boundaries. A storage bucket, identity role, and API key may all look harmless separately, but together they can expose sensitive data. If a Security+ question gives you a scenario with public access, excessive permissions, and no recent review, the correct answer usually points back to access governance and least privilege.
Most access control incidents are not caused by one impossible-to-spot flaw. They are caused by a boring combination of weak credentials, excess privilege, and poor monitoring.
Security+ Exam Tips and Real-World Scenarios
Security+ questions on access control and identity management are usually scenario-based. The test wants you to identify the control from the clue, not recite a definition from memory. If you can read the story, extract the risk, and map it to a control, you will answer faster and with more confidence.
Quick memory cues for the exam
- Authentication answers “Who are you?”
- Authorization answers “What can you do?”
- Accounting answers “What did you do?”
- Least privilege means the minimum access needed, nothing more.
- Implicit deny means deny by default unless access is explicitly allowed.
When you see role-based access control, think job function. When you see discretionary access control, think owner-controlled sharing. When you see mandatory access control, think classifications and labels. When you see attribute-based access control, think conditions and context. That comparison is often enough to eliminate wrong answers quickly.
For SSO, federation, and directory services, use a simple scenario test. If one login reaches several apps, think SSO. If two organizations trust each other’s identity system, think federation. If the question is about storing and managing identities centrally, think directory services. That distinction is one of the most common traps in exam wording.
Scenario-based thinking for privileged access and logging
- If the issue is admin access, think separate accounts, PAM, and session logging.
- If the issue is too many users with access, think access review, recertification, and least privilege.
- If the issue is an unknown login, think MFA, anomaly detection, and account lockout monitoring.
- If the issue is a shared admin account, think accountability and audit failure.
One practical study move is to tie every identity decision to risk reduction. Why use MFA? To reduce credential theft impact. Why deprovision on termination? To remove unauthorized access. Why recertify permissions? To find stale privilege. That mindset matches both Security+ exam logic and real operational security.
Key Takeaway
- Access control limits what a user, device, or service can see or change, and identity management keeps those permissions aligned to real-world roles.
- Authentication proves identity, authorization grants actions, and accounting records activity for audit and response.
- Least privilege and implicit deny are the default Security+ answers when a system must stay secure under uncertainty.
- Privileged accounts, shared credentials, and stale access are among the most common causes of real-world compromise.
- Kerberos, SAML, OAuth, and OpenID Connect solve different identity problems and are best identified by the scenario, not just the acronym.
Certified Ethical Hacker (CEH) v13
Learn essential ethical hacking skills to identify vulnerabilities, strengthen security measures, and protect organizations from cyber threats effectively
Get this course on Udemy at the lowest price →Conclusion
Mastering access control and identity management is not optional for Security+ candidates. It is one of the clearest ways to show you understand how cybersecurity basics work in practice. If you can explain authentication, authorization, least privilege, implicit deny, and the major identity protocols, you can handle a large share of exam questions and a lot of real operational issues too.
The best defense is layered control. Use strong authentication, limit permissions, review access regularly, monitor privileged activity, and remove accounts when they are no longer needed. That is how organizations reduce risk without turning access management into a bottleneck.
Study the scenarios, not just the definitions. Memorize the major models, know the difference between SSO and federation, and understand why shared accounts are dangerous. Strong identity controls are a cornerstone of defense in depth, and they are one of the first places a defender should look when something feels off.
For more applied practice, the Certified Ethical Hacker (CEH) v13 course is a useful next step because it reinforces how attackers abuse weak identity controls and how defenders can close those gaps.
CompTIA®, Security+™, Microsoft®, AWS®, Cisco®, ISC2®, ISACA®, and PMI® are trademarks of their respective owners.
