Authorization, Least Privilege, RBAC, Geofencing, and Time-Based Access
Key Takeaways
- Authorization decides what an authenticated identity may access; a valid login can still be denied by policy.
- Least privilege grants only the access a role needs, for only as long as needed, and includes network reachability not just app permissions.
- RBAC assigns permissions to named roles and users to roles, making access reviewable and auditable.
- Conditional access weighs context: user group, device posture, location, risk score, time, and source network.
- Geofencing and time-based access are guardrails that fail closed; they supplement, never replace, strong authentication and logging.
Authorization and Conditional Access
Authentication proves an identity; authorization decides what that identity may do. A user can authenticate successfully and still be denied because they are not in the right role, are on an unapproved device, are connecting from a blocked location, or are outside an approved time window. On the N10-009 exam, watch for stems where the user logs in fine but cannot reach a resource - that almost always points to an authorization concept.
Least Privilege
Least privilege means an account receives only the permissions needed for the task, no broader and no longer than necessary. It covers user accounts, service accounts, administrators, network devices, wireless clients, VPN groups, and cloud identities.
| Poor pattern | Better pattern |
|---|---|
| All IT staff are permanent domain admins | Admins request time-limited elevation (just-in-time) for specific systems |
| Every VPN user can reach every subnet | VPN groups map to only the approved apps and networks |
| A service account can read/write all databases | The service account touches only the objects it needs |
| Guest Wi-Fi routes to internal systems | Guest Wi-Fi reaches the Internet only |
Privilege creep happens when users keep old access after job changes. A mover/joiner/leaver workflow plus recurring access reviews (recertification) strip permissions that no longer match the role. On the exam, a stem describing someone who "transferred departments three times and still has every old permission" is describing privilege creep, and the correct remedy is an access review tied to least privilege, not adding yet another rule.
Least privilege is also temporal: access should last only as long as the task. Just-in-time (JIT) elevation grants an administrator rights for a short window and revokes them automatically, which is stronger than leaving standing admin accounts active all year. This is why permanent domain-admin membership for every IT staffer is the textbook wrong answer.
RBAC
Role-based access control (RBAC) assigns permissions to roles and users to roles, which is far easier to review than granting unique permissions to each person.
| Role | Typical access | Denied |
|---|---|---|
| Help desk | Password reset, asset inventory, ticket notes | Firewall rule changes |
| Network operator | Read monitoring, run approved diagnostics | Identity provider administration |
| Network engineer | Configure assigned switches/routers | Payroll application data |
| Guest user | Internet only | Internal application subnets |
RBAC works best when role names are self-explanatory, a business owner approves membership, and access is reviewed on a schedule. A group named NetOps-Switch-ReadOnly is far easier to audit than a vague Access-7. Contrast RBAC with assigning permissions to individuals one at a time: when a new engineer joins, you simply add them to the role and they inherit the exact, reviewed permission set, instead of someone hand-copying access from a similar coworker (which silently spreads excess rights). The exam favors RBAC as the scalable, auditable answer over per-user assignment.
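The RBAC pattern above, together with the joiner/mover/leaver and just-in-time elevation points from the least-privilege section, as an added Python example (not code from the page or any product); the role names, job baselines and timestamps are constructed for illustration:

```python
from datetime import datetime, timedelta

# Constructed sample roles, named so they are self-explanatory when reviewed.
ROLE_PERMS = {
    "HelpDesk":        {"password.reset", "asset.read", "ticket.note"},
    "NetOps-ReadOnly": {"monitor.read", "diag.run"},
    "NetEng-Switches": {"switch.configure", "monitor.read"},
    "DomainAdmin":     {"firewall.rule.change", "idp.admin"},
}
# The reviewed baseline: which standing roles each job function should hold.
JOB_BASELINE = {"helpdesk": {"HelpDesk"}, "netops": {"NetOps-ReadOnly"},
                "neteng": {"NetEng-Switches"}}
# Constructed timestamps used for the just-in-time elevation checks.
NOW = datetime(2024, 6, 3, 10, 0)
LATER = NOW + timedelta(minutes=61)

class Directory:
    def __init__(self):
        self.job = {}    # user -> job function
        self.roles = {}  # user -> standing roles
        self.jit = {}    # user -> {role: expiry} for time-limited elevation

    def join(self, user, job):
        """Joiner: grant exactly the baseline roles for the job, nothing copied from a peer."""
        self.job[user], self.roles[user], self.jit[user] = job, set(JOB_BASELINE[job]), {}

    def move(self, user, new_job):
        """Mover: replace the old role set instead of accumulating it."""
        self.job[user], self.roles[user] = new_job, set(JOB_BASELINE[new_job])

    def elevate(self, user, role, now, minutes=60):
        """JIT elevation: the role expires automatically; no standing membership is added."""
        self.jit[user][role] = now + timedelta(minutes=minutes)

    def effective_roles(self, user, now):
        active = {r for r, exp in self.jit.get(user, {}).items() if now < exp}
        return self.roles.get(user, set()) | active

    def is_authorized(self, user, perm, now):
        return any(perm in ROLE_PERMS[r] for r in self.effective_roles(user, now))

    def recertify(self):
        """Access review: report standing roles beyond the job baseline (privilege creep)."""
        creep = {u: self.roles[u] - JOB_BASELINE[self.job[u]] for u in self.roles}
        return {u: extra for u, extra in creep.items() if extra}
```

The recertify() report is what an access review produces: a hand-added role shows up as creep, a mover replaces rather than accumulates roles, and a JIT elevation never appears because it is not standing access.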
Conditional Access
Conditional access uses context to allow, deny, or challenge a request (for example, force a step-up MFA prompt).
| Condition | Example decision |
|---|---|
| User group | Engineers may open network management tools |
| Device posture | Only managed, encrypted laptops get full VPN |
| Location | Block logins from countries where the firm has no operations |
| Risk score | Demand stronger MFA on impossible travel or a new device |
| Time | Allow contractor access only during approved support hours |
| Source network | Permit admin portals only from a privileged-access-workstation subnet |
Geofencing is a location-based policy that allows or blocks access by physical or network location, for example denying logins from countries where the company has no users. It shrinks exposure but is not proof of identity, because attackers can route through proxies, VPNs, or compromised hosts inside an approved region. Treat geofencing as one signal feeding a risk decision, never as a standalone authentication method.
Time-based access cuts standing exposure for temporary work, but emergency access and logging still need planning - and the policy should fail closed when the window ends, meaning access is denied by default if the time check cannot be evaluated.
Conditional access engines combine these signals additively. A login from a managed device, in an expected country, during business hours might pass with a single factor, while the same account from a new device after impossible travel is challenged for step-up MFA or blocked outright. The Network+ takeaway is that authorization is increasingly contextual rather than a static yes/no tied only to group membership.
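A conditional access decision combining the signals from the table above, including a geofence and a contractor time window that both fail closed when the signal cannot be evaluated, as an added Python example (not code from the page or any identity provider); the countries, subnet, hours and timestamps are constructed for illustration:

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed policy values for this example, not from any real deployment.
ALLOWED_COUNTRIES = {"US", "CA"}                            # geofence: where the firm operates
PAW_SUBNET = ipaddress.ip_network("10.50.0.0/24")           # privileged-access-workstation subnet
CONTRACTOR_WINDOW = (8, 12)                                 # Saturday 08:00-12:00 support hours
RESOURCE_GROUPS = {"netmgmt": {"engineer", "admin"}, "admin_portal": {"admin"},
                   "plant": {"contractor", "engineer"}}
# Constructed timestamps: 2024-06-01 is a Saturday.
SAT_0900 = datetime(2024, 6, 1, 9, 0)
SAT_1300 = datetime(2024, 6, 1, 13, 0)

@dataclass
class Request:
    group: str                  # RBAC group of the authenticated user
    resource: str               # what is being requested
    country: Optional[str]      # None when geolocation could not be resolved
    managed_device: bool        # device posture from the endpoint agent
    risk: str                   # "low" | "medium" | "high" from the IdP risk engine
    source_ip: str
    now: Optional[datetime]     # None when the time claim cannot be evaluated

def evaluate(req: Request) -> str:
    """Combine signals additively: any hard deny wins, then the riskiest
    remaining signal decides between 'step_up' (stronger MFA) and 'allow'."""
    # Geofence: unknown or unapproved location fails closed.
    if req.country not in ALLOWED_COUNTRIES:
        return "deny"
    # Time-based access for contractors; an unevaluable time also fails closed.
    if req.group == "contractor":
        if req.now is None or req.now.weekday() != 5:           # 5 == Saturday
            return "deny"
        if not CONTRACTOR_WINDOW[0] <= req.now.hour < CONTRACTOR_WINDOW[1]:
            return "deny"
    # Source network: admin portals reachable only from the PAW subnet.
    if req.resource == "admin_portal" and ipaddress.ip_address(req.source_ip) not in PAW_SUBNET:
        return "deny"
    # Group membership is still required; context never widens RBAC.
    if req.group not in RESOURCE_GROUPS.get(req.resource, set()):
        return "deny"
    # Remaining signals decide between step-up MFA and a plain allow.
    if req.risk == "high" or not req.managed_device:
        return "step_up"
    return "allow"
```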
Network Authorization Examples
| Scenario | Strong authorization design |
|---|---|
| Remote finance users need one accounting app | VPN group permits only the accounting subnet and port |
| Contractors support a plant network weekly | Time-limited access with MFA and logging during the window |
| Wireless IoT sensors send cloud telemetry | ACL permits only DNS, NTP, and the vendor endpoint |
| Admins manage firewalls | TACACS+ maps named admins to specific command sets and records activity |
The finance example is the canonical Network+ least-privilege scenario: the user authenticates, then is authorized only to the subnet and port the role requires - everything else is implicitly denied.
Common Traps
- A successful login does not imply broad authorization.
- Assigning permissions directly to individuals makes review harder than using RBAC groups.
- Geofencing is a useful signal, not proof a user is legitimate.
- Time-based access must fail closed when the window expires, not stay open.
- Least privilege must include network reachability (ACLs, VPN scope), not just file or app rights.
A VPN user authenticates successfully but can reach only the accounting application subnet and nothing else. Which concept is being enforced?
A contractor account is automatically disabled outside a Saturday 08:00-12:00 maintenance window and re-enabled when it begins. What control is this?
Which design choice best demonstrates the principle of least privilege?