AAA and IAM Concepts
Key Takeaways
- AAA separates Authentication, Authorization, and Accounting; SY0-701 items punish you for blending the three.
- IAM controls the full identity lifecycle: proofing, provisioning, maintenance, recertification, and deprovisioning.
- Federation lets a Service Provider trust signed identity assertions from a separate Identity Provider (SAML/OIDC).
- SSO improves usability but concentrates risk in the IdP, so session theft and IdP compromise become high-impact events.
- Accounting is only useful with synchronized clocks (NTP), defined retention, log integrity, and active review.
The Four Words Behind Identity Questions
AAA stands for Authentication, Authorization, and Accounting, and most Security+ identity items test whether you can keep the three apart. Before authentication there is also identification, the unproven claim. The order of operations matters: a user claims an identity, proves it, receives access, and the system later records what happened. If a question asks how you would prove an admin changed a firewall rule, the answer lives in accounting, not authentication.
| Term | Question it answers | Example clue on the exam |
|---|---|---|
| Identification | Who do you claim to be? | Username, employee ID, certificate subject |
| Authentication | Can you prove that claim? | Password, FIDO2 key, smart card, biometric |
| Authorization | What may you do once proven? | Group membership, role, policy decision |
| Accounting | What did you actually do? | Login record, sudo log, audit trail |
The SY0-701 exam delivers a maximum of 90 questions (multiple-choice plus performance-based simulations) in 90 minutes, and you pass at 750 on a 100-900 scale. The exam fee is about $425 USD, and the credential is valid for three years (renewable through continuing education). The identity, governance, and supporting concepts covered here sit in Domain 5 (Security Program Management) and Domain 4 (Operations), so expect them throughout the exam rather than in a single block.
A useful mnemonic for the AAA flow is claim, prove, permit, record: the username is the claim, the credential proves it, the policy permits the action, and the log records the outcome.
The IAM Lifecycle: Joiner, Mover, Leaver
Identity and Access Management (IAM) governs an account from creation to deletion. Examiners frame this as JML: Joiner, Mover, Leaver. A leaked credential is an authentication failure; access that lingers after a job change is a lifecycle failure.
| Phase | Security goal | Common control |
|---|---|---|
| Identity proofing | Bind the account to the real person or workload | HR record, ID document check, device attestation |
| Provisioning (Joiner) | Create the right account with least access | Default-deny, SCIM push, role assignment |
| Maintenance (Mover) | Keep entitlements current as duties change | Access review, recertification, role swap |
| Deprovisioning (Leaver) | Remove access promptly and completely | Disable account first, revoke tokens, strip groups |
| Monitoring | Detect drift or abuse | SIEM alerts, UEBA, privileged session recording |
Provisioning should be automated through SCIM (System for Cross-domain Identity Management) so HR events drive account changes. A subtle exam point: on termination you disable before you delete, preserving the account for legal hold and forensics while immediately killing access. Service and machine accounts need the same lifecycle, and they are the ones teams forget.
Federation, SSO, and Directory Services
Single Sign-On (SSO) means one authentication event grants access to many services. Federation extends trust across security or organizational boundaries: a Service Provider (SP) trusts a signed assertion from an external Identity Provider (IdP). The SP never stores the user's password; it validates a token.
| Concept | Exam-useful description | Watch for |
|---|---|---|
| Directory service | Central store of users, groups, devices, attributes | LDAP, Active Directory |
| SSO | One login event unlocks multiple apps | Higher impact if the session cookie is stolen |
| Federation | Trust across orgs or domains | IdP, SP, SAML, OIDC |
| SAML | XML assertion standard, common for enterprise web SSO | Signed assertion, relying party |
| OIDC | Identity layer on OAuth 2.0, common for modern apps | ID token (JWT), authorization server |
A common trap: OAuth 2.0 alone is authorization (delegated access to an API), while OpenID Connect (OIDC) adds the authentication identity layer on top. Kerberos provides SSO inside a single Windows domain using tickets; SAML/OIDC federate between domains.
Trap Callout: SSO Is Not the Same Password Everywhere
If each app simply uses an identical, manually entered password, that is password reuse, not SSO. True SSO relies on the IdP to issue a token, assertion, or session result that the app validates without ever holding the credential.
Accounting Done Right and a Scenario
Accounting (the third A, sometimes called auditing) is worthless without four supports: clock synchronization via NTP so events across systems line up, defined retention so logs exist when needed, log integrity (write-once or forwarding to a protected SIEM) so attackers cannot rewrite history, and active review so alerts get seen.
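Added example, not from the guide: the accounting supports as code. A hash-chained log stands in for write-once integrity, a clock-skew check stands in for NTP verification, and a review query answers the "prove an admin changed a firewall rule" question; the log lines and host names are constructed.

```python
# Added example (not from the study guide): log integrity (hash chain), clock
# sanity (skew detection) and review by query. The log lines are constructed.
import hashlib, json
from datetime import datetime, timedelta

def chain(records, seed="genesis"):
    """Write-once style: each entry carries the SHA-256 of (previous hash + body),
    so rewriting any record breaks every later link."""
    prev, out = seed, []
    for r in records:
        body = json.dumps(r, sort_keys=True)
        h = hashlib.sha256((prev + body).encode()).hexdigest()
        out.append({"rec": r, "prev": prev, "hash": h})
        prev = h
    return out

def verify_chain(entries, seed="genesis"):
    """Returns the index of the first broken link, or None if the log is intact."""
    prev = seed
    for i, e in enumerate(entries):
        body = json.dumps(e["rec"], sort_keys=True)
        if e["prev"] != prev or e["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
            return i
        prev = e["hash"]
    return None

def clock_skew_findings(records, tolerance=timedelta(seconds=5)):
    """NTP check: flag records whose timestamp runs earlier than the latest one
    seen by more than the tolerance; such events cannot be correlated."""
    findings, latest = [], None
    for r in records:
        ts = datetime.fromisoformat(r["ts"])
        if latest is not None and ts < latest - tolerance:
            findings.append((r["host"], r["ts"]))
        latest = ts if latest is None else max(latest, ts)
    return findings

def who_did(records, action):
    """Review: the accounting answer to 'prove an admin changed a firewall rule'."""
    return sorted({(r["user"], r["host"], r["ts"]) for r in records if r["action"] == action})

LOG = [  # constructed: fw1 is NTP-synced, the SIEM host's clock is ~10 minutes slow
    {"ts": "2024-05-01T10:00:00+00:00", "host": "fw1", "user": "alice", "action": "login"},
    {"ts": "2024-05-01T10:00:30+00:00", "host": "fw1", "user": "alice", "action": "rule_change"},
    {"ts": "2024-05-01T09:50:02+00:00", "host": "siem", "user": "alice", "action": "rule_change_received"},
    {"ts": "2024-05-01T10:01:10+00:00", "host": "fw1", "user": "alice", "action": "logout"},
]

def tamper_demo():
    """Rewrite who made the change in a copy of the chained log; return the failing index."""
    entries = chain([dict(r) for r in LOG])
    entries[1]["rec"]["user"] = "mallory"
    return verify_chain(entries)
```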
Scenario Walkthrough
A sales rep transfers to finance. The CRM role stays active, the finance role is added, and no one reviews the combined access. Login still succeeds, so authentication is fine. The defect is authorization drift during the Mover phase. Correct response: a mover workflow that removes the stale CRM role, applies least privilege, triggers recertification, and logs the change.
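Added example (not the guide's own code) covering both the lifecycle table above and this scenario: an access review that compares what an account holds with what HR's current roles justify, a mover workflow that removes the drift, and a leaver workflow in disable-before-delete order. The role baselines, HR feed and account are constructed.

```python
# Added example (not from the study guide): a Joiner/Mover/Leaver check written
# as an access review. Baselines, HR feed and account are constructed inline.
from dataclasses import dataclass, field
ROLE_BASELINE = {                       # constructed: what each role justifies
    "sales": {"crm.read", "crm.write"},
    "finance": {"erp.read", "erp.post_journal"},
}

@dataclass
class Account:
    user: str
    roles: set
    entitlements: set
    enabled: bool = True
    tokens: set = field(default_factory=set)
    audit: list = field(default_factory=list)

def justified(hr_roles):
    return set().union(*(ROLE_BASELINE.get(r, set()) for r in hr_roles))

def access_review(acct, hr_roles):
    """Recertification: entitlements the account holds that HR's current
    roles do not justify. Anything returned is authorization drift."""
    return sorted(acct.entitlements - justified(hr_roles))

def mover(acct, hr_roles):
    """Mover workflow: align roles to HR, strip stale entitlements, grant the
    new baseline (least privilege) and log the change for accounting."""
    stale = set(access_review(acct, hr_roles))
    acct.roles = set(hr_roles)
    acct.entitlements = (acct.entitlements - stale) | justified(hr_roles)
    acct.audit.append(f"mover {acct.user} roles={sorted(hr_roles)} removed={sorted(stale)}")
    return sorted(stale)

def leaver(acct):
    """Leaver workflow in the exam's order: disable first, then revoke tokens
    and strip groups. The object is retained (never deleted) for legal hold."""
    acct.enabled = False
    revoked, acct.tokens = len(acct.tokens), set()
    acct.roles, acct.entitlements = set(), set()
    acct.audit.append(f"leaver {acct.user} disabled tokens_revoked={revoked}")
    return revoked

def scenario():
    """Replay of the walkthrough: a sales rep moves to finance and the CRM role
    lingers. Returns (drift the review finds, drift left after the mover runs)."""
    rep = Account("jdoe", {"sales"}, set(ROLE_BASELINE["sales"]), tokens={"s1"})
    rep.roles.add("finance")                      # finance added ...
    rep.entitlements |= ROLE_BASELINE["finance"]  # ... but sales never removed
    found = access_review(rep, ["finance"])       # HR now says finance only
    mover(rep, ["finance"])
    return found, access_review(rep, ["finance"])
```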
Quick Drill
| Need | Best answer |
|---|---|
| Prove an admin changed a firewall rule | Accounting / audit log |
| One login for many cloud apps | SSO through the IdP |
| Make a SaaS app trust corporate login | Federation (SAML/OIDC) |
| Automatically remove access at termination | Deprovisioning (Leaver) |
| Stop stale permissions after a transfer | Recertification / mover workflow |
| Push HR-driven account changes to apps | SCIM provisioning |
| Validate identity across organizations | SAML or OIDC assertion |
| Disable but retain an account for forensics | Disable-before-delete in the Leaver phase |
One last distinction the exam rewards: a directory service (LDAP, Active Directory) is the store of identities, while an identity provider is the service that authenticates against that store and issues tokens. They are often the same product but are tested as separate roles, especially when a question contrasts internal directory authentication with external federation.
A terminated contractor can still open a project-management SaaS app because the account was never disabled. Which IAM lifecycle control failed?
An enterprise lets employees sign in to an external SaaS vendor using the company's own identity provider, and the vendor never stores the employee password. Which concept is most directly shown?
Which items belong to accounting in AAA? Choose two.