Identity & Access Management (IAM) Cheat Sheet
Covers IAM core concepts including authentication protocols, RBAC/ABAC models, and provisioning lifecycle for enterprise access control.
2 PagesIntermediateFeb 12, 2026
Core IAM Concepts
Foundational terms distinguishing identity and access functions.
- Authentication (AuthN)- Verifying who a user or system is (e.g. password, MFA, certificate)
- Authorization (AuthZ)- Determining what an authenticated identity is allowed to do
- Provisioning- Creating and configuring accounts and access when a user joins/changes roles
- De-provisioning- Revoking access promptly when a user leaves or changes roles
- SSO- Single Sign-On; one login session grants access across multiple applications
- Federation- Trust relationship allowing identity from one domain to be used in another
Access Control Models
Different strategies for determining who can access what.
- RBAC- Role-Based Access Control; permissions assigned to roles, users assigned to roles
- ABAC- Attribute-Based Access Control; decisions based on user/resource/environment attributes
- DAC- Discretionary Access Control; resource owner decides who gets access
- MAC- Mandatory Access Control; access governed by fixed system-wide policy (e.g. classification labels)
- PoLP- Principle of Least Privilege; grant only access strictly required for the role
SSO Protocol Basics
Simplified flow comparison of two common federated identity protocols.
text
# SAML (XML-based, common in enterprise SSO)1. User requests app -> App redirects to IdP2. IdP authenticates user, generates signed SAML assertion3. Browser POSTs assertion to app's Assertion Consumer Service (ACS)4. App validates signature, creates session# OpenID Connect (JSON/OAuth2-based, common in modern web/mobile)1. App redirects to IdP's /authorize endpoint2. User authenticates, IdP redirects back with an authorization code3. App exchanges code for an ID token (JWT) at the /token endpoint4. App validates the JWT signature and claims
IAM Best Practices
Habits that reduce identity-related risk in an organization.
- Enforce MFA everywhere- Especially for privileged and remote access accounts
- Just-in-time access- Grant elevated privileges only for the duration needed, then auto-revoke
- Regular access reviews- Periodically recertify that granted access is still required
- Centralize identity- Use a single IdP rather than app-specific credential stores
- Audit logging- Log all authentication and privilege-change events for investigation
Pro Tip
Automate de-provisioning by tying it to your HR system's termination event — manual offboarding is the single most common source of orphaned accounts that attackers find and exploit months later.
Was this cheat sheet helpful?
Explore Topics
#IdentityAccessManagementIAM#IdentityAccessManagementIAMCheatSheet#Cybersecurity#Intermediate#CoreIAMConcepts#AccessControlModels#SSOProtocolBasics#IAMBestPractices#Security#InfrastructureAsCode#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance