Identity and Access Management (IAM) often gets reduced to authentication technologies—passwords, MFA, biometrics—but access control is where security actually succeeds or fails.
CISSP Domain 5 Part 2 focuses on how access is granted, enforced, reviewed, and revoked. In real environments, most breaches don’t occur because attackers defeat cryptography—they occur because someone had access they should not have had.
For CISSP candidates, this domain tests conceptual understanding. For practitioners, it reflects daily operational challenges: entitlement creep, service accounts, over-permissioned users, and poorly enforced authorization policies.
What Is Access Control?
Access control is the set of mechanisms and policies that determine how subjects interact with objects within a system.
At its core, access control ensures:
- Authorized users get appropriate access
- Unauthorized access is prevented
- All access is logged, auditable, and accountable
Strong access control is preventive, detective, and corrective.
Subjects and Objects: The Foundation of All Access Decisions
Subjects
A subject is any active entity that requests access:
- Users
- Processes
- Services
- Devices
- Applications
In modern environments, non-human identities (NHIs)—service accounts, APIs, workloads—often outnumber human users.
Objects
An object is any passive resource being accessed:
- Files and directories
- Databases
- APIs
- Network ports
- Applications
- Systems
Access control exists to define which subjects can perform which actions on which objects.
AAA: Authentication, Authorization, and Accounting
AAA is a fundamental IAM concept and heavily tested in CISSP.
Authentication: Proving Identity
Authentication verifies that a subject is who they claim to be.
Authentication factors include:
- Something you know (passwords, PINs)
- Something you have (tokens, smart cards)
- Something you are (biometrics)
- Somewhere you are (location)
- Something you do (behavior)
In real-world security, authentication strength must match risk, not convenience.
Authorization: Determining What You Can Do
Authorization defines what an authenticated identity is allowed to do.
Key point for CISSP:
Authentication answers who you are; authorization answers what you’re allowed to do.
Authorization relies on:
- Access control policies
- Entitlement assignments
- Role definitions
- Attributes and conditions
Most access failures stem from poor authorization design, not weak authentication.
Accounting: Accountability and Auditability
Accounting ensures actions are:
- Logged
- Traceable
- Attributable
Logs support:
- Incident investigations
- Compliance audits
- Forensic analysis
- Insider threat detection
From a security perspective, access that is not logged effectively did not happen: it cannot be investigated, audited, or attributed.
Access Control Models Explained (With Practical Context)
Role-Based Access Control (RBAC)
RBAC assigns permissions based on organizational roles, not individuals.
Why RBAC Works
- Scales well
- Simplifies access management
- Aligns with job functions
- Supports least privilege when designed correctly
Real-World Challenge
RBAC often degrades into role explosion when organizations create too many granular roles instead of using attributes.
RBAC remains the default enterprise standard, but it is rarely sufficient on its own.
Rule-Based Access Control
Rule-based access uses conditional logic to enforce access:
- Time of day
- Location
- Network
- Device type
This model is common in:
- Network access control (NAC)
- Firewall rules
- Conditional access policies
Rule-based control adds automation and context, reducing manual access changes.
Mandatory Access Control (MAC)
MAC enforces access based on system-enforced security labels.
Characteristics:
- Central authority
- Subjects cannot change permissions
- Common in military and government systems
MAC prioritizes confidentiality over flexibility.
From a CISSP standpoint:
- MAC is rigid
- Highly secure
- Difficult to manage at scale outside regulated environments
Discretionary Access Control (DAC)
DAC allows object owners to control access.
Common in:
- Windows NTFS
- Linux file permissions
- Shared drives
Strengths
- Flexible
- Easy to implement
- Granular
Weaknesses
- Permission sprawl
- Poor visibility
- High risk of misconfiguration
DAC is effective operationally—but dangerous without governance.
Attribute-Based Access Control (ABAC)
ABAC evaluates multiple attributes before granting access:
- User attributes
- Resource attributes
- Environmental conditions
- Risk signals
ABAC enables dynamic, context-aware access decisions.
This model underpins:
- Zero Trust architectures
- Cloud IAM platforms
- Modern identity providers
ABAC is powerful—but complex to design and troubleshoot.
Risk-Based Access Control
Risk-based access adjusts authentication and authorization in real time based on perceived risk.
Signals include:
- Device trust
- Location anomalies
- Network reputation
- Data sensitivity
- User behavior
This model is common in:
- Conditional access
- Adaptive MFA
- Identity threat detection
Risk-based access is not about denial—it’s about proportionate trust.
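The ABAC and risk-based models above can be made concrete in a small policy evaluator. This is an added example, not code from the original article: the attribute names (department, owner_dept, sensitivity, device_trusted, hour), the risk weights and the thresholds are assumptions chosen for the demonstration, and the engine denies by default.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    user: dict        # user attributes (department, roles, ...)
    resource: dict    # resource attributes (owner_dept, sensitivity)
    env: dict         # environmental conditions (device_trusted, hour)
    signals: dict = field(default_factory=dict)  # risk signals

def risk_score(req: Request) -> int:
    """Sum constructed risk weights; higher means riskier (assumed values)."""
    score = 0
    if not req.env.get("device_trusted", False):
        score += 40
    if req.signals.get("location_anomaly", False):
        score += 30
    if req.signals.get("network_reputation", "good") == "bad":
        score += 30
    if req.resource.get("sensitivity") == "confidential":
        score += 20
    return score

def decide(req: Request, action: str) -> str:
    """Deny by default: attribute rules must all hold, then the risk score
    decides between allow, step-up MFA, or deny (proportionate trust)."""
    # User/resource attribute rule: same department as the resource owner.
    if req.user.get("department") != req.resource.get("owner_dept"):
        return "deny"
    # Writes additionally require the editor role.
    if action == "write" and "editor" not in req.user.get("roles", []):
        return "deny"
    # Environmental condition: confidential data only in business hours.
    hour = req.env.get("hour", -1)
    if req.resource.get("sensitivity") == "confidential" and not 8 <= hour < 18:
        return "deny"
    # Risk-based adjustment on top of the static attribute rules.
    score = risk_score(req)
    if score >= 70:
        return "deny"
    if score >= 40:
        return "step_up_mfa"
    return "allow"
```

Note that the same request can yield "allow", "step_up_mfa" or "deny" depending only on environment and risk signals, which is what distinguishes risk-based access from a static RBAC decision.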
Data Classification: Aligning Access With Sensitivity
Access control must align with data classification, or it fails by design.
Government and Military Classification
- Top Secret
- Secret
- Confidential
- Unclassified
Higher classification = stricter access controls, logging, and clearance checks.
Private Sector Classification
- Confidential
- Private
- Sensitive
- Public
Classification drives:
- Access requirements
- Encryption standards
- Retention policies
- Monitoring intensity
In practice, misclassification causes overexposure or unnecessary restriction.
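The MAC model described earlier and the government classification levels listed here fit together in a label check with an access log for accounting. This is an added example, not code from the original article: it assumes the classic clearance-dominance rule (read only at or below your clearance, write only at or above it, as in Bell-LaPadula), fails closed on unknown labels, and uses an in-memory log standing in for a real audit pipeline.

```python
from datetime import datetime, timezone

# Classification lattice from the article, lowest to highest.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
ACCESS_LOG: list = []  # constructed in-memory log; a real system ships to a SIEM

def mac_check(subject: str, clearance: str, obj: str, label: str, action: str) -> bool:
    """Return True if the labeled access is permitted under MAC.
    Labels are set by the central authority; subjects cannot change them."""
    if clearance not in LEVELS or label not in LEVELS:
        allowed = False                                  # unknown label: fail closed
    elif action == "read":
        allowed = LEVELS[clearance] >= LEVELS[label]     # no read up
    elif action == "write":
        allowed = LEVELS[clearance] <= LEVELS[label]     # no write down
    else:
        allowed = False                                  # deny unknown actions
    # Accounting: every decision is logged, attributable and traceable.
    ACCESS_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": subject, "clearance": clearance,
        "object": obj, "label": label, "action": action,
        "result": "ALLOW" if allowed else "DENY",
    })
    return allowed

def denied_events(subject: str) -> list:
    """Detective control: surface a subject's denied attempts for review."""
    return [e for e in ACCESS_LOG if e["subject"] == subject and e["result"] == "DENY"]
```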
Identity Governance: Managing Access Over Time
User Access Reviews
Periodic access reviews validate:
- Role appropriateness
- Privilege necessity
- Separation of duties
Access reviews are tedious—but auditors and attackers love it when they’re skipped.
Service and System Account Reviews
Service accounts often:
- Have elevated privileges
- Lack MFA
- Use static credentials
- Persist indefinitely
Best practices include:
- Clear ownership
- Credential rotation
- Least privilege
- Detailed documentation
Service accounts are high-value targets.
Provisioning and Deprovisioning
User lifecycle management ensures:
- Access is granted promptly
- Access is revoked immediately
- No orphaned accounts remain
Automation reduces:
- Human error
- Delays
- Security gaps
In real breaches, unused accounts are frequently exploited.
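The review and deprovisioning steps in this section can be automated as a simple reconciliation between the directory and the HR roster. This is an added example, not code from the original article: the account records, the HR roster, the field names and the 90-day credential-rotation threshold are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data: a directory export and the set of active HR records.
HR_ACTIVE = {"alice", "bob"}
ACCOUNTS = [
    {"name": "alice", "type": "user", "enabled": True},
    {"name": "carol", "type": "user", "enabled": True},           # left the company
    {"name": "svc-backup", "type": "service", "enabled": True,
     "owner": "bob", "last_rotated": "2024-04-15"},
    {"name": "svc-legacy", "type": "service", "enabled": True,
     "owner": None, "last_rotated": "2022-06-01"},               # nobody owns it
]

def review_accounts(accounts, hr_active, today_iso, max_age_days=90):
    """Return governance findings keyed by account name.
    orphaned         - enabled user account with no active HR record
    no_owner         - service account without a clear owner
    stale_credential - service credential older than max_age_days"""
    today = date.fromisoformat(today_iso)
    findings = {}
    for acct in accounts:
        issues = []
        if acct["type"] == "user":
            if acct["enabled"] and acct["name"] not in hr_active:
                issues.append("orphaned")
        elif acct["type"] == "service":
            if not acct.get("owner"):
                issues.append("no_owner")
            rotated = date.fromisoformat(acct["last_rotated"])
            if today - rotated > timedelta(days=max_age_days):
                issues.append("stale_credential")
        if issues:
            findings[acct["name"]] = issues
    return findings
```

Each finding maps to an action from the section above: disable the orphaned account, assign an owner, and rotate the stale credential.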
Expert Perspective: What CISSP Candidates Miss
Many IAM failures are not technical—they’re organizational:
- Poor role design
- Lack of ownership
- Infrequent reviews
- Overreliance on tools without governance
CISSP Domain 5 is ultimately about discipline, not technology.
Final Thoughts
Access control is the operational backbone of security. Authentication gets users in—but authorization determines damage potential.
CISSP Domain 5 Part 2 reinforces a key truth for modern environments:
You cannot secure what you cannot control—and you cannot control what you do not regularly review.
For both exam success and real-world effectiveness, mastering access control models and identity governance is non-negotiable.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
