Phase 5: Domain 5 — Identity & Access Management (13%)

Timeline: May 3-9 (Week 5, first half)

Another strength domain. ISE, Active Directory, FreeIPA, Keycloak OIDC/SAML, Vault SSH CA, dACL — you implement IAM daily. Focus on CISSP-specific models and formal terminology.

Key Concepts

Access Control Models

| Model | How It Works | Your Example |
|---|---|---|
| DAC (Discretionary) | The object's owner sets permissions (chmod, ACLs) and can grant them to anyone; the system does not second-guess the owner | Linux file permissions, setfacl |
| MAC (Mandatory) | System-enforced labels: subject clearance is compared against object classification, and neither the owner nor the user can change the labels | SELinux contexts, AppArmor profiles |
| RBAC (Role-Based) | Permissions are assigned to roles, users are assigned to roles; the policy never names an individual user (CISSP files this under non-discretionary) | ISE admin roles, Vault policies, AD groups |
| ABAC (Attribute-Based) | Policy rules evaluated over attributes of the subject, resource, environment and action | ISE posture policies (device type + location + compliance = access level) |
| Rule-Based | Global if/then rules applied to every subject regardless of identity; first match wins, implicit deny | VyOS firewall rules, ISE authorization policies |
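
To make the "who decides, based on what" differences concrete, here is an added example (not from the study guide): the same request evaluated by a toy decision function for each model in the table. Every user, label, role, attribute, network rule and resource in it is constructed for the demo; the MAC check is the simplified "clearance must dominate classification" comparison only.

```python
"""Added example, not part of the study guide: one access request run through
a toy decision function for each CISSP access control model, so the difference
in who decides and what the decision is based on is concrete. All users, roles,
labels, attributes, rules and resources below are constructed for the demo."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# MAC: ordered classification labels (higher = more sensitive)
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# RBAC: permissions hang off roles, never off individual users
ROLE_PERMS = {
    "ise-admin": {"read", "write", "delete"},
    "helpdesk": {"read"},
}

# Rule-based: global first-match rules, firewall style, implicit deny
NET_RULES = [
    # (source network, action, decision)
    ("10.10.0.0/16", "read", True),    # whole corp LAN may read
    ("10.10.50.0/24", "write", True),  # only the admin VLAN may write
]


@dataclass
class Subject:
    name: str
    clearance: str                              # MAC label, set by the system
    roles: set = field(default_factory=set)     # RBAC
    attrs: dict = field(default_factory=dict)   # ABAC (device, posture, ...)


@dataclass
class Resource:
    name: str
    owner: str                                  # DAC: the owner controls the ACL
    classification: str                         # MAC label
    acl: dict = field(default_factory=dict)     # DAC: principal -> permissions
    attrs: dict = field(default_factory=dict)   # ABAC


def dac(sub, res, action, env):
    """Discretionary: the owner decides. Owner has full rights; everyone else
    gets whatever the owner put in the ACL (chmod / setfacl semantics)."""
    if sub.name == res.owner:
        return True
    return action in res.acl.get(sub.name, set())


def mac(sub, res, action, env):
    """Mandatory: the system compares labels. Owner and ACL are irrelevant;
    the subject's clearance must dominate the object's classification."""
    return LEVELS[sub.clearance] >= LEVELS[res.classification]


def rbac(sub, res, action, env):
    """Role-based: the policy mentions roles only (AD group, ISE admin role,
    Vault policy), never the user's name."""
    return any(action in ROLE_PERMS.get(role, set()) for role in sub.roles)


def abac(sub, res, action, env):
    """Attribute-based, modelled on an ISE posture policy: a compliant
    corporate device on site may read; writes additionally require a
    non-production resource."""
    on_site = env.get("location") == "office"
    compliant = sub.attrs.get("posture") == "compliant"
    corporate = sub.attrs.get("device_type") == "corporate"
    if action == "read":
        return on_site and compliant and corporate
    if action == "write":
        return on_site and compliant and corporate and res.attrs.get("tier") != "prod"
    return False


def rule_based(sub, res, action, env):
    """Rule-based: if/then rules applied to every subject regardless of who
    they are; first matching rule wins, otherwise deny."""
    src = ip_address(env["src_ip"])
    for net, rule_action, decision in NET_RULES:
        if src in ip_network(net) and rule_action == action:
            return decision
    return False


MODELS = {"DAC": dac, "MAC": mac, "RBAC": rbac, "ABAC": abac, "Rule-based": rule_based}


def decide(sub, res, action, env):
    """Evaluate one request under every model; returns {model: allowed}."""
    return {name: fn(sub, res, action, env) for name, fn in MODELS.items()}


# Constructed scenario: alice owns a confidential report and let bob read it.
REPORT = Resource(name="q2-report.xlsx", owner="alice", classification="confidential",
                  acl={"bob": {"read"}}, attrs={"tier": "prod"})
ALICE = Subject("alice", clearance="secret", roles={"ise-admin"},
                attrs={"posture": "compliant", "device_type": "corporate"})
BOB = Subject("bob", clearance="internal", roles={"helpdesk"},
              attrs={"posture": "non-compliant", "device_type": "byod"})
OFFICE = {"location": "office", "src_ip": "10.10.50.12"}   # admin VLAN, on site
REMOTE = {"location": "remote", "src_ip": "203.0.113.7"}   # off site

if __name__ == "__main__":
    for who, env in ((ALICE, OFFICE), (BOB, OFFICE), (BOB, REMOTE)):
        for action in ("read", "write"):
            print(f"{who.name:6} {action:5} from {env['location']:6}: "
                  f"{decide(who, REPORT, action, env)}")
```

The instructive row is bob writing from the admin VLAN: DAC, MAC, RBAC and ABAC all deny, but the rule-based check allows it because it never looks at who bob is, only where the packet came from. That is the exam distinction between rule-based and identity-aware models.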

Identity Management

  • Provisioning and deprovisioning (joiner/mover/leaver); leavers and movers are where stale entitlements accumulate

  • Identity federation: SAML, OIDC (your Keycloak). OIDC is the identity layer on top of OAuth 2.0; OAuth 2.0 by itself is delegated authorization, not authentication

  • SSO: Kerberos tickets (your AD), SAML assertions, OIDC ID tokens

  • Directory services: LDAP (your FreeIPA), X.500 (the directory model LDAP descends from), Active Directory

  • Credential management: Vault SSH CA certificates, gopass, MFA

Authentication Types

  • Something you know (password)

  • Something you have (YubiKey — your FIDO2 keys)

  • Something you are (biometrics)

  • MFA: combining 2+ factors from DIFFERENT categories (password + PIN is still single-factor; password + YubiKey is two)

Session Management

  • Session tokens, idle and absolute timeout, termination (logout, revocation)

  • SSO risks: single point of failure, credential compromise propagation (one stolen credential reaches every relying application)

  • Federated identity risks: trust establishment (which IdP keys you accept), token replay (validate iss/aud/exp, bind to a nonce, accept each token once)
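
The federation bullets above and the replay risk are easiest to internalise from the relying-party side, so here is an added example (not code from the study guide or from Keycloak) of the checks an application behind Keycloak must make on an OIDC ID token, with one-time nonces so a captured token cannot be replayed. Assumptions for the demo: HS256 with a shared secret stands in for the RS256/JWKS signing Keycloak actually uses, the nonce store is in memory, and the issuer URL, client ID and secret are made up.

```python
"""Added example, not from the study guide or Keycloak: relying-party checks on
an OIDC ID token (signature, iss, aud, exp, iat, nonce) plus one-time nonces
against token replay. Assumptions: HS256 with a shared secret instead of
RS256 + JWKS, an in-memory nonce store, and made-up issuer/client/secret."""
import base64
import hashlib
import hmac
import json
import os
import time

ISSUER = "https://keycloak.example.test/realms/lab"   # assumed IdP issuer
CLIENT_ID = "grafana"                                  # assumed OIDC client
SECRET = b"demo-shared-secret"                         # assumed HS256 key
CLOCK_SKEW = 60                                        # seconds of tolerance


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = SECRET) -> str:
    """Stand-in for the IdP: serialise claims as a compact JWS signed with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class TokenError(Exception):
    """Any validation failure; the caller treats every one as deny."""


class ReplayGuard:
    """Nonces this RP generated for in-flight logins; each is accepted once."""

    def __init__(self):
        self.pending = set()

    def issue_nonce(self) -> str:
        nonce = _b64url(os.urandom(16))
        self.pending.add(nonce)
        return nonce

    def consume(self, nonce) -> bool:
        if nonce in self.pending:
            self.pending.discard(nonce)
            return True
        return False


def validate_id_token(token: str, guard: ReplayGuard, now=None, key: bytes = SECRET) -> dict:
    """Signature first, then iss/aud/exp/iat, then nonce. Nothing in the
    payload is trusted before the signature over it has been verified."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, b, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: the token must not get to choose ("none", alg confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(b))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token was not issued to this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now - CLOCK_SKEW:
        raise TokenError("expired")
    if claims.get("iat", 0) > now + CLOCK_SKEW:
        raise TokenError("issued in the future")
    # Replay defence: the nonce must be one we issued and not yet consumed.
    if not guard.consume(claims.get("nonce")):
        raise TokenError("unknown or reused nonce")
    return claims


def accepts(token: str, guard: ReplayGuard, now: int) -> bool:
    """True if the token passes every check, False otherwise."""
    try:
        validate_id_token(token, guard, now=now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    guard = ReplayGuard()
    now = int(time.time())
    nonce = guard.issue_nonce()
    token = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                           "iat": now, "exp": now + 300, "nonce": nonce})
    print("first use:", accepts(token, guard, now))   # True
    print("replay   :", accepts(token, guard, now))   # False: nonce already consumed
```

The order of checks is the point: a forged or tampered token must fail on the signature before any claim is read, a token minted for a different client fails on `aud` even though the same IdP signed it, and a replayed token fails only because the nonce was consumed on first use. With Keycloak in production the signature step would fetch the realm's JWKS and verify RS256 instead of the shared-secret HMAC used here.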

Physical Access Control

  • Badges, biometrics, mantraps/vestibules, tailgating prevention

  • Visitor management, escort requirements

Practice Questions

25 questions/day — target 85%+ accuracy on this domain.

| Check | Status |
|---|---|
| Read Study Guide Chapters 13-14 (IAM) | [ ] |
| Watch Destination Certification MindMap — Domain 5 | [ ] |
| Access control models memorized (DAC, MAC, RBAC, ABAC, rule-based) | [ ] |
| Authentication types and MFA understood | [ ] |
| Federation protocols mapped (SAML/OIDC to Keycloak) | [ ] |
| 25+ practice questions completed (Domain 5) — target 85%+ | [ ] |