<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-GB">
	<id>https://knowledgebase.pirho.net/index.php?action=history&amp;feed=atom&amp;title=Identity_%26_Access_Management_%28IAM%29</id>
	<title>Identity &amp; Access Management (IAM) - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://knowledgebase.pirho.net/index.php?action=history&amp;feed=atom&amp;title=Identity_%26_Access_Management_%28IAM%29"/>
	<link rel="alternate" type="text/html" href="https://knowledgebase.pirho.net/index.php?title=Identity_%26_Access_Management_(IAM)&amp;action=history"/>
	<updated>2026-07-11T14:06:51Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.43.0</generator>
	<entry>
		<id>https://knowledgebase.pirho.net/index.php?title=Identity_%26_Access_Management_(IAM)&amp;diff=424&amp;oldid=prev</id>
		<title>Dex: Created page with &quot;&#039;&#039;&#039;Summary:&#039;&#039;&#039; Identity &amp; Access Management (IAM) is the collection of policies, processes, technologies, and controls used to manage digital identities and regulate access to systems, applications, data, and services. Effective IAM ensures that the right people have the right access to the right resources at the right time, while reducing security risks and supporting compliance requirements.  == Context ==  Modern organisations depend upon hundreds, sometimes thousands...&quot;</title>
		<link rel="alternate" type="text/html" href="https://knowledgebase.pirho.net/index.php?title=Identity_%26_Access_Management_(IAM)&amp;diff=424&amp;oldid=prev"/>
		<updated>2026-07-06T06:37:36Z</updated>

		<summary type="html">&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; Identity &amp;amp; Access Management (IAM) is the collection of policies, processes, technologies, and controls used to manage digital identities and regulate access to systems, applications, data, and services. Effective IAM ensures that the right people have the right access to the right resources at the right time, while reducing security risks and supporting compliance requirements.  == Context ==  Modern organisations depend upon hundreds, sometimes thousands...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
Identity &amp;amp; Access Management (IAM) is the collection of policies, processes, technologies, and controls used to manage digital identities and regulate access to systems, applications, data, and services. Effective IAM ensures that the right people have the right access to the right resources at the right time, while reducing security risks and supporting compliance requirements.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Modern organisations depend upon hundreds, sometimes thousands, of interconnected systems. Employees, contractors, customers, partners, applications, services, and devices all require some form of digital identity.&lt;br /&gt;
&lt;br /&gt;
Without a structured approach to managing identities and access permissions, organisations quickly face security challenges, operational inefficiencies, and compliance risks.&lt;br /&gt;
&lt;br /&gt;
IAM provides a framework for:&lt;br /&gt;
&lt;br /&gt;
* Identifying users and systems&lt;br /&gt;
* Authenticating identities&lt;br /&gt;
* Authorising access&lt;br /&gt;
* Managing permissions&lt;br /&gt;
* Auditing activity&lt;br /&gt;
* Enforcing security policies&lt;br /&gt;
&lt;br /&gt;
While IAM is often associated with user logins, it extends far beyond authentication and forms a critical component of modern cybersecurity architecture.&lt;br /&gt;
&lt;br /&gt;
=== Common Misconceptions ===&lt;br /&gt;
&lt;br /&gt;
* IAM is not simply Active Directory.&lt;br /&gt;
* IAM is not just password management.&lt;br /&gt;
* IAM is not solely a security concern.&lt;br /&gt;
* IAM is both a business process and a technical implementation.&lt;br /&gt;
&lt;br /&gt;
Many access-related incidents result from poor governance rather than technical failures.&lt;br /&gt;
&lt;br /&gt;
== Core Concepts ==&lt;br /&gt;
&lt;br /&gt;
=== Identity ===&lt;br /&gt;
&lt;br /&gt;
An identity represents a person, service, application, device, or process within a system.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Employee accounts&lt;br /&gt;
* Service accounts&lt;br /&gt;
* Application identities&lt;br /&gt;
* Customer identities&lt;br /&gt;
* Managed devices&lt;br /&gt;
&lt;br /&gt;
An identity should uniquely represent a single entity.&lt;br /&gt;
&lt;br /&gt;
=== Authentication ===&lt;br /&gt;
&lt;br /&gt;
Authentication answers the question:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;quot;Who are you?&amp;quot;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Common authentication methods include:&lt;br /&gt;
&lt;br /&gt;
* Username and password&lt;br /&gt;
* Multi-Factor Authentication (MFA)&lt;br /&gt;
* Smart cards&lt;br /&gt;
* Certificates&lt;br /&gt;
* Biometrics&lt;br /&gt;
* Security keys&lt;br /&gt;
&lt;br /&gt;
Authentication establishes confidence in an identity claim.&lt;br /&gt;
&lt;br /&gt;
=== Authorisation ===&lt;br /&gt;
&lt;br /&gt;
Authorisation answers the question:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;quot;What are you allowed to do?&amp;quot;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
After authentication succeeds, systems evaluate permissions, roles, policies, and access rules before granting access to resources.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Read access&lt;br /&gt;
* Modify access&lt;br /&gt;
* Administrative privileges&lt;br /&gt;
* Application-specific permissions&lt;br /&gt;
&lt;br /&gt;
=== Accounting and Auditing ===&lt;br /&gt;
&lt;br /&gt;
Authentication and authorisation are only part of the picture.&lt;br /&gt;
&lt;br /&gt;
Organisations must also record:&lt;br /&gt;
&lt;br /&gt;
* Login activity&lt;br /&gt;
* Permission changes&lt;br /&gt;
* Administrative actions&lt;br /&gt;
* Resource access events&lt;br /&gt;
&lt;br /&gt;
These records support security investigations, compliance audits, and operational troubleshooting.&lt;br /&gt;
&lt;br /&gt;
== Identity Lifecycle Management ==&lt;br /&gt;
&lt;br /&gt;
IAM is fundamentally about managing identities throughout their lifecycle.&lt;br /&gt;
&lt;br /&gt;
=== Joiner ===&lt;br /&gt;
&lt;br /&gt;
When a new employee joins:&lt;br /&gt;
&lt;br /&gt;
* Identity is created&lt;br /&gt;
* Accounts are provisioned&lt;br /&gt;
* Access is assigned&lt;br /&gt;
* Security policies are applied&lt;br /&gt;
&lt;br /&gt;
=== Mover ===&lt;br /&gt;
&lt;br /&gt;
When responsibilities change:&lt;br /&gt;
&lt;br /&gt;
* Permissions are reviewed&lt;br /&gt;
* New roles are assigned&lt;br /&gt;
* Old permissions are removed&lt;br /&gt;
&lt;br /&gt;
=== Leaver ===&lt;br /&gt;
&lt;br /&gt;
When an individual leaves:&lt;br /&gt;
&lt;br /&gt;
* Accounts are disabled&lt;br /&gt;
* Authentication methods are revoked&lt;br /&gt;
* Access permissions are removed&lt;br /&gt;
* Audit records are retained&lt;br /&gt;
&lt;br /&gt;
Failure to properly manage the Joiner-Mover-Leaver process is one of the most common causes of excessive permissions and unauthorised access.&lt;br /&gt;
&lt;br /&gt;
== Access Control Models ==&lt;br /&gt;
&lt;br /&gt;
=== Role Based Access Control (RBAC) ===&lt;br /&gt;
&lt;br /&gt;
Users are assigned roles.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
* Helpdesk Operator&lt;br /&gt;
* HR Manager&lt;br /&gt;
* Finance Administrator&lt;br /&gt;
&lt;br /&gt;
Permissions are granted to roles rather than individual users.&lt;br /&gt;
&lt;br /&gt;
Benefits include:&lt;br /&gt;
&lt;br /&gt;
* Simplified administration&lt;br /&gt;
* Consistency&lt;br /&gt;
* Easier auditing&lt;br /&gt;
&lt;br /&gt;
=== Attribute Based Access Control (ABAC) ===&lt;br /&gt;
&lt;br /&gt;
Access decisions are based upon attributes.&lt;br /&gt;
&lt;br /&gt;
Examples:&lt;br /&gt;
&lt;br /&gt;
* Department&lt;br /&gt;
* Location&lt;br /&gt;
* Device compliance state&lt;br /&gt;
* Time of day&lt;br /&gt;
* Security clearance&lt;br /&gt;
&lt;br /&gt;
ABAC enables highly flexible policy-driven access decisions.&lt;br /&gt;
&lt;br /&gt;
=== Policy-Based Access Control ===&lt;br /&gt;
&lt;br /&gt;
Modern cloud platforms frequently use policy engines to evaluate access requests dynamically.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Conditional Access&lt;br /&gt;
* Zero Trust Policies&lt;br /&gt;
* Risk-Based Access Controls&lt;br /&gt;
&lt;br /&gt;
== Authentication Technologies ==&lt;br /&gt;
&lt;br /&gt;
=== Multi-Factor Authentication (MFA) ===&lt;br /&gt;
&lt;br /&gt;
MFA combines multiple forms of verification.&lt;br /&gt;
&lt;br /&gt;
Typical factors include:&lt;br /&gt;
&lt;br /&gt;
* Something you know (password)&lt;br /&gt;
* Something you have (token)&lt;br /&gt;
* Something you are (biometric)&lt;br /&gt;
&lt;br /&gt;
Compromised credentials remain one of the most common attack vectors, making MFA a foundational security control.&lt;br /&gt;
&lt;br /&gt;
=== Single Sign-On (SSO) ===&lt;br /&gt;
&lt;br /&gt;
SSO allows users to authenticate once and access multiple systems.&lt;br /&gt;
&lt;br /&gt;
Benefits include:&lt;br /&gt;
&lt;br /&gt;
* Improved user experience&lt;br /&gt;
* Reduced password fatigue&lt;br /&gt;
* Centralised security control&lt;br /&gt;
&lt;br /&gt;
=== Federation ===&lt;br /&gt;
&lt;br /&gt;
Federation enables organisations to trust external identity providers.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Microsoft Entra ID&lt;br /&gt;
* Active Directory Federation Services (ADFS)&lt;br /&gt;
* OAuth Providers&lt;br /&gt;
* OpenID Connect Providers&lt;br /&gt;
&lt;br /&gt;
Users authenticate with their home identity provider rather than maintaining separate credentials in every application.&lt;br /&gt;
&lt;br /&gt;
== Practical Application ==&lt;br /&gt;
&lt;br /&gt;
A typical modern enterprise IAM platform may provide:&lt;br /&gt;
&lt;br /&gt;
* Directory services&lt;br /&gt;
* Single Sign-On&lt;br /&gt;
* Multi-Factor Authentication&lt;br /&gt;
* Self-Service Password Reset&lt;br /&gt;
* Conditional Access&lt;br /&gt;
* Identity Governance&lt;br /&gt;
* Privileged Access Management&lt;br /&gt;
* Audit Reporting&lt;br /&gt;
&lt;br /&gt;
A common architecture might look like:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
                    +------------------+&lt;br /&gt;
                    | Identity Source  |&lt;br /&gt;
                    |  HR System       |&lt;br /&gt;
                    +---------+--------+&lt;br /&gt;
                              |&lt;br /&gt;
                              v&lt;br /&gt;
                    +------------------+&lt;br /&gt;
                    | IAM Platform     |&lt;br /&gt;
                    | Identity Store   |&lt;br /&gt;
                    +---------+--------+&lt;br /&gt;
                              |&lt;br /&gt;
          +-------------------+-------------------+&lt;br /&gt;
          |                   |                   |&lt;br /&gt;
          v                   v                   v&lt;br /&gt;
&lt;br /&gt;
   +-------------+    +-------------+    +-------------+&lt;br /&gt;
   | Microsoft   |    | SaaS Apps   |    | On-Premise  |&lt;br /&gt;
   | 365         |    | CRM, ERP    |    | Systems     |&lt;br /&gt;
   +-------------+    +-------------+    +-------------+&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Identity Governance ==&lt;br /&gt;
&lt;br /&gt;
Identity Governance focuses on ensuring access remains appropriate over time.&lt;br /&gt;
&lt;br /&gt;
Typical controls include:&lt;br /&gt;
&lt;br /&gt;
* Access reviews&lt;br /&gt;
* Segregation of duties&lt;br /&gt;
* Approval workflows&lt;br /&gt;
* Periodic recertification&lt;br /&gt;
* Exception management&lt;br /&gt;
&lt;br /&gt;
Governance prevents permission accumulation and reduces insider risk.&lt;br /&gt;
&lt;br /&gt;
== Privileged Access Management (PAM) ==&lt;br /&gt;
&lt;br /&gt;
Administrative accounts represent high-value targets.&lt;br /&gt;
&lt;br /&gt;
PAM solutions help organisations:&lt;br /&gt;
&lt;br /&gt;
* Separate administrative and user accounts&lt;br /&gt;
* Implement just-in-time access&lt;br /&gt;
* Record privileged sessions&lt;br /&gt;
* Protect sensitive credentials&lt;br /&gt;
* Reduce standing privilege&lt;br /&gt;
&lt;br /&gt;
Modern security strategies increasingly assume that privileged access should be temporary rather than permanent.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Permission Creep ===&lt;br /&gt;
&lt;br /&gt;
Users gradually accumulate permissions over time.&lt;br /&gt;
&lt;br /&gt;
This often occurs when role changes are not accompanied by access reviews.&lt;br /&gt;
&lt;br /&gt;
=== Shared Accounts ===&lt;br /&gt;
&lt;br /&gt;
Shared accounts reduce accountability and complicate auditing.&lt;br /&gt;
&lt;br /&gt;
Where possible, every action should be traceable to a unique identity.&lt;br /&gt;
&lt;br /&gt;
=== Service Account Neglect ===&lt;br /&gt;
&lt;br /&gt;
Service accounts frequently:&lt;br /&gt;
&lt;br /&gt;
* Use static passwords&lt;br /&gt;
* Avoid MFA&lt;br /&gt;
* Remain undocumented&lt;br /&gt;
&lt;br /&gt;
These accounts often become overlooked security risks.&lt;br /&gt;
&lt;br /&gt;
=== Excessive Administrator Access ===&lt;br /&gt;
&lt;br /&gt;
Granting broad administrative permissions for convenience frequently increases the impact of compromise.&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
When designing an IAM solution, consider:&lt;br /&gt;
&lt;br /&gt;
=== Scalability ===&lt;br /&gt;
&lt;br /&gt;
Can the solution support organisational growth?&lt;br /&gt;
&lt;br /&gt;
=== Security ===&lt;br /&gt;
&lt;br /&gt;
Does it support:&lt;br /&gt;
&lt;br /&gt;
* MFA&lt;br /&gt;
* Conditional Access&lt;br /&gt;
* Strong authentication&lt;br /&gt;
* Risk-based controls&lt;br /&gt;
&lt;br /&gt;
=== Maintainability ===&lt;br /&gt;
&lt;br /&gt;
Can administrators easily:&lt;br /&gt;
&lt;br /&gt;
* Onboard users&lt;br /&gt;
* Remove access&lt;br /&gt;
* Audit permissions&lt;br /&gt;
* Automate processes&lt;br /&gt;
&lt;br /&gt;
=== Integration ===&lt;br /&gt;
&lt;br /&gt;
Can identities be integrated across:&lt;br /&gt;
&lt;br /&gt;
* Cloud platforms&lt;br /&gt;
* On-premise systems&lt;br /&gt;
* Third-party applications&lt;br /&gt;
* APIs and services&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting &amp;amp; Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
When access issues occur, investigate:&lt;br /&gt;
&lt;br /&gt;
=== Identity Issues ===&lt;br /&gt;
&lt;br /&gt;
* Does the account exist?&lt;br /&gt;
* Is it enabled?&lt;br /&gt;
* Is it synchronised correctly?&lt;br /&gt;
&lt;br /&gt;
=== Authentication Issues ===&lt;br /&gt;
&lt;br /&gt;
* Password problems&lt;br /&gt;
* MFA failures&lt;br /&gt;
* Certificate errors&lt;br /&gt;
* Token expiration&lt;br /&gt;
&lt;br /&gt;
=== Authorisation Issues ===&lt;br /&gt;
&lt;br /&gt;
* Missing role assignments&lt;br /&gt;
* Group membership problems&lt;br /&gt;
* Conditional access restrictions&lt;br /&gt;
* Policy conflicts&lt;br /&gt;
&lt;br /&gt;
=== Audit Logs ===&lt;br /&gt;
&lt;br /&gt;
Review:&lt;br /&gt;
&lt;br /&gt;
* Authentication logs&lt;br /&gt;
* Access logs&lt;br /&gt;
* Security alerts&lt;br /&gt;
* Provisioning events&lt;br /&gt;
&lt;br /&gt;
Audit trails often reveal the root cause faster than troubleshooting individual systems.&lt;br /&gt;
&lt;br /&gt;
== Design Philosophy ==&lt;br /&gt;
&lt;br /&gt;
Strong IAM systems should follow a simple principle:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;Trust identities only after verification, grant access only when required, and continuously validate that access remains appropriate.&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
This philosophy aligns closely with modern Zero Trust security models, where no user, device, application, or network location is automatically trusted.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Authentication]]&lt;br /&gt;
* [[Authorisation]]&lt;br /&gt;
* [[Active Directory]]&lt;br /&gt;
* [[Microsoft Entra ID]]&lt;br /&gt;
* [[Multi-Factor Authentication]]&lt;br /&gt;
* [[Single Sign-On]]&lt;br /&gt;
* [[Conditional Access]]&lt;br /&gt;
* [[Privileged Access Management]]&lt;br /&gt;
* [[Zero Trust Architecture]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* NIST Digital Identity Guidelines&lt;br /&gt;
* NIST Zero Trust Architecture&lt;br /&gt;
* Microsoft Entra Documentation&lt;br /&gt;
* OAuth 2.0 Specifications&lt;br /&gt;
* OpenID Connect Specifications&lt;br /&gt;
* ISO 27001&lt;br /&gt;
* CIS Controls&lt;/div&gt;</summary>
		<author><name>Dex</name></author>
	</entry>
</feed>