Module 1: The Core Pillars (The 4 A's)

Jeff Crume explains that every IAM system is built on four functional pillars:

1. Administration

The "Manager" role. This involves creating user accounts, updating phone numbers, and deleting accounts when people leave.

2. Authentication (AuthN)

The "Is it really you?" check. This is your login screen, password prompt, or FaceID scan.

3. Authorization (AuthZ)

The "Permissions" check. Just because you are allowed in the building doesn't mean you are allowed in the CEO's office. AuthZ decides which files you can open.

4. Audit

The "Security Camera." This keeps a record of who logged in and what they touched, so we can check it later if something goes wrong.

Module 2: User Groups & Roles

In large companies, you can't manage permissions for 10,000 people individually. You use Roles.

User Categories

  • Employees: Need internal access to HR and Payroll.
  • Suppliers: Need access to inventory systems.
  • Customers: Need to see their own orders only.

RBAC (Role-Based Access Control)

Instead of saying "Bob gets email access," the architect says "Everyone in the 'Teller' role gets access to the Bank App, Email, and HR." This makes security much easier to manage and scale.
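To make the "Teller role gets the Bank App, Email, and HR" idea concrete, here is a small role-based access check with an audit trail, written as an added example for these notes (it is not code from the video or from any IBM product). Roles map to permissions, users map to roles, and every AuthZ decision is appended to a log so the Audit pillar from Module 1 can later answer "who asked for what, and was it allowed?". All role names, users and "app:action" permission strings are constructed sample data.

```python
from __future__ import annotations

from copy import deepcopy
from dataclasses import dataclass
from datetime import datetime, timezone

# Role -> permissions. Permissions are "app:action" strings; every value here is
# constructed sample data, not taken from any real deployment.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "Teller": {"bank-app:read", "email:use", "hr:self-service"},
    "Branch-Manager": {"bank-app:read", "bank-app:approve", "email:use", "hr:self-service"},
    "HR-Analyst": {"email:use", "hr:self-service", "hr:payroll-read"},
}

# User -> roles (constructed sample users).
USER_ROLES: dict[str, set[str]] = {
    "bob": {"Teller"},
    "alice": {"Branch-Manager"},
    "dana": {"HR-Analyst"},
    "eve": set(),  # account exists but holds no role: denied everywhere
}


@dataclass
class AuditEvent:
    when: str
    user: str
    permission: str
    allowed: bool
    reason: str


class Rbac:
    def __init__(self, role_permissions: dict[str, set[str]], user_roles: dict[str, set[str]]):
        # Copy the tables so runtime grants never leak back into the module-level data.
        self.role_permissions = deepcopy(role_permissions)
        self.user_roles = deepcopy(user_roles)
        self.audit_log: list[AuditEvent] = []

    def effective_permissions(self, user: str) -> set[str]:
        """Union of the permissions granted by every role the user holds."""
        perms: set[str] = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def is_authorized(self, user: str, permission: str) -> bool:
        """AuthZ decision: deny by default, and record every decision for audit."""
        if user not in self.user_roles:
            allowed, reason = False, "unknown user"
        else:
            granting = sorted(r for r in self.user_roles[user]
                              if permission in self.role_permissions.get(r, set()))
            if granting:
                allowed, reason = True, "granted via role " + ", ".join(granting)
            else:
                allowed, reason = False, "no role grants this permission"
        self.audit_log.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=user, permission=permission, allowed=allowed, reason=reason))
        return allowed

    def grant_role(self, user: str, role: str) -> None:
        """Administration: put a user into a role (the role itself must already exist)."""
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def denied_attempts(self) -> list[AuditEvent]:
        """Audit: the events a reviewer would look at first."""
        return [e for e in self.audit_log if not e.allowed]


def demo() -> Rbac:
    rbac = Rbac(ROLE_PERMISSIONS, USER_ROLES)
    rbac.is_authorized("bob", "bank-app:read")      # True: the Teller role grants it
    rbac.is_authorized("bob", "bank-app:approve")   # False: needs Branch-Manager
    rbac.is_authorized("mallory", "email:use")      # False: no such user
    rbac.grant_role("bob", "Branch-Manager")        # Bob is promoted
    rbac.is_authorized("bob", "bank-app:approve")   # True after the role grant
    return rbac


if __name__ == "__main__":
    for e in demo().audit_log:
        print(f"{e.when} {e.user:<8} {e.permission:<18} {'ALLOW' if e.allowed else 'DENY':<5} {e.reason}")
```

Note that nothing in `is_authorized` ever mentions an individual: access is granted only through a role, which is what makes the scheme scale, and the audit log records the role that granted each decision so a reviewer can see why.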

Module 3: Where IDs are Stored

User IDs are stored in a Directory. Jeff notes that most companies have many different directories (one for Email, one for Finance, etc.).

Lightweight Directory Access Protocol (LDAP)

This is the standard language computers use to look up user information. If a system "speaks LDAP," it can work with most user directories.

Synchronization

  • Meta Directory: A central hub that physically copies data from all the other directories into one giant "Master List."
  • Virtual Directory: Like an "Index" in a book. It doesn't copy the data; it just knows which directory to ask when you look something up.
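The practical difference between the two synchronization styles is freshness. The following added example (not from the video) builds two tiny source directories, an e-mail directory and a finance directory, each authoritative for its own attributes, then answers the same lookup through a meta directory (which copies everything into a master list at `sync()` time) and through a virtual directory (which keeps only an index of which source owns which attribute and asks that source live). All class names, users and attribute values are constructed for the demo.

```python
from __future__ import annotations

from copy import deepcopy
from typing import Optional


class SourceDirectory:
    """One of the many per-application directories a company runs.

    `schema` lists the attributes this directory is authoritative for."""

    def __init__(self, name: str, schema: list[str], records: dict[str, dict]):
        self.name = name
        self.schema = schema
        self.records = records

    def lookup(self, uid: str) -> Optional[dict]:
        return self.records.get(uid)

    def update(self, uid: str, **attrs) -> None:
        unknown = set(attrs) - set(self.schema)
        if unknown:
            raise ValueError(f"{self.name} is not authoritative for {sorted(unknown)}")
        self.records.setdefault(uid, {}).update(attrs)


class MetaDirectory:
    """Physically copies every source into one master list at sync time.

    Lookups are local and fast, but reflect the sources as of the last sync."""

    def __init__(self, sources: list[SourceDirectory]):
        self.sources = sources
        self.master: dict[str, dict] = {}
        self.sync()

    def sync(self) -> None:
        master: dict[str, dict] = {}
        for src in self.sources:
            for uid, attrs in src.records.items():
                master.setdefault(uid, {}).update(deepcopy(attrs))
        self.master = master

    def lookup(self, uid: str) -> Optional[dict]:
        return self.master.get(uid)


class VirtualDirectory:
    """Keeps no copy of the data, only an index of which source owns which attribute."""

    def __init__(self, sources: list[SourceDirectory]):
        self.owner: dict[str, SourceDirectory] = {}
        for src in sources:
            for attr in src.schema:
                if attr in self.owner:
                    raise ValueError(f"attribute {attr!r} is claimed by two sources")
                self.owner[attr] = src

    def lookup(self, uid: str) -> Optional[dict]:
        merged: dict = {}
        for src in {id(s): s for s in self.owner.values()}.values():
            rec = src.lookup(uid)  # ask the owning source at query time
            if rec:
                merged.update({a: v for a, v in rec.items() if self.owner.get(a) is src})
        return merged or None


def demo() -> tuple[MetaDirectory, VirtualDirectory, SourceDirectory]:
    email_dir = SourceDirectory("email", ["mail", "phone"],
                                {"bob": {"mail": "bob@example.com", "phone": "555-0100"}})
    finance_dir = SourceDirectory("finance", ["cost_center"],
                                  {"bob": {"cost_center": "CC-42"}})
    meta = MetaDirectory([email_dir, finance_dir])      # copies both sources now
    virtual = VirtualDirectory([email_dir, finance_dir])  # copies nothing
    email_dir.update("bob", phone="555-0199")           # the source changes after the sync
    return meta, virtual, email_dir


if __name__ == "__main__":
    meta, virtual, _ = demo()
    print("meta   :", meta.lookup("bob"))     # still shows the old phone number
    print("virtual:", virtual.lookup("bob"))  # shows the new one
```

The stale `phone` value in the meta directory is exactly the trade-off Jeff's "Master List" implies: it is only as current as the last copy, so de-provisioning events (Module 4) have to trigger a sync or they will not be visible to systems reading the master copy.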

Module 4: The Identity Lifecycle

Security happens through the entire "life" of an employee at a company.

Provisioning (The Joiner)

Automatically creating all the accounts a person needs the second they are hired in the HR system.

De-provisioning (The Leaver)

The most important security step. When someone is fired or leaves, the system must instantly kill all their access rights. If this is forgotten, a "ghost account" remains that hackers can use.
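Joiner and leaver handling is usually implemented as a reconciliation job: the HR system is the source of truth for who is employed and in which job, and the directory holds the accounts that actually grant access. The added example below (not code from the video) runs that reconciliation over a constructed HR feed and directory. It provisions joiners, disables leavers, flags and disables "ghost" accounts that have no HR record at all, and also covers the mover case from the dictionary's "Privilege Creep" entry by replacing, rather than adding to, a person's roles when their job changes. Employee ids, job titles and the job-to-role mapping are all made-up sample data.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Job title as the HR system spells it -> the one role that job should hold.
# Constructed sample mapping.
JOB_TO_ROLE = {
    "teller": "Teller",
    "branch manager": "Branch-Manager",
    "hr analyst": "HR-Analyst",
}


@dataclass
class HrRecord:
    employee_id: str
    job: str
    status: str  # "active" or "terminated"


@dataclass
class Account:
    employee_id: str
    enabled: bool = True
    roles: set[str] = field(default_factory=set)


@dataclass
class ReconcileReport:
    joined: list[str] = field(default_factory=list)  # accounts provisioned
    moved: list[str] = field(default_factory=list)   # roles corrected (privilege creep)
    left: list[str] = field(default_factory=list)    # accounts disabled on termination
    ghosts: list[str] = field(default_factory=list)  # enabled accounts with no HR record


def disable(acct: Account) -> None:
    """De-provision: the account stays for audit history but grants nothing."""
    acct.enabled = False
    acct.roles.clear()


def reconcile(hr_feed: list[HrRecord], directory: dict[str, Account]) -> ReconcileReport:
    report = ReconcileReport()
    hr_by_id = {rec.employee_id: rec for rec in hr_feed}

    # Pass 1: joiners and movers, driven by the HR feed (the source of truth).
    for rec in hr_feed:
        if rec.status != "active":
            continue
        expected = {JOB_TO_ROLE[rec.job.lower()]}
        acct = directory.get(rec.employee_id)
        if acct is None or not acct.enabled:
            directory[rec.employee_id] = Account(rec.employee_id, True, set(expected))
            report.joined.append(rec.employee_id)
        elif acct.roles != expected:
            acct.roles = set(expected)  # replace, never add: old-job roles must not linger
            report.moved.append(rec.employee_id)

    # Pass 2: leavers and ghosts, driven by what is still enabled in the directory.
    for emp_id, acct in directory.items():
        if not acct.enabled:
            continue
        rec = hr_by_id.get(emp_id)
        if rec is None:
            report.ghosts.append(emp_id)  # nobody in HR owns this account
            disable(acct)
        elif rec.status != "active":
            report.left.append(emp_id)
            disable(acct)
    return report


# Constructed sample HR feed for the demo.
SAMPLE_HR_FEED = [
    HrRecord("e100", "Teller", "active"),          # unchanged employee
    HrRecord("e101", "Branch Manager", "active"),  # promoted from Teller
    HrRecord("e102", "Teller", "terminated"),      # left last week
    HrRecord("e103", "HR Analyst", "active"),      # hired today, no account yet
]


def sample_directory() -> dict[str, Account]:
    """Constructed directory state as it looks before the job runs."""
    return {
        "e100": Account("e100", True, {"Teller"}),
        "e101": Account("e101", True, {"Teller", "Branch-Manager"}),  # kept the old role
        "e102": Account("e102", True, {"Teller"}),                    # still enabled!
        "e104": Account("e104", True, {"Teller"}),                    # no HR record: ghost
    }


def demo() -> tuple[ReconcileReport, dict[str, Account]]:
    directory = sample_directory()
    return reconcile(SAMPLE_HR_FEED, directory), directory


if __name__ == "__main__":
    report, _ = demo()
    print(report)
```

Running the job a second time over the same feed produces an empty report, which is the property you want from a lifecycle job: it converges the directory to what HR says and then has nothing left to do.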

Module 5: Advanced Defenses

Single Sign-On (SSO)

This allows you to log in once (e.g., your company portal) and gain access to 50 different apps without typing your password again. It keeps users happy and secure.

PAM (Privileged Access Management)

Some users (IT Admins) have "Keys to the Kingdom." They can delete the whole database. PAM tools record their screen and require them to "check out" passwords like a library book for extra safety.

Passwordless

The future! Using biometrics (fingerprints) or hardware keys (USB sticks) so users never have to remember a password that can be stolen or guessed.

Architect's Dictionary

  • AuthN: Authentication. Proving who you are.
  • AuthZ: Authorization. Proving what you're allowed to do.
  • Directory: A database designed specifically for storing user names, passwords, and roles.
  • Federation: Connecting your company's login system to an outside app (like Salesforce or Microsoft 365).
  • MFA: Multi-Factor Authentication. Using two or more items (Password + Phone code) to log in.
  • Privilege Creep: When an employee changes jobs but keeps all their old permissions, eventually having too much power.
  • UBA: User Behavior Analytics. Using AI to spot if a user is doing something weird or dangerous.

Knowledge Verification