CCNA Cissp IAM Questions

60 questions · Cissp IAM topic · All types, answers revealed

1
MCQ · hard

A developer is implementing OAuth 2.0 for a mobile app (public client) that needs to access a user's data from a third-party API. To mitigate the authorization code interception attack, which OAuth 2.0 extension should be used?

A. Device code grant
B. Client credentials grant
C. Implicit grant
D. PKCE

Answer: D

PKCE provides a secure authorization flow for public clients.

Why this answer

PKCE (Proof Key for Code Exchange) is designed for public clients to prevent interception of the authorization code.

2
MCQ · easy

Which access control model assigns permissions based on a user's job function?

A. MAC
B. DAC
C. ABAC
D. RBAC

Answer: D

RBAC assigns permissions based on roles.

Why this answer

Role-Based Access Control (RBAC) uses roles that group permissions according to job functions.

3
MCQ · medium

A security policy requires that a user cannot have both the ability to create purchase orders and approve invoices. This is an example of:

A. Separation of duties
B. Need-to-know
C. Least privilege
D. Job rotation

Answer: A

SoD divides critical tasks among multiple people.

Why this answer

Separation of Duties (SoD) is a control that prevents a single individual from performing conflicting duties, reducing the risk of fraud.

4
Multi-Select · hard

A security analyst is performing an access review. Which THREE of the following are best practices for user access recertification? (Choose three.)

Select 3 answers
A. Managers confirm that employees still need their current access
B. Remove all access and re-provision as needed
C. Perform recertification annually or more frequently
D. Review access against job roles and responsibilities
E. Automatically approve access if no response

Answers: A, C, D

Managers should verify business need.

Why this answer

Recertification should confirm business need, review actual access, and be periodic.

5
Multi-Select · easy

Which TWO of the following are examples of Type 3 authentication factors? (Choose two.)

Select 2 answers
A. Password
B. Fingerprint
C. Smart card
D. One-time password token
E. Retina scan

Answers: B, E

Fingerprint is a biometric (Type 3).

Why this answer

Type 3 factors are biometrics: fingerprint and retina scan.

6
Multi-Select · medium

A security analyst is reviewing access controls for a financial application. Which TWO of the following are considered best practices for preventing fraud? (Select TWO.)

Select 2 answers
A. Password complexity
B. Single sign-on
C. Least privilege
D. Two-person control
E. Separation of duties

Answers: D, E

Two-person control requires two people to complete a sensitive action.

Why this answer

Two-person control (D) is a best practice for preventing fraud because it requires two authorized individuals to perform a critical action, such as approving a high-value transaction or accessing a sensitive system. This ensures collusion is needed to commit fraud, as no single person can complete the action alone. In a financial application, this might involve dual approval for wire transfers over a threshold, directly mitigating insider threats.

Exam trap

The trap here is that candidates often confuse 'least privilege' (a preventive control for limiting access) with 'separation of duties' (a detective/preventive control for fraud), or they incorrectly think 'password complexity' or 'single sign-on' directly prevent fraud when they only address authentication security.

7
MCQ · medium

In SAML 2.0, which component is responsible for authenticating the user and generating an assertion?

A. Identity Provider (IdP)
B. Service Provider (SP)
C. Certificate Authority (CA)
D. Relying Party (RP)

Answer: A

The IdP authenticates and issues assertions.

Why this answer

The Identity Provider (IdP) authenticates users and creates assertions containing authentication/attribute/authorization data.

8
Multi-Select · medium

Which TWO of the following are OAuth 2.0 grant types? (Choose two.)

Select 2 answers
A. SAML assertion
B. Client credentials
C. LDAP bind
D. Kerberos ticket
E. Authorization code

Answers: B, E

Client credentials grant is for machine-to-machine communication.

Why this answer

Authorization code and client credentials are standard OAuth 2.0 grant types.

9
MCQ · hard

Which access control model bases decisions on attributes of the user, resource, and environment, and can use Boolean logic to define policies?

A. Role-Based Access Control (RBAC)
B. Discretionary Access Control (DAC)
C. Attribute-Based Access Control (ABAC)
D. Mandatory Access Control (MAC)

Answer: C

ABAC evaluates attributes of subjects, objects, and environment.

Why this answer

Attribute-Based Access Control (ABAC) uses attributes and policies to grant access, offering fine-grained control.

10
MCQ · easy

Which statement about SAML 2.0 is correct?

A. SAML relies on browser redirects for SSO flows.
B. SAML supports only IdP-initiated SSO.
C. SAML uses JSON for its assertions.
D. SAML is primarily used for authorization, not authentication.

Answer: A

SAML SSO flows typically involve browser redirects between the IdP and SP.

Why this answer

SAML SSO relies on browser redirects (the HTTP Redirect and HTTP POST bindings) to pass requests and assertions between the IdP and the SP. The other options are wrong: SAML supports both IdP-initiated and SP-initiated SSO, its assertions are XML-based rather than JSON, and it is used primarily for authentication (the assertion can additionally carry attribute and authorization-decision statements).

11
MCQ · medium

An organization wants to enable single sign-on (SSO) across multiple web applications using an XML-based protocol that supports browser redirect flows. Which technology is most appropriate?

A. Kerberos
B. OAuth 2.0
C. OpenID Connect (OIDC)
D. SAML 2.0

Answer: D

SAML 2.0 is XML-based and supports browser SSO flows.

Why this answer

SAML 2.0 is XML-based and uses browser redirects for SSO between IdP and SPs.

12
MCQ · easy

Which authentication factor type is a smart card?

A. Somewhere you are
B. Type 2 (something you have)
C. Type 3 (something you are)
D. Type 1 (something you know)

Answer: B

A smart card is a physical token, so it is something you have.

Why this answer

A smart card is a Type 2 authentication factor because it falls under the 'something you have' category. The card itself is a physical device that stores a digital certificate or cryptographic key, which the user must possess to authenticate. Unlike knowledge-based or biometric factors, possession of the smart card is the core authentication mechanism, often combined with a PIN (Type 1) for two-factor authentication.

Exam trap

The trap here is that candidates confuse 'something you have' (Type 2) with 'something you are' (Type 3) because smart cards are often used with biometric readers, but the card itself is a possession factor, not a biometric.

How to eliminate wrong answers

Option A is wrong because 'Somewhere you are' is not a standard authentication factor type in the CISSP framework; it is a location-based attribute, not a factor category. Option C is wrong because Type 3 (something you are) refers to biometric characteristics such as fingerprints or iris scans, not a physical token like a smart card. Option D is wrong because Type 1 (something you know) includes passwords, PINs, or passphrases, whereas a smart card is a tangible object, not knowledge.

13
MCQ · medium

OpenID Connect (OIDC) extends OAuth 2.0 primarily by adding which capability?

A. Client credential management
B. Authorization delegation
C. Token introspection
D. User authentication

Answer: D

OIDC standardizes authentication, while OAuth 2.0 only provides authorization.

Why this answer

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that primarily adds user authentication. While OAuth 2.0 provides authorization delegation (access tokens for resources), OIDC introduces an ID token (a JSON Web Token, JWT) that contains claims about the authenticated user, enabling the client to verify the user's identity. This is defined in the OIDC specification (OpenID Foundation) and is the key differentiator from plain OAuth 2.0.

Exam trap

The trap here is that candidates often confuse OAuth 2.0's authorization delegation (access tokens for resources) with OIDC's authentication (ID tokens for user identity), leading them to incorrectly select 'Authorization delegation' as the primary addition.

How to eliminate wrong answers

Option A is wrong because client credential management is a feature of OAuth 2.0 itself (e.g., client_id, client_secret, client credentials grant type), not something OIDC adds. Option B is wrong because authorization delegation is the core purpose of OAuth 2.0, not an extension provided by OIDC; OIDC adds authentication on top of that delegation. Option C is wrong because token introspection is an OAuth 2.0 extension (RFC 7662) for validating token status, not a feature introduced by OIDC; OIDC uses the UserInfo endpoint for identity claims.

14
MCQ · medium

In an OAuth 2.0 authorization code flow with PKCE, what is the primary purpose of the code verifier and code challenge?

A. To encrypt the authorization code
B. To authenticate the end user
C. To ensure the client that requested the code is the same one redeeming it
D. To generate the ID token

Answer: C

The code verifier proves that the client redeeming the authorization code is the same one that started the flow, so an intercepted code alone cannot be exchanged for tokens.

Why this answer

PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks, especially for public clients like mobile apps.

15
MCQ · easy

Which of the following is an example of a Type 2 authentication factor?

A. Security question
B. Password
C. Smart card
D. Fingerprint

Answer: C

A smart card is a physical device (something you have).

Why this answer

A Type 2 factor is something you have, such as a smart card or OTP token.

16
MCQ · medium

A security administrator is configuring a system that requires users to provide a password and a one-time code from a hardware token. Which authentication method is being implemented?

A. Biometric authentication
B. Step-up authentication
C. Single-factor authentication
D. Multi-factor authentication

Answer: D

Two different factor types are used: Type 1 and Type 2.

Why this answer

Using two different factor types (password and hardware token) constitutes multi-factor authentication (MFA).

17
MCQ · hard

An attacker has obtained a Kerberos TGT and uses it to request service tickets for any resource in the domain. Which type of attack is this?

A. Replay attack
B. Pass-the-ticket attack
C. Golden ticket attack
D. Kerberos cracking

Answer: B

Pass-the-ticket uses a captured TGT to authenticate as the user.

Why this answer

A golden ticket attack involves forging a TGT, but pass-the-ticket uses a legitimate TGT obtained illegally.

18
MCQ · medium

A company implements a policy requiring two different employees to approve a payment transaction. This is an example of:

A. Dual control
B. Need-to-know
C. Least privilege
D. Two-person control

Answer: D

Two-person control requires two individuals to complete a task, a form of SoD.

Why this answer

Separation of duties (SoD) ensures that no single individual has control over all parts of a critical process, reducing fraud risk.

19
MCQ · hard

During a Kerberos authentication process, the client receives a Ticket Granting Ticket (TGT) from the Authentication Server (AS). Later, the client presents the TGT to the Ticket Granting Server (TGS) to request a service ticket. Which of the following best describes the purpose of the TGT?

A. It verifies the client's IP address to prevent replay attacks.
B. It allows the client to request additional service tickets without re-authentication.
C. It encrypts the session key between the client and the target service.
D. It authenticates the user to the target service directly.

Answer: B

The TGT is used to obtain service tickets from the TGS.

Why this answer

The TGT is a credential that proves the user has been authenticated by the AS and is allowed to request service tickets without re-entering credentials.

20
MCQ · hard

An organization discovers that a former employee's account is still active and has been used to access sensitive data. This is an example of which type of risk?

A. Orphaned account
B. Privilege escalation
C. Social engineering
D. Insider threat

Answer: A

Orphaned accounts are accounts not properly deprovisioned.

Why this answer

An orphaned account is one that remains active after an employee has left, posing a security risk.

21
MCQ · easy

Which of the following access control models allows the data owner to decide who can access their resources?

A. Attribute-Based Access Control (ABAC)
B. Mandatory Access Control (MAC)
C. Role-Based Access Control (RBAC)
D. Discretionary Access Control (DAC)

Answer: D

DAC allows owners to grant access.

Why this answer

Discretionary Access Control (DAC) is the correct answer because it allows the data owner (the creator or custodian of the resource) to decide who can access their resources and at what privilege level. In DAC, access rights are assigned based on the owner's discretion, typically using Access Control Lists (ACLs) or owner-based permissions, as seen in file systems like NTFS or UNIX chmod.

Exam trap

Cisco often tests the misconception that DAC is the same as 'user decides' but candidates confuse it with RBAC because both involve user roles, whereas DAC specifically ties control to the resource owner, not a role-based policy.

How to eliminate wrong answers

Option A is wrong because Attribute-Based Access Control (ABAC) uses policies based on attributes (user, resource, environment) evaluated at runtime, not owner discretion. Option B is wrong because Mandatory Access Control (MAC) enforces system-wide policies (e.g., labels like Top Secret) that neither users nor owners can override. Option C is wrong because Role-Based Access Control (RBAC) assigns permissions based on predefined roles, not on the data owner's individual decisions.

22
Multi-Select · medium

A security administrator is reviewing potential risks associated with orphaned accounts. Which TWO of the following are risks of orphaned accounts?

Select 2 answers
A. Compliance with password policies is weakened
B. Performance degradation of authentication servers
C. Increased logging overhead
D. Attackers can use orphaned accounts to gain unauthorized access
E. Former employees can still access systems

Answers: D, E

Orphaned accounts are attractive targets for attackers.

Why this answer

Orphaned accounts are active accounts of former employees or unused accounts, which can be exploited to gain unauthorized access or persist undetected.

23
MCQ · easy

Which of the following is an example of a Type 1 authentication factor?

A. OTP token
B. Fingerprint
C. Password
D. Smart card

Answer: C

A password is something you know, hence Type 1.

Why this answer

A Type 1 factor is something you know, such as a password, PIN, or security question.

24
MCQ · hard

An attacker who has compromised the Kerberos Key Distribution Center (KDC) could forge a Ticket Granting Ticket (TGT) to impersonate any user. This type of attack is known as:

A. Golden ticket attack
B. Silver ticket attack
C. Pass-the-ticket attack
D. Kerberos poisoning attack

Answer: A

A golden ticket forges a TGT, granting domain-wide access.

Why this answer

A golden ticket attack involves forging a TGT using the KRBTGT account hash, granting access to any resource in the domain.

25
MCQ · hard

In OAuth 2.0, which grant type is recommended for a native mobile application that cannot securely store a client secret, and uses PKCE?

A. Client Credentials grant
B. Implicit grant
C. Device Code grant
D. Authorization Code grant with PKCE

Answer: D

PKCE provides proof key for code exchange, securing public clients.

Why this answer

The Authorization Code grant with PKCE is designed for public clients like mobile apps to prevent interception of the authorization code.

26
MCQ · medium

In a Privileged Access Management (PAM) solution, which feature provides temporary elevation of privileges for specific tasks, reducing the risk of standing privileges?

A. Password vaulting
B. Just-in-time (JIT) access
C. Break-glass account
D. Session recording

Answer: B

JIT access provides time-limited privileges.

Why this answer

Just-in-time (JIT) access grants privileges only when needed, reducing the attack surface from permanent privileged accounts.

27
Multi-Select · medium

Which TWO of the following are characteristics of a Privileged Access Management (PAM) solution? (Choose two.)

Select 2 answers
A. Self-service password reset
B. Session recording
C. Single sign-on for all users
D. Password vaulting
E. OpenID Connect authentication

Answers: B, D

Session recording monitors privileged user activity.

Why this answer

PAM includes password vaulting and session recording. Just-in-time access is also a PAM characteristic but is not among the options here; self-service password reset, single sign-on for all users, and OpenID Connect authentication are general IAM features rather than PAM-specific ones.

28
Multi-Select · hard

An organization is implementing a Privileged Access Management (PAM) solution. Which THREE of the following are common features of PAM? (Select THREE.)

Select 3 answers
A. Single sign-on
B. Password vaulting
C. Session recording
D. Just-in-time access
E. Role-based access control

Answers: B, C, D

Passwords are stored securely and rotated.

Why this answer

PAM typically includes password vaulting, session recording, and just-in-time access. Break-glass accounts are also a PAM feature, but the question asks for the three most common; single sign-on and role-based access control are general IAM capabilities rather than PAM features.

29
Multi-Select · medium

Which THREE of the following are components of a Privileged Access Management (PAM) solution?

Select 3 answers
A. User self-service password reset
B. Single sign-on for web applications
C. Session recording
D. Just-in-time access
E. Password vaulting

Answers: C, D, E

Session recording captures and monitors privileged access activity.

Why this answer

PAM typically includes password vaulting (secure credential storage), session recording (monitoring privileged sessions), and just-in-time access (elevated privileges on demand).

30
MCQ · medium

In Kerberos, which component issues ticket-granting tickets (TGTs) after verifying the user's credentials?

A. Authentication Server (AS)
B. Domain Controller
C. Ticket Granting Server (TGS)
D. Key Distribution Center (KDC)

Answer: A

The AS authenticates the user and issues the TGT.

Why this answer

The Authentication Server (AS) is responsible for issuing TGTs after verifying the user's password or other credentials.

31
MCQ · easy

Which of the following is an example of a Type 2 authentication factor?

A. Smart card
B. PIN
C. Password
D. Fingerprint

Answer: A

A smart card is something you have (Type 2).

Why this answer

A smart card is a Type 2 authentication factor because it falls under the category of 'something you have.' Type 2 factors are possession-based, meaning the user must physically possess the token to authenticate. Smart cards store cryptographic keys or certificates and require a card reader to present the credential, making them a classic example of a possession factor.

Exam trap

The trap here is that candidates often confuse a smart card with a PIN or password because both are used together in practice, but the question specifically asks for the factor type of the smart card itself, not the combined authentication method.

How to eliminate wrong answers

Option B is wrong because a PIN (Personal Identification Number) is a Type 1 factor ('something you know'), not a Type 2 factor; it relies on knowledge rather than possession. Option C is wrong because a password is also a Type 1 factor, based on secret knowledge, not on a physical object. Option D is wrong because a fingerprint is a Type 3 factor ('something you are'), using biometric characteristics, not a possession-based factor.

32
MCQ · medium

A security architect is designing an authentication system for a healthcare application that requires strong security. The system will use a password and a one-time passcode sent via SMS. How many authentication factor types are being used?

A. Three
B. Four
C. One
D. Two

Answer: D

Password (Type 1) and SMS OTP (Type 2) constitute two-factor authentication.

Why this answer

Password is Type 1 (something you know), SMS OTP is Type 2 (something you have, as the phone is possessed). Only two factor types are used.

33
MCQ · hard

Which access control model allows the owner of a resource to determine who can access it and what permissions they have?

A. Discretionary Access Control (DAC)
B. Role-Based Access Control (RBAC)
C. Mandatory Access Control (MAC)
D. Attribute-Based Access Control (ABAC)

Answer: A

DAC allows the owner to grant or deny access.

Why this answer

Discretionary Access Control (DAC) allows the resource owner to control access at their discretion.

34
MCQ · medium

In Kerberos authentication, what is the purpose of the Ticket Granting Ticket (TGT)?

A. To prove the user's identity to the Ticket Granting Service (TGS)
B. To store the user's password hash
C. To encrypt all communication between client and server
D. To authenticate the user to the resource server directly

Answer: A

The TGT is presented to the TGS to obtain service tickets.

Why this answer

The TGT is obtained from the AS and used to request service tickets from the TGS without re-entering credentials.

35
MCQ · medium

An LDAP distinguished name (DN) includes the attribute 'CN=John Doe,OU=Sales,DC=company,DC=com'. What does 'CN' stand for?

A. Country Name
B. Common Name
C. Certificate Name
D. Container Name

Answer: B

CN is Common Name.

Why this answer

CN stands for Common Name, which typically represents the user's name or the hostname of a device.

36
Multi-Select · hard

Which TWO of the following are differences between OAuth 2.0 and OpenID Connect (OIDC)?

Select 2 answers
A. OAuth 2.0 supports device code grant, OIDC does not
B. OAuth 2.0 is for authorization, while OIDC is for authentication
C. OIDC is XML-based, while OAuth 2.0 is JSON-based
D. OIDC uses JSON Web Tokens (JWT) for ID tokens, while OAuth 2.0 does not define a token format
E. OAuth 2.0 requires a client secret, OIDC does not

Answers: B, D

OAuth 2.0 grants access, OIDC authenticates users.

Why this answer

Option B is correct because OAuth 2.0 is fundamentally an authorization framework (RFC 6749) that grants delegated access to resources, while OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0 (specified in OpenID Connect Core 1.0) that verifies the end-user's identity. OIDC extends OAuth 2.0 by adding an ID token (a JWT) that contains claims about the authenticated user, whereas OAuth 2.0 alone does not provide identity information.

Exam trap

Cisco often tests the misconception that OAuth 2.0 is for authentication and OIDC is for authorization, or that they are interchangeable, when in fact OAuth 2.0 is strictly authorization and OIDC is authentication built on top of it.

37
MCQ · hard

An organization uses Active Directory and needs to enforce password complexity settings for all users in a specific department. What is the most efficient way to achieve this?

A. Configure password settings in the user's individual properties
B. Use a script to set passwords for each user
C. Apply a Group Policy Object (GPO) to the OU containing the department's users
D. Create a password policy in the Default Domain Policy

Answer: C

GPOs linked to OUs allow targeted policy application.

Why this answer

Group Policy Objects (GPOs) can be linked to an Organizational Unit (OU) containing the department's user accounts to enforce password settings.

38
MCQ · medium

An organization implements Single Sign-On (SSO) using SAML 2.0. A user attempts to access a cloud application (Service Provider) but is not authenticated. The Service Provider redirects the user to the Identity Provider (IdP) for authentication. Which type of SAML flow is this?

A. AuthN-initiated SSO
B. SP-initiated SSO
C. Assertion-initiated SSO
D. IdP-initiated SSO

Answer: B

The SP redirects the user to the IdP.

Why this answer

In SP-initiated SSO, the user first tries to access the SP, which then redirects to the IdP.

39
MCQ · hard

An organization wants to implement single sign-on across multiple web applications using an XML-based protocol that supports identity provider (IdP) and service provider (SP) initiated flows. Which technology should they choose?

A. OpenID Connect
B. OAuth 2.0
C. SAML 2.0
D. Kerberos

Answer: C

SAML 2.0 is XML-based and supports IdP and SP initiated SSO.

Why this answer

SAML 2.0 is an XML-based protocol for SSO that supports both IdP and SP initiated flows and uses assertions.

40
MCQ · easy

Which protocol is specifically designed for authorization and not authentication, often using grant types like authorization code and client credentials?

A. SAML 2.0
B. OpenID Connect
C. Kerberos
D. OAuth 2.0

Answer: D

OAuth 2.0 is an authorization framework, not authentication.

Why this answer

OAuth 2.0 is an authorization framework that provides delegated access; it does not authenticate the user.

41
MCQ · medium

In Kerberos authentication, which component issues a Ticket Granting Ticket (TGT) after verifying the user's credentials?

A. Domain Controller
B. Ticket Granting Server (TGS)
C. Key Distribution Center (KDC)
D. Authentication Server (AS)

Answer: D

The AS authenticates the user and issues a TGT.

Why this answer

The Authentication Server (AS) verifies the user's credentials and issues a TGT, which the user can then use to request service tickets from the TGS.

42
MCQ · easy

In LDAP, what does the Distinguished Name (DN) uniquely identify?

A. An entry in the directory
B. The root of the directory
C. The schema of the directory
D. A group within the directory

Answer: A

The DN uniquely identifies each entry in the LDAP tree.

Why this answer

The DN is the unique identifier for an entry in the LDAP directory, consisting of a sequence of Relative Distinguished Names (RDNs).

43
MCQ · easy

Which principle ensures that a user is granted only the permissions necessary to perform their job functions?

A. Need-to-know
B. Least privilege
C. Separation of duties
D. Zero standing privileges

Answer: B

Least privilege grants minimum necessary permissions.

Why this answer

The principle of least privilege states that users should have the minimum level of access required.

44
MCQ · medium

An organization requires users to authenticate with a password and a one-time code sent to their mobile phone. This is an example of which authentication method?

A. Two-step verification
B. Single-factor authentication
C. Step-up authentication
D. Multi-factor authentication

Answer: D

MFA requires two or more different factor types.

Why this answer

Using two different types of factors (password - Type 1, OTP - Type 2) constitutes multi-factor authentication.

45
MCQ · hard

A security analyst discovers that an attacker has gained domain admin privileges by forging a Kerberos TGT using the KRBTGT account hash. Which attack has occurred?

A. Golden ticket attack
B. Pass-the-ticket attack
C. Silver ticket attack
D. Kerberos brute force attack

Answer: A

Forging TGT with KRBTGT hash is a Golden Ticket attack.

Why this answer

A Golden Ticket attack involves forging a TGT with the KRBTGT hash, granting unrestricted access.

46
MCQ · hard

An organization implements Privileged Access Management (PAM) and wants to reduce the risk of standing privileges. Which approach grants temporary elevated access only when needed?

A. Session recording
B. Password vaulting
C. Break-glass accounts
D. Just-in-time access

Answer: D

JIT access provides temporary privileges as needed.

Why this answer

Just-in-time (JIT) access provides time-limited privileges that are granted on demand, reducing the attack surface.

47
MCQ · easy

Which of the following is a lightweight directory access protocol used for accessing and maintaining distributed directory information?

A. OAuth
B. LDAP
C. Kerberos
D. SAML

Answer: B

LDAP is the correct protocol for directory access.

Why this answer

LDAP (Lightweight Directory Access Protocol) is used for directory services.

48
MCQ · medium

A financial application requires two employees to authorize a wire transfer. Which principle does this implement?

A. Least privilege
B. Separation of duties
C. Need-to-know
D. Zero standing privileges

Answer: B

Requiring two people to authorize a transfer is SoD.

Why this answer

Separation of duties (SoD) is the principle that requires two or more individuals to complete a sensitive transaction, such as a wire transfer, to prevent fraud or error. By mandating two employees to authorize the transfer, the application ensures no single person has unchecked control over the entire process, enforcing a dual-control mechanism. This directly implements the SoD principle, which is a core access control concept in identity and access management.

Exam trap

The trap here is that candidates confuse separation of duties with least privilege, thinking that limiting permissions alone achieves the same goal, but least privilege does not prevent a single user from performing all steps of a critical process.

How to eliminate wrong answers

Option A is wrong because least privilege grants users only the minimum permissions needed to perform their job, but it does not require multiple people to authorize a single action; that is a separate control. Option C is wrong because need-to-know restricts access to information based on necessity for a specific task, not the collaborative authorization of a transaction. Option D is wrong because zero standing privileges (ZSP) removes persistent access rights and grants them just-in-time, but it does not inherently enforce dual authorization for a single operation.

49
Multi-Select · medium

A security architect is designing a Single Sign-On (SSO) solution for a web application that needs to support authentication and authorization. Which TWO of the following protocols are best suited for this purpose? (Select TWO)

Select 2 answers
A. Kerberos
B. LDAP
C. OpenID Connect (OIDC)
D. SAML 2.0
E. OAuth 2.0

Answers: C, D

OIDC adds authentication to OAuth 2.0.

Why this answer

SAML 2.0 and OpenID Connect (OIDC) are both SSO protocols that provide authentication and authorization. OAuth 2.0 alone provides only authorization.

50
Multi-Select · hard

An organization is implementing OpenID Connect (OIDC) for authentication. Which THREE of the following are components of OIDC? (Choose three.)

Select 3 answers
A. Authorization code flow
B. Kerberos ticket granting ticket
C. UserInfo endpoint
D. SAML assertion
E. ID token

Answers: A, C, E

OIDC uses OAuth 2.0 flows, including authorization code.

Why this answer

OIDC uses ID token, UserInfo endpoint, and OAuth 2.0 authorization framework.

51
MCQ · medium

An employee leaves the company, and their user account is not disabled. This creates a security risk known as:

A. Orphaned account
B. Insider threat
C. Privilege creep
D. Separation of duties violation

Answer: A

An account without a valid user is an orphaned account.

Why this answer

An orphaned account is a user account that remains active in the identity management system after the employee has left the organization. This creates a security risk because the account can be exploited by attackers or former employees to gain unauthorized access to systems, data, or network resources, bypassing access controls that rely on account deactivation.

Exam trap

The trap here is that candidates may confuse 'orphaned account' with 'insider threat' because both involve a former employee, but the question specifically asks for the name of the security risk created by the account itself, not the general threat category.

How to eliminate wrong answers

Option B is wrong because an insider threat is a broader category of risk posed by individuals within the organization (current or former) who misuse their access, but the specific risk of an account not being disabled after departure is defined as an orphaned account. Option C is wrong because privilege creep refers to the gradual accumulation of excessive permissions over time for a user who remains employed, not to an account left active after termination. Option D is wrong because a separation of duties violation occurs when a single user is allowed to perform conflicting tasks (e.g., both creating and approving a purchase order), which is unrelated to the failure to disable a departed user's account.

52
MCQ · medium

Which OAuth 2.0 grant type is recommended for a public client (e.g., single-page application) that cannot securely store a client secret?

A. Resource owner password credentials grant
B. Authorization code grant with PKCE
C. Implicit grant
D. Client credentials grant
Answer: B

PKCE adds a code verifier/challenge to secure the authorization code exchange.

Why this answer

The authorization code grant with PKCE (Proof Key for Code Exchange) is designed for public clients to prevent interception of the authorization code.

53
MCQ · hard

An organization is implementing identity management and wants to ensure that when an employee leaves, all access is promptly revoked. Which process is most directly responsible for removing accounts and access rights for a leaver?

A. Privileged access management
B. Access recertification
C. Deprovisioning
D. Separation of duties
Answer: C

Deprovisioning specifically handles removal of accounts and access.

Why this answer

Deprovisioning is the process of removing user accounts and access rights when an employee leaves the organization. It directly addresses the requirement to promptly revoke all access, ensuring that the former employee cannot authenticate or authorize any actions within the system. This process typically involves disabling or deleting the user object in the directory service (e.g., Active Directory) and removing associated permissions from all resources.

Exam trap

The trap here is that candidates may confuse 'Access Recertification' (a periodic review) with the immediate revocation action required for a leaver, or think 'Privileged Access Management' covers all account removal, when it only addresses high-privilege accounts.

How to eliminate wrong answers

Option A is wrong because Privileged Access Management (PAM) focuses on controlling and monitoring access for privileged accounts (e.g., administrators), not on the general removal of all accounts for a leaver. Option B is wrong because Access Recertification is a periodic review process to validate that existing access rights are still appropriate, not an immediate action to remove access upon termination. Option D is wrong because Separation of Duties is a control principle that prevents conflicts of interest by dividing critical tasks among multiple people, not a process for revoking accounts.

54
Multi-Select · hard

An organization is implementing Privileged Access Management (PAM). Which THREE of the following are common features of a PAM solution? (Select THREE)

Select 3 answers
A. Password vaulting
B. Self-service password reset
C. Just-in-time (JIT) access
D. Session recording and monitoring
E. Break-glass access
Answers: A, C, D

Vaulting stores privileged credentials securely.

Why this answer

Common PAM features include just-in-time access, session recording/monitoring, and password vaulting. Break-glass accounts are emergency access, not a standard feature.

55
Multi-Select · medium

In the context of identity management, which TWO of the following are risks associated with orphaned accounts? (Choose two.)

Select 2 answers
A. Compliance violations
B. Reduced system performance
C. Unauthorized access by former employees
D. Enhanced audit logging
E. Increased help desk calls
Answers: A, C

Regulations require proper account management.

Why this answer

Orphaned accounts can be used by former employees or attackers, and may violate compliance.

56
MCQ · hard

An organization wants to provide just-in-time administrative access to servers, with session recording and password vaulting. Which solution is best suited?

A. Privileged Access Management (PAM)
B. Identity as a Service (IDaaS)
C. Single Sign-On (SSO)
D. Role-Based Access Control (RBAC)
Answer: A

PAM manages and monitors privileged accounts with features like just-in-time access.

Why this answer

Privileged Access Management (PAM) provides just-in-time access, session recording, password vaulting, and break-glass accounts.

57
MCQ · easy

Which of the following is a process that ensures users periodically confirm they still need access to systems and data?

A. Deprovisioning
B. Separation of duties
C. Recertification
D. Provisioning
Answer: C

Recertification is the periodic review of access rights.

Why this answer

Access recertification (or access review) requires users or managers to verify the continued need for access rights.

58
MCQ · medium

In LDAP, which attribute uniquely identifies an entry within the directory information tree?

A. Distinguished Name (DN)
B. Relative Distinguished Name (RDN)
C. Organizational Unit (OU)
D. Common Name (CN)
Answer: A

The DN uniquely identifies every entry.

Why this answer

The Distinguished Name (DN) uniquely identifies each entry in the LDAP directory tree.

59
MCQ · medium

A financial institution requires that no single employee can approve a transaction and also reconcile the account. This is an example of which security principle?

A. Separation of duties
B. Least privilege
C. Defense in depth
D. Need to know
Answer: A

Separation of duties prevents any single person from having conflicting responsibilities.

Why this answer

Separation of duties (SoD) is the security principle that prevents a single individual from having conflicting responsibilities, such as both approving a transaction and reconciling the account. This reduces the risk of fraud or error by requiring collusion between two or more people to subvert a process. In a financial system, SoD is enforced through access control mechanisms that assign distinct roles (e.g., 'Transaction Approver' and 'Account Reconciler') with mutually exclusive permissions, often implemented via Role-Based Access Control (RBAC) or attribute-based policies.

Exam trap

The trap here is that candidates confuse 'separation of duties' with 'least privilege' because both involve limiting access, but separation of duties specifically addresses conflicting tasks to prevent fraud, not just minimizing permissions.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on granting only the minimum permissions necessary to perform a job function, not on preventing conflicts of interest or fraud through role separation. Option C (Defense in depth) is wrong because it describes a layered security strategy using multiple controls (e.g., firewalls, IDS, encryption), not a principle that divides critical tasks among different individuals. Option D (Need to know) is wrong because it restricts access to data based on whether it is required for a specific task, but does not address the segregation of conflicting duties like approval and reconciliation.

60
MCQ · medium

A security analyst is reviewing access rights and discovers an active account belonging to a former employee who left six months ago. This is an example of:

A. Orphaned account
B. Separation of duties violation
C. Account lockout
D. Privilege escalation
Answer: A

An account without an owner is orphaned.

Why this answer

An orphaned account is one that remains active after the user has left the organization, posing a security risk.
