AAA Framework

0. Identification

The initial claim of identity by a user, device, or system

Identification is the preliminary step in access control where a subject professes an identity. Before a system can verify that a user is who they say they are, the user must first declare who they are trying to be. It answers the fundamental question: “Who do you claim to be?”

This process relies on unique identifiers to link a user to a specific account or profile:

  • The Assertion: The act of claiming an identity (e.g., typing in a username). On its own it provides no proof of that identity.
  • Identifiers: These are usually public or semi-public information, such as usernames, email addresses, employee IDs, or smart card numbers.

1. Authentication

Verifies the identity of a user, device, or system

Authentication is the process of confirming that an entity is who they claim to be. It answers the fundamental question: “Who are you?”

This is typically achieved through one or more of the following factors:

  • Something you know (e.g., a password or PIN).
  • Something you have (e.g., a smart card or security token).
  • Something you are (e.g., biometrics like fingerprints or retina scans).

2. Authorization

Determines what an authenticated entity is allowed to do

Once a user’s identity is verified via authentication, authorization determines their privileges. It answers the question: “What are you allowed to do?”

Authorization relies on policies and settings to grant or deny access to specific resources.

  • Permissions: These include read, write, execute, or delete rights on a resource.
  • Context: Authorization applies the Principle of Least Privilege, ensuring users can access only the data necessary for their specific role.

3. Accounting

Tracks and records user activities and resource usage

Accounting measures the resources a user consumes during their access. It answers the question: “What did you do?”

This process is vital for two main reasons:

  • Forensics & Security: It logs session statistics, providing a trail of evidence (logs) to analyze in the event of a security breach.
  • Non-Repudiation: It ensures that a user cannot deny having performed a specific action, as there is an immutable record of the event.[1]
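As an added illustration (not part of the original note), the four steps above chained together in a small Python program. The account names, passwords, roles, the role-to-permission table and the log format are all constructed sample data; the point is the order of the checks and what each one does and does not prove. Identification only looks up a public identifier and proves nothing; authentication compares a salted password hash in constant time; authorization consults a least-privilege policy; accounting records every decision in a hash-chained log so that later tampering is detectable, which is what gives the record its non-repudiation value.

```python
"""Minimal AAA flow: identification -> authentication -> authorization -> accounting.

Constructed example for study purposes; accounts, roles and policy are sample data.
"""
import hashlib
import hmac
import json
import os
import time

PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_account(username: str, password: str, role: str) -> dict:
    """Create a sample account record with a fresh random salt (constructed data)."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "pw_hash": _hash_password(password, salt), "role": role}


# Constructed identity store: usernames are the (public) identifiers, roles drive authorization.
ACCOUNTS = {a["username"]: a for a in (
    make_account("alice", "correct horse battery staple", "analyst"),
    make_account("bob", "another-sample-password", "admin"),
)}

# Constructed authorization policy: each role gets only the actions its job needs.
POLICY = {
    "analyst": {"read"},
    "admin": {"read", "write", "delete"},
}


def identify(username: str):
    """Step 0 - Identification: resolve the claimed identifier. No proof of identity yet."""
    return ACCOUNTS.get(username)


def authenticate(account: dict, password: str) -> bool:
    """Step 1 - Authentication: verify 'something you know' against the stored hash.

    hmac.compare_digest runs in constant time, so a wrong password does not leak
    how many leading bytes of the hash matched.
    """
    candidate = _hash_password(password, account["salt"])
    return hmac.compare_digest(candidate, account["pw_hash"])


def authorize(account: dict, action: str) -> bool:
    """Step 2 - Authorization: is this role permitted to perform the action?"""
    return action in POLICY.get(account["role"], set())


class AuditLog:
    """Step 3 - Accounting: append-only log where each entry commits to the previous one.

    Altering or deleting any earlier entry breaks the hash chain, so verify() fails.
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, username: str, action: str, outcome: str) -> None:
        entry = {"ts": time.time(), "user": username, "action": action,
                 "outcome": outcome, "prev": self._prev}
        entry["hash"] = self._digest(entry)
        self._prev = entry["hash"]
        self.entries.append(entry)

    def verify(self) -> bool:
        """Recompute the chain from the start; False if any entry was changed or reordered."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def access(log: AuditLog, username: str, password: str, action: str) -> str:
    """Run one request through all four AAA steps, recording every decision.

    The caller only ever sees 'allowed' or 'denied'; the distinct reasons live in the
    audit log, so an unknown username and a wrong password look identical from outside.
    """
    account = identify(username)
    if account is None:
        log.record(username, action, "unknown-identity")
        return "denied"
    if not authenticate(account, password):
        log.record(username, action, "authentication-failed")
        return "denied"
    if not authorize(account, action):
        log.record(username, action, "authorization-denied")
        return "denied"
    log.record(username, action, "allowed")
    return "allowed"


if __name__ == "__main__":
    log = AuditLog()
    for user, pw, act in [("alice", "correct horse battery staple", "read"),
                          ("alice", "correct horse battery staple", "delete"),
                          ("mallory", "guess", "read")]:
        print(user, act, "->", access(log, user, pw, act))
    print("audit log intact:", log.verify())
```

The design choice worth noticing is that `access()` returns the same `"denied"` for a missing identifier, a bad password and a disallowed action, while the audit log keeps the three outcomes apart. That is the split the note describes: identification and authentication decide nothing on their own, authorization makes the decision, and accounting is what lets a defender reconstruct afterwards which step a request failed at.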


Relevant Note(s): CIA Triad

Footnotes

  1. https://www.rfc-editor.org/rfc/rfc2906.html