# Domain 5 - Index

Domain 5 covers establishing and managing identities, authenticating and authorizing subjects to access resources, applying least privilege and governance, and federating trust across systems.

## Concepts

1. [[IAM Core Concepts (Identification AuthN AuthZ Accounting)]]
2. [[Least Privilege and Separation of Duties]]
3. [[Access Control Models (DAC MAC RBAC ABAC PBAC)]]
4. [[Role Engineering and RBAC Design]]
5. [[Attribute-Based Access Control (ABAC)]]
6. [[Policy Languages and PDP PEP (XACML)]]
7. [[Identity Lifecycle (Joiner Mover Leaver)]]
8. [[Identity Proofing and Enrollment]]
9. [[Authentication Factors and MFA]]
10. [[Password Policy and Management]]
11. [[Passwordless and FIDO2 WebAuthn]]
12. [[Biometrics (FAR FRR CER)]]
13. [[Risk-Based and Adaptive Authentication]]
14. [[Single Sign-On (SSO) Patterns]]
15. [[Federation with SAML 2.0]]
16. [[OAuth 2.0 (Roles Scopes Grants)]]
17. [[OpenID Connect (OIDC) and JWT]]
18. [[Token Security (JWT JWE JWS) and Pitfalls]]
19. [[Session Management (Timeouts Fixation Hijacking)]]
20. [[Directory Services (LDAP and Active Directory)]]
21. [[Kerberos in Enterprise SSO]]
22. [[Privileged Access Management (PAM) and JIT JEA]]
23. [[Service Accounts and Secrets Management]]
24. [[Access Reviews and Certification (IGA)]]
25. [[Provisioning Deprovisioning and SCIM]]
26. [[Entitlement Management and SoD Conflicts]]
27. [[Authorization in APIs (Scopes Claims Policy)]]
28. [[Credential Attacks and Defenses]]
29. [[Account Recovery and Break-Glass Procedures]]
30. [[Conditional Access Policies (Risk Device Location)]]
31. [[Device Identity and MDM MAM (Compliance)]]
32. [[IdP Hardening and High Availability]]
33. [[Social Login and External Identities (Risks Governance)]]
34. [[Guest Access and B2B Federation (Cross-Tenant)]]
35. [[Cross-Domain Trusts and Federation Risks]]
36. [[Just-in-Time Elevation Beyond PAM (App Roles)]]
37. [[Just-Enough-Access (JEA) Patterns]]
38. [[Identity Threat Detection and Response (ITDR)]]
39. [[Password Spraying Defenses in Directories]]
40. [[Kerberos Attacks and Mitigations (PTT PTH Golden Silver)]]
41. [[NTLM vs Kerberos and Decommission Strategy]]
42. [[Account Lockout and Rate Limiting Strategy]]
43. [[Delegated Administration Models (Scoped Admin Units)]]
44. [[SCIM Security and Provisioning Pitfalls]]
45. [[Identity Data Privacy and Minimization]]
46. [[OAuth Consent and Admin Consent Governance]]
47. [[Service-to-Service Auth (API Keys OAuth mTLS DPoP)]]
48. [[Secrets Rotation Strategies (Short-Lived Credentials)]]
49. [[Cloud IAM Fundamentals (Principals Roles Policies)]]
50. [[Cloud IAM Role Assumption and Temporary Credentials]]
51. [[Least Privilege in Cloud (Guardrails and Boundaries)]]
52. [[Multi-Account Strategy and Isolation (Landing Zones)]]
53. [[Workload Identity Federation (Cloud to Cloud OIDC)]]
54. [[Directory Synchronization (Hybrid Identity) and Risks]]
55. [[Identity Resilience and DR]]
56. [[Identity Governance Metrics and KPIs]]
57. [[Entitlement Discovery and Access Graphs]]
58. [[User and Entity Behavior Analytics (UEBA) for IAM]]
59. [[Privileged Session Recording and Command Control]]

> Also see: [[MOC - CISSP]]