ISC2 CISSP Authorization and PAM Guide

Study ISC2 CISSP Authorization and PAM: key concepts, common traps, and exam decision cues.

After someone is authenticated, CISSP shifts to the harder operational question: what should they be allowed to do, for how long, and with what level of traceability? The best answer usually minimizes standing privilege while keeping responsibilities clear.

Authorization-choice map

Requirement | Better first instinct
--- | ---
give users access based on job function | role-based access design
reduce privileged standing access | PAM or just-in-time elevation
remove access when staff change jobs or leave | disciplined joiner-mover-leaver provisioning
make actions attributable during investigations | unique identities and auditable privileged sessions

What the exam is really testing

If the stem says… | Strong reading
--- | ---
“shared admin account” | accountability is broken even if the work gets done
“too much access after job change” | the real failure is lifecycle and authorization review
“privileged task is rare but high impact” | time-bound elevation is usually stronger than permanent rights

Decision order that usually wins

  1. Confirm the subject is authenticated, then ask what access is actually justified.
  2. Match permissions to job function, task, and time window.
  3. Remove unnecessary standing privilege before adding more control layers.
  4. Preserve unique accountability for all sensitive actions.
  5. Use PAM and review processes where privilege is powerful, rare, or hard to monitor.

These questions reward least privilege plus traceability. CISSP prefers access that is scoped, reviewable, and revocable over access that is merely convenient.
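The decision order above, worked through as an added Python example (this is illustrative code written for this page, not code from ISC2 or from any PAM product; the role names, permissions, user names and the incident ticket reference are constructed). It models role-based standing access, time-bound elevation for the two permissions that are too powerful to hold permanently, joiner-mover-leaver provisioning that replaces rather than accumulates roles, and an audit trail that records every decision against a unique identity so an investigator can answer "who held db:admin, and when?".

```python
from dataclasses import dataclass, field

# Constructed sample roles (hypothetical; adapt to your own role model).
ROLES = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "helpdesk": {"ticket:read", "ticket:write", "user:reset-password"},
    "dba": {"db:read", "db:schema:read"},
}

# Permissions with too much blast radius for standing access: never attached to a
# role, reachable only through a time-bound elevation (the PAM / just-in-time path).
PRIVILEGED = {"db:admin", "prod:deploy"}

MAX_ELEVATION_SECONDS = 3600


@dataclass
class Elevation:
    permission: str
    granted_at: float
    ttl_seconds: int
    justification: str

    def is_active(self, now: float) -> bool:
        return now < self.granted_at + self.ttl_seconds


@dataclass
class AuthzService:
    """Role assignments, JIT elevations and an audit log keyed to unique identities."""
    roles_of: dict = field(default_factory=dict)    # user -> set of role names
    elevations: dict = field(default_factory=dict)  # user -> list[Elevation]
    audit: list = field(default_factory=list)       # one dict per event

    def _log(self, **event) -> None:
        self.audit.append(event)

    def join(self, user: str, roles: set) -> None:
        """Joiner: provision a unique identity with only the roles its job needs."""
        if user in self.roles_of:
            raise ValueError(f"{user} is already provisioned")
        unknown = set(roles) - set(ROLES)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.roles_of[user] = set(roles)
        self._log(event="join", user=user, roles=sorted(roles))

    def move(self, user: str, new_roles: set) -> None:
        """Mover: old roles are replaced, not accumulated; live elevations are dropped."""
        old = self.roles_of[user]
        self.roles_of[user] = set(new_roles)
        self.elevations.pop(user, None)
        self._log(event="move", user=user, old=sorted(old), new=sorted(new_roles))

    def leave(self, user: str) -> None:
        """Leaver: remove the identity and anything still attached to it."""
        self.roles_of.pop(user)
        self.elevations.pop(user, None)
        self._log(event="leave", user=user)

    def elevate(self, user: str, permission: str, ttl_seconds: int,
                justification: str, now: float) -> None:
        """Grant a PAM-managed permission for a bounded window, with a recorded reason."""
        if user not in self.roles_of:
            raise PermissionError(f"{user} is not an active identity")
        if permission not in PRIVILEGED:
            raise ValueError(f"{permission} is not a PAM-managed permission")
        if not 0 < ttl_seconds <= MAX_ELEVATION_SECONDS:
            raise ValueError(f"TTL must be 1..{MAX_ELEVATION_SECONDS} seconds")
        if not justification.strip():
            raise ValueError("a justification is required for privileged elevation")
        self.elevations.setdefault(user, []).append(
            Elevation(permission, now, ttl_seconds, justification))
        self._log(event="elevate", user=user, permission=permission,
                  ttl=ttl_seconds, justification=justification)

    def standing_permissions(self, user: str) -> set:
        return set().union(*(ROLES[r] for r in self.roles_of.get(user, set())))

    def authorize(self, user: str, permission: str, now: float) -> bool:
        """Separate decision from authentication: every outcome is logged with its reason."""
        if user not in self.roles_of:
            allowed, reason = False, "unknown or deprovisioned identity"
        elif permission in self.standing_permissions(user):
            allowed, reason = True, "role"
        elif any(e.permission == permission and e.is_active(now)
                 for e in self.elevations.get(user, [])):
            allowed, reason = True, "jit-elevation"
        else:
            allowed, reason = False, "no matching role or active elevation"
        self._log(event="authorize", user=user, permission=permission,
                  allowed=allowed, reason=reason)
        return allowed

    def actors_allowed(self, permission: str) -> list:
        """Investigation view: which unique identities were actually granted a permission."""
        return sorted({e["user"] for e in self.audit
                       if e["event"] == "authorize" and e["allowed"]
                       and e["permission"] == permission})


def walkthrough() -> dict:
    """Constructed scenario exercising each step of the decision order."""
    svc, t0 = AuthzService(), 1_000_000.0
    svc.join("alice", {"developer"})
    svc.join("bob", {"dba"})
    r = {"role_grant": svc.authorize("alice", "repo:write", t0)}
    r["standing_privileged_denied"] = svc.authorize("bob", "db:admin", t0)
    svc.elevate("bob", "db:admin", 900, "INC-4242: rebuild prod index", t0)
    r["jit_active"] = svc.authorize("bob", "db:admin", t0 + 60)
    r["jit_expired"] = svc.authorize("bob", "db:admin", t0 + 901)
    svc.move("alice", {"helpdesk"})
    r["mover_old_access_removed"] = svc.authorize("alice", "repo:write", t0 + 1000)
    r["mover_new_access"] = svc.authorize("alice", "ticket:write", t0 + 1000)
    svc.leave("bob")
    r["leaver_denied"] = svc.authorize("bob", "db:read", t0 + 2000)
    r["db_admin_actors"] = svc.actors_allowed("db:admin")
    return r


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

Two design points matter for the exam reading of these scenarios. First, `db:admin` is not in any role at all, so there is no way to hold it as standing access; the only path is `elevate`, which demands a justification and a TTL and writes both to the log. Second, `move` replaces the role set and discards elevations rather than adding to them, which is what prevents the "too much access after job change" failure. If two people logged in as one identity, `actors_allowed` could only ever name that shared account, which is exactly why the shared-admin-account stem reads as an accountability failure.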

Scenario triage

Scenario | Better first move
--- | ---
users need access by function | use role-based authorization
powerful admin rights are needed only occasionally | use time-bound elevation or PAM
staff keep old permissions after role changes | improve joiner-mover-leaver controls and recertification
multiple admins use one account | replace shared credentials with unique identities
investigation must attribute actions precisely | ensure privileged session logging and accountability

Common traps

Trap | Better rule
--- | ---
treating authentication success as permission to do anything | authentication and authorization are separate decisions
leaving dormant or legacy accounts in place “just in case” | unused access increases risk without operational value
using shared administrator credentials for convenience | accountability requires individual attribution

Revised on Sunday, May 10, 2026