Scenario
A company is moving to a Zero Trust access model. Employees use a cloud identity provider for SaaS apps, developers need temporary admin access, and HR reports that a former contractor still appears in several groups.
Your task: Select the best IAM or Zero Trust control for each requirement.
| Need | Security Goal |
|---|---|
| Cloud app login | Federated identity |
| API authorization | Delegated access |
| Admin elevation | Least privilege |
Access Decisions
Instructor Answer
- SAML is commonly used for federated browser-based SSO.
- OAuth supports delegated authorization for APIs.
- Role-based access control maps permissions to job roles.
- Attribute-based access control can evaluate role, location, device posture, and time.
- A phone authenticator token is something you have.
- Just-in-time permissions reduce standing privilege.
- The policy enforcement point applies Zero Trust policy decisions.
- Former workers should be de-provisioned promptly.
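
The answers above on attribute-based access control, just-in-time permissions and de-provisioning, combined into one policy decision for this scenario. This is an added example, not part of the original exercise; every user, group, location and time window in it is a constructed, hypothetical value.

```python
from datetime import datetime, time, timedelta

# Constructed sample data; all names and values are hypothetical.
HR_ACTIVE = {"alice", "bob"}                      # current workers per HR
GROUPS = {"dev": {"alice", "bob", "carol"},       # carol: former contractor
          "finance-app": {"carol"}}
ALLOWED_LOCATIONS = {"US", "CA"}
WORK_HOURS = (time(7, 0), time(19, 0))

def stale_memberships(hr_active, groups):
    """Return {user: sorted groups} for members HR no longer lists."""
    stale = {}
    for group, members in groups.items():
        for user in members - hr_active:
            stale.setdefault(user, []).append(group)
    return {u: sorted(g) for u, g in stale.items()}

class JitGrants:
    """Time-boxed admin elevation instead of standing admin membership."""
    def __init__(self):
        self._expiry = {}
    def grant(self, user, now, minutes=60):
        self._expiry[user] = now + timedelta(minutes=minutes)
    def active(self, user, now):
        return user in self._expiry and now < self._expiry[user]

def decide(req, now, grants):
    """Policy decision: (allow, reason). An enforcement point applies it."""
    user = req["user"]
    if user not in HR_ACTIVE:                     # de-provisioned identity
        return False, "identity not active in HR"
    if req["role"] not in req["resource_roles"]:  # role attribute
        return False, "role not permitted"
    if req["location"] not in ALLOWED_LOCATIONS:  # location attribute
        return False, "location not permitted"
    if not req["device_compliant"]:               # device posture attribute
        return False, "device posture failed"
    if not WORK_HOURS[0] <= now.time() <= WORK_HOURS[1]:
        return False, "outside allowed hours"
    if req["admin_action"] and not grants.active(user, now):
        return False, "no active JIT elevation"
    return True, "allow"

if __name__ == "__main__":
    print(stale_memberships(HR_ACTIVE, GROUPS))
    req = {"user": "alice", "role": "developer", "resource_roles": {"developer"},
           "location": "US", "device_compliant": True, "admin_action": True}
    print(decide(req, datetime(2024, 5, 6, 10, 0), JitGrants()))
```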