Implement and maintain identity and access management
Provisioning/deprovisioning, permission assignments, identity proofing, federation (SSO, SAML, OAuth, OIDC), access control models (MAC, DAC, RBAC, ABAC), MFA (TOTP, HOTP, FIDO2), password concepts (passwordless, managers), and privileged access management (JIT, vaulting, ephemeral credentials).
Exam approach: “Given a scenario” — expect to configure access controls for a described org, select the right federation protocol, and troubleshoot IAM misconfigurations. Understanding the tradeoffs between access control models is critical.
Offensive context: Understanding how attackers intercept and manipulate JWTs and OIDC claims at the proxy level makes this objective’s defensive configuration more meaningful. Identity-Aware Proxy and Workload Identity concepts extend port-level validation to enterprise-scale zero-trust — and knowing how token replay and claim manipulation attacks work is what makes your IAM configuration airtight.
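As an added example (not part of this guide), a minimal HS256 JWT/OIDC-style validator in Python that applies the defensive checks the objective points at: pin the algorithm, verify the signature before trusting any claim, enforce issuer, audience and expiry, and reject replayed tokens via a jti cache. The secret, issuer and audience values are constructed for the example; mint_token exists only to produce tokens to test against.

```python
import base64, hashlib, hmac, json, time
# Constructed secret and validation policy for this example (hypothetical values).
SECRET = b"constructed-demo-secret"
EXPECTED_ISS = "https://idp.example.test"
EXPECTED_AUD = "api.example.test"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims, secret=SECRET):
    # Issue an HS256 JWT, only so the example has tokens to validate.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

class TokenValidator:
    def __init__(self, secret=SECRET, iss=EXPECTED_ISS, aud=EXPECTED_AUD):
        self.secret, self.iss, self.aud = secret, iss, aud
        self.seen_jti = {}  # jti -> exp; in-memory replay cache for the example

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        h, b, s = token.split(".")  # ValueError on malformed input
        header = json.loads(b64url_decode(h))
        # Pin the algorithm; never let the token choose it ("none", HS/RS confusion).
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(self.secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(b))  # trusted only after the check above
        if claims.get("iss") != self.iss:
            raise ValueError("wrong issuer")
        aud = claims.get("aud")
        if self.aud not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("wrong audience")
        if claims.get("exp", 0) <= now:
            raise ValueError("expired")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("missing or replayed jti")
        # Evict expired entries, then record this token until it expires.
        self.seen_jti = {j: e for j, e in self.seen_jti.items() if e > now}
        self.seen_jti[jti] = claims["exp"]
        return claims
```

A production deployment would verify an RS256/ES256 signature against the IdP's published JWKS and keep the replay cache in shared storage, but the order of checks is the same.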