LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the four sequential steps of access control, and what does each one answer?

Identifizierung → Authentifizierung → Autorisierung → Verantwortlichkeit. "Who claims to be there?" → "Are they really that person?" → "Are they allowed to do this?" → "What did they actually do?"

Step Question Example
Identifizierung (Identification) Welcher Benutzer? — Who is claiming to be here? Username, account ID, email
Authentifizierung (Authentication) Ist der Benutzer wirklich der richtige? — Are they really that user? Password, certificate, fingerprint
Autorisierung (Authorisation) Was darf der Benutzer? — What may they do? ACL check, RBAC role lookup
Verantwortlichkeit (Accountability) Was hat der Benutzer getan? — What did they actually do? Audit log, SIEM trail

Why the order matters:

  • You can't authenticate without identification (you need to know who you're verifying).
  • You can't authorise without authentication (an unauthenticated user can't be granted rights).
  • Accountability only exists if the first three worked — otherwise the log can't tell who did what.

Governing principle: Least privilege ('need-to-know'). A user should get the minimum rights required to do their job, no more. This caps the blast radius of any compromise: a stolen low-privilege account can't do high-privilege damage.

From Quiz: ISF / Access Control | Updated: Jul 14, 2026