Quiz Entry - updated: 2026.07.14
What are the four sequential steps of access control, and what does each one answer?
Identifizierung → Authentifizierung → Autorisierung → Verantwortlichkeit. "Who claims to be there?" → "Are they really that person?" → "Are they allowed to do this?" → "What did they actually do?"
| Step | Question | Example |
|---|---|---|
| Identifizierung (Identification) | Welcher Benutzer? — Who is claiming to be here? | Username, account ID, email |
| Authentifizierung (Authentication) | Ist der Benutzer wirklich der richtige? — Are they really that user? | Password, certificate, fingerprint |
| Autorisierung (Authorisation) | Was darf der Benutzer? — What may they do? | ACL check, RBAC role lookup |
| Verantwortlichkeit (Accountability) | Was hat der Benutzer getan? — What did they actually do? | Audit log, SIEM trail |
Why the order matters:
- You can't authenticate without identification (you need to know who you're verifying).
- You can't authorise without authentication (an unauthenticated user can't be granted rights).
- Accountability only exists if the first three worked — otherwise the log can't tell who did what.
Governing principle: Least privilege ('need-to-know'). A user should get the minimum rights required to do their job, no more. This caps the blast radius of any compromise: a stolen low-privilege account can't do high-privilege damage.