15. Grant Access to a Protected Resource
This use case provides a high level overview of how an individual accesses a protected resource. It describes the process for accessing both logical resources, like systems and files, and physical resources, like facilities. In practice, the implementation of logical and physical access may differ. For more information about:
- Authentication - please see Authenticate a User.
- Static and dynamic authorization - please see Authorize Access (Static) and Authorize Access (Dynamic).
- Access policy administration and entitlements management - please see Administer Digital Access Policies and Manage Entitlements.
Pre-condition: Individual has a digital identity record and credential, and the individual has been associated with access entitlements.
|Individual attempts to access a protected resource.|
|Individual presents a credential that meets the minimum required level of assurance.|
|The Access Control System (ACS) authenticates the individual using necessary authentication factors.
LOAs 1/2 - one factor required; LOAs 3/4 – at least two factors required.
|If authentication is successful, the ACS checks the individual against the resource’s access parameters.
This check might include gathering additional attributes about the individual to make an access decision.
|If the individual matches the resource’s access parameters, the ACS grants access to the protected resource.|
|The ACS creates a log of the access attempt, the user, and the decision for auditing and review purposes.|
Post-condition: Individual is granted or denied access to the resource.
Click here for a consolidated image of this use case.