This is the draft preview of version 3.1 for the Federal Identity, Credential, and Access Management architecture.
7. Grant Access
This use case describes the steps to authenticate individuals and authorize access to agency services. Agency services can be anything from applications and files to physical facilities.
In this use case, an Access Control System (ACS) Administrator needs to grant access to an employee or contractor who has an enterprise identity and active credential and needs to access a logical or physical resource. These steps assume the employee or contractor already has credentials to support authentication as well as the access entitlements to support authorization decisions.
- Authentication - I want to verify the claimed unique identity of a given employee or contractor so that the system can verify the right individual is attempting to access an agency service.
- Authorization - I want to allow access for only employees and contractors that meet established requirements, so that only the people who should have access do have access.
| Step | Description |
|---|---|
| 1. Access Attempt | An employee or contractor attempts to access an agency service. |
| 2. Authenticate the employee or contractor | The employee or contractor presents an authenticator to the ACS that meets the protected resource’s minimum assurance requirements: |
| 3. Determine the access entitlements and access requirements | Upon successful authentication, the ACS identifies 1) the employee or contractor’s access entitlements associated with the protected resource, and 2) the protected resource’s access requirements. |
| 4. Process the access information | The ACS compares the employee or contractor’s access entitlements to the protected resource’s access requirements to decide whether to authorize access. |
| 5. Grant access | If the employee or contractor meets the protected resource’s access requirements, the ACS grants access to the protected resource. The ACS logs the access attempt and decision for auditing purposes. |
An employee on the financial review team attempts to access a government financial application that is secured by a single sign-on (SSO) solution. The employee clicks a link to the financial application and is redirected to the SSO portal. The employee authenticates using his/her provided credential, which the SSO determines to be valid. The SSO solution or the financial application system finds the employee’s enterprise identity account and compares the roles assigned to those allowed by the financial application. The resulting determination is that the employee has authenticated to the required assurance level and has the appropriate entitlements to access the system and is subsequently logged on.
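The following is an added example, not part of the FICAM architecture draft, showing how an Access Control System could implement steps 2 through 5 of the table above and the financial-application scenario just described. The `AccessControlSystem` class, the numeric assurance levels, the role names and the two sample accounts are all constructed for illustration; the point is the order of checks (authenticate, then look up entitlements, then compare them to the resource's requirements) and the fact that every attempt, granted or denied, lands in the audit log.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ProtectedResource:
    """Step 3, part 2: the protected resource's access requirements."""
    name: str
    min_assurance_level: int        # lowest authenticator assurance the resource accepts
    required_roles: frozenset       # roles an account must hold to be authorized


@dataclass(frozen=True)
class Authenticator:
    """Step 2: what the employee or contractor presents to the ACS."""
    subject: str                    # claimed unique identity (enterprise username)
    assurance_level: int            # assurance level this authenticator provides
    valid: bool                     # outcome of credential validation (constructed here)


@dataclass(frozen=True)
class IdentityAccount:
    """Step 3, part 1: the enterprise identity record carrying access entitlements."""
    subject: str
    roles: frozenset
    active: bool


@dataclass(frozen=True)
class Decision:
    subject: str
    resource: str
    granted: bool
    reason: str


class AccessControlSystem:
    """Hypothetical ACS that walks steps 2-5 and records every attempt."""

    def __init__(self, directory):
        self.directory = directory          # subject -> IdentityAccount
        self.audit_log = []                 # one entry per access attempt (step 5)

    def request_access(self, authenticator, resource):
        decision = self._decide(authenticator, resource)
        # Log denials as well as grants so auditors can see failed attempts.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "subject": decision.subject,
            "resource": decision.resource,
            "granted": decision.granted,
            "reason": decision.reason,
        })
        return decision

    def _decide(self, auth, resource):
        def deny(reason):
            return Decision(auth.subject, resource.name, False, reason)

        # Step 2: authenticate. Fail closed on an invalid credential or one that
        # does not meet the resource's minimum assurance requirement.
        if not auth.valid:
            return deny("authentication failed")
        if auth.assurance_level < resource.min_assurance_level:
            return deny(f"assurance level {auth.assurance_level} below required "
                        f"{resource.min_assurance_level}")

        # Step 3: look up the entitlements tied to the authenticated identity.
        account = self.directory.get(auth.subject)
        if account is None or not account.active:
            return deny("no active enterprise identity account")

        # Step 4: compare entitlements against the resource's requirements.
        missing = resource.required_roles - account.roles
        if missing:
            return deny(f"missing required roles: {sorted(missing)}")

        # Step 5: all requirements met; grant access.
        return Decision(auth.subject, resource.name, True,
                        "entitlements satisfy access requirements")


# Constructed sample data modelled on the SSO scenario: one financial-review
# employee, one employee in an unrelated role, and the financial application.
DIRECTORY = {
    "jdoe": IdentityAccount("jdoe", frozenset({"financial-review"}), active=True),
    "asmith": IdentityAccount("asmith", frozenset({"help-desk"}), active=True),
}
FINANCIAL_APP = ProtectedResource("financial-app", min_assurance_level=2,
                                  required_roles=frozenset({"financial-review"}))


def run_scenarios():
    """Return one granted decision plus four distinct denial causes, and the log."""
    acs = AccessControlSystem(DIRECTORY)
    decisions = {
        "granted": acs.request_access(Authenticator("jdoe", 2, True), FINANCIAL_APP),
        "weak_authenticator": acs.request_access(Authenticator("jdoe", 1, True), FINANCIAL_APP),
        "wrong_role": acs.request_access(Authenticator("asmith", 2, True), FINANCIAL_APP),
        "bad_credential": acs.request_access(Authenticator("jdoe", 2, False), FINANCIAL_APP),
        "unknown_subject": acs.request_access(Authenticator("ghost", 2, True), FINANCIAL_APP),
    }
    return decisions, acs.audit_log


if __name__ == "__main__":
    results, log = run_scenarios()
    for name, d in results.items():
        print(f"{name:18} granted={d.granted!s:5} {d.reason}")
    print(f"{len(log)} attempts logged")
```

The checks are ordered so that an entitlement lookup never happens for an unauthenticated subject, and the denial reasons are specific enough for an auditor to tell a weak authenticator from a missing role without exposing that detail to the requester (the reason string goes to the log, not necessarily to the user).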