This is the draft preview of version 3.1 for the Federal Identity, Credential, and Access Management architecture.


7. Grant Access

This use case corresponds to the Authentication and Authorization service areas of Access Management.

This use case describes the steps to authenticate individuals and authorize access to agency services. Agency services can be anything from applications and files to physical facilities.


Use Case

In this use case, an Access Control System (ACS) Administrator needs to grant access to an employee or contractor who has an enterprise identity and active credential and needs to access a logical or physical resource. These steps assume the employee or contractor already has credentials to support authentication as well as the access entitlements to support authorization decisions.

  • Authentication - I want to verify the claimed unique identity of a given employee or contractor so that the system can verify the right individual is attempting to access an agency service.
  • Authorization - I want to allow access for only employees and contractors that meet established requirements, so that only the people who should have access do have access.

Icon Key for the diagrams that follow.

1. Access Attempt
A diagram showing an employee or contractor attempting to access an agency service through an access control system.
An employee or contractor attempts to access an agency service.
2. Authenticate the employee or contractor
A diagram showing an employee or contractor presenting either an AAL2 or AAL3 authenticator to an access control system.
The employee or contractor presents an authenticator to the ACS that meets the protected resource’s minimum authenticator assurance level (AAL):
  • AAL2 (two-factor) - Something you know + something you have, like a password plus a one-time passcode.
  • AAL3 (two-factor + hardware cryptographic authenticator) - Something you know + a hardware-based cryptographic authenticator that resists verifier impersonation, such as a PIV credential. A one-time passcode on its own, even one generated by a hardware device, does not meet AAL3. For more information about AAL values, see NIST SP 800-63B Section 5: Authenticator and Verifier Requirements.
3. Determine the access entitlements and access requirements
A diagram showing an access control system determining the access entitlements and access requirements.
Upon successful authentication, the ACS identifies 1) The employee or contractor's access entitlements associated with the protected resource, and 2) The protected resource's access requirements.
4. Process the access information
A diagram showing an access control system comparing the employee or contractor's access entitlements to the protected resource's access requirements.
The ACS compares the employee or contractor’s access entitlements to the protected resource’s access requirements to decide whether to authorize access.
5. Grant access
A diagram showing an access control system granting access to an employee or contractor.
If the employee or contractor meets the protected resource’s access requirements, the ACS grants access to the protected resource.

The ACS logs the access attempt and decision for auditing purposes.

Example

An employee on the financial review team attempts to access a government financial application that is secured by a single sign-on (SSO) solution. The employee clicks a link to the financial application and is redirected to the SSO portal. The employee authenticates using their agency-issued credential, which the SSO solution verifies. The SSO solution or the financial application then finds the employee’s enterprise identity account and compares the roles assigned to it with the roles the financial application requires. The resulting determination is that the employee has authenticated at the required assurance level and holds the appropriate entitlements, so the employee is logged on to the application.
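The following is an added illustration of steps 2 through 5 and of the SSO example above, written for this page; it is not code from the FICAM architecture or from any agency system. The identity IDs, role names, resource name and minimum AAL are constructed sample data, and the in-memory audit list stands in for whatever log store an agency ACS actually uses.

```python
"""Added example (not FICAM's own code): a minimal access control system (ACS)
decision routine that follows steps 2-5 of the Grant Access use case.
All identities, roles, resource names and AAL values are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AuthenticatedSubject:
    """Result of step 2: who authenticated and at what assurance level."""
    identity_id: str
    aal: int                  # AAL achieved by the presented authenticator (1, 2 or 3)
    entitlements: frozenset   # roles/attributes from the enterprise identity account
    credential_active: bool   # credential is neither revoked nor expired


@dataclass(frozen=True)
class ProtectedResource:
    """Step 3 input: the protected resource's access requirements."""
    name: str
    min_aal: int
    required_entitlements: frozenset


AUDIT_LOG: list[dict] = []   # step 5 audit trail; a real ACS writes this to a protected log store


def decide(subject: AuthenticatedSubject, resource: ProtectedResource) -> tuple[bool, str]:
    """Steps 4-5: compare entitlements to requirements, log, then grant or deny.

    The decision is deny-by-default: every check must pass explicitly, and the
    first failing check is recorded as the reason so an auditor can see why
    access was refused.
    """
    if not subject.credential_active:
        granted, reason = False, "credential not active"
    elif subject.aal < resource.min_aal:
        granted, reason = False, f"AAL{subject.aal} below required AAL{resource.min_aal}"
    else:
        missing = resource.required_entitlements - subject.entitlements
        if missing:
            granted, reason = False, "missing entitlements: " + ", ".join(sorted(missing))
        else:
            granted, reason = True, "all access requirements met"

    # Step 5: record the attempt and the decision before returning, so both
    # grants and denials leave an audit record.
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": subject.identity_id,
        "resource": resource.name,
        "aal": subject.aal,
        "decision": "GRANT" if granted else "DENY",
        "reason": reason,
    })
    return granted, reason


# Constructed resource modelled on the financial application in the Example.
FINANCIAL_APP = ProtectedResource(
    name="financial-review-app",
    min_aal=2,
    required_entitlements=frozenset({"financial-review-team"}),
)


def run_examples() -> list[tuple[bool, str]]:
    """Exercise the grant path and three distinct deny paths (constructed subjects)."""
    analyst = AuthenticatedSubject("emp-1001", 2, frozenset({"financial-review-team", "employee"}), True)
    wrong_team = AuthenticatedSubject("emp-1002", 2, frozenset({"employee"}), True)
    weak_auth = AuthenticatedSubject("emp-1001", 1, frozenset({"financial-review-team"}), True)
    revoked = AuthenticatedSubject("ctr-2001", 3, frozenset({"financial-review-team"}), False)
    return [decide(s, FINANCIAL_APP) for s in (analyst, wrong_team, weak_auth, revoked)]


if __name__ == "__main__":
    for granted, reason in run_examples():
        print("GRANT" if granted else "DENY ", "-", reason)
```

The order of the checks matters: credential status and assurance level are evaluated before entitlements, so a revoked credential or a weak authenticator is refused regardless of how many roles the account holds, and the audit record names that cause rather than a later one.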

Next Steps

Maintain the employee or contractor’s access entitlements as needed.