Authentication, authorization, and accounting (AAA) — SY0-701
Learn the AAA framework — Authentication, Authorization, and Accounting — as tested on CompTIA Security+ SY0-701, with NIST-grounded definitions.
What it is
AAA is a security framework composed of three distinct, sequentially dependent functions:
- Authentication — verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system (NIST CSRC Glossary).
- Authorization — the process of verifying that a requested action or service is approved for a specific entity (NIST CSRC Glossary); that is, granting or denying the rights to access a resource after identity has been established.
- Accounting — ensuring that "the actions of an entity may be traced uniquely to that entity" (NIST CSRC Glossary, accountability); in practice, this is implemented through audit logs — chronological records of system activities, including records of system accesses and operations performed in a given period (NIST CSRC Glossary, audit log).
Mental model
Think of AAA as a three-gate sequence at a secured facility:
- Gate 1 — Authentication: "Who are you? Prove it." You present a credential; the system verifies it.
- Gate 2 — Authorization: "What are you allowed to do here?" Granted access maps to permitted resources, not all resources.
- Gate 3 — Accounting: "We're recording what you did and when." Every action is traced back to the verified identity.
Each gate depends on the one before it: you cannot meaningfully authorize an unverified identity, and you cannot meaningfully hold an entity accountable without first knowing who they were and what they were permitted to do.
When to use it
| Scenario presented in a question | Which AAA component is in play |
|---|---|
| A user supplies a password, smart card, or fingerprint to log in | Authentication |
| A system checks whether a logged-in user may read a file or run a command | Authorization |
| System logs capture a timestamped record of which user accessed which resource | Accounting |
| A user claims they never sent a particular message; logs disprove it | Accounting (supports non-repudiation) |
| A user is verified but cannot open a restricted folder | Authentication succeeded; Authorization denied |
Common misconception
The most common trap: conflating authentication with authorization.
Authentication establishes who an entity is. Authorization establishes what that entity is permitted to do. These are separate decisions made at separate points. A user can be fully authenticated — their identity is confirmed — and still be denied access to a specific resource because they lack the required authorization.
The NIST CSRC Glossary defines authorization as "the process of verifying that a requested action or service is approved for a specific entity." The word "approved" signals a policy decision about permissions, not an identity decision about credentials. When a question describes a verified user being blocked from a resource, the answer involves authorization, not a failure of authentication.
A second trap: treating accounting as purely financial. In the AAA framework, accounting means traceability — the NIST CSRC Glossary states accountability "generates the requirement for actions of an entity to be traced uniquely to that entity." It supports non-repudiation, deterrence, fault isolation, and legal proceedings. It is not about billing or cost tracking.
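A minimal Python model of the three-gate sequence from the mental model above, written to make the authentication-versus-authorization distinction concrete (an added illustration, not code from the exam objectives or from NIST). The credential store, policy, user names and passwords are constructed sample data; the class and method names are this example's own.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed credential store: salted PBKDF2 hashes, so the store never holds
# the secret itself (a per-user salt is normal; one salt keeps the example short).
_SALT = b"constructed-demo-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice": _hash("correct horse"), "bob": _hash("hunter2")}
# Constructed policy: approved (identity, action, resource) tuples. The key is
# the verified identity, never the credential: a separate decision from Gate 1.
POLICY = {("alice", "read", "/finance/q3.xlsx"), ("bob", "read", "/public/faq.txt")}

class AAAGateway:
    """Runs the three gates in order and keeps the accounting record."""
    def __init__(self):
        self.audit_log = []  # Gate 3: chronological record tied to an identity

    def _record(self, who, gate, detail, ok):
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "who": who, "gate": gate, "detail": detail,
                               "result": "success" if ok else "denied"})

    def authenticate(self, user, password):  # Gate 1: "Who are you? Prove it."
        stored = USERS.get(user)
        # compare_digest keeps the comparison constant-time for equal-length digests.
        ok = stored is not None and hmac.compare_digest(stored, _hash(password))
        self._record(user, "authentication", "credential check", ok)
        return ok

    def authorize(self, user, action, resource):  # Gate 2: "What may you do?"
        ok = (user, action, resource) in POLICY
        self._record(user, "authorization", f"{action} {resource}", ok)
        return ok

    def request(self, user, password, action, resource):
        """Each gate depends on the previous one; every outcome is logged."""
        if not self.authenticate(user, password):
            return "authentication failed"
        if not self.authorize(user, action, resource):
            return "authenticated, authorization denied"
        self._record(user, "access", f"{action} {resource}", True)
        return "granted"

    def trace(self, user):
        """Accounting in use: every logged action attributable to one entity."""
        return [e for e in self.audit_log if e["who"] == user]
```

Calling `request("bob", "hunter2", "read", "/finance/q3.xlsx")` returns "authenticated, authorization denied", and `trace("bob")` then shows a successful authentication entry followed by a denied authorization entry, which is exactly the distinction the exam scenario in the table above tests.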
How it shows up on the exam
Questions targeting this concept typically present a brief scenario and ask candidates to identify which AAA component is illustrated or which has failed. The cognitive target is discrimination — correctly separating three concepts that are easy to conflate because they always occur together.
Signal phrases to watch:
- "Verify identity" / "prove who they are" / "credentials" → Authentication
- "Allowed to access" / "permissions" / "rights" / "policy" / "denied despite being logged in" → Authorization
- "Logs" / "audit trail" / "record of actions" / "trace back to the user" → Accounting
Candidates who conflate authentication with authorization will misread scenarios where a successfully logged-in user is denied a specific action — interpreting it as an authentication problem when the question is actually about authorization policy.
The three authentication factor categories described in NIST SP 800-63B-4 are also testable in the authentication sub-context:
- Something you know — a secret value such as a password intended to be memorized by the subscriber.
- Something you have — proof of possession of a physical or cryptographic authenticator.
- Something you are — automated recognition based on biological and behavioral characteristics such as fingerprints or facial features; NIST SP 800-63B-4 notes biometrics alone cannot serve as authenticators and must be combined with a possession-based factor in multi-factor scenarios.
Related concepts
- CIA Triad — Authentication and authorization are primary controls for confidentiality; accounting supports the integrity and availability pillars.
- Non-repudiation — The accounting component of AAA generates the audit evidence that makes non-repudiation possible: traced, unique records of entity actions.
- Zero Trust — Zero Trust architectures continuously re-evaluate both authentication and authorization rather than granting persistent trust after a single login event.
Sources
Every claim on this page traces to the public exam blueprint and official documentation: