Identity lifecycle management — SY0-701
Learn identity lifecycle management for CompTIA Security+ SY0-701: provisioning, deprovisioning, account states, and the exam traps around offboarding timing.
WHAT IT IS
Identity lifecycle management is the set of processes that govern a digital identity from initial establishment through to its termination. According to NIST SP 800-63A-4, the lifecycle begins with identity proofing — "the process of providing sufficient information (e.g., identity history, credentials, documents) to establish an identity" — and continues through enrollment, active use, and eventual account removal. Each stage has defined security controls that ensure only the right person holds the right access at the right time.
Mental model
Think of a digital identity the same way you think of a physical access badge at a secure facility. A new employee must prove who they are before receiving the badge (proofing). The badge is then issued and encoded with the correct door permissions (provisioning). If the employee changes roles, those permissions are updated (modification). When the employee leaves, the badge is collected and deactivated immediately (deprovisioning). Leaving the badge active after someone leaves is the single most dangerous failure mode — and the exam tests whether you recognize it.
When to use it
Stage-by-stage decision guide:
| Stage | What happens | Security control to know |
|---|---|---|
| Identity proofing | Evidence collected, validated, and verified | Three sub-steps: resolution, validation, verification |
| Enrollment | CSP creates subscriber account; notification of proofing sent to validated address | Account tied to proven identity, not just a username |
| Authenticator binding | Authenticator registered to the subscriber account | Binding uses approved cryptography over authenticated protected channel |
| Active use | Subscriber maintains control of authenticator | Subscriber responsible for protecting against theft or disclosure |
| Modification | Permissions adjusted to reflect role change | Least privilege: "minimum system authorizations and resources needed to perform its function" (NIST SP 800-53 Rev. 5) |
| Invalidation | Authenticator immediately disabled on loss/theft report | CSP "SHALL provide a mechanism to invalidate the authenticator immediately upon notification" (NIST SP 800-63B-4) |
| Termination | Account and access removed | Deprovisioning must be timely; CSPs must document policy for incapacitation/death scenarios |
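The stage ordering in the table can be expressed as a small lifecycle model. The following is an added illustration, not code from this page or from NIST; the role-to-permission map and the `Identity` class are constructed for the example. It enforces that access is only provisioned to an enrolled, active identity, that a role change replaces permissions rather than adding to them, and that invalidation and termination take effect immediately.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample role-to-permission map (least privilege per role).
ROLE_PERMISSIONS = {
    "analyst": {"read:tickets", "read:logs"},
    "engineer": {"read:tickets", "read:logs", "deploy:staging"},
    "finance": {"read:invoices", "approve:payments"},
}

@dataclass
class Identity:
    subject: str
    enrolled: bool = False                 # proofing passed, subscriber account exists
    status: str = "pending"                # pending -> active -> terminated
    role: Optional[str] = None
    permissions: set = field(default_factory=set)
    authenticators: dict = field(default_factory=dict)  # authenticator id -> valid?
    terminated_at: Optional[datetime] = None

def enroll(identity, proofing_passed):
    """Enrollment: create the subscriber account only if identity proofing succeeded."""
    if not proofing_passed:
        raise PermissionError("identity proofing failed; no subscriber account created")
    identity.enrolled = True
    identity.status = "active"

def bind_authenticator(identity, auth_id):
    """Authenticator binding presupposes an enrolled identity."""
    if not identity.enrolled:
        raise PermissionError("cannot bind an authenticator to an unenrolled identity")
    identity.authenticators[auth_id] = True

def invalidate_authenticator(identity, auth_id):
    """Invalidation on loss/theft report: the authenticator stops working at once."""
    identity.authenticators[auth_id] = False

def provision(identity, role):
    """Provisioning/modification: requires an active account; role change re-scopes."""
    if not identity.enrolled or identity.status != "active":
        raise PermissionError("cannot provision access to an identity that is not enrolled and active")
    identity.role = role
    identity.permissions = set(ROLE_PERMISSIONS[role])   # replace, never accumulate

def terminate(identity, now=None):
    """Termination: disable the account, drop all access and invalidate every authenticator."""
    identity.status = "terminated"
    identity.terminated_at = now or datetime.now(timezone.utc)
    identity.permissions.clear()
    for auth_id in identity.authenticators:
        identity.authenticators[auth_id] = False

def can_authenticate(identity, auth_id):
    return identity.status == "active" and identity.authenticators.get(auth_id, False)
```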
COMMON MISCONCEPTION
The most dangerous misconception is treating deprovisioning as a low-priority, post-offboarding cleanup task. Candidates often assume that revoking access can wait until after an employee's last day — for example, until HR completes paperwork. The identity lifecycle model treats immediate revocation on separation as a hard requirement, not a courtesy. An active account belonging to a former employee is an open attack surface: the individual retains the ability to authenticate and may no longer have any obligation to protect that credential.
A second misconception conflates provisioning (granting access) with enrollment (establishing identity). Enrollment happens once, when the identity is proofed and the subscriber account is created. Provisioning of access rights can happen many times over the account's life, every time the person's role changes. Getting this order wrong undermines the whole model: you cannot securely provision access to an identity that has not been properly enrolled.
How it shows up on the exam
The cognitive target for identity lifecycle questions is application: given a scenario, identify what stage of the lifecycle applies and which control failure is described.
Signal phrases to watch for:
- "Former employee still has access" → deprovisioning failure; the scenario is testing whether candidates recognize that termination should trigger immediate account removal.
- "User changed departments" → modification/re-provisioning; tests whether candidates apply least privilege when roles change, not just at initial provisioning.
- "Lost token / stolen authenticator" → candidates who understand the lifecycle know the CSP must provide an immediate invalidation mechanism; the correct response is not simply "issue a new authenticator" without also invalidating the compromised one.
- "Identity assurance level needs to be elevated" → account elevation is a defined lifecycle event; NIST SP 800-63A-4 notes CSPs should allow subscribers to elevate assurance levels to support higher-assurance transactions.
A common misconception exploited in exam scenarios is that separation of duties and least privilege only apply at provisioning time. Both principles must be re-evaluated throughout the lifecycle — especially on role change, which is when over-provisioned access most often accumulates.
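The three scenario types above (former employee still enabled, access accumulated across a role change, and an account with no owning identity) can all be found by reconciling HR records against a directory export. This audit is an added example, not part of the page or of any vendor tool; the HR records, directory entries and role-to-group map are constructed sample data.

```python
from datetime import date

# Constructed sample HR roster: the authoritative source for identity status.
HR_RECORDS = [
    {"user": "bob",   "status": "separated", "separation_date": "2024-03-01", "role": "engineer"},
    {"user": "carol", "status": "active",    "separation_date": None,         "role": "finance"},
    {"user": "dave",  "status": "active",    "separation_date": None,         "role": "analyst"},
]

# Constructed sample directory export (e.g. what an IdP or AD dump would look like).
DIRECTORY = [
    {"user": "bob",   "enabled": True, "groups": ["engineers", "deploy-staging"]},
    {"user": "carol", "enabled": True, "groups": ["finance", "engineers"]},   # kept old dept group
    {"user": "dave",  "enabled": True, "groups": ["analysts"]},
    {"user": "erin",  "enabled": True, "groups": ["admins"]},                 # no HR record at all
]

# Groups each role is entitled to; anything beyond this is over-provisioning.
ROLE_GROUPS = {
    "engineer": {"engineers", "deploy-staging"},
    "finance":  {"finance"},
    "analyst":  {"analysts"},
}

def audit(hr_records, directory, today_iso):
    """Return (user, finding, detail) tuples for lifecycle control failures."""
    today = date.fromisoformat(today_iso)
    hr = {r["user"]: r for r in hr_records}
    findings = []
    for acct in directory:
        rec = hr.get(acct["user"])
        if rec is None:
            findings.append((acct["user"], "orphan", "no HR identity record owns this account"))
            continue
        if rec["status"] == "separated" and acct["enabled"]:
            days = (today - date.fromisoformat(rec["separation_date"])).days
            findings.append((acct["user"], "deprovisioning_failure",
                             f"still enabled {days} days after separation"))
            continue
        extra = set(acct["groups"]) - ROLE_GROUPS.get(rec["role"], set())
        if extra:
            findings.append((acct["user"], "over_provisioned",
                             f"groups beyond current role: {sorted(extra)}"))
    return findings
```

The deprovisioning finding is the one the exam treats as most severe; in practice it should be raised as an incident, not a ticket, because the account is authenticatable by someone outside the organisation.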
Related concepts
- Federation and SSO — In federated models, the Credential Service Provider maintains the subscriber account and status; lifecycle events in the home CSP cascade to all relying parties.
- Access control models — Role-based access control (access control based on user roles, per NIST SP 800-95) is the mechanism that makes lifecycle modification meaningful; changing a role re-scopes all inherited permissions.
- Multifactor authentication — Authenticator binding and invalidation are lifecycle events specific to MFA credentials; loss or theft of an authenticator triggers an immediate invalidation requirement under NIST SP 800-63B-4.
Sources
Every claim on this page traces to the public exam blueprint and official documentation: