Privileged access management (PAM) — SY0-701
CompTIA Security+ SY0-701: Learn what Privileged Access Management (PAM) is, how it differs from standard access control, and how it appears on the exam.
What it is
Privileged access management (PAM) is the discipline of controlling, monitoring, and auditing the accounts that hold elevated authorizations — the accounts a NIST glossary defines as having "the authorizations of a privileged user," where a privileged user is "a user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform" (NIST SP 800-53 Rev. 5).
PAM applies the principle of least privilege — "each entity is granted the minimum system resources and authorizations that the entity needs to perform its function" (NIST SP 800-53 Rev. 5) — specifically to the high-risk tier of accounts that can alter system configuration, manage security functions, or execute privileged commands.
Mental model
Think of PAM as a vault within a vault. Standard access control governs who can enter the building. PAM governs who can open the safe inside — and records every moment the safe door is open. A privileged account is one whose authorizations extend to "control, monitoring, or administration of the system, including security functions and associated security-relevant information" (NIST SP 800-53 Rev. 5, defining privileged command). PAM wraps additional controls around exactly those accounts.
When to use it
| Concern | Standard access control | PAM |
|---|---|---|
| Who can read a shared file? | Handled — "granting or denying specific requests to obtain and use information" (FIPS 201-3) | Out of scope |
| Who can change system security settings? | Covered at the policy level | PAM governs and audits this directly |
| How do we know what an admin did during a session? | General audit logs record activities (CNSSI 4009-2015) | PAM enforces session recording tied to the privileged account |
| Who can authorize a new user account? | Authorization grants "the right or permission to access a system resource" (NIST SP 800-82r3) | PAM restricts which accounts hold that authorization and monitors its use |
| How is the scope of an elevated permission limited? | Least privilege applies generally | PAM enforces least privilege for privileged accounts, including scope-limiting elevated sessions |
Use PAM when the account in question can "perform security-relevant functions that ordinary users are not authorized to perform" (NIST SP 800-53 Rev. 5). Use standard access control when the account operates within normal user permissions.
Common misconception
The exam exploits candidates' tendency to conflate authentication, access control, and PAM. These are distinct layers:
- Authentication is "verifying the identity of a user, process, or device, often as a prerequisite to allowing access" (FIPS 200). It establishes who is asking.
- Authorization is "the right or a permission that is granted to a system entity to access a system resource" (NIST SP 800-82r3). It establishes what is permitted.
- PAM is neither of these alone. It is a governance discipline that wraps the full lifecycle — before, during, and after a privileged session — around a specific class of account.
A second trap: candidates assume that granting a regular user a one-time elevated task is the same as giving them a standing privileged account. Least privilege specifically requires restricting authorizations "to the minimum necessary" (NIST SP 800-12 Rev. 1). Standing privileged accounts that persist beyond their need violate this principle and are exactly what PAM controls are designed to remediate.
How it shows up on the exam
The cognitive target here is application: given a scenario, identify whether a PAM control addresses the situation, or whether a different access control mechanism does.
Signal phrases in scenario stems that point toward PAM:
- References to "administrator accounts," "root," "superuser," or "service accounts" — these are the privileged accounts PAM governs.
- Requests to "monitor" or "record" what an administrator did during a session — this maps to PAM's audit and session-recording functions, grounded in the definition of an audit log as "a chronological record of system activities, including records of system accesses and operations performed in a given period" (NIST SP 800-171r3).
- Scenarios where an account's permissions are broader than necessary — least privilege as enforced by PAM is the corrective.
Candidates often confuse PAM with multi-factor authentication (MFA). MFA addresses the authentication step — proving identity before a session begins. PAM addresses what happens to the privileged session itself: scope, duration, monitoring, and accountability. A scenario framing the problem as "we don't know what the admin changed" is pointing at PAM's monitoring and audit role, not at stronger authentication.
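To make the lifecycle concrete, the following is an added Python model (not part of the original page and not any vendor's PAM product) of a just-in-time privilege broker: it covers the before, during, and after phases named under the misconception above and the session-recording and least-privilege signals listed here, and it flags standing privileged accounts. The broker, account names, commands, and clock ticks are all constructed for illustration.

```python
class PrivilegedSession:
    def __init__(self, commands, expires_at):
        self.allowed_commands = frozenset(commands)  # least-privilege scope of this elevation
        self.expires_at = expires_at                # simulated clock tick; the grant lapses after it
        self.audit_log = []                         # chronological record of operations

class PamBroker:
    def __init__(self):
        self.sessions = {}

    def grant(self, account, commands, now, ttl):
        """BEFORE: issue a time-bound grant limited to the named commands."""
        session = PrivilegedSession(commands, now + ttl)
        session.audit_log.append((now, "granted", ",".join(sorted(commands))))
        self.sessions[account] = session
        return session

    def execute(self, account, command, now):
        """DURING: enforce scope and expiry, and record every attempt."""
        session = self.sessions.get(account)
        if session is None:
            return "denied: no elevated session"
        if now > session.expires_at:
            session.audit_log.append((now, "denied-expired", command))
            return "denied: grant expired"
        if command not in session.allowed_commands:
            session.audit_log.append((now, "denied-out-of-scope", command))
            return "denied: out of scope"
        session.audit_log.append((now, "executed", command))
        return "ok"

    def report(self, account):
        """AFTER: the chronological record of what the admin actually did."""
        return list(self.sessions[account].audit_log)

def standing_privilege(admin_group, broker, now):
    """Members of a permanent admin group with no live grant: elevation persisting beyond need."""
    live = {a for a, s in broker.sessions.items() if now <= s.expires_at}
    return sorted(set(admin_group) - live)

def demo():
    broker = PamBroker()  # constructed scenario: accounts, commands and ticks are invented
    broker.grant("alice", {"restart-service", "view-config"}, now=0, ttl=10)
    results = [broker.execute("alice", "restart-service", now=2),
               broker.execute("alice", "add-user", now=3),      # outside the approved scope
               broker.execute("alice", "view-config", now=12),  # after the grant lapsed
               broker.execute("bob", "view-config", now=4)]     # never elevated at all
    flagged = standing_privilege({"alice", "bob", "svc-backup"}, broker, now=4)
    return results, broker.report("alice"), flagged
```

Note that the denied attempts are recorded as carefully as the successful one; the audit trail, not the access decision alone, is what answers "what did the admin do?".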
Related concepts
- Identity lifecycle — PAM sits within the broader lifecycle of how accounts are provisioned, maintained, and deprovisioned; privileged accounts require tighter lifecycle controls than standard accounts.
- Federation and SSO — federated identity and single sign-on govern how authenticated identities cross trust boundaries; PAM intersects here when privileged access spans systems or organizations.
- Access control models — PAM applies and enforces access control principles (least privilege, separation of duties) at the privileged-account tier specifically.
Sources
Every claim on this page traces to the public exam blueprint and official documentation: