Test your understanding of authentication (AuthN), authorization (AuthZ), access tokens, roles, permissions, least privilege principles, and OAuth2 basics. This quiz is designed for anyone seeking to strengthen their foundational knowledge of secure access and user permission management.
Which concept is primarily concerned with verifying a user’s identity before allowing access to a system?
Explanation: Authentication is the process of proving who someone is, often through passwords or biometric checks. Authorization, on the other hand, decides what an authenticated user can do. Accountization is not a technical term in this context, and augmentation generally refers to enhancement, not identity verification.
What process determines which resources an authenticated user is allowed to access or actions they can perform within a system?
Explanation: Authorization deals with granting permissions once the user’s identity is confirmed. Authentication occurs before this step, while automation and audition do not relate to permissions for specific actions or resources in access control.
In access control, what is a token typically used for?
Explanation: Tokens are digital objects that represent the identity of a user or describe the permissions they have. They are not designed to reduce network traffic or compress data, nor are they translation tools.
Which statement best describes the difference between a role and a permission in access control?
Explanation: Roles group together multiple permissions for easier management. Conversely, a permission defines a particular action or resource access. The other options are incorrect as they misrepresent the relationship or interchangeability between roles and permissions.
What does the principle of least privilege recommend in the context of user permissions?
Explanation: The principle aims to limit unnecessary access, reducing risk and potential misuse. Assigning all permissions by default, ignoring permissions, or sharing them conflicts with security best practices.
Entering your username and password to log into a website is an example of which process?
Explanation: This action proves your identity to the system, matching the definition of authentication. Authorization would determine what you can do after login, while automation and allocation do not fit this scenario.
After logging in, being allowed to view your emails but not others’ is an example of which process?
Explanation: Authorization defines which data or actions are permitted for a user. Authentication only verifies your identity, and alignment and aviation are unrelated concepts in this context.
With OAuth2, what is an access token primarily used for?
Explanation: An access token allows access to resources according to the permissions granted. It does not handle password resets, local encryption, or network checks, which are separate from OAuth2 token purposes.
Which data is typically checked during authorization to determine a user's allowed actions?
Explanation: A user's roles or permissions are central to authorization decisions. An IP address is sometimes used as an extra risk signal, but it is not the standard basis for an authorization decision. Device manufacturer and browser color theme hold no relevance.
If a user tries to access a restricted page and is prompted to log in again, which process is occurring?
Explanation: Being asked to log in is a classic example of authentication. Authorization is about what you can access after logging in. Application and allocation carry different meanings unrelated to access verification.
If a group of employees can all edit documents because they share the 'Editor' role, what access control model does this illustrate?
Explanation: This scenario reflects role-based access by granting permissions via group roles. Discretionary or mandatory models follow other logic, and token-based encryption concerns secure data transmission rather than access assignment.
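The role/permission distinction, the least-privilege principle, the "check the user's roles or permissions" authorization step and the shared 'Editor' role scenario above all come together in one small role-based access control check. The following is an added illustration, not code from the original quiz; the role names, permission strings and users are constructed for the example.

```python
"""Minimal role-based access control (RBAC) check with a deny-by-default posture.

Added example; not part of the original quiz. All role names, permission
strings and users below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# A permission names one action on one resource type, e.g. "document:edit".
# A role is simply a named bundle of permissions (constructed sample roles).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "viewer": frozenset({"document:read"}),
    "editor": frozenset({"document:read", "document:edit"}),
    "admin": frozenset({"document:read", "document:edit",
                        "document:delete", "user:manage"}),
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset[str] = field(default_factory=frozenset)


def effective_permissions(user: User) -> frozenset[str]:
    """Union of the permissions of every role the user holds.

    Unknown roles contribute nothing rather than raising, so a stale role
    assignment can never accidentally widen access.
    """
    perms: set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_authorized(user: User, permission: str) -> bool:
    """Authorization decision: deny by default, allow only on an explicit grant.

    A user with no roles, or whose roles do not carry the permission, gets False.
    """
    return permission in effective_permissions(user)


def audit_excess(user: User, needed: set[str]) -> frozenset[str]:
    """Permissions a user holds beyond what their job actually needs.

    A non-empty result is a least-privilege finding: a candidate for role trimming.
    """
    return effective_permissions(user) - frozenset(needed)


if __name__ == "__main__":
    # Constructed sample users.
    alice = User("alice", frozenset({"editor"}))
    bob = User("bob", frozenset({"editor", "admin"}))
    guest = User("guest")

    print(is_authorized(alice, "document:edit"))    # True: granted via 'editor'
    print(is_authorized(alice, "document:delete"))  # False: not in any of her roles
    print(is_authorized(guest, "document:read"))    # False: no roles at all
    # Bob only needs to read and edit; 'admin' gives him two extra permissions.
    print(sorted(audit_excess(bob, {"document:read", "document:edit"})))
```

Every employee holding 'editor' gets `document:edit` through the role rather than through a per-user grant, which is what makes the model role-based; `audit_excess` is the review step that least privilege calls for, flagging Bob's `admin` role as wider than his task requires.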
When using OAuth2, what typical step must a user complete to grant a third-party application access to their resources?
Explanation: OAuth2 workflows require users to approve or deny permission requests. Hardware installation, username changes, or account deactivation are not part of standard OAuth2 authorization.
Why do access tokens typically have an expiration time in secure systems?
Explanation: Tokens expire so that a stolen or leaked token can only be misused for a limited time. Slowing logins, saving space, or increasing internet speed are not the purposes of token expiry.
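To show what a resource server actually does with an access token, here is an added example that covers both the OAuth2 question above (the token grants access according to the permissions, or scopes, it carries) and the expiry question (an expired token is refused). This is not code from the original quiz. The token format is a simplified, self-signed stand-in (JSON payload plus an HMAC tag), not a standards-compliant JWT or OAuth2 token, and the signing key, scopes and timestamps are constructed for illustration.

```python
"""Checking an access token's signature, expiry and scope before serving a request.

Added example, not part of the original quiz. The token format is a simplified
stand-in (JSON payload + HMAC tag), not a real JWT/OAuth2 token; the key,
scopes and timestamps are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed signing key. A real authorization server keeps this secret.
SIGNING_KEY = b"example-signing-key-do-not-reuse"

TOKEN_LIFETIME_SECONDS = 900  # 15 minutes: bounds how long a leaked token stays usable


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list[str], now: float) -> str:
    """Mint a token carrying who it is for, what it allows, and when it expires."""
    payload = {"sub": subject, "scope": scopes, "iat": int(now),
               "exp": int(now) + TOKEN_LIFETIME_SECONDS}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str, now: float) -> dict | None:
    """Return the payload if the tag is valid and the token is unexpired, else None."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None  # malformed: no separator
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(expected, tag):
        return None  # tampered or forged
    payload = json.loads(_b64url_decode(body))
    if now >= payload["exp"]:
        return None  # expired: exactly the case the exp field exists for
    return payload


def authorize_request(token: str, required_scope: str, now: float) -> bool:
    """Resource-server decision: valid, unexpired token that carries the needed scope."""
    payload = verify_token(token, now)
    return payload is not None and required_scope in payload["scope"]


if __name__ == "__main__":
    t0 = time.time()
    token = issue_token("user-123", ["mail:read"], t0)
    print(authorize_request(token, "mail:read", t0 + 60))     # True
    print(authorize_request(token, "mail:send", t0 + 60))     # False: scope not granted
    print(authorize_request(token, "mail:read", t0 + 2000))   # False: expired
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    print(authorize_request(tampered, "mail:read", t0 + 60))  # False: tag mismatch
```

The three refusal paths (bad tag, past `exp`, missing scope) are the defender's side of the explanations above: a token that was valid a moment ago stops working after its lifetime, and even a valid token only unlocks what was granted when it was issued.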
Why is it risky to assign users more permissions than they need in a system?
Explanation: Excessive permissions can be exploited unintentionally or intentionally, violating least privilege. Over-provisioning does not affect performance or bandwidth, nor does it provide encryption.
Which process is responsible for verifying that a username belongs to a real user before checking their access rights?
Explanation: Authentication establishes user identity before rights can be checked. Authorization follows authentication, while autographication is a typo and augmentation is unrelated.