411.2 AAA Model

Overview

The AAA model—Authentication, Authorisation, and Accountability—defines how software systems manage user access and responsibility. Together, these concepts help prevent unauthorised use, ensure that users only perform permitted actions, and provide traceability for all significant events. AAA principles are central to designing secure login systems, access-controlled APIs, and audit-ready enterprise applications.

Targets

In this topic, students learn to:

• Explain the purpose and role of authentication, authorisation, and accountability

• Identify common techniques used to implement each component

• Describe how AAA principles contribute to secure and ethical software systems

Syllabus reference

Authentication

Authentication is the process of verifying the identity of a user or system before granting access. It answers the question: Who are you?

Common methods include:

• Passwords and PINs

• Multi-factor authentication (MFA)

• Biometrics (e.g. fingerprints, facial recognition)

• Cryptographic tokens (e.g. OAuth, JWT)

Secure systems must ensure that authentication is reliable and resistant to guessing, reuse, or bypass.

Authorisation

Authorisation determines what an authenticated user is allowed to do. It answers the question: What can you access or modify?

Typical models:

• Role-based access control (RBAC): Users are assigned roles that map to permissions

• Attribute-based access control (ABAC): Access is granted based on user attributes and context

Good authorisation design prevents privilege escalation and enforces the principle of least privilege.

Accountability

Accountability ensures that all actions performed by users or systems can be traced. It answers the question: Who did what and when?

Implementation examples:

• Event and error logging

• Session tracking

• Audit trails for sensitive actions (e.g. deleting data, changing configurations)

Accountability supports debugging, security investigations, and legal compliance.

Why AAA matters

Together, AAA principles form the backbone of access control in secure software. They support regulatory compliance, user trust, and system resilience by ensuring that access is intentional, appropriate, and traceable.