5 exercises on identity and access management (IAM) English — the precise verbs and named principles that appear in onboarding tickets, security policies, and compliance audits.
Key patterns in this set
grant access ↔ revoke access — the canonical antonym pair
least privilege — only the permissions strictly needed
role-based access control (RBAC) — permissions attach to roles
multi-factor authentication (MFA) — two or more independent factors
rotate credentials / keys — replace secrets and invalidate the old ones
1 / 5
An onboarding ticket reads:
"Please ___ the new engineer read access to the staging database and the deployment dashboard — but nothing in production yet."
Which verb is the standard collocation for giving someone a permission?
Grant access.
"Grant access" is the formal, technical collocation used throughout IAM systems, cloud consoles, and security policy. Its paired antonym is "revoke access".
grant / revoke access — the canonical pair
grant a permission / a role / a scope
request access → approve / deny → grant
"Give access" is acceptable in casual speech but weaker in documentation. "Allow access" describes a firewall/ACL rule ("allow inbound on 443") rather than assigning a user permission. "Open access" is not idiomatic. Usage in AWS/GCP/Okta UIs is consistently "grant" and "revoke", so learn that pair first.
2 / 5
A security architecture principle states:
"Every service account should run with ___ — only the exact permissions it needs to do its job, and nothing more."
Which is the established name for this principle?
Least privilege.
The "principle of least privilege (PoLP)" states that any user, process, or account should have only the minimum permissions necessary to perform its function. It is foundational to zero-trust design.
principle of least privilege — the named principle
privilege creep — gradual accumulation of unneeded rights
just-in-time (JIT) access — grant elevated rights only when needed, then revoke
"Minimum rights", "lowest access", and "reduced permission" all paraphrase the idea but are not the recognised term — in interviews, audits, and docs the exact phrase is least privilege. Usage: "the IAM role violated least privilege by granting s3:* on all buckets."
3 / 5
A compliance document describes the permission model:
"Access is assigned through ___ — users are placed in roles such as billing-reader or deploy-operator, and permissions attach to the role, not the individual."
Which term names this model (abbreviated RBAC)?
Role-based access control (RBAC).
"Role-based access control" assigns permissions to roles, and users inherit permissions by being members of those roles — simplifying management and audits.
RBAC — role-based access control
ABAC — attribute-based access control (decisions from user/resource attributes)
role assignment / role binding — linking a user to a role (Kubernetes uses RoleBinding)
Beware the distractor "rule-based access control" — it would share the acronym, but RBAC specifically means role-based. "Rank-based" and "region-based" are not standard models. Usage: "we moved from per-user grants to RBAC so offboarding just removes the role membership."
4 / 5
A login security policy reads:
"All administrative accounts must use ___ — a password plus a second factor such as a hardware key or an authenticator app — so a stolen password alone is not enough to log in."
Which term (abbreviated MFA) describes this?
Multi-factor authentication (MFA).
"Multi-factor authentication" requires two or more independent factors: something you know (password), have (hardware key, phone), or are (biometric). Two-factor (2FA) is the most common subset.
enable / enforce MFA — turn it on / make it mandatory
Critical distinction: authentication (proving who you are) is not authorisation (what you may do) — so "multi-form authorisation" and "multi-phase authorisation" are wrong on two counts. "Multi-field authentication" is not a term. Usage: "we enforce MFA on every account with production access."
5 / 5
A secrets-hygiene runbook states:
"After the contractor leaves, ___ all the API keys and service-account passwords they could have seen, and confirm the old values no longer work."
Which verb best describes replacing credentials with fresh ones?
Rotate credentials.
"Rotate credentials" (or rotate keys / secrets) means to replace existing secrets with new ones on a schedule or after a risk event, then invalidate the old values. It is the standard secrets-management verb.
single sign-on (SSO) — one identity across many apps
escalate privileges — gain higher rights
"Reset" applies to a single forgotten password; "renew" suits certificates/licences nearing expiry; "refresh" is for tokens (OAuth refresh token). Only "rotate" captures the deliberate, security-driven cycling of many secrets. Usage: "we rotate all credentials automatically via the secrets manager and on every offboarding."