Welcome to today’s CompTIA Security+ practice test!
Today’s practice test is based on subdomain 4.6 (Given a scenario, implement and maintain identity and access management.) from the CompTIA Security+ SY0-701 objectives.
This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.
These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.
#1. A security administrator at a SaaS company needs to ensure that terminated employee accounts are automatically disabled within minutes of HR processing the offboarding. Which solution BEST meets this requirement?
#2. An IT administrator wants to assign access based on job functions such as “HR Staff” or “Finance Analyst.” Which access control model is MOST appropriate?
#3. A developer only needs access to production servers during work hours and from the corporate network. Which model BEST supports this requirement?
#4. A bank wants to ensure employees with privileged accounts are verified through official identity documents before access is granted. Which is the BEST approach?
#5. A healthcare provider wants patients to use their existing Google accounts to access a secure portal. Which solution is required?
#6. A company requires employees to log in with both a password and a fingerprint scan. Which authentication factors are in use?
#7. A system administrator occasionally needs elevated privileges to modify firewall rules. The company wants to minimize the risk of misuse while allowing necessary access. Which solution BEST meets this requirement?
#8. An internal auditor discovered that many employees have administrator rights but only require standard user permissions. Which principle is being violated?
#9. An administrator needs to enforce a policy requiring 14-character minimum passwords with complexity and a 90-day expiration. Which technology MOST effectively enforces this?
#10. After adopting SSO, a company fears a single stolen password could compromise all systems. Which control MOST effectively mitigates this risk?
Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.
Answers and explanations for today’s questions are listed under Answers below.
Answers
| Number | Answer | Explanation |
|---|---|---|
| 1 | C | A security administrator at a SaaS company needs to ensure that terminated employee accounts are automatically disabled within minutes of HR processing the offboarding. Which solution BEST meets this requirement? A. Role-based access control (RBAC): RBAC is a method of restricting system access to authorized users based on their roles. While essential for managing permissions while an employee is active, it doesn’t automate the disabling of accounts upon termination. B. Identity federation: Identity federation allows users to access multiple applications with a single set of credentials (Single Sign-On). It’s about simplifying access and authentication, not automating account deprovisioning upon termination. C. HR-Identity Management System (IdM) integration: This solution directly addresses the need for automation and speed. By integrating the HR system (which processes offboarding) with an Identity Management (IdM) or Identity Governance and Administration (IGA) system, the termination event in HR can trigger an automated workflow in the IdM to disable or deprovision the employee’s accounts across various applications, including the SaaS platform, within minutes. D. Multi-factor authentication (MFA): MFA adds an extra layer of security to the login process (e.g., password + code from phone). While crucial for preventing unauthorized access, it does not automate the disabling of accounts for terminated employees. An account that is never disabled can still be used, MFA or not. |
| 2 | B | An IT administrator wants to assign access based on job functions such as “HR Staff” or “Finance Analyst.” Which access control model is MOST appropriate? A. Attribute-based access control (ABAC): ABAC grants access based on a combination of attributes (e.g., user’s department, project, security clearance, resource’s sensitivity, time of day). While powerful and more granular, it’s typically more complex to implement than RBAC and isn’t the most appropriate for simply assigning access based on broad job functions as described. B. Role-based access control (RBAC): RBAC is an access control model where permissions are associated with specific roles (like “HR Staff,” “Finance Analyst,” “System Administrator”). Users are then assigned to these roles, and they inherit all the permissions associated with that role. This is ideal for managing access based on job functions because it simplifies administration: instead of assigning individual permissions to each user, you assign users to predefined roles. C. Rule-based access control: This is a broader category where access is granted or denied based on a set of rules. RBAC is a type of rule-based access control, but “Rule-based access control” itself is less specific to “job functions” than RBAC. D. Discretionary access control (DAC): DAC allows the owner of a resource to determine who has access to it and what permissions they have. This model can lead to inconsistent security policies and is difficult to manage in large organizations because individual users control access, not a centralized authority based on roles. It’s not suitable for assigning access based on standardized job functions across a company. |
| 3 | A | A developer only needs access to production servers during work hours and from the corporate network. Which model BEST supports this requirement? A. ABAC (Attribute-Based Access Control): ABAC is the best fit because it allows access decisions to be made based on a combination of various attributes (or characteristics) of the user, the resource, the environment, and the action being requested. In this scenario the user attribute is the “developer” role, the environmental attributes are “during work hours” (time-based) and “from the corporate network” (network location-based), and the resource attribute is “production servers.” ABAC provides the granular flexibility to combine these conditions into a single access policy. B. RBAC (Role-Based Access Control): RBAC grants permissions based on predefined roles (e.g., “Developer”). While a developer role could be created, RBAC alone typically doesn’t easily incorporate environmental factors like “during work hours” or “from the corporate network” as core components of its access decision logic without significant custom extensions or layering another control on top. It’s more about what a role can do, not when or from where. C. DAC (Discretionary Access Control): DAC allows resource owners to set permissions. This is highly decentralized, difficult to manage at scale, and doesn’t inherently support complex, multi-condition rules like time and location. D. MAC (Mandatory Access Control): MAC is a highly restrictive model where access is determined by system-wide security labels (e.g., “top secret,” “secret”) assigned to both subjects and objects. It’s common in high-security environments but is overly rigid and complex for dynamic, condition-based access like this. It doesn’t natively handle time-of-day or network location conditions. |
| 4 | C | A bank wants to ensure employees with privileged accounts are verified through official identity documents before access is granted. Which is the BEST approach? A. Require hardware tokens: Hardware tokens provide strong multi-factor authentication (MFA). While excellent for authenticating a user during login, they do not inherently verify the initial identity of the person to whom the token was issued. An unverified individual could theoretically obtain a token. B. Use OAuth for application access: OAuth is an authorization framework that allows a user to grant a third-party application limited access to their resources on another service without exposing their credentials. It’s about delegated authorization, not initial identity verification of a user before account creation or access to privileged accounts. C. Require identity proofing with government-issued ID: Identity proofing is the process of verifying that an individual is who they claim to be, typically by cross-referencing information against trusted sources like government databases and requiring official documents such as government-issued IDs. For privileged accounts, especially in a financial institution, this is the BEST approach to ensure the highest level of assurance about the individual’s identity before granting access. D. Apply time-of-day restrictions: Time-of-day restrictions limit when an account can be used. This is a good access control measure for privileged accounts (e.g., only during business hours), but it does not verify the identity of the individual using the account. |
| 5 | A | A healthcare provider wants patients to use their existing Google accounts to access a secure portal. Which solution is required? A. Implement OAuth or SAML federation: OAuth (Open Authorization) and SAML (Security Assertion Markup Language) are widely used identity federation protocols. They allow a user’s identity from one system (like Google) to be trusted by another system (the healthcare provider’s secure portal). This enables patients to use their existing Google accounts (or other identity providers) to log in to the portal without needing to create new credentials specifically for the healthcare system. B. Apply password expiration every 30 days: This is a password policy for traditional authentication, not a method for integrating existing third-party accounts. It would increase user friction and doesn’t solve the core requirement. C. Deploy password vaulting: Password vaulting solutions securely store and manage passwords, often for privileged accounts. It’s for credential management, not for enabling access via external identity providers. D. Use biometric-only authentication: While biometrics offer strong authentication, requiring “biometric-only” would necessitate the healthcare provider implementing and managing a biometric system and would force patients to enroll, which goes against the goal of using their existing Google accounts. Google accounts themselves might use biometrics as part of their authentication, but that’s managed by Google. |
| 6 | A | A company requires employees to log in with both a password and a fingerprint scan. Which authentication factors are in use? A. Something you know & Something you are: The password is “something you know” (a secret piece of information only the user should know); the fingerprint scan is “something you are” (a unique biological characteristic of the user). B. Something you have & Something you know: “Something you have” would be a physical token, smart card, or phone, none of which is used here. C. Something you are & Somewhere you are: “Somewhere you are” would be a geographical location or network segment. D. Something you have & Somewhere you are: As above, neither of these matches the given authentication factors. |
| 7 | A | A system administrator occasionally needs elevated privileges to modify firewall rules. The company wants to minimize the risk of misuse while allowing necessary access. Which solution BEST meets this requirement? A. Implement just-in-time (JIT) privileged access: Just-in-time (JIT) privileged access is designed specifically for this scenario. It grants elevated privileges only for a limited, specific period when they are genuinely needed for a task (e.g., to modify firewall rules). Once the task is completed or the time expires, the privileges are automatically revoked. This significantly minimizes the window of opportunity for misuse or compromise compared to always-on privileged accounts. B. Enforce password expiration every 45 days: Password expiration is a general security practice but does not directly address the misuse of privileged access during the time it is held. An attacker could still compromise the password and use the privileges within that 45-day window. C. Apply time-of-day access restrictions: Time-of-day restrictions limit when an account can be used. While helpful, it’s less granular and flexible than JIT. The administrator might need access outside “normal” hours for an urgent task, and JIT ensures access only for the specific duration of that task, regardless of the time. D. Use passwordless authentication: Passwordless authentication improves the user experience and can enhance security by eliminating password-related risks (e.g., phishing, brute-force). However, it focuses on the authentication method itself, not on limiting the duration or scope of privileged access once authenticated. A passwordless privileged account could still be misused if it has persistent elevated rights. |
| 8 | B | An internal auditor discovered that many employees have administrator rights but only require standard user permissions. Which principle is being violated? A. Federation: Identity federation is about enabling users to access multiple systems with a single set of credentials (Single Sign-On). It’s unrelated to the amount of access granted once authenticated. B. Least privilege: The principle of least privilege dictates that users and processes should be granted only the minimum necessary permissions to perform their authorized tasks, and no more. If employees have administrator rights when they only need standard user permissions, they have more privileges than required, directly violating this principle. C. Mandatory Access Control (MAC): MAC is a strict access control model where access decisions are made based on security labels assigned to subjects and objects, enforced by the operating system. While MAC enforces strict rules, the violation described (too many permissions) is a general concept of over-privilege, not specific to MAC as a model itself. DAC (Discretionary Access Control) is more commonly associated with users granting themselves too many rights, but the core issue is the excessive privilege, which is a violation of the least privilege principle regardless of the access control model. D. Password complexity policy: A password complexity policy defines rules for creating strong passwords (e.g., minimum length, character types). While important for security, it is unrelated to the type or amount of permissions a user account has once authenticated. |
| 9 | D | An administrator needs to enforce a policy requiring 14-character minimum passwords with complexity and a 90-day expiration. Which technology MOST effectively enforces this? A. Federation with third-party IdPs (Identity Providers): While federation allows users to authenticate through an external provider, the password policies for those external accounts are managed by the third-party IdP, not by your organization’s internal system. If you’re managing the passwords within your organization, federation to external IdPs doesn’t directly enforce your internal password policies. B. Just-in-time privilege management: This technology grants elevated privileges only for a limited time when needed. It’s focused on managing permissions, not on defining the characteristics of a user’s password itself. C. Passwordless authentication: Passwordless authentication eliminates the need for passwords altogether (e.g., using biometrics, FIDO keys). Therefore, it cannot enforce password policies because there are no passwords to manage. D. Identity and Access Management (IAM) system: An Identity and Access Management (IAM) system (or a directory service like Active Directory, LDAP, or a cloud IAM like AWS IAM) is the central component responsible for managing user identities and their associated attributes, including password policies. These systems are specifically designed to define and enforce rules for password complexity (e.g., character types), minimum length, and expiration periods. |
| 10 | A | After adopting SSO, a company fears a single stolen password could compromise all systems. Which control MOST effectively mitigates this risk? A. Implement MFA for all SSO logins: MFA (Multi-Factor Authentication) requires users to provide two or more distinct verification factors to gain access. Even if a single password (the “something you know” factor in SSO) is stolen, the attacker would still need the second factor (e.g., a code from a phone, a fingerprint: “something you have” or “something you are”) to access the systems. This dramatically mitigates the risk of a single stolen password compromising all systems under SSO. B. Disable SSO integration: Disabling SSO would solve the “single point of failure” problem but at the cost of significantly increased user friction, more passwords for users to manage (and forget), and a less centralized security posture. It’s a drastic measure that eliminates the benefits of SSO. C. Increase password length to 20 characters: While longer passwords are more secure against brute-force attacks, they still represent a single factor. If this single factor is stolen (e.g., via phishing or a keylogger), the increased length won’t prevent compromise. D. Require quarterly password changes: Frequent password changes can sometimes lead to users choosing simpler, easier-to-remember (and guess) passwords. More importantly, like increased length, it’s still a single factor. If the password is stolen immediately after a change, the systems are still vulnerable. |
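As an added illustration of the ABAC decision in question 3 (this is example code, not part of the practice test), the following Python combines the subject, resource and environment attributes from that scenario into a single default-deny policy; the corporate network range, the work-hour window and the role name are assumed values.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Policy values are assumed for this example; a real deployment reads them
# from the policy store rather than from constants.
CORPORATE_NETWORK = ip_network("10.0.0.0/8")
WORK_START, WORK_END = time(9, 0), time(17, 0)   # start inclusive, end exclusive


def evaluate_abac(subject: dict, resource: dict, environment: dict) -> tuple[bool, str]:
    """Combine subject, resource and environment attributes into one decision.

    Every condition must hold; anything unexpected falls through to deny.
    """
    # Subject attribute: only the developer role is in scope for this policy.
    if subject.get("role") != "developer":
        return False, "subject role is not developer"
    # Resource attribute: the policy covers production servers only.
    if resource.get("environment") != "production" or resource.get("kind") != "server":
        return False, "resource is not a production server"
    # Environmental attribute: a weekday, inside the work-hour window.
    now = environment["time"]
    if now.weekday() >= 5 or not (WORK_START <= now.time() < WORK_END):
        return False, "outside work hours"
    # Environmental attribute: the request must originate on the corporate network.
    try:
        src = ip_address(environment["source_ip"])
    except ValueError:
        return False, "source address is not a valid IP"
    if src not in CORPORATE_NETWORK:
        return False, "request is not from the corporate network"
    return True, "all attributes satisfied"


def decide(role: str, when_iso: str, source_ip: str) -> tuple[bool, str]:
    """Evaluate a request for a production server made by the given role."""
    request_env = {"time": datetime.fromisoformat(when_iso), "source_ip": source_ip}
    return evaluate_abac({"role": role},
                         {"environment": "production", "kind": "server"},
                         request_env)


if __name__ == "__main__":
    # Constructed requests: the same developer, differing only in time or network.
    for when, ip in [("2024-03-05T10:30:00", "10.20.30.40"),   # allow
                     ("2024-03-05T22:15:00", "10.20.30.40"),   # deny: after hours
                     ("2024-03-05T10:30:00", "203.0.113.7"),   # deny: off-network
                     ("2024-03-09T10:30:00", "10.20.30.40")]:  # deny: weekend
        print(when, ip, decide("developer", when, ip))
```

Note how an RBAC check alone would stop at the first condition; the time and network tests are what make this an attribute-based decision.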


