SSCP Domain 2: Access Controls — Complete Study Guide

If you’re preparing for the ISC2 SSCP exam, SSCP Domain 2: Access Controls is one area you cannot afford to gloss over. Weighted at 15% of the exam, this domain tests your ability to implement and evaluate real-world access control mechanisms — not just define them. The SSCP is a Computerized Adaptive Testing (CAT) exam with 125 questions (100 scored, 25 unscored pretest items), a 180-minute time limit, and a passing score of 700 out of 1000. That means every domain counts, and Domain 2 will absolutely show up in your question set. Let’s break down exactly what the exam expects you to know.

What Is SSCP Domain 2 Testing?

Domain 2 covers the mechanisms and models that control who gets access to what — and under what conditions. At the SSCP level, this goes well beyond understanding that passwords exist. The exam tests your ability to evaluate the appropriateness of different authentication methods, distinguish between authorization models, and understand how federated identity systems work across organizational boundaries. Here’s the core breakdown:

  • Authentication methods: Multi-factor authentication (MFA), biometrics, single sign-on (SSO)
  • Authorization models: RBAC, DAC, MAC, ABAC
  • Identity management: Federated identity, directory services, provisioning/deprovisioning
  • Privileged access management (PAM): Controlling and auditing elevated permissions
  • Modern protocols: SAML, OAuth 2.0, OpenID Connect

Authentication vs. Authorization: Know the Difference

A surprisingly common exam trap is confusing authentication with authorization. Authentication is the process of verifying identity — proving you are who you claim to be. Authorization determines what you’re permitted to do once your identity is confirmed. The SSCP exam will present scenarios where you must identify which process is failing or which control is appropriate. Get this distinction locked in early.

Multi-Factor Authentication (MFA)

MFA requires two or more factors from different categories: something you know (password, PIN), something you have (smart card, hardware token), and something you are (fingerprint, retina scan). The exam may ask you to identify which combination qualifies as true MFA — remember, two passwords do not count because they both fall into the same category.

Biometrics

Biometric authentication introduces two key error rates you need to understand: the False Acceptance Rate (FAR) — how often the system lets in the wrong person — and the False Rejection Rate (FRR) — how often it locks out a legitimate user. The Crossover Error Rate (CER) is the point where FAR and FRR are equal, and it’s used to compare the overall accuracy of biometric systems. Lower CER means better accuracy.
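To make FAR, FRR and CER concrete, here is an added example (not from the original guide) that sweeps the match-score threshold over two constructed sets of genuine and impostor scores and ranks the two hypothetical systems by CER:

```python
# Added example (not part of the original guide): computing FAR, FRR and the CER for two
# constructed biometric systems by sweeping the match-score threshold from 0.0 to 1.0.

# Constructed match scores (0.0 to 1.0); higher means a closer match to the enrolled template.
SYSTEMS = {
    "A": {"genuine": [0.91, 0.88, 0.83, 0.79, 0.76, 0.72, 0.69, 0.65, 0.61, 0.55],
          "impostor": [0.58, 0.52, 0.49, 0.45, 0.41, 0.38, 0.34, 0.30, 0.27, 0.22]},
    "B": {"genuine": [0.85, 0.80, 0.74, 0.70, 0.66, 0.60, 0.56, 0.50, 0.46, 0.40],
          "impostor": [0.64, 0.60, 0.55, 0.51, 0.47, 0.43, 0.39, 0.35, 0.31, 0.28]},
}

def far(threshold, impostor):
    """False Acceptance Rate: share of impostor attempts accepted (score at or above threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold, genuine):
    """False Rejection Rate: share of genuine attempts rejected (score below threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)

def crossover_error_rate(genuine, impostor, steps=100):
    """Sweep thresholds and return (threshold, cer) at the point where FAR and FRR are closest.

    Raising the threshold lowers FAR but raises FRR; the CER is the error rate where they meet.
    """
    best_gap, best_t, best_rate = None, None, None
    for i in range(steps + 1):
        t = i / steps
        a, r = far(t, impostor), frr(t, genuine)
        if best_gap is None or abs(a - r) < best_gap:
            best_gap, best_t, best_rate = abs(a - r), t, (a + r) / 2
    return best_t, best_rate

def most_accurate(systems=SYSTEMS):
    """Compare systems by CER (lower is better) and return the name of the most accurate one."""
    return min(systems, key=lambda name: crossover_error_rate(**systems[name])[1])

if __name__ == "__main__":
    for name, scores in SYSTEMS.items():
        t, cer = crossover_error_rate(**scores)
        print(f"system {name}: CER {cer:.2f} at threshold {t:.2f}")
    print("most accurate:", most_accurate())
```

System A's genuine and impostor scores barely overlap, so its CER is lower than system B's, which is exactly the comparison the exam expects you to make from CER alone.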

Authorization Models: RBAC, DAC, MAC, and ABAC

The four major access control models are a staple of Domain 2. The exam expects you to identify which model applies in a given scenario — not just recite definitions.

Mandatory Access Control (MAC)

MAC is the most restrictive model. It uses security labels assigned to objects (files, data) and clearance levels assigned to subjects (users). The operating system enforces access decisions by comparing labels — users have no ability to override these decisions. This model is common in government and military environments. Think: top secret, secret, confidential classifications.

Discretionary Access Control (DAC)

In DAC, the owner of a resource decides who can access it. A classic example is a file system where individual users can set read/write permissions on their own files. It’s flexible but harder to manage at scale, and it’s considered less secure than MAC because users control the policy.

Role-Based Access Control (RBAC)

RBAC assigns permissions based on job roles rather than individual identities. A nurse gets access to patient records; an accountant gets access to billing systems. This model is widely used in enterprise environments because it simplifies administration — when someone changes roles, you update their role assignment, not dozens of individual permissions.

Attribute-Based Access Control (ABAC)

ABAC is the most flexible model. Access decisions are based on a combination of attributes — user attributes (department, clearance), resource attributes (sensitivity level, type), and environmental attributes (time of day, location). ABAC is increasingly relevant in cloud and zero-trust environments.
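The exam's scenario questions hinge on how the same request is decided differently under each model. This added example (not from the original guide) implements a tiny decision function for MAC, DAC, RBAC and ABAC and runs one constructed request, a nurse reading a clinical record, through all four; the users, labels, roles and ABAC policy rule are all made up for illustration:

```python
# Added example (not part of the original guide): one access request evaluated under
# MAC, DAC, RBAC and ABAC. All subjects, objects, roles and the ABAC rule are constructed.
from datetime import time

LEVELS = {"confidential": 1, "secret": 2, "top_secret": 3}   # classification lattice

def mac_allows(clearance, label):
    """MAC: the system compares labels; a read needs clearance at or above the object label."""
    return LEVELS[clearance] >= LEVELS[label]

def dac_allows(acl, owner, user, action):
    """DAC: the resource owner decides; the owner always keeps access, others need a grant."""
    return user == owner or action in acl.get(user, set())

def rbac_allows(role_perms, user_roles, user, action):
    """RBAC: permissions attach to roles; a user gets them only through role assignment."""
    return any(action in role_perms.get(role, set()) for role in user_roles.get(user, ()))

def abac_allows(user, resource, env, action):
    """ABAC: one policy rule combining user, resource and environmental attributes."""
    return (action == "read"
            and user["department"] == resource["department"]
            and LEVELS[user["clearance"]] >= LEVELS[resource["sensitivity"]]
            and time(8, 0) <= env["time"] < time(18, 0)      # business hours only
            and env["location"] == "on_prem")                  # no remote reads

def evaluate_all(user, resource, env, action, acl, role_perms, user_roles):
    """Return every model's decision for the same request so the differences are visible."""
    return {
        "MAC": mac_allows(user["clearance"], resource["sensitivity"]),
        "DAC": dac_allows(acl, resource["owner"], user["name"], action),
        "RBAC": rbac_allows(role_perms, user_roles, user["name"], action),
        "ABAC": abac_allows(user, resource, env, action),
    }

def demo(hour=14, location="on_prem"):
    """Constructed scenario: nurse alice reads a clinical record owned by bob."""
    nurse = {"name": "alice", "department": "clinical", "clearance": "secret"}
    record = {"owner": "bob", "department": "clinical", "sensitivity": "confidential"}
    acl = {}                                   # bob has granted alice nothing explicitly
    role_perms = {"nurse": {"read"}, "accountant": {"read_billing"}}
    user_roles = {"alice": ("nurse",)}
    env = {"time": time(hour, 0), "location": location}
    return evaluate_all(nurse, record, env, "read", acl, role_perms, user_roles)

if __name__ == "__main__":
    print("14:00 on-prem:", demo())
    print("22:00 remote: ", demo(hour=22, location="remote"))
```

Only DAC denies the daytime request, because the owner never granted alice anything, while ABAC alone flips to deny after hours or off-site, since it is the only model that consults environmental attributes.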

Federated Identity and Modern Protocols

Modern enterprise environments rarely exist within a single organization’s walls. Federated identity management allows users to authenticate once and access resources across multiple organizations or cloud services. This is where SAML and OAuth 2.0 come in — and the SSCP exam definitely tests both.

SAML and Single Sign-On

Security Assertion Markup Language (SAML) is an XML-based protocol that enables federated SSO. When a user authenticates with an Identity Provider (IdP), the IdP issues a SAML assertion (a signed XML token) that is passed to a Service Provider (SP). The SP trusts the IdP’s assertion and grants access without requiring the user to re-authenticate. This is the backbone of cross-organizational SSO.
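"The SP trusts the IdP's assertion" is shorthand for a set of checks the SP must perform before granting access. This added example (not from the original guide) runs those checks on a constructed SAML 2.0 assertion: a signature element is present, the issuer is the trusted IdP, the SP is a named audience, and the current time falls inside the validity window. Cryptographic verification of the XML signature is assumed to be done separately by an XML-DSig library; the issuer, audience and timestamps are made-up values.

```python
# Added example (not part of the original guide): SP-side checks on a constructed SAML assertion.
# Signature verification proper is assumed to be handled by an XML-DSig library; this code only
# confirms that a Signature element is present before checking issuer, audience and validity.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed assertion: every identifier and timestamp below is a placeholder value.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0"
    IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature><ds:SignatureValue>BASE64_PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T10:00:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_time(value):
    """Parse the UTC 'Z' timestamps SAML uses into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_idp, sp_entity_id, now_utc):
    """Return the asserted NameID if every SP-side check passes, otherwise raise ValueError.

    now_utc is the current time as a 'YYYY-MM-DDTHH:MM:SSZ' string so the check is deterministic.
    """
    root = ET.fromstring(xml_text)
    if root.find("ds:Signature", NS) is None:
        raise ValueError("assertion is unsigned")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_idp:
        raise ValueError(f"untrusted issuer {issuer!r}")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion is not addressed to this SP")
    cond = root.find("saml:Conditions", NS)
    now = parse_time(now_utc)
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)

if __name__ == "__main__":
    print(validate_assertion(ASSERTION, "https://idp.example.org",
                             "https://sp.example.com", "2024-01-15T10:02:00Z"))
```

The audience check is what stops an assertion issued for one SP from being replayed at another, and the short NotOnOrAfter window limits how long a captured assertion stays usable.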

OAuth 2.0 and Delegated Authorization

OAuth 2.0 is frequently misunderstood as an authentication protocol — it is not. It is an authorization framework designed to allow third-party applications to access a user’s resources without exposing their credentials. When you click
