
IAM architecture: deep dive

I'm 20 now, former Head of Design and founding member at HOK. Launched India's first fashion show in Metaverse in partnership with Papa Don't Preach.

I promised you the Four A's of IAM.

Let's start with the architecture underneath it all.

IAM High-Level Architecture

Think of IAM like a building.

Before anyone gets a keycard, someone has to build the doors, the locks, and the security desk.

That's what this layer breakdown is about.

1/ Foundation — Where Identities Live

Directories (LDAP-based) store who you are and your attributes.
Most enterprises have dozens of them: legacy systems, acquired companies, different departments.

Synchronization stitches them into one ecosystem.
Without it, your left hand doesn't know what your right hand is doing.

2/ The Core — Where Access Gets Decided

Admin provisions accounts when you join and kills them when you leave.
Skipping de-provisioning is how ex-employees still have DB access six months later.

Role Management defines a role once and maps access automatically.
New hire, same role, instant access. Clean.

Access Management controls Authentication (who are you?) + Authorization (what can you touch?). Risk-based algorithms decide in real time.

PAM (Privileged Access Management) controls the vault for dangerous accounts. Sysadmins and DBAs don't get permanent passwords. They check out credentials, use them, and the system rotates them afterwards.
Every session recorded. No exceptions.

3/ Audit — The Layer That Watches Everything

Spans every layer.

Uses UBA + ML to catch what humans miss. An account that creates itself, dumps a database, and self-deletes in ten minutes isn't a user.

That's an attack.

4/ Federation

Where IAM meets the outside world: standard protocols extend your IAM to SaaS tools, cloud providers, and partners without handing over your keys.

That's the full architecture in one frame.

Four layers. One goal.
Making sure the right people get to the right things,
and everyone else doesn't.


Administration

Someone joins your company.
Someone leaves.
Someone needs more access.

Three workflows.

This is IAM Administration.

Here we generally have three different workflows, depending on the use case.

1/ New Hire

The full journey: HR adds them → system generates a request → Role Management translates their job into IT roles → accounts get created → approval workflow signs off → directories provision access.

One new bank teller. Automatically gets exactly what a bank teller needs.

Nothing more.

2/ Existing User Needs More Access

Here, no HR is involved.
They raise a request directly → skip role mapping → request specific account → approval → granted.

Same guardrails. Faster path.

3/ Someone Leaves

This one's critical. HR updates their status → de-provisioning triggers instantly → the system knows every access right they ever had → deletes all of it.

Notice what's missing?
The approval step.
Completely bypassed.

Because when someone leaves, you don't wait for three managers to approve removing their database access. You kill it.

Now.
The scary stat?

Most breaches involving ex-employees happen because someone forgot to pull this trigger.
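The three workflows above, as an added example that is not part of the original post: a toy IAM service with a hypothetical role catalogue, where joiners and movers wait for approval but a leaver is stripped of everything the system knows they hold, immediately and with no approval step.

```python
from dataclasses import dataclass, field

# Constructed role catalogue (hypothetical): job title -> IT roles -> entitlements.
JOB_TO_ROLES = {"bank_teller": ["teller_app_user", "branch_intranet"]}
ROLE_TO_ENTITLEMENTS = {
    "teller_app_user": {"teller-app:read", "teller-app:transact"},
    "branch_intranet": {"intranet:read"},
}

@dataclass
class IAMSystem:
    grants: dict = field(default_factory=dict)    # user -> every entitlement ever granted
    pending: list = field(default_factory=list)   # (user, entitlements, kind) awaiting approval

    def joiner(self, user, job_title):
        """HR event: job title is translated into IT roles, then queued for approval."""
        roles = JOB_TO_ROLES[job_title]
        wanted = set().union(*(ROLE_TO_ENTITLEMENTS[r] for r in roles))
        self.pending.append((user, wanted, "joiner"))

    def mover(self, user, entitlement):
        """Existing user asks for one specific entitlement: no HR, no role mapping."""
        self.pending.append((user, {entitlement}, "mover"))

    def approve(self, user):
        """Approval workflow signs off; directories provision the access."""
        keep = []
        for req in self.pending:
            if req[0] == user:
                self.grants.setdefault(user, set()).update(req[1])
            else:
                keep.append(req)
        self.pending = keep

    def leaver(self, user):
        """HR marks the user as left: strip everything now, no approval step."""
        removed = self.grants.pop(user, set())
        self.pending = [r for r in self.pending if r[0] != user]  # kill open requests too
        return removed

def demo():
    iam = IAMSystem()
    iam.joiner("alice", "bank_teller")
    iam.approve("alice")
    iam.mover("alice", "reports:read")
    iam.approve("alice")
    removed = iam.leaver("alice")
    return iam.grants.get("alice", set()), removed
```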


Authentication and Authorization

You've made it past Administration. Now the system has one question.

"...but who are you, though?"

1/ Authentication — Prove It

Three ways a system verifies you're actually you:

KNOW — something you know. Password, PIN.
HAVE — something you have. Your phone, a hardware key.
ARE — something you are. Face, fingerprint, biometrics.

Combine two or more? That's MFA. It's harder to steal all three than just one.

Then there's a world where passwords don't exist at all. Passwordless is already here. Most orgs just haven't moved yet.

SSO — Login Once, Touch Everything 😤 → 😊

Without SSO: one user, three systems, three passwords, one very frustrated person. With SSO: login once, and the system passes credentials downstream securely. Same security. Zero friction.

2/ Authorization — Okay, You're In. Now What?

This isn't a yes/no gate anymore.

Modern Risk-Based Authorization asks:

  • Where are you logging in from?

  • What are you trying to do?

  • How much are you moving?

  • How often are you doing this?

Checking your balance from your usual laptop? Green light.

Transferring $50k from a new device at 3am? Hold on. 🚨

Same user. Completely different risk. The system adapts in real time.
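The four risk questions above turned into a scoring policy, as an added example that is not from the original post: the baseline, weights and thresholds are hypothetical, and the two requests in `demo()` are the post's own "usual laptop" and "$50k at 3am" cases plus a middle case that earns a step-up instead of a hold.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class AccessRequest:
    user: str
    action: str        # "view_balance", "transfer", ...
    amount: float      # money moved; 0 for read-only actions
    device_id: str
    country: str
    when: datetime
    recent_count: int  # times this user did this action in the last hour

# Constructed per-user baseline (hypothetical): what "usual" looks like.
BASELINE = {"alice": {"devices": {"laptop-7f3a"}, "countries": {"IN"}}}

def risk_score(req: AccessRequest) -> int:
    """Add up the four signals the post lists; higher means riskier."""
    base = BASELINE.get(req.user, {"devices": set(), "countries": set()})
    score = 0
    if req.device_id not in base["devices"]:
        score += 30                  # where from: unknown device
    if req.country not in base["countries"]:
        score += 30                  # where from: unusual country
    if req.action == "transfer":
        score += 10                  # what: money leaves the account
        if req.amount >= 10_000:
            score += 25              # how much: large amount
    if not 7 <= req.when.hour < 22:
        score += 15                  # when: outside normal hours
    if req.recent_count >= 5:
        score += 20                  # how often: unusual burst
    return score

def decide(req: AccessRequest) -> str:
    """allow / step_up (extra factor) / hold (manual review), by score band."""
    score = risk_score(req)
    return "allow" if score < 30 else "step_up" if score < 70 else "hold"

def demo():
    """The two cases from the post plus a middle one; returns their outcomes."""
    when_day, when_3am = datetime(2024, 3, 10, 10, 0), datetime(2024, 3, 10, 3, 0)
    usual = AccessRequest("alice", "view_balance", 0, "laptop-7f3a", "IN", when_day, 1)
    small = AccessRequest("alice", "transfer", 500, "phone-new", "IN", when_day, 1)
    big = AccessRequest("alice", "transfer", 50_000, "phone-new", "IN", when_3am, 1)
    return decide(usual), decide(small), decide(big)
```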

In an ideal world, we go with PAM.

The PAM way: Every admin logs into a central PAM vault individually with MFA → PAM generates a unique complex password and logs them into the target server → admin never sees the actual password → session ends → password automatically rotates → every keystroke recorded.


Audit

We've covered Administration, Authentication, and Authorization.

But here's the thing, none of that matters if nobody's watching.

Audit. The last layer of the IAM stack.

Every action. Every login. Every access request. Logged. Audit doesn't sit in one corner of your IAM stack; it spans everything: the directories, the admin layer, the access systems.

It's the overarching monitor that quietly watches all three A's and asks one question continuously: "Did everything happen the way it was supposed to?"

Raw logs are just noise at scale. Nobody's reading millions of entries manually. That's where User Behavior Analytics (UBA/UEBA) comes in.

It's ML layered on top of your logs to detect patterns humans would miss.

Here's the classic example:

  • A stolen credential logs in.

  • Creates an account.

  • Dumps a database.

  • Deletes the account.

All in under ten minutes.

Creating accounts? Normal.

Copying databases? Normal.

Deleting accounts? Normal.

All three in rapid succession at 2am?

That's an attack.

UBA catches it. Flags it. Before your DBA even wakes up.
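The create, dump, delete sequence from this section (and from the Audit layer described earlier in the post) as a correlation rule over audit log lines, added here as an example that is not from the original post. The log format, account names and ten-minute window are constructed; each step alone passes, and only the correlated chain by the same account fires an alert.

```python
from datetime import datetime, timedelta

# Constructed audit log (hypothetical): "<ISO time> <actor> <event> <object>".
SAMPLE_LOG = """\
2024-03-10T02:01:12 svc_backup login ok
2024-03-10T02:02:40 svc_backup account_create tmp_admin
2024-03-10T02:05:03 tmp_admin db_dump customers
2024-03-10T02:08:55 svc_backup account_delete tmp_admin
2024-03-10T09:15:00 dba_ravi account_create intern_q2
2024-03-10T11:40:00 dba_ravi db_dump analytics
2024-03-11T17:00:00 dba_ravi account_delete intern_q2
"""

WINDOW = timedelta(minutes=10)   # "all in under ten minutes"

def parse(log: str):
    """One tuple per line, sorted by time: (time, actor, event, object)."""
    events = []
    for line in log.splitlines():
        ts, actor, event, obj = line.split()
        events.append((datetime.fromisoformat(ts), actor, event, obj))
    return sorted(events)

def find_lifecycle_attacks(log: str):
    """Alert on create -> dump (by the new account) -> delete of that account, within WINDOW.

    Each step alone is normal; the alert fires only on the correlated sequence.
    """
    alerts = []
    events = parse(log)
    for i, (t0, creator, event, acct) in enumerate(events):
        if event != "account_create":
            continue
        dumped = None
        for t1, actor, ev, obj in events[i + 1:]:
            if t1 - t0 > WINDOW:
                break                      # slow sequence: routine admin work
            if ev == "db_dump" and actor == acct:
                dumped = obj
            elif ev == "account_delete" and obj == acct and dumped:
                alerts.append({"creator": creator, "account": acct, "database": dumped,
                               "elapsed_s": int((t1 - t0).total_seconds())})
                break
    return alerts
```

Running it over `SAMPLE_LOG` flags only the `tmp_admin` chain at 02:02; `dba_ravi`'s create, dump and delete spread over two days stay silent.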

Why It Completes the Architecture

Audit cross-checks everything that came before it:

  • Were the right access rights granted? (Administration)

  • Was that actually the right person? (Authentication)

  • Did they stay within their permissions? (Authorization)

Without Audit, the other three A's are just trust with no verification.

With it, you don't just have access control. You have a fully realized Enterprise IAM architecture.

And that's a wrap on the Four A's. 🎉

Administration → Authentication → Authorization → Audit