Authentication, Authorization, and Accounting: the AAA Framework

Authentication, authorization, and accounting comprise the AAA framework of protocols used in access control systems.

  • Through authentication, the system verifies that a user is who they claim to be.
  • Through authorization, it determines whether they’re allowed to perform a particular action, such as entering a building or editing a file.
  • Through accounting, the system keeps track of the user’s actions. If a user deletes a particular file, for instance, the system would record that event.

Alongside identification, authentication and authorization comprise the core access control process. Accounting isn’t strictly necessary to access control, and many protocols, such as RADIUS, allow administrators to implement authentication and authorization without utilizing accounting.

Let’s talk about each part in turn.


Through authentication, the system determines whether a given user is who they claim to be. In the access control process, authentication goes hand in hand with identification: the user states their identity (identification) and then offers proof so that the system can verify it (authentication).

This proof can come in many forms, but usually falls into three broad categories of authentication factors:

  • Something you know authentication factors, such as passwords and PINs, involve a secret tidbit of information. These factors are essential to most logical access controls.
  • Something you have authentication factors, such as keys or ID badges, involve something tangible you carry with you. Something you have factors abound when it comes to physical security – especially the lock and key, which is probably the most pervasive access control method.
  • Something you are authentication factors, also known as biometrics, include fingerprint scanners, facial recognition, and any other authentication that relies on your body itself.

Many access control systems use multi-factor authentication, which requires two or more factors in tandem to provide enhanced security. A system that requires both a password (something you know) and your cell phone (something you have) is much, much stronger than a system that relies on a password alone.

The above categories aren’t all-encompassing. Many access control systems might also check things like location and device data. Usually, these are used as a secondary form of authentication. If you log onto a bank account from a trusted device, for instance, you might not need to input a one-time code sent via SMS. But you would still need to enter your password to log in.


Once a user has been authenticated, the system proceeds to authorization. Here, it’s a question of what resources they’re allowed to access, and what they’re allowed to do with those resources. That might include the permission to enter a location, view a file, or edit a database.

Logical access control systems, which govern access on computer systems, rely heavily on access control lists. On Windows, for instance, each file or folder includes a list of individual users and what permissions they have pertaining to a particular file. One user might have the permission to read, write, and modify a particular file, where another user might only be able to read the file and another user might have no rights at all.

Each file under Windows also has an owner – typically the person that created the file. This user can modify permissions at will, determining who has what level of access to the file. This system is called discretionary access control, because the file’s owner can allocate access at their discretion.

Discretionary access control is one of many access control models, each of which structure access in different ways. Mandatory access control is much stricter than discretionary access control. And role-based access control tends to authorize users based on groups rather than allocating individual permissions.

Different organizations and resources demand different levels of authorization. A small company might be able to safely get by with a much simpler system of authorization than a massive enterprise. But even at a small business, certain resources require stricter authorization – not everyone should have access to a company’s bank account or personnel records.

For more information, see our article comparing authentication and authorization.


Through accounting, an AAA protocol tracks users and their actions in a system. This can include what resources were accessed, what was done with those resources, and when a user started and stopped accessing those resources.

For example, let’s say a user named Greg enters a system at 12:30 PM on November 23rd. He accesses a folder of sensitive documents, deletes many of them, and copies several more and takes those files with him.

With the right accounting in place, the system could track exactly how long Greg accessed the records, which files were destroyed, and which were copied. Many systems aren’t so fine-grained – depending on the setup, it might not track which particular files were copied or destroyed. It all depends on how thoroughly the administrators want to track users in the system.

About the Author

Find Michael on LinkedIn

Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.