IAM Diagrams and Concept Maps

Visual reference for IAM flows, trust relationships, lifecycle paths, and control maps.

This appendix is a visual study guide for the main IAM ideas in the book. Instead of repeating long explanations, it collects the diagram patterns that help readers see how identities, tokens, roles, lifecycle events, reviews, and zero-trust decisions actually move through a system.

Use this appendix in three ways:

  • revisit a diagram type after reading a chapter if the flow still feels abstract
  • compare similar concepts such as lifecycle flow, token flow, and decision flow side by side
  • use the chapter crosswalk near the end to jump back into the part of the guide where a diagram family matters most

How to Read the Diagram Types

Different diagram types answer different kinds of questions:

Diagram Type      | What It Helps You See                                         | Common IAM Topics
flowchart         | control paths, architecture boundaries, and decision branches | lifecycle, access reviews, zero-trust decisions, privilege workflows
sequenceDiagram   | who talks to whom and in what order                           | SSO, federation, token exchange, API delegation
stateDiagram-v2   | how something changes state over time                         | account state, session state, approval status
erDiagram         | relationship-heavy structures                                 | tenant, role, resource, and membership structure

Reading rule: If you are trying to understand a decision path, read a flowchart. If you are trying to understand a trust exchange over time, read a sequenceDiagram. If you are trying to understand how relationships are modeled, look for erDiagram-style thinking even when the guide uses a table instead.

Concept Map for the Guide

This high-level map shows how the appendix topics connect to the main guide themes.

    flowchart TD
        A["Identity lifecycle"] --> B["Federation and SSO"]
        B --> C["Token and API trust"]
        A --> D["Access review and governance"]
        C --> E["Privilege and workload identity"]
        D --> F["Zero-trust decisioning"]

What to notice:

  • identity lifecycle is upstream of most other IAM flows
  • federation and token diagrams explain how trust moves between systems
  • governance and zero trust build on earlier identity and authorization structure

Identity Lifecycle Flow

This diagram helps you see the backbone of joiner, mover, leaver, and review workflows.

What to focus on:

  • where the authoritative event starts
  • when baseline access is assigned
  • where review or approval checkpoints exist
  • how access is disabled or removed

    flowchart LR
        A["Authoritative source event"] --> B["Create or update identity"]
        B --> C["Assign baseline access"]
        C --> D["Enroll strong authentication"]
        D --> E["Review access on change"]
        E --> F["Disable and deprovision"]

Federation and SSO Flow

This diagram helps you see how a relying application depends on an external identity provider and how user sign-in becomes application session state.

What to focus on:

  • who authenticates the user
  • what comes back to the application
  • where the application session begins, and what the application must verify (issuer, audience, expiry, replay protection) before it creates one

    sequenceDiagram
        participant User
        participant App
        participant IdP
        User->>App: Request access
        App->>IdP: Redirect for authentication
        IdP-->>App: Assertion or token
        App-->>User: Session and authorized experience

Token Exchange and Service-to-Service Trust

This diagram helps you see why a token that is valid for the first service should not simply be forwarded to every downstream service: the first service exchanges it for a token that names the downstream audience and carries only the scope that call needs.

What to focus on:

  • whether the original token is forwarded or exchanged
  • which issuer or trust service is involved
  • how the downstream service verifies audience and scope itself rather than trusting that an upstream caller already did

    sequenceDiagram
        participant Client
        participant APIA as API A
        participant Issuer
        participant APIB as API B

        Client->>APIA: Call with token
        APIA->>Issuer: Exchange for API B token
        Issuer-->>APIA: Narrower token
        APIA->>APIB: Call with exchanged token
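
The two sequence diagrams above are easiest to trust once the checks behind each arrow are visible. The following is an added example, not code from the book or from any identity product it describes: a small HS256 token mint plus the verifiers the diagrams imply, the application checking the IdP assertion before it starts a session, the issuer narrowing a token on exchange, and API B checking audience and scope for itself. The issuer names, audiences, secrets, scopes, nonce and the `act` claim layout are all constructed for this example.

```python
# Added example, not the book's code: one HS256 token mint and the verifiers
# implied by the SSO and token-exchange diagrams. Issuer names, audiences,
# secrets, scopes and the "act" claim layout are constructed for this example.
import base64
import hashlib
import hmac
import json

IDP_SECRET = b"constructed-idp-secret"   # IdP signing key (assumption)
STS_SECRET = b"constructed-sts-secret"   # token service signing key (assumption)
API_B_ACCEPTED_SCOPES = {"orders:read"}  # the only scope API B will honour

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(secret: bytes, claims: dict) -> str:
    """Sign claims as header.payload.signature (HMAC-SHA256)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify(token: str, secret: bytes, issuer: str, audience: str, now: float) -> dict:
    """Signature, issuer, audience and expiry checks; raises ValueError on failure.
    The audience check is what keeps a validly signed token from being accepted
    by a service it was never issued for."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

# --- Federation and SSO: IdP assertion becomes an application session --------

def idp_login(user: str, app: str, nonce: str, now: float) -> str:
    """IdP side (user authentication assumed done): assertion bound to the app
    and to the nonce the app sent with its redirect."""
    return mint(IDP_SECRET, {"iss": "idp", "sub": user, "aud": app,
                             "nonce": nonce, "iat": now, "exp": now + 300})

def app_start_session(assertion: str, expected_nonce: str, now: float) -> dict:
    """App side: no session until the assertion verifies and the nonce matches."""
    claims = verify(assertion, IDP_SECRET, issuer="idp", audience="app", now=now)
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: replayed or injected assertion")
    return {"user": claims["sub"], "started": now}

# --- Token exchange: API A asks the issuer for a narrower token for API B ----

def sts_exchange(subject_token: str, requested_scope: str, now: float) -> str:
    """Issuer side: validate API A's inbound token, issue a short-lived token for
    API B with no more scope than the original, and name API A as the actor."""
    claims = verify(subject_token, STS_SECRET, issuer="sts", audience="api-a", now=now)
    if requested_scope not in set(claims["scope"].split()):
        raise ValueError("exchange may narrow scope, never broaden it")
    return mint(STS_SECRET, {"iss": "sts", "sub": claims["sub"], "aud": "api-b",
                             "scope": requested_scope, "act": {"sub": "api-a"},
                             "iat": now, "exp": now + 60})

def api_b_authorize(token: str, now: float) -> dict:
    """API B verifies audience and scope itself instead of trusting API A."""
    claims = verify(token, STS_SECRET, issuer="sts", audience="api-b", now=now)
    if not set(claims["scope"].split()) <= API_B_ACCEPTED_SCOPES:
        raise ValueError("scope not accepted by api-b")
    return claims

def demo(now: float = 1_700_000_000.0) -> dict:
    """SSO login, then a forwarded token refused by API B, then the exchanged one."""
    nonce = "n-8f3a"                                   # generated by the app
    session = app_start_session(idp_login("alice", "app", nonce, now), nonce, now)
    client_token = mint(STS_SECRET, {"iss": "sts", "sub": "alice", "aud": "api-a",
                                     "scope": "orders:read orders:write",
                                     "iat": now, "exp": now + 600})
    try:                                               # naive forwarding
        api_b_authorize(client_token, now)
        forwarded = "accepted"
    except ValueError as err:
        forwarded = str(err)
    try:                                               # attempt to widen scope
        sts_exchange(client_token, "orders:admin", now)
        broadened = "accepted"
    except ValueError as err:
        broadened = str(err)
    exchanged = api_b_authorize(sts_exchange(client_token, "orders:read", now), now)
    return {"session_user": session["user"], "forwarded": forwarded,
            "broadened": broadened, "api_b_scope": exchanged["scope"],
            "api_b_actor": exchanged["act"]["sub"]}
```

Run `demo()` and look at `forwarded`: the client's token is signed by the same issuer API B trusts, yet API B refuses it because its audience is `api-a`. Only the exchanged token, which names `api-b`, carries the single scope API B accepts, and records `api-a` as the acting party, gets through. In production the HMAC shared secret would be replaced by the issuer's private key and a published verification key, and the exchange would be a real token-exchange endpoint, but the checks each party performs are the ones shown.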

Authorization Model Comparison

Use this comparison to separate the most common authorization models and to see what kind of complexity each one tends to create.

Model                 | Best Fit                       | Main Strength                       | Common Failure Mode
RBAC                  | Stable business roles          | Easy to understand and review       | Role sprawl and vague role meaning
ABAC                  | Dynamic, context-rich policy   | Flexible and precise                | Weak or inconsistent attributes
Resource-based access | Sharing and ownership patterns | Natural for object-level delegation | Hidden inheritance and poor ownership
Central policy engine | Cross-system rules             | Consistent enforcement logic        | Opaque rules and hard-to-debug exceptions

What to focus on:

  • when a model is likely to stay understandable
  • what kind of failure tends to appear first

Access Review and Recertification Process Map

This diagram helps you see why access review is not only about clicking approve. It is a workflow that should lead either to recertification or to actual removal.

What to focus on:

  • who reviews what
  • where removal or escalation happens
  • how findings become remediation

    flowchart TD
        A["Generate access review set"] --> B["Manager or owner review"]
        B --> C{"Access still justified?"}
        C -->|Yes| D["Recertify"]
        C -->|No| E["Remove or narrow access"]
        D --> F["Record review outcome"]
        E --> F
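
The lifecycle flowchart earlier in this appendix and the review map above are two views of the same loop: a mover event creates review items, and the review either recertifies or removes them. This added example (not the book's code) runs one identity through hire, transfer, review and termination to show that loop end to end. The HR event format, the per-department baseline table and the rule that a review item with no recorded decision is removed rather than kept are assumptions made for the example.

```python
# Added example, not the book's code. HR event shape, baseline table and the
# "no decision means remove" review rule are assumptions for this example.
from dataclasses import dataclass, field

BASELINE = {                                   # "Assign baseline access" step
    "finance": {"email", "erp-ledger", "expense-approve"},
    "engineering": {"email", "source-control"},
}

@dataclass
class Identity:
    user: str
    department: str
    status: str = "active"                     # active | disabled
    mfa_enrolled: bool = False
    access: set = field(default_factory=set)
    pending_review: set = field(default_factory=set)   # kept only until reviewed
    audit: list = field(default_factory=list)

def apply_hr_event(directory: dict, event: dict) -> Identity:
    """Authoritative-source event -> identity change (joiner / mover / leaver)."""
    kind, user = event["type"], event["user"]
    if kind == "hire":
        ident = Identity(user, event["department"],
                         access=set(BASELINE[event["department"]]))
        ident.audit.append(f"joiner: baseline for {ident.department}")
        directory[user] = ident
        return ident
    ident = directory[user]
    if kind == "transfer":
        old, new = ident.department, event["department"]
        ident.department = new
        # Mover: the new baseline is granted outright, but everything carried
        # over from the old role becomes a review item instead of staying
        # silently. This is the step that stops privilege accumulation.
        ident.pending_review = ident.access - BASELINE[new]
        ident.access |= BASELINE[new]
        ident.audit.append(f"mover: {old}->{new}, review {sorted(ident.pending_review)}")
    elif kind == "terminate":
        # Leaver: disable first, then strip everything, review items included.
        ident.status = "disabled"
        ident.access.clear()
        ident.pending_review.clear()
        ident.audit.append("leaver: disabled and deprovisioned")
    else:
        raise ValueError(f"unknown event type {kind!r}")
    return ident

def enroll_mfa(ident: Identity) -> None:
    """'Enroll strong authentication' step, recorded so a review can see it."""
    ident.mfa_enrolled = True
    ident.audit.append("strong authentication enrolled")

def run_access_review(ident: Identity, decisions: dict) -> list:
    """Review checkpoint. Each pending item needs an explicit 'keep' to be
    recertified; anything else, including no decision at all, is removed, so an
    ignored review cannot leave access in place (assumed policy)."""
    outcomes = []
    for item in sorted(ident.pending_review):
        if decisions.get(item) == "keep":
            outcomes.append((item, "recertified"))
        else:
            ident.access.discard(item)
            outcomes.append((item, "removed"))
    ident.pending_review.clear()
    ident.audit.extend(f"review: {item} {outcome}" for item, outcome in outcomes)
    return outcomes

def demo() -> dict:
    """Constructed HR feed: alice joins finance, moves to engineering, is
    reviewed, then leaves."""
    directory: dict = {}
    apply_hr_event(directory, {"type": "hire", "user": "alice", "department": "finance"})
    alice = directory["alice"]
    enroll_mfa(alice)
    apply_hr_event(directory, {"type": "transfer", "user": "alice",
                               "department": "engineering"})
    after_move = sorted(alice.access)
    # The owner only answered for one item; the other gets no decision.
    outcomes = run_access_review(alice, {"expense-approve": "keep"})
    after_review = sorted(alice.access)
    apply_hr_event(directory, {"type": "terminate", "user": "alice"})
    return {"after_move": after_move, "review_outcomes": outcomes,
            "after_review": after_review, "after_leave": sorted(alice.access),
            "status": alice.status, "mfa_enrolled": alice.mfa_enrolled,
            "audit": alice.audit}
```

The point to notice in `demo()` is the difference between `after_move` and `after_review`: the transfer alone leaves alice holding both finance and engineering entitlements, and only a review that actually removes unanswered items brings her back to what the new role needs. The `audit` list is what a later reviewer or investigator would read to reconstruct why each entitlement exists.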

Privileged Access and Break-Glass Control Path

This diagram helps you see the difference between ordinary baseline identity and exceptional elevated access.

What to focus on:

  • baseline versus elevated state
  • who approves
  • where logging and expiry happen

    flowchart LR
        A["Baseline identity"] --> B["Request privileged access"]
        B --> C["Approval or emergency trigger"]
        C --> D["Time-bound elevated session"]
        D --> E["Audit and automatic expiry"]
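
The control path above has two entry points (approval or emergency trigger) but one exit (audit and expiry). The following added example, not code from the book or from any PAM product, models that shape: a broker that only issues a time-bound session after a distinct approver or a recorded break-glass reason, raises an alert on the emergency path, logs both paths the same way, and lets the session lapse by itself. The approver group, the elevation cap, the in-memory session store and the incident reference are assumptions for the example.

```python
# Added example, not the book's code. Approver group, TTL cap, alert hook and
# the in-memory session store are assumptions made for this example.
import secrets
from dataclasses import dataclass
from typing import Optional

APPROVERS = {"security-oncall", "platform-lead"}   # assumed approver group
MAX_TTL = 3600                                     # assumed cap in seconds

@dataclass(frozen=True)
class ElevatedSession:
    session_id: str
    user: str
    role: str
    granted_at: float
    expires_at: float
    emergency: bool

class PrivilegeBroker:
    def __init__(self) -> None:
        self.sessions: dict = {}
        self.audit: list = []
        self.alerts: list = []

    def request(self, user: str, role: str, ttl: int, now: float,
                approver: Optional[str] = None,
                emergency_reason: Optional[str] = None) -> ElevatedSession:
        """Baseline identity asks for elevation. The normal path needs a distinct
        approver from the approver group; the break-glass path needs a recorded
        reason and raises an alert. Both end in a time-bound, audited session."""
        if not 0 < ttl <= MAX_TTL:
            raise ValueError("ttl outside policy")
        if emergency_reason:
            path = "break-glass"
            self.alerts.append(f"BREAK-GLASS by {user} for {role}: {emergency_reason}")
        elif approver not in APPROVERS:
            raise PermissionError("approver is not in the approver group")
        elif approver == user:
            raise PermissionError("self-approval is not allowed")
        else:
            path = f"approved-by:{approver}"
        session = ElevatedSession(secrets.token_hex(8), user, role, now, now + ttl,
                                  bool(emergency_reason))
        self.sessions[session.session_id] = session
        self.audit.append({"at": now, "user": user, "role": role, "path": path,
                           "expires_at": session.expires_at})
        return session

    def is_elevated(self, session_id: str, now: float) -> bool:
        """Automatic expiry: a session is valid only while now < expires_at.
        Nothing has to revoke it; it simply stops working."""
        session = self.sessions.get(session_id)
        if session is None or now >= session.expires_at:
            self.sessions.pop(session_id, None)       # lazy cleanup
            return False
        return True

def demo() -> dict:
    broker = PrivilegeBroker()
    t0 = 1_000.0
    normal = broker.request("alice", "prod-admin", 900, t0, approver="security-oncall")
    # Constructed incident reference; a real break-glass record would cite the ticket.
    broker.request("bob", "prod-admin", 600, t0, emergency_reason="INC-42: primary db down")
    try:
        broker.request("security-oncall", "prod-admin", 900, t0, approver="security-oncall")
        self_approved = True
    except PermissionError:
        self_approved = False
    return {
        "valid_at_start": broker.is_elevated(normal.session_id, t0 + 1),
        "valid_after_expiry": broker.is_elevated(normal.session_id, t0 + 900),
        "break_glass_alerts": len(broker.alerts),
        "self_approval_allowed": self_approved,
        "audit_paths": [entry["path"] for entry in broker.audit],
    }
```

Two things in `demo()` are worth checking against the diagram: the break-glass request is not refused (an emergency path that blocks is useless) but it does leave an alert and an audit entry that look exactly like the approved one apart from the `path`, and `valid_after_expiry` is false without anyone having revoked anything.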

Zero-Trust Decision Flow

This diagram helps you see how identity and context combine during access evaluation, and why zero trust is a decision model rather than one isolated control.

What to focus on:

  • identity is necessary but not the only input
  • context signals influence the decision
  • step-up and deny paths are first-class outcomes

    flowchart TD
        A["Identity"] --> D{"Evaluate access"}
        B["Device posture"] --> D
        C["Session and risk signals"] --> D
        D -->|Low risk and allowed| E["Grant scoped access"]
        D -->|Needs stronger proof| F["Step-up authentication"]
        D -->|High risk or not allowed| G["Deny or isolate"]
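
To make the three branches concrete, here is an added example (not the book's code, and not any vendor's policy engine) of a decision function that takes the three inputs in the diagram and returns grant, step-up or deny with its reasons. The resource policy table, the signal names, the risk thresholds and the rule that sensitive resources need verified MFA are assumptions for the example; the shape to take from it is that identity is checked first but never decides alone.

```python
# Added example, not the book's code. Resource policy, signal names, the
# 50/80 risk thresholds and the step-up rules are assumptions for this example.
from dataclasses import dataclass

GRANT, STEP_UP, DENY = "grant", "step-up", "deny"

@dataclass
class Request:
    user: str
    groups: set
    resource: str
    mfa_verified: bool      # has this session already passed a strong factor?
    device_managed: bool    # device posture signals
    disk_encrypted: bool
    risk_score: int         # 0..100 from a session/risk engine (assumed scale)
    new_location: bool      # session signal: first time seen from this location

# Assumed resource policy: who is entitled, and whether the data is sensitive.
POLICY = {
    "wiki": {"groups": {"staff"}, "sensitive": False},
    "payroll": {"groups": {"hr"}, "sensitive": True},
}

def evaluate_access(req: Request) -> tuple:
    """Returns (decision, reasons). Entitlement is checked first, but passing it
    is necessary, not sufficient: posture and risk can still step up or deny."""
    pol = POLICY.get(req.resource)
    if pol is None or not (req.groups & pol["groups"]):
        return DENY, ["identity not entitled to resource"]
    if req.risk_score >= 80:
        return DENY, ["risk score critical"]
    if not req.device_managed:
        return DENY, ["unmanaged device"]
    if pol["sensitive"] and not req.disk_encrypted:
        return DENY, ["sensitive resource requires encrypted device"]
    reasons = []
    if pol["sensitive"] and not req.mfa_verified:
        reasons.append("sensitive resource, strong factor not yet verified")
    if req.new_location or req.risk_score >= 50:
        reasons.append("unusual location or elevated risk")
    if reasons:
        return STEP_UP, reasons
    return GRANT, [f"scoped access to {req.resource}"]

def demo() -> dict:
    """Constructed requests covering each branch, plus the re-evaluation that
    follows a successful step-up."""
    base = dict(user="alice", groups={"staff", "hr"}, mfa_verified=False,
                device_managed=True, disk_encrypted=True, risk_score=10,
                new_location=False)
    cases = {
        "routine": Request(resource="wiki", **base),
        "payroll_no_mfa": Request(resource="payroll", **base),
        "payroll_after_step_up": Request(resource="payroll",
                                         **{**base, "mfa_verified": True}),
        "new_location": Request(resource="wiki", **{**base, "new_location": True}),
        "compromised": Request(resource="wiki", **{**base, "risk_score": 95}),
        "not_entitled": Request(resource="payroll", **{**base, "groups": {"staff"}}),
        "unmanaged": Request(resource="wiki", **{**base, "device_managed": False}),
    }
    return {name: evaluate_access(req)[0] for name, req in cases.items()}
```

The `payroll_no_mfa` and `payroll_after_step_up` pair is the part of the diagram most often drawn but least often implemented: step-up is not a terminal outcome, it changes one input (`mfa_verified`) and sends the same request back through `evaluate_access`, where the other signals are still in force. The ordering also matters in practice: a critical risk score denies before any step-up prompt is shown, so an attacker cannot use the prompt to probe which factor is required.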

Where These Visuals Reappear in the Guide

Use this quick map when you want to revisit the chapter where a visual pattern matters most:

  • Chapters 1, 2, and 7: identity lifecycle, roles, and review flowcharts
  • Chapters 4 and 6: SSO and federation sequence diagrams
  • Chapters 5 and 13: authorization comparison, token exchange, and tenant-boundary diagrams
  • Chapters 9 and 10: privileged-access flow and workload-identity exchange diagrams
  • Chapters 11 and 14: review loops, policy decision flows, and zero-trust decision diagrams
  • Chapter 16: scenario diagrams that force a concrete decision path rather than only describing architecture

How to Study with These Visuals

  • Read the boxes and arrows as claims about trust or control, not as decoration.
  • If two boxes are connected, ask what trust or state is moving between them.
  • When a diagram shows branches, ask what evidence or policy causes the path to split.
  • Compare the visual here with the fuller lesson where it appears so the diagram reinforces, rather than replaces, the explanation.
Revised on Thursday, April 23, 2026