
Module 1: Secure Software Architecture

Quick questions on Authentication and authorisation explained: HSC Software Engineering Module 1

8 short Q&A pairs drawn directly from our worked dot-point answer. For full context and worked exam questions, read the parent dot-point page.

What is authentication?
Authentication confirms a user's identity. It relies on one or more factors:
What is authorisation?
Once a user is authenticated, authorisation governs which actions they can perform and which resources they can access. The two dominant models:
What is least privilege?
Whichever model is used, the principle of least privilege says give each user only the permissions strictly needed for their role. A junior support agent does not need access to billing data. A read-only auditor never needs write permissions.
What is the implementation in Python (Flask)?
ROLES = {"alice": "admin", "bob": "auditor", "carol": "support"}
What is an owner?
Owner: can delete the workspace, change billing, invite users. Editor: can create documents, edit any document, comment. Viewer: can read documents, comment, but cannot create or edit.
What is equating authentication with login?
Login is the user-facing flow. Authentication is the verification step inside the system, which can also happen via API keys, session tokens, or JWTs.
What is mixing up RBAC and ABAC?
RBAC assigns permissions to roles. ABAC computes permissions from attributes. Most HSC examples are RBAC.
What is forgetting to log authentication events?
Failed login attempts, password changes, and role changes should all be logged for incident response. Markers reward including audit logging in any authentication design answer.
