AAA Pipeline: Authentication, Authorization, Accounting
flowchart LR
    Principal["Principal
    Claims an identity
    e.g. user at example.com"]:::principalNode
    AuthN["Authentication
    Is the claim genuine?
    password, MFA, certificate"]:::authnNode
    AuthZ["Authorization
    Allowed this action
    on this resource?"]:::authzNode
    Acct["Accounting
    Record what happened
    logs, audit trail"]:::acctNode
    Resource["Resource
    Protected asset"]:::resourceNode

    Principal --> AuthN --> AuthZ --> Acct --> Resource

    subgraph nr ["Non-Repudiation"]
        NonRep["Cryptographic evidence
        actor cannot deny the action"]:::nrNode
    end

    AuthN -. evidence .-> NonRep
    Acct -. evidence .-> NonRep

    classDef principalNode fill:#fff8e1,stroke:#455a64,stroke-width:2px,color:#212529,font-size:15px
    classDef authnNode fill:#1565c0,stroke:#0d47a1,stroke-width:2px,color:#fff,font-size:15px
    classDef authzNode fill:#2e7d32,stroke:#1b5e20,stroke-width:2px,color:#fff,font-size:15px
    classDef acctNode fill:#455a64,stroke:#263238,stroke-width:2px,color:#fff,font-size:15px
    classDef resourceNode fill:#ffffff,stroke:#455a64,stroke-width:2px,color:#212529,font-size:15px
    classDef nrNode fill:#ffa000,stroke:#e65100,stroke-width:2px,color:#212529,font-size:15px
    linkStyle default stroke:#90a4ae,stroke-width:2px,font-size:14px
Color Key
Authentication: #1565c0
Authorization: #2e7d32
Accounting: #455a64
Non-Repudiation: #ffa000
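The pipeline in the diagram, as an added Python example that is not part of the original page: each request passes authentication, then authorization, then accounting before the resource is returned, and denials are recorded as well. The user, policy, keys and resource are constructed sample values, and the HMAC-chained log is an assumption chosen to fit the standard library; it gives tamper evidence only, whereas the diagram's non-repudiation box needs asymmetric signatures.

```python
import hashlib, hmac, json

# Constructed sample data (assumptions for this example, not from the page).
SALT = b"constructed-salt"
AUDIT_KEY = b"constructed-audit-key"
USERS = {"user@example.com": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}
POLICY = {("user@example.com", "read", "report.pdf")}
RESOURCES = {"report.pdf": "quarterly numbers (constructed)"}

def authenticate(identity, password):
    """Authentication: is the claimed identity genuine?"""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    stored = USERS.get(identity, b"\x00" * 32)  # unknown users still cost one comparison
    return hmac.compare_digest(stored, derived) and identity in USERS

def authorize(identity, action, resource):
    """Authorization: is this action on this resource allowed? Default deny."""
    return (identity, action, resource) in POLICY

def _mac(body):
    # HMAC is symmetric: whoever holds AUDIT_KEY can forge records, so this is
    # tamper evidence, not non-repudiation (that needs a per-actor signature).
    return hmac.new(AUDIT_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def account(log, identity, action, resource, outcome):
    """Accounting: append a record chained to the previous record's MAC."""
    body = {"who": identity, "action": action, "resource": resource,
            "outcome": outcome, "prev": log[-1]["mac"] if log else ""}
    log.append({**body, "mac": _mac(body)})

def verify_log(log):
    """Detect records that were edited, reordered or removed from the middle."""
    prev = ""
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "mac"}
        if rec["prev"] != prev or not hmac.compare_digest(_mac(body), rec["mac"]):
            return False
        prev = rec["mac"]
    return True

def request(log, identity, password, action, resource):
    """Run the stages in the diagram's order; denials are accounted for too."""
    if not authenticate(identity, password):
        outcome = "authn_denied"
    elif not authorize(identity, action, resource):
        outcome = "authz_denied"
    else:
        outcome = "allowed"
    account(log, identity, action, resource, outcome)
    return RESOURCES[resource] if outcome == "allowed" else None
```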