[Figure: Class Inheritance Diagram showing SPSecurableObject, SPMember, SPRole, SPPrincipal, SPGroup and SPUser]
Sahil Malik has two very good courses on Pluralsight that, while they cover SharePoint 2010, are still very applicable to SharePoint 2013, as nearly nothing in the server object model has changed. The only caution I would give is that you should go over some of the claims material that he covers, as that has changed enough that you will not want to rely on his video alone for this exam.
SharePoint 2010 Security, Sahil Malik [Twitter] [blog]
SharePoint 2010 Security Part 2
One thing to point out: Sahil states that permissions can be logically OR'ed. What does that mean? Here is an explanation and example from MSDN.
MSDN - SPPermission.PermissionMask property
To define a permission mask that consists of multiple rights, use the pipe symbol ("|") in Microsoft Visual C# or Or in Microsoft Visual Basic to delimit the rights.
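    // SPContext.Current.Site belongs to the request context, so it is not disposed here.
    SPSite oSiteCollection = SPContext.Current.Site;
    // An SPWeb obtained from AllWebs must be disposed, hence the using block.
    using (SPWeb oWebsite = oSiteCollection.AllWebs["Site_Name"])
    {
        SPMember oMember = oWebsite.Roles["Role_Name"];
        // OR the two rights together to form a single permission mask.
        oWebsite.Permissions[oMember].PermissionMask =
            SPRights.ManageLists | SPRights.ManageListPermissions;
    }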
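To show what OR'ing rights does at the bit level, here is an added stand-alone example (not from MSDN or the courses). DemoRights is a constructed stand-in enum whose names and values are assumptions, not SharePoint's real SPRights values, so it runs without the SharePoint assemblies.

```csharp
using System;

// Constructed stand-in for a rights enumeration such as SPRights; the
// names and bit values are illustrative, not SharePoint's real ones.
[Flags]
enum DemoRights : uint
{
    None                  = 0,
    ViewListItems         = 1u << 0,
    AddListItems          = 1u << 1,
    ManageLists           = 1u << 2,
    ManageListPermissions = 1u << 3
}

static class PermissionMaskDemo
{
    // Correct check: every required bit must be present in the mask.
    static bool HasAll(DemoRights mask, DemoRights required) =>
        (mask & required) == required;

    // Weaker check: true when any single required bit is present.
    // Using it for authorization grants access on a partial match.
    static bool HasAny(DemoRights mask, DemoRights required) =>
        (mask & required) != 0;

    static void Main()
    {
        // OR sets each right's bit, so the mask carries both rights.
        DemoRights mask = DemoRights.ManageLists | DemoRights.ManageListPermissions;
        Console.WriteLine(mask);

        // OR-ing a right that is already set changes nothing (idempotent).
        Console.WriteLine((mask | DemoRights.ManageLists) == mask);

        // The mask holds only one of the two required rights.
        DemoRights required = DemoRights.ManageLists | DemoRights.AddListItems;
        Console.WriteLine(HasAll(mask, required));
        Console.WriteLine(HasAny(mask, required));

        // AND with the complement clears one right and leaves the rest.
        mask &= ~DemoRights.ManageListPermissions;
        Console.WriteLine(mask);
    }
}
```

The difference between HasAll and HasAny is the part to watch when writing your own permission checks: a mask that holds only some of the required rights passes the second test but not the first.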
Implement user authentication.
This objective may include but is not limited to: create a custom claims provider, create a custom sign-in page, create a custom membership provider, package and deploy a custom claims provider, package and deploy a custom membership provider, authenticate a user from a client application
Understanding the Fundamentals of SharePoint Claims-Based Authentication, Georgiana Badea (If you only have time for one video between this and the next, pick this one!)
Claims Based Authentication - Migrating to the new SharePoint 2013 Identity Model, Nathan Miller, Israel Vega
Claims provider in SharePoint 2013
How to: Create a claims provider in SharePoint 2013
How to: Deploy a claims provider in SharePoint 2013
Implement application authentication and authorization.
This objective may include but is not limited to: use the SharePoint App TokenHelper class, specify the App permission request scope manifest and permission request manifest, specify permissions for Office Store Apps, specify permissions for Corporate Catalog Apps, specify permissions for remote apps to access SharePoint data
Plan and implement user authorization.
This objective may include but is not limited to: create custom role definitions, create custom permission levels, maintain permissions, implement impersonation, plan and implement anonymous access, create a custom role manager