Authorization

Updated Sept 28, 2020 · 8 min read

What is authorization?

Authorization refers to the policies that dictate what users can access when they use a system or application. Authorization is used as a way to ensure that the right users can view or modify the appropriate information for the appropriate amount of time.

For example, when you share a Google doc with a classmate or colleague, you can restrict what they can see and do when they access the link to the document. As the owner of the document, you can grant them permission to view or edit the document, or you can deny them access to the document all together.

In more complex systems and applications, system administrators and IT managers are responsible for defining the policies that grant or deny access. As a best practice, administrators should adhere to the principle of least privilege (POLP) to help ensure that their system or application is secure.

Permissions and privileges

In information security, permissions and privileges are often used interchangeably. However, they represent different concepts. Permissions are the actions that one can perform on an application or system. Creating a user profile and deleting a profile description are examples of different permissions that administrators can assign. Privileges are the permissions granted to specific users. You can grant someone a privilege that permits them to delete their own profile description.

Identity and Access Management (IAM)

Identity and Access Management (IAM), sometimes referred to as Identity Management (IdM), is used by IT departments to ensure that users have the right level of access to a system. The solutions provided by IAM systems enable administrators to manage identities and their access, connecting authorization with authentication.

A comprehensive IAM system provides ways to manage user identities, provision and deprovision users, authenticate and authorize users, and report on user behavior.

Role-based authorization

Role-based authorization allows administrators to associate permissions with roles instead of associating them with individual users or their attributes. Users inherit permissions based on their assigned roles.

Through role-based authorization, employees have access rights only to the information they need to do their job. It prevents employees from accessing information that's irrelevant to their job functions. When an employee's role changes, they lose the access rights from the old role and inherit the ones associated with the new role.

For example, as the system administrator, you create an Employee role with the ability to view their own compensation information. If a user with the Employee role becomes a Manager, they can take on the new role with responsibilities such as viewing compensation information for other employees.

Authorization vs. authentication

Authentication is the process of verifying that a user is who they say they are to determine whether they can enter a system. For example, you host a party for only a few friends and give them a password. When they come to your party, you ask for the password to verify that it's your friend and not a party crasher. Authentication would be the process of verifying that your friend is who they say they are.

Authorization is the process of verifying what a user can access once they've entered the system. For example, once your friend enters your party, you can decide what rooms your friends can go in and what food they can eat. Your friends aren't allowed to enter your parents bedroom, but they can enter the living room. In this example, authorization refers to what your friends can do in your house.


Related Terms

Security
Authentication

Authentication is the process of verifying the identity of a user. A common form of authentication is username password authentication...