Authorization

    Authorization is a fundamental concept in computer security and software development. It determines what actions a user or system can perform once its identity has been verified. It is a core part of access control and is essential for protecting sensitive data and resources in any application or system.

    What Is Authorization?

    Authorization is the process of granting or denying specific permissions to users, programs, or processes to access resources within a system. While authentication answers the question, “Who are you?”, authorization answers, “What are you allowed to do?”

    For example, after logging into a web application (authentication), the system checks what pages or data you can access (authorization). If you try to view an admin dashboard without the right permissions, the system will deny access.

    How Authorization Works

    Authorization typically follows authentication. Once a user’s identity is confirmed, the system evaluates their permissions based on predefined policies or rules. These permissions can be assigned in various ways:

    • Roles: Users are grouped into roles (e.g., admin, editor, viewer), each with specific permissions.
    • Attributes: Permissions are granted based on user attributes, such as department, location, or job title.
    • Access Control Lists (ACLs): Lists that specify which users or groups can access particular resources.

    Common Authorization Models

    Model | Description                                                                   | Example Use Case
    ------|-------------------------------------------------------------------------------|----------------------------------
    RBAC  | Role-Based Access Control: permissions are assigned to roles, not individuals | Admins can edit, users can view
    ABAC  | Attribute-Based Access Control: access based on user/resource attributes      | Only users in HR can view payroll
    DAC   | Discretionary Access Control: resource owners set permissions                 | File sharing in cloud storage
    MAC   | Mandatory Access Control: access based on security levels                     | Classified government systems

    • RBAC (Role-Based Access Control): Most common in business applications, where roles like “admin” or “user” determine access.
    • ABAC (Attribute-Based Access Control): More flexible, using attributes such as time, location, or device.
    • DAC (Discretionary Access Control): Resource owners decide who can access their resources.
    • MAC (Mandatory Access Control): Used in high-security environments; access is governed by strict, centrally defined policies and security levels rather than by resource owners.
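    The role, attribute and ACL mechanisms listed under "How Authorization Works", and the RBAC/ABAC/ACL rows of the table above, can be combined in one deny-by-default decision function. The following is an added example written for this entry, not code from the original page or from any particular product; the users, roles, resources and the two attribute rules (payroll visible only to HR, region must match) are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample policy data (not from any real system).
# RBAC: permissions attach to roles, never to individual users.
ROLE_PERMISSIONS = {
    "admin":  {"document:read", "document:edit", "document:delete"},
    "editor": {"document:read", "document:edit"},
    "viewer": {"document:read"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset      # RBAC input
    attributes: dict      # ABAC input, e.g. department, location


@dataclass
class Resource:
    rid: str
    attributes: dict                           # ABAC input, e.g. classification
    acl: dict = field(default_factory=dict)    # ACL: user name -> set of actions


def rbac_grants(user: User, action: str) -> bool:
    """Grant if any of the user's roles carries the requested permission."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def acl_grants(user: User, action: str, resource: Resource) -> bool:
    """Grant if the resource's own ACL lists this user for this action."""
    return action in resource.acl.get(user.name, set())


# ABAC constraints: every predicate must hold for a granted request to proceed.
def payroll_only_for_hr(user: User, resource: Resource) -> bool:
    if resource.attributes.get("classification") != "payroll":
        return True
    return user.attributes.get("department") == "HR"


def region_must_match(user: User, resource: Resource) -> bool:
    region = resource.attributes.get("region")
    return region is None or user.attributes.get("location") == region


ABAC_CONSTRAINTS = [payroll_only_for_hr, region_must_match]


def is_authorized(user: User, action: str, resource: Resource) -> bool:
    """Deny by default: allow only when some grant applies (role or ACL)
    and every attribute constraint on the resource is satisfied."""
    if not (rbac_grants(user, action) or acl_grants(user, action, resource)):
        return False
    return all(check(user, resource) for check in ABAC_CONSTRAINTS)


# Constructed sample principals and resources.
USERS = {
    "alice": User("alice", frozenset({"admin"}),  {"department": "Engineering", "location": "US"}),
    "bob":   User("bob",   frozenset({"viewer"}), {"department": "HR",          "location": "US"}),
    "carol": User("carol", frozenset(),           {"department": "Engineering", "location": "EU"}),
}
RESOURCES = {
    "payroll": Resource("payroll", {"classification": "payroll", "region": "US"}),
    "design":  Resource("design",  {}, acl={"carol": {"document:read"}}),
}


def decide(user_name: str, action: str, rid: str) -> bool:
    """Look up the sample user and resource by name and evaluate the request."""
    return is_authorized(USERS[user_name], action, RESOURCES[rid])


if __name__ == "__main__":
    for u, a, r in [("alice", "document:edit", "design"),
                    ("alice", "document:read", "payroll"),
                    ("bob",   "document:read", "payroll"),
                    ("bob",   "document:edit", "payroll"),
                    ("carol", "document:read", "design"),
                    ("carol", "document:edit", "design")]:
        print(f"{u:6} {a:16} {r:8} -> {'ALLOW' if decide(u, a, r) else 'DENY'}")
```

    Note that alice, although an admin, is denied the payroll document: a role grant is necessary but not sufficient, because the attribute constraint still applies. Conversely carol, who holds no role at all, can read the design document only through its ACL entry and nothing else. Keeping the grant logic and the constraint logic separate is what makes the models composable without accidentally widening access.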

    Authorization vs. Authentication

    It’s important not to confuse authorization with authentication:

    Authentication                       | Authorization
    -------------------------------------|---------------------------------------
    Verifies who the user is             | Determines what the user can access
    Performed first                      | Performed after authentication
    Example: logging in with a password  | Example: accessing the admin dashboard

    Authentication is about identity; authorization is about permissions.

    Real-World Examples

    • Web Applications: After logging in, users may have access to their own profile but not to admin settings.
    • Cloud Services: Employees in different departments have access to different files and tools.
    • APIs: An API key may allow read-only access, while another key allows full control.

    Why Authorization Matters

    • Security: Prevents unauthorized access to sensitive data.
    • Compliance: Helps meet regulatory requirements by restricting access.
    • User Experience: Ensures users see only what’s relevant to them.

    Broken or misconfigured authorization is a leading cause of security breaches in web applications. Following the principle of least privilege—granting users only the access they need—helps minimize risks.
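    The broken-authorization failure this paragraph warns about very often looks like the web-application example earlier on this page: a handler confirms that someone is logged in but never checks that the caller may see the particular record requested. The following added example (written for this entry, not taken from the original page or any real application) shows that defective handler beside a hardened one that applies least privilege to the specific object, refuses unknown and forbidden ids with the same response, and records denials so that a burst of them from one account can be detected. The profiles, role assignments and threshold are constructed sample data.

```python
# Constructed sample data: profile records, role assignments and an audit log.
PROFILES = {
    "u1": {"owner": "u1", "email": "alice@example.com"},
    "u2": {"owner": "u2", "email": "bob@example.com"},
}
ROLES = {"u1": {"user"}, "u2": {"user"}, "u3": {"admin"}}
AUDIT_LOG = []   # denied requests; the raw material for detection


class AccessDenied(Exception):
    pass


def get_profile_broken(session_user, profile_id):
    """Defective version, kept for contrast: it only checks that *someone*
    is logged in (authentication) and never asks whether that user may see
    this particular profile (authorization)."""
    if session_user is None:
        raise AccessDenied("not authenticated")
    return PROFILES[profile_id]


def get_profile_hardened(session_user, profile_id):
    """Authenticate, then authorize against the specific object requested:
    only the owner or an admin may read it. Unknown ids and forbidden ids
    get the same error so the response reveals nothing about which exist."""
    if session_user is None:
        raise AccessDenied("not authenticated")
    profile = PROFILES.get(profile_id)
    is_owner = profile is not None and profile["owner"] == session_user
    is_admin = "admin" in ROLES.get(session_user, set())
    if profile is None or not (is_owner or is_admin):
        AUDIT_LOG.append({"user": session_user, "profile": profile_id, "result": "denied"})
        raise AccessDenied("profile not available")
    return profile


def attempt(session_user, profile_id):
    """Call the hardened handler and return a result tuple instead of raising."""
    try:
        return ("ok", get_profile_hardened(session_user, profile_id)["email"])
    except AccessDenied as exc:
        return ("denied", str(exc))


def denied_counts():
    """Number of denied requests per session user, from the audit log."""
    counts = {}
    for entry in AUDIT_LOG:
        counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


def flag_enumeration(threshold=3):
    """Detection rule (constructed threshold): accounts whose denial count
    reaches the threshold are worth an analyst's attention."""
    return {user for user, n in denied_counts().items() if n >= threshold}


if __name__ == "__main__":
    # Same request, both handlers: the broken one returns another user's data.
    print("broken  :", get_profile_broken("u2", "u1")["email"])
    print("hardened:", attempt("u2", "u1"))
    print("owner   :", attempt("u1", "u1"))
    print("admin   :", attempt("u3", "u1"))
    for pid in ("u99", "u42"):
        attempt("u2", pid)
    print("flagged :", flag_enumeration())
```

    The hardened handler makes two choices a practitioner should notice: the authorization decision is taken on the object actually requested rather than on the user's login state, and the failure path is uniform, so the endpoint cannot be used to distinguish existing records from non-existent ones. Logging the denials costs nothing and turns a silent access-control failure into something a monitoring rule can act on.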

    Conclusion

    Authorization is a critical layer of security in any system, ensuring that users and applications can only access resources and perform actions they are permitted to. Understanding and implementing robust authorization mechanisms is essential for building secure, reliable, and compliant software.