Authorization

Authorization is the process of determining what an authenticated user is allowed to do within a system. While authentication answers the question “Who are you?”, authorization answers “What can you access or perform?”. It defines the scope of actions, data, and resources available to each user, ensuring that even verified identities only operate within approved boundaries.

How it works

Authorization typically relies on policies, permissions, and access control models:

  • Role-Based Access Control (RBAC): assigns permissions based on roles (e.g., admin, editor, viewer).
  • Attribute-Based Access Control (ABAC): decisions are made based on attributes like department, device type, or time of day.
  • Discretionary Access Control (DAC): resource owners decide who gets access.
  • Mandatory Access Control (MAC): a strict, centrally enforced model often used in government and military systems.

Why it matters

Even if a system knows who the user is, unrestricted access can be disastrous. Authorization prevents:

  • Employees accessing confidential data they don’t need for their job
  • Malicious insiders escalating privileges
  • Attackers exploiting weak permission settings after compromising an account

Examples in practice

  • A customer service representative in a CRM system can view customer records but cannot modify billing settings
  • A visitor to a corporate intranet may only see public company news, while HR staff have access to employee records
  • A database admin can create and delete tables, but a data analyst only has read access
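
The CRM and database examples above, written as a deny-by-default RBAC check with one ABAC condition layered on top. This is an added example, not part of the original page; the role names, permission strings and the managed-device/working-hours rule are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import time

# RBAC: role -> permissions. Names are assumptions modelled on the
# page's CRM and database examples.
ROLE_PERMISSIONS = {
    "support_rep": {"customer:read"},
    "billing_admin": {"customer:read", "billing:write"},
    "data_analyst": {"table:read"},
    "db_admin": {"table:read", "table:create", "table:delete"},
}

@dataclass(frozen=True)
class Context:
    role: str
    device_managed: bool   # attribute: is the request from a managed device?
    at: time               # attribute: local time of the request

# ABAC: permission -> extra attribute condition. Constructed rule:
# deleting tables requires a managed device during working hours.
def _managed_in_hours(ctx: Context) -> bool:
    return ctx.device_managed and time(8, 0) <= ctx.at <= time(18, 0)

ATTRIBUTE_RULES = {"table:delete": _managed_in_hours}

def authorize(ctx: Context, permission: str) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    granted = ROLE_PERMISSIONS.get(ctx.role)
    if granted is None:                      # unknown role: deny, never default-allow
        return False, f"unknown role {ctx.role!r}"
    if permission not in granted:            # RBAC check (least privilege)
        return False, f"role {ctx.role!r} lacks {permission!r}"
    rule = ATTRIBUTE_RULES.get(permission)
    if rule is not None and not rule(ctx):   # ABAC check on top of the role
        return False, f"attribute rule blocked {permission!r}"
    return True, "granted"

if __name__ == "__main__":
    # Constructed requests covering the cases described in the text.
    for ctx, perm in [
        (Context("support_rep", True, time(10, 0)), "customer:read"),
        (Context("support_rep", True, time(10, 0)), "billing:write"),
        (Context("data_analyst", True, time(10, 0)), "table:delete"),
        (Context("db_admin", True, time(23, 0)), "table:delete"),
    ]:
        print(ctx.role, perm, authorize(ctx, perm))
```

Returning the denial reason alongside the decision gives the periodic access reviews mentioned under best practices something concrete to audit.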

Best practices

  • Apply the Principle of Least Privilege (PoLP): grant users the minimum rights necessary to perform their job
  • Regularly review and update access permissions
  • Use identity and access management (IAM) tools to centralize and automate authorization