Authorization or authorisation (see spelling differences), in information security, computer security and IAM (Identity and Access Management), is the function of specifying rights/privileges for accessing resources, in most cases through an access policy, and then deciding whether a particular ''subject'' has privilege to access a particular ''resource''. Examples of ''subjects'' include human users, computer software and other hardware on the computer. Examples of ''resources'' include individual files or an item's data, computer programs, computer devices and functionality provided by computer applications. For example, user accounts for human resources staff are typically configured with authorization for accessing employee records.
Authorization is closely related to access control, which is what enforces the authorization policy by deciding whether access requests to resources from (authenticated) consumers shall be approved (granted) or disapproved (rejected).
Authorization should not be confused with authentication, which is the process of verifying someone's identity.
Overview
IAM consists of the following two phases: the configuration phase, where a user account is created and its corresponding access authorization policy is defined, and the usage phase, where user authentication takes place followed by access control to ensure that the user/consumer only gets access to resources for which they are authorized. Hence, access control in computer systems and networks relies on access authorization specified during configuration.
Authorization is the responsibility of an authority, such as a department manager, within the application domain, but is often delegated to a custodian such as a system administrator. Authorizations are expressed as access policies in some types of "policy definition application", e.g. in the form of an access control list or a capability, or a policy administration point, e.g. XACML.
Broken authorization is often listed as the number one risk in web applications. On the basis of the "principle of least privilege", consumers should only be authorized to access whatever they need to do their jobs, and nothing more.
"Anonymous consumers" or "guests" are consumers that have not been required to authenticate. They often have limited authorization. On a distributed system, it is often desirable to grant access without requiring a unique identity. Familiar examples of access tokens include keys, certificates and tickets: they grant access without proving identity.
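The two IAM phases from the Overview (configuration, then authentication followed by access control) together with the least-privilege and guest rules of this paragraph, as an added Python example that is not part of the original article; the in-memory account store, the ACL layout and the subject and resource names are constructed for illustration:

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed in-memory IAM store (not any real product's API).
ACCOUNTS: Dict[str, Tuple[bytes, bytes]] = {}     # user -> (salt, password hash)
ACL: Dict[str, Dict[str, Set[str]]] = {}          # resource -> subject -> allowed operations
GUEST = "anonymous"                               # subject for consumers that never authenticate

# ---- Configuration phase: create accounts and define the access policy ----
def create_account(user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    ACCOUNTS[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

def grant(resource: str, subject: str, *operations: str) -> None:
    """ACL entry: least privilege means only the listed operations, nothing more."""
    ACL.setdefault(resource, {}).setdefault(subject, set()).update(operations)

# ---- Usage phase: authenticate first, then enforce the configured policy ----
def authenticate(user: Optional[str], password: Optional[str]) -> Optional[str]:
    """Return the subject name, GUEST when no credentials were presented,
    or None when the presented credentials are wrong."""
    if user is None and password is None:
        return GUEST
    stored = ACCOUNTS.get(user)
    if stored is None or password is None:
        return None
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return user if hmac.compare_digest(candidate, digest) else None

def is_authorized(subject: str, resource: str, operation: str) -> bool:
    """Default deny: allowed only if an ACL entry explicitly lists the operation."""
    return operation in ACL.get(resource, {}).get(subject, set())

def access(user: Optional[str], password: Optional[str], resource: str, operation: str) -> bool:
    subject = authenticate(user, password)
    if subject is None:
        return False                              # failed authentication is never a guest
    return is_authorized(subject, resource, operation)

# Constructed sample configuration: HR staff may work on employee records,
# anonymous consumers may only read public job postings.
create_account("hr_alice", "correct horse battery staple")
grant("employee_records", "hr_alice", "read", "update")
grant("public_job_posts", GUEST, "read")
```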
Implementation
A widely used framework for authorizing applications is OAuth 2. It provides a standardized way for third-party applications to obtain limited access to a user's resources without exposing their credentials.
In modern systems, a widely used model for authorization is role-based access control (RBAC), where authorization is defined by granting subjects one or more roles, and then checking that the resource being accessed has been assigned at least one of those roles.
However, with the rise of social media, relationship-based access control (ReBAC) is gaining more prominence.
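The RBAC check described above (a subject holds at least one role assigned to the resource) beside a minimal ReBAC check (permission derived from relationships between subjects and objects), as an added Python example that is not part of the original article; the role tables, relation tuples and the "friend of the owner may view" rule are constructed for illustration:

```python
from typing import Dict, Set, Tuple

# Constructed RBAC data: subjects are granted roles, resources are tagged
# with the roles permitted to use them.
SUBJECT_ROLES: Dict[str, Set[str]] = {
    "alice": {"hr_staff"},
    "bob": {"engineer", "oncall"},
}
RESOURCE_ROLES: Dict[str, Set[str]] = {
    "employee_records": {"hr_staff"},
    "prod_logs": {"oncall", "sre"},
}

def rbac_allows(subject: str, resource: str) -> bool:
    """Allowed when the subject holds at least one role assigned to the resource."""
    return bool(SUBJECT_ROLES.get(subject, set()) & RESOURCE_ROLES.get(resource, set()))

# Constructed ReBAC data: (subject, relation, object) tuples, as in a social network.
RELATIONS: Set[Tuple[str, str, str]] = {
    ("alice", "owner", "photo:1"),
    ("bob", "friend", "alice"),
    ("carol", "viewer", "photo:1"),
}

def rebac_allows(subject: str, action: str, obj: str) -> bool:
    """Permission follows from a direct relation to the object, or from a
    derived one: a friend of the object's owner may view it. Unknown actions are denied."""
    if action == "view":
        if (subject, "viewer", obj) in RELATIONS or (subject, "owner", obj) in RELATIONS:
            return True
        owners = {s for s, r, o in RELATIONS if r == "owner" and o == obj}
        return any((subject, "friend", owner) in RELATIONS for owner in owners)
    if action == "delete":
        return (subject, "owner", obj) in RELATIONS
    return False
```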
Even when access is controlled through a combination of authentication and access control lists, the problem of maintaining the authorization data is not trivial, and often represents as much administrative burden as managing authentication credentials. It is often necessary to change or remove a user's authorization: this is done by changing or deleting the corresponding access rules on the system. Using atomic authorization is an alternative to per-system authorization management, where a trusted third party securely distributes authorization information.
Related interpretations
Public policy
In public policy, authorization is a feature of trusted systems used for security or social control.
Banking
In banking, an authorization is a hold placed on a customer's account when a purchase is made using a debit card or credit card.
Publishing
In publishing, sometimes public lectures and other freely available texts are published without the approval of the author. These are called unauthorized texts. An example is the 2002 ''The Theory of Everything: The Origin and Fate of the Universe'', which was collected from Stephen Hawking's lectures and published without his permission as per copyright law.
See also
* Access control
* Authorization hold
* Authorization OSID
* Kerberos (protocol)
* Multi-party authorization
* OAuth
* OpenID Connect
* OpenID
* Usability of web authentication systems
* WebFinger
* WebID
* XACML