Authorization is the process by which a system or application
makes a run-time decision about whether to allow a user to perform
some function or access some data.
Authorization decisions generally depend on the identity
of the user wishing to perform the action, the action he wishes to perform,
the security entitlements the user
has been assigned and the data on which he wishes to perform the action. In
some cases, the decision may also depend on contextual information such as
the user's location, the time or date, or the type of device from which the
user connected to the application.
Authorization decisions may be made by application logic, by access
controls inside a database that supports an application or by a stand-alone
access control engine. They are made by evaluating a security model,
with the most popular models being:
- Security groups -- where users
are attached to groups and groups are granted rights to perform
actions. On some systems, groups may be nested, meaning that
they can contain other groups as members.
- Role-based access control
-- where users are assigned roles and roles are assigned collections
of entitlements. On some systems, roles may be nested, meaning
that parent roles may contain child roles. This implies that users
who are granted a parent role also get the child role's entitlements.
- Where nesting is not a factor, the difference between roles and groups
is somewhat subjective. Roles are generally considered to
be more representative of "everything a user performing a given job
function needs," while groups tend to be more representative of "a
set of entitlements that are normally assigned together, but which
are typically not a comprehensive list of what a user requires."
Where nesting is at play, the difference is more concrete: with
groups, it is the set of users that is nested, while with roles,
it is the set of entitlements that is nested.
- Attribute-based access control
(ABAC) replaces the explicit assignment
of entitlements to individual users or groups of users with
an implicit model. Whether a user gets a given entitlement
depends on some characteristics of the user -- his name, location,
department code, job code, etc. The idea is that as identity
attributes are adjusted, correct entitlements are automatically
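The distinction drawn above between nested groups (users are nested, so membership resolves upward through parent groups) and nested roles (entitlements are nested, so they resolve downward through child roles), together with an ABAC rule and a contextual check, as an added illustration that is not part of the original page; all users, groups, roles, entitlements and attributes are constructed sample data:

```python
# Constructed sample data; all names and entitlements are illustrative.
GROUP_MEMBERS = {"payroll-admins": {"alice", "hr-managers"},  # a nested group
                 "hr-managers": {"bob"}, "staff": {"alice", "bob", "carol"}}
GROUP_RIGHTS = {"payroll-admins": {"payroll:run"},
                "hr-managers": {"hr:approve-leave"}, "staff": {"intranet:read"}}
ROLE_CHILDREN = {"finance-manager": {"finance-clerk"}, "finance-clerk": set()}
ROLE_ENTITLEMENTS = {"finance-manager": {"ledger:close"},
                     "finance-clerk": {"ledger:post"}}
USER_ROLES = {"carol": {"finance-manager"}}
USER_ATTRS = {"alice": {"department": "PAY", "location": "HQ"},
              "bob": {"department": "HR", "location": "remote"},
              "carol": {"department": "FIN", "location": "HQ"}}
# ABAC: an entitlement derived from attributes, never explicitly assigned.
ABAC_RULES = {"hr:view-directory": lambda a: a.get("location") == "HQ"}


def effective_groups(user):
    """Groups nest *users*: walk upward to every group that transitively contains the user."""
    found, frontier = set(), {user}
    while frontier:
        member = frontier.pop()
        for group, members in GROUP_MEMBERS.items():
            if member in members and group not in found:
                found.add(group)
                frontier.add(group)
    return found


def effective_roles(user):
    """Roles nest *entitlements*: walk downward from the user's roles into child roles."""
    found, frontier = set(), set(USER_ROLES.get(user, ()))
    while frontier:
        role = frontier.pop()
        if role not in found:
            found.add(role)
            frontier |= ROLE_CHILDREN.get(role, set())
    return found


def entitlements(user):
    """Union of everything reached through groups and through roles."""
    via_groups = (GROUP_RIGHTS.get(g, set()) for g in effective_groups(user))
    via_roles = (ROLE_ENTITLEMENTS.get(r, set()) for r in effective_roles(user))
    return set().union(*via_groups, *via_roles)


def is_authorized(user, action, context=None):
    """Run-time decision: contextual deny first, then explicit or attribute-derived grant."""
    if (context or {}).get("device") == "unmanaged":
        return False
    rule = ABAC_RULES.get(action)
    return action in entitlements(user) or bool(rule and rule(USER_ATTRS.get(user, {})))
```

Note that bob reaches `payroll:run` only because his group `hr-managers` is itself a member of `payroll-admins`, while carol reaches `ledger:post` only because `finance-clerk` is a child of her `finance-manager` role.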
Authorization should not be confused with
which is the process used to define and manage identities and
to assign entitlements to users. The former is a run-time enforcement
while the latter refers to updating directories
with business-appropriate identity and privilege data.