Authorization is a process where a system or application makes a run-time decision about whether to allow a user to perform some function or access some data.

Authorization decisions generally depend on the identity of the user wishing to perform the action, the action which he wishes to perform, the security entitlements which the user has been assigned and the data on which he wishes to perform the action. In some cases, the decision may also depend on contextual information such as the user's location, the time or date, or the type of device with which the user connected to the application.

Authorization decisions may be made by application logic, by access controls inside a database that supports an application or by a stand-alone access control engine. They are made by evaluating a security model, with the most popular models being:

  • Security groups -- where users are attached to groups and groups are granted rights to perform actions. On some systems, groups may be nested, meaning that they can contain other groups as members.
  • Role-based access control -- where users are assigned roles and roles are assigned collections of entitlements. On some systems, roles may be nested, meaning that parent roles may contain child roles. This implies that users who are granted a parent role also get the child role's entitlements.
  • Where nesting is not a factor, the difference between roles and groups is somewhat subjective. Roles are generally considered to be more representative of "everything a user performing a given job function needs" while groups tend to be more representative of "a set of entitlements that are normally assigned together, but which are typically not a comprehensive list of what a user requires." Where nesting is at play, the difference is more concrete -- with groups, it is the set of users which is nested, while with roles, it is the set of entitlements which is nested.
  • Attribute-based access control (ABAC) -- where the explicit assignment of entitlements to individual users or groups of users is replaced with an implicit model. Whether a user gets a given entitlement depends on some characteristics of the user -- his name, location, department code, job code, etc. The idea is that as identity attributes are adjusted, correct entitlements are automatically granted.
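
An added example, not part of the original page: a minimal default-deny decision function that evaluates the three models above. It shows that group nesting is resolved by walking up from the user to every containing group, while role nesting is resolved by walking down from each assigned role to its child roles. All user, group, role, attribute and entitlement names are constructed for illustration.

```python
# Constructed sample data; every name below is hypothetical.
GROUP_MEMBERS = {  # group -> direct members (users or other groups)
    "finance": {"alice", "ap-clerks"},
    "ap-clerks": {"bob"},
}
GROUP_RIGHTS = {"finance": {"ledger:read"}, "ap-clerks": {"invoice:create"}}

ROLE_CHILDREN = {"controller": {"accountant"}, "accountant": set()}
ROLE_RIGHTS = {"controller": {"ledger:close"},
               "accountant": {"ledger:read", "ledger:post"}}
USER_ROLES = {"carol": {"controller"}}

ABAC_RULES = {  # entitlement -> predicate over identity attributes
    "expense:approve": lambda a: a.get("department") == "finance"
    and a.get("job_code") == "MGR",
}

def group_rights(user):
    """Groups nest users: walk up from the user to every containing group."""
    seen, frontier = set(), {user}
    while frontier:
        member = frontier.pop()
        for group, members in GROUP_MEMBERS.items():
            if member in members and group not in seen:  # 'seen' stops cycles
                seen.add(group)
                frontier.add(group)
    return set().union(*(GROUP_RIGHTS.get(g, set()) for g in seen))

def role_rights(user):
    """Roles nest entitlements: walk down from each assigned role."""
    seen, stack = set(), list(USER_ROLES.get(user, ()))
    while stack:
        role = stack.pop()
        if role not in seen:  # 'seen' stops cycles in role nesting
            seen.add(role)
            stack.extend(ROLE_CHILDREN.get(role, ()))
    return set().union(*(ROLE_RIGHTS.get(r, set()) for r in seen))

def abac_rights(attrs):
    """ABAC: entitlements follow from identity attributes, not assignment."""
    return {ent for ent, rule in ABAC_RULES.items() if rule(attrs)}

def is_authorized(user, attrs, entitlement):
    """Run-time decision: deny unless some model grants the entitlement."""
    granted = group_rights(user) | role_rights(user) | abac_rights(attrs)
    return entitlement in granted
```
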

Authorization should not be confused with identity administration, which is the process used to define and manage identities and to assign entitlements to users. The former is run-time enforcement, while the latter refers to updating directories with business-appropriate identity and privilege data.
