About
After a user has been authenticated, the next critical aspect of security is ensuring that the user can do and see what they are authorized to do and see.
Authorization is the process of validating what an authenticated user can access.
Authorization is abbreviated as AuthZ, versus AuthN for authentication.
Authorization is the process of granting a user (authenticated or not) access to a resource in accordance with their assigned privileges.
Authorization is a broad term for controlling access to resources based on user privileges.
Type
An authorization is a string or a set of strings that represent:
- a permission (for example, 'printer' for the authorization to access printers)
- a role (e.g. admin, manager, etc.)
You can assign a user to:
- a group of users (role) that has some permissions
- permissions directly
Implementation
How authorization is done is an implementation decision.
Examples:
- Role-based authorization (with wildcard match or not)
- Permission-based authorization.
- Logical authorization (conditions combined with if/then, AND, OR, NOT)
- Time-based authorization (e.g. allow access during the last 5 days of the month, from 8am till 10am, etc.)
- Context-based authorization (e.g. allow access if the IP address is 'xxx.xxx.xxx.xxx')
- Custom-based authorization (e.g. based on a script or hard-coded code specific to an application)
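The sketch below is an added example, not code from the original page. It combines several of the styles listed above: roles and direct permissions with wildcard match, a time window, and an IP context check, joined with a logical AND and denying by default. All user, role and permission names, the 8am-10am window as a constant, and the 192.0.2.0/24 network are constructed placeholders.

```python
from datetime import time
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Constructed sample data: every role, permission and user name is an assumption.
ROLE_PERMISSIONS = {
    "admin": {"*"},                      # wildcard: matches every permission
    "manager": {"printer", "report:*"},  # wildcard inside one namespace
}
USERS = {
    "alice": {"roles": {"manager"}, "permissions": set()},
    "bob": {"roles": set(), "permissions": {"printer"}},  # assigned directly
    "carol": {"roles": {"admin"}, "permissions": set()},
}
ALLOWED_HOURS = (time(8, 0), time(10, 0))     # "from 8am till 10am"
ALLOWED_NETWORK = ip_network("192.0.2.0/24")  # documentation range, placeholder


def effective_permissions(user):
    """Union of direct permissions and permissions granted through roles."""
    entry = USERS.get(user)
    if entry is None:
        return set()  # unknown user: nothing granted (deny by default)
    granted = set(entry["permissions"])
    for role in entry["roles"]:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def has_permission(user, required):
    """Wildcards are honoured only in stored grants, never in the request."""
    return any(fnmatchcase(required, grant) for grant in effective_permissions(user))


def is_authorized(user, required, now, client_ip):
    """Logical AND of the permission, time-based and context-based checks."""
    try:
        in_network = ip_address(client_ip) in ALLOWED_NETWORK
    except ValueError:
        in_network = False  # unparsable address: deny
    in_hours = ALLOWED_HOURS[0] <= now < ALLOWED_HOURS[1]
    return has_permission(user, required) and in_hours and in_network
```

The requested permission is always the value being matched and the stored grant is always the pattern, so a caller who asks for '*' gains nothing unless a grant already covers it.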
User Account Control (UAC)
UAC limits application software to standard user privileges until an administrator authorizes an increase or elevation. See also: User space.