Authorization

From Wikipedia, the free encyclopedia
Function of specifying access rights and privileges to resources
"Authorized" redirects here. For the 2007 Epsom Derby winner, see Authorized (horse).
"Authorization code" redirects here. For the code allowing internet domain name transfers, see Auth-Code.

Authorization or authorisation (see spelling differences), in information security, computer security and IAM (Identity and Access Management),[1] is the function of specifying rights/privileges for accessing resources, in most cases through an access policy, and then deciding whether a particular subject has privilege to access a particular resource. Examples of subjects include human users, computer software and other hardware on the computer. Examples of resources include individual files or an item's data, computer programs, computer devices and functionality provided by computer applications. For example, user accounts for human resources staff are typically configured with authorization for accessing employee records.

Authorization is closely related to access control, which is what enforces the authorization policy by deciding whether access requests to resources from (authenticated) consumers shall be approved (granted) or disapproved (rejected).[2]

Authorization should not be confused with authentication, which is the process of verifying someone's identity.

Overview


IAM consists of the following two phases: the configuration phase, where a user account is created and its corresponding access authorization policy is defined, and the usage phase, where user authentication takes place followed by access control to ensure that the user/consumer only gets access to resources for which they are authorized. Hence, access control in computer systems and networks relies on access authorization specified during configuration.

Authorization is the responsibility of an authority, such as a department manager, within the application domain, but is often delegated to a custodian such as a system administrator. Authorizations are expressed as access policies in some type of "policy definition application", e.g. in the form of an access control list or a capability, or a policy administration point, e.g. XACML.

Broken authorization is often listed as the number one risk in web applications.[3] On the basis of the "principle of least privilege", consumers should only be authorized to access whatever they need to do their jobs, and nothing more.[4]

"Anonymous consumers" or "guests" are consumers that have not been required to authenticate. They often have limited authorization. On a distributed system, it is often desirable to grant access without requiring a unique identity. Familiar examples of access tokens include keys, certificates and tickets: they grant access without proving identity.


Implementation


A widely used framework for authorizing applications is OAuth 2. It provides a standardized way for third-party applications to obtain limited access to a user's resources without exposing their credentials.[5]

In modern systems, a widely used model for authorization is role-based access control (RBAC), where authorization is defined by granting subjects one or more roles, and then checking that the resource being accessed has been assigned at least one of those roles.[5] However, with the rise of social media, relationship-based access control is gaining more prominence.[6]

Even when access is controlled through a combination of authentication and access control lists, the problem of maintaining the authorization data is not trivial, and often represents as much administrative burden as managing authentication credentials. It is often necessary to change or remove a user's authorization: this is done by changing or deleting the corresponding access rules on the system. Using atomic authorization is an alternative to per-system authorization management, where a trusted third party securely distributes authorization information.
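The RBAC model described above, written out as an added example in Python (not code from the article or any cited source): subjects are granted roles during the configuration phase, resources are tagged with the roles allowed to reach them, and the usage-phase check passes only when the two sets overlap. The guest role for unauthenticated consumers, default deny for resources with no rule, and revocation by deleting a rule are assumptions of this example, not specifics of the article.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

GUEST_ROLE = "guest"  # assumed: the only role held by an anonymous consumer


@dataclass
class RbacPolicy:
    """Role-based access control: subjects hold roles, resources list allowed roles."""
    subject_roles: Dict[str, Set[str]] = field(default_factory=dict)   # subject -> roles
    resource_roles: Dict[str, Set[str]] = field(default_factory=dict)  # resource -> roles

    # Configuration phase: the authority (or its custodian) defines the access rules.
    def grant(self, subject: str, role: str) -> None:
        self.subject_roles.setdefault(subject, set()).add(role)

    def revoke(self, subject: str, role: str) -> None:
        # Removing an authorization means deleting the corresponding access rule.
        self.subject_roles.get(subject, set()).discard(role)

    def protect(self, resource: str, *roles: str) -> None:
        self.resource_roles.setdefault(resource, set()).update(roles)

    # Usage phase: access control consults the policy for a (possibly anonymous) subject.
    def roles_of(self, subject: Optional[str]) -> Set[str]:
        if subject is None:            # not authenticated: limited guest authorization only
            return {GUEST_ROLE}
        return self.subject_roles.get(subject, set())

    def is_authorized(self, subject: Optional[str], resource: str) -> bool:
        allowed = self.resource_roles.get(resource)
        if not allowed:                # default deny: a resource with no rule is not reachable
            return False
        return bool(self.roles_of(subject) & allowed)


def build_example_policy() -> RbacPolicy:
    """Constructed sample policy mirroring the article's HR example."""
    policy = RbacPolicy()
    policy.grant("alice", "hr_staff")      # HR staff may read employee records
    policy.grant("bob", "engineer")        # engineers get nothing beyond the public page
    policy.protect("employee_records", "hr_staff")
    policy.protect("public_page", GUEST_ROLE, "hr_staff", "engineer")
    return policy


if __name__ == "__main__":
    p = build_example_policy()
    print(p.is_authorized("alice", "employee_records"))   # True
    print(p.is_authorized("bob", "employee_records"))     # False: least privilege
    print(p.is_authorized(None, "public_page"))           # True: guest access
    p.revoke("alice", "hr_staff")
    print(p.is_authorized("alice", "employee_records"))   # False after revocation
```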

Related interpretations


Public policy


In public policy, authorization is a feature of trusted systems used for security or social control.

Banking


In banking, an authorization is a hold placed on a customer's account when a purchase is made using a debit card or credit card.

Publishing

Further information: Official § Adjective, and Unauthorized biography

In publishing, sometimes public lectures and other freely available texts are published without the approval of the author. These are called unauthorized texts. An example is the 2002 'The Theory of Everything: The Origin and Fate of the Universe', which was collected from Stephen Hawking's lectures and published without his permission as per copyright law.[citation needed]

See also

Look up authorization in Wiktionary, the free dictionary.

References

  1. Fraser, B. (1997), RFC 2196 – Site Security Handbook, IETF
  2. Jøsang, Audun (2017), A Consistent Definition of Authorization, Proceedings of the 13th International Workshop on Security and Trust Management (STM 2017)
  3. "A01 Broken Access Control - OWASP Top 10:2021". owasp.org. Retrieved 1 May 2025.
  4. "Authorization - OWASP Cheat Sheet Series". cheatsheetseries.owasp.org. Retrieved 1 May 2025.
  5. Hingnikar, Abhishek (2023). Solving Identity Management in Modern Applications (2nd ed.). Apress. pp. 63, 147. ISBN 9781484282601.
  6. Gates, Carrie (2007). "Access control requirements for web 2.0 security and privacy". IEEE Web. 2: 12–15.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Authorization&oldid=1326659257"