Authorization or authorisation (see spelling differences) is the function of specifying rights/privileges for accessing resources, which is related to general information security and computer security, and to IAM (Identity and Access Management) in particular.[1] More formally, "to authorize" is to define an access policy during the configuration of systems and user accounts. For example, user accounts for human resources staff are typically configured with authorization for accessing employee records, and this policy gets formalized as access control rules in a computer system. Authorization must not be confused with access control. During usage, access control enforces the authorization policy by deciding whether access requests to resources from (authenticated) consumers shall be approved (granted) or disapproved (rejected).[2] Resources include individual files or an item's data, computer programs, computer devices and functionality provided by computer applications. Examples of consumers are computer users, computer software and other hardware on the computer.
IAM consists of the following two phases: the configuration phase, where a user account is created and its corresponding access authorization policy is defined, and the usage phase, where user authentication takes place followed by access control to ensure that the user/consumer only gets access to resources for which they are authorized. Hence, access control in computer systems and networks relies on access authorization specified during configuration.
Most modern, multi-user operating systems include role-based access control (RBAC), where authorization is implicitly defined by the roles. User authentication is the process of verifying the identity of consumers. When an authenticated consumer tries to access a resource, the access control process checks that the consumer has been authorized to use that resource. Authorization is the responsibility of an authority, such as a department manager, within the application domain, but is often delegated to a custodian such as a system administrator. Authorizations are expressed as access policies in some type of "policy definition application", e.g. in the form of an access control list or a capability, or in a policy administration point, e.g. XACML. Under the "principle of least privilege", consumers should only be authorized to access whatever they need to do their jobs. Older and single-user operating systems often had weak or non-existent authentication and access control systems.
"Anonymous consumers" or "guests" are consumers that have not been required to authenticate. They often have limited authorization. On a distributed system, it is often desirable to grant access without requiring a unique identity. Familiar examples of access tokens include keys, certificates and tickets: they grant access without proving identity.
Trusted consumers are often authorized for unrestricted access to resources on a system, but must be verified so that the access control system can make the access approval decision. "Partially trusted" consumers and guests will often have restricted authorization in order to protect resources against improper access and usage. The access policy in some operating systems, by default, grants all consumers full access to all resources. Others do the opposite, insisting that the administrator explicitly authorizes a consumer to use each resource.
Even when access is controlled through a combination of authentication and access control lists, the problem of maintaining the authorization data is not trivial, and often represents as much administrative burden as managing authentication credentials. It is often necessary to change or remove a user's authorization: this is done by changing or deleting the corresponding access rules on the system. Using atomic authorization is an alternative to per-system authorization management, where a trusted third party securely distributes authorization information.
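The two phases described above, in an added example that is not part of the original article: the configuration phase defines roles and accounts (the HR staff / employee records policy from the introduction), and the usage phase authenticates a consumer and then lets access control enforce the configured rules. Role names, account names, passwords and resource names are constructed samples, and authentication is a stub because the point is the split between authorization and access control.

```python
import hmac


def build_policy():
    """Configuration phase (authorization): define roles, their permissions
    and which accounts hold which roles. All values are constructed samples."""
    return {
        "role_permissions": {
            "hr_staff": {("employee_records", "read"), ("employee_records", "write")},
            "guest": {("public_directory", "read")},
        },
        "accounts": {
            "alice": {"password": "hr-secret", "roles": {"hr_staff"}},
            "bob": {"password": "bob-secret", "roles": set()},
        },
    }


def authenticate(policy, user, password):
    """Usage phase, step 1: verify identity (stubbed shared-secret check).
    Anonymous consumers (user=None) are not required to authenticate and
    receive only the limited 'guest' role. Returns None on failure."""
    if user is None:
        return {"guest"}
    account = policy["accounts"].get(user)
    if account is None or not hmac.compare_digest(account["password"], password or ""):
        return None
    return set(account["roles"])


def check_access(policy, roles, resource, action, default_allow=False):
    """Usage phase, step 2: access control enforces the configured policy.
    default_allow=False is the least-privilege stance: deny unless some role
    explicitly grants (resource, action). default_allow=True mirrors systems
    whose default policy grants every consumer full access."""
    if roles is None:  # unauthenticated and not a guest: nothing to decide on
        return False
    for role in roles:
        if (resource, action) in policy["role_permissions"].get(role, set()):
            return True
    return default_allow


def revoke_role(policy, user, role):
    """Change a user's authorization by editing the configured rules; the
    next access control decision reflects it without touching credentials."""
    policy["accounts"][user]["roles"].discard(role)
```

Compare `check_access(..., default_allow=True)` against the default to see why a permissive default turns every unlisted resource into an authorization gap.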
In public policy, authorization is a feature of trusted systems used for security or social control.
In banking, an authorization is a hold placed on a customer's account when a purchase is made using a debit card or credit card.
In publishing, public lectures and other freely available texts are sometimes published without the approval of the author. These are called unauthorized texts. An example is the 2002 'The Theory of Everything: The Origin and Fate of the Universe', which was collected from Stephen Hawking's lectures and published without the permission copyright law requires.[citation needed]