What is Authorization?
Authorization in cybersecurity refers to the process of granting or denying access to resources
based on the identity and permission level of a user or device (collectively referred to as an
entity).
The authorization process implements access controls that determine the exact activities an entity
is allowed to execute on a specific resource.
Authorization is a crucial component of cybersecurity, strengthening the confidentiality, integrity,
and availability of data and resources within an IT environment. It ensures that only authorized
entities may access those resources and perform operations on them, and it protects your company's
sensitive information from unauthorized access, whether due to internal mistakes or external attacks.
Properly configured authorization also contains the damage from a compromised account or device by
limiting each entity to the least amount of data necessary to perform its job.
Authorization vs. authentication
Definition
  Authentication: Verifying the identity of a user, system, or process.
  Authorization: Granting or denying access to resources based on the authenticated user's permissions.
Purpose
  Authentication: Confirming the user is who they claim to be.
  Authorization: Determining what actions or resources a user is allowed to access.
Focus
  Authentication: Identity verification.
  Authorization: Access control.
Process
  Authentication: Usually involves verifying credentials (e.g., username/password, biometrics).
  Authorization: Involves checking if the authenticated user has the necessary permissions for the requested action/resource.
Goal
  Authentication: Ensuring only authorized users gain access.
  Authorization: Restricting access to specific functionalities or data based on permissions.
Examples
  Authentication: Logging into an email account with a username and password.
  Authorization: A user with 'admin' privileges being able to configure system settings.
Types of authorization
Authorization may be granted based on various criteria or access control models. The three main
models used are:
Role-based
Relationship-based
Attribute-based
Role-Based Access Control (RBAC)
RBAC is a method of authorization that assigns users to specific roles based on their job
responsibilities. Each role has a set of permissions that determine what actions the user can
perform.
For example, a bookkeeper in an accounting department may have read-only access to financial
reports, while a senior accountant may have read-write access.
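The bookkeeper / senior accountant scenario expressed as a deny-by-default RBAC check. This is an added example, not code from the original article; the role names, the 'financial_reports' resource and the user names are constructed for illustration.

```python
"""Minimal role-based access control (RBAC) check.

Added example, not code from the original article. Role names, the
'financial_reports' resource and the user assignments are constructed
to match the bookkeeper / senior accountant scenario described above.
"""
from dataclasses import dataclass, field

# Role -> set of (action, resource) permissions. Anything not listed
# here is denied: the decision defaults to "no".
ROLE_PERMISSIONS: dict[str, frozenset[tuple[str, str]]] = {
    "bookkeeper": frozenset({("read", "financial_reports")}),
    "senior_accountant": frozenset({
        ("read", "financial_reports"),
        ("write", "financial_reports"),
    }),
}

@dataclass(frozen=True)
class Principal:
    """An authenticated entity. Authentication is assumed to have
    already happened; RBAC only decides what this identity may do."""
    name: str
    roles: frozenset[str] = field(default_factory=frozenset)

def permissions_for(principal: Principal) -> frozenset[tuple[str, str]]:
    """Union of the permissions granted by each of the principal's roles.
    Unknown role names contribute nothing rather than raising, so a typo
    in a role assignment fails closed."""
    granted: set[tuple[str, str]] = set()
    for role in principal.roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(granted)

def is_authorized(principal: Principal, action: str, resource: str) -> bool:
    """Return True only if some role held by the principal explicitly
    grants (action, resource). Deny by default."""
    return (action, resource) in permissions_for(principal)

# Constructed sample principals for the scenario in the text.
BOOKKEEPER = Principal("alice", frozenset({"bookkeeper"}))
SENIOR_ACCOUNTANT = Principal("bob", frozenset({"senior_accountant"}))
NEW_HIRE = Principal("carol")  # no roles assigned yet

if __name__ == "__main__":
    for who in (BOOKKEEPER, SENIOR_ACCOUNTANT, NEW_HIRE):
        for action in ("read", "write"):
            verdict = "ALLOW" if is_authorized(who, action, "financial_reports") else "DENY"
            print(f"{who.name:6} {action:5} financial_reports -> {verdict}")
```

A principal with no roles, or with a misspelled role, gets nothing, which is the least-privilege default the article describes.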