Authorization
What Is Authorization?
Authorization is the process of determining whether an authenticated entity has permission to perform a requested action on a resource within an information system. It follows authentication in the sequence of security decisions: authentication establishes who is making a request, and authorization determines what that entity is allowed to do. The distinction matters because a user who has successfully proven their identity may still be denied access to specific data, functions, or operations if the authorization policy does not grant those permissions to their account, role, or attributes.
Authorization decisions are governed by access control policies that express the rules an enforcement mechanism applies to permit or deny requests. These policies may be encoded in role assignments, attribute conditions, capability lists, or formal policy languages. The scope of authorization extends beyond human users to include service accounts, application processes, and devices, all of which must be granted only the minimum permissions necessary for their function, a principle known as least privilege. Privacy protections in multi-user systems depend heavily on authorization policy: without correctly scoped access controls, data belonging to one user is accessible to others.
Access Control Models
Several formal models structure how authorization policies are expressed and evaluated. Discretionary access control (DAC) allows resource owners to set permissions for their own objects; mandatory access control (MAC) enforces system-wide policy that users cannot override, common in classified government environments. Role-based access control (RBAC), formalized by David Ferraiolo and Rick Kuhn in 1992 and standardized as INCITS 359-2012, assigns permissions to roles rather than individuals. The NIST Role-Based Access Control project estimates that RBAC adoption saved industry over one billion dollars through reduced administrative overhead and more consistent policy enforcement.
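As an added illustration of the RBAC model just described (this is example code, not taken from the INCITS standard or the NIST project), the following Python sketch maps users to roles and roles to permissions, lets senior roles inherit from junior ones through a role hierarchy, and enforces a static separation-of-duty constraint of the kind used in financial systems. All role, permission and user names are constructed sample values.

```python
"""Minimal RBAC model: users -> roles -> permissions, with a role hierarchy
and a static separation-of-duty (SSD) constraint.

Added illustration; not code from any RBAC implementation or standard.
All role, permission and user names are constructed sample values.
"""
from collections import deque

# Permissions granted directly to each role (constructed sample data).
ROLE_PERMISSIONS = {
    "employee": {"timesheet:read", "timesheet:write"},
    "clerk":    {"invoice:create"},
    "approver": {"invoice:approve"},
    "auditor":  {"invoice:read", "ledger:read"},
}

# Role hierarchy: a senior role inherits every permission of its juniors.
# Direction: senior -> set of directly junior roles.
ROLE_HIERARCHY = {
    "clerk":    {"employee"},
    "approver": {"employee"},
    "auditor":  {"employee"},
}

# Static separation of duty: no user may hold both roles of any pair.
# (The clerk who creates an invoice must not also be able to approve it.)
SSD_CONSTRAINTS = [("clerk", "approver")]


def effective_roles(role):
    """Return the role plus every role it inherits from, transitively."""
    seen = {role}
    queue = deque([role])
    while queue:
        current = queue.popleft()
        for junior in ROLE_HIERARCHY.get(current, ()):
            if junior not in seen:
                seen.add(junior)
                queue.append(junior)
    return seen


def permissions_for_roles(roles):
    """Union of permissions over the given roles and everything they inherit."""
    perms = set()
    for role in roles:
        for r in effective_roles(role):
            perms |= ROLE_PERMISSIONS.get(r, set())
    return perms


def assign_role(user_roles, user, role):
    """Assign a role to a user, rejecting assignments that would violate SSD."""
    current = user_roles.setdefault(user, set())
    for a, b in SSD_CONSTRAINTS:
        if {a, b} <= (current | {role}):
            raise ValueError(f"SSD violation: {user} cannot hold both {a} and {b}")
    current.add(role)
    return current


def is_authorized(user_roles, user, permission):
    """Authorization check: does any of the user's roles grant the permission?"""
    return permission in permissions_for_roles(user_roles.get(user, set()))


if __name__ == "__main__":
    users = {}
    assign_role(users, "alice", "clerk")
    assign_role(users, "bob", "approver")
    print(is_authorized(users, "alice", "invoice:create"))   # True
    print(is_authorized(users, "alice", "timesheet:read"))   # True, inherited via hierarchy
    print(is_authorized(users, "alice", "invoice:approve"))  # False
    try:
        assign_role(users, "alice", "approver")
    except ValueError as e:
        print(e)  # SSD violation: alice cannot hold both clerk and approver
```

The check in `assign_role` is what makes the separation-of-duty rule a property of the role assignments themselves rather than something each application has to remember; the permission lookup in `is_authorized` never needs to know about it.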
Attribute-based access control (ABAC) generalizes beyond roles to evaluate arbitrary attributes of the subject, resource, action, and environment when making an access decision. NIST Special Publication 800-162 defines ABAC and describes its implementation considerations. An ABAC policy might grant access to a medical record only if the requesting user's department attribute is "oncology" and the environment attribute for current time falls within working hours. XACML (eXtensible Access Control Markup Language), standardized by OASIS, provides a declarative XML-based policy language for expressing and evaluating ABAC-compatible access control policies.
Policy Enforcement
The architectural pattern for authorization separates policy decision from policy enforcement. A Policy Decision Point (PDP) evaluates the access request against the applicable policy and returns a permit or deny decision. A Policy Enforcement Point (PEP) intercepts the request, queries the PDP, and either allows or blocks the operation based on the response. This separation allows policies to be updated centrally without modifying application code at every enforcement point.
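The ABAC policy from the previous section and the PDP/PEP split described here fit together naturally, so one added example covers both (it is illustrative code, not an implementation of NIST SP 800-162, XACML or any policy engine). The PDP below evaluates a request's subject, resource, action and environment attributes against an ordered rule list with deny-by-default; the PEP is a decorator that intercepts a protected function, consults the PDP and blocks the call on anything but a permit. The policy, the attribute names, the 08:00 to 18:00 weekday "working hours" window and the sample record are all constructed.

```python
"""ABAC policy decision point (PDP) plus a policy enforcement point (PEP)
wrapper, illustrating the policy/enforcement separation.

Added example, not code from NIST SP 800-162 or any XACML engine. The
policy, attribute names, 'working hours' window and records are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Request:
    """An access request: attributes of subject, resource, action, environment."""
    subject: dict
    resource: dict
    action: str
    environment: dict = field(default_factory=dict)


def working_hours(env):
    """Environment condition: weekday, 08:00-18:00 (constructed window)."""
    now = env["time"]
    return now.weekday() < 5 and 8 <= now.hour < 18


# Each rule is (effect, condition). Rules are evaluated in order and the first
# matching rule wins (first-applicable combining); no match means deny.
POLICY = [
    # An explicit deny for suspended accounts comes first so it overrides permits.
    ("deny", lambda r: r.subject.get("status") == "suspended"),
    # Oncology staff may read oncology records during working hours.
    ("permit", lambda r: r.action == "read"
                         and r.resource.get("type") == "medical_record"
                         and r.resource.get("department") == "oncology"
                         and r.subject.get("department") == "oncology"
                         and working_hours(r.environment)),
    # The attending physician of the patient may read or write at any time.
    ("permit", lambda r: r.action in ("read", "write")
                         and r.resource.get("type") == "medical_record"
                         and r.resource.get("attending") == r.subject.get("id")),
]


def pdp_decide(request):
    """PDP: evaluate the request against POLICY; deny when no rule applies."""
    for effect, condition in POLICY:
        if condition(request):
            return effect
    return "deny"


class AccessDenied(PermissionError):
    pass


def enforce(operation):
    """PEP decorator: intercept the call, ask the PDP, then allow or block."""
    def wrapper(request):
        decision = pdp_decide(request)
        if decision != "permit":
            raise AccessDenied(f"{request.action} on {request.resource.get('id')} denied")
        return operation(request)
    return wrapper


# Constructed sample record behind the protected operation.
RECORDS = {"rec-1": {"id": "rec-1", "type": "medical_record", "department": "oncology",
                     "attending": "dr-lee", "notes": "..."}}


@enforce
def read_record(request):
    """Protected operation: the PEP runs before this body is reached."""
    return RECORDS[request.resource["id"]]["notes"]


def try_read(subject, record_id, when):
    """Return the PDP decision for a read of record_id at time `when`."""
    req = Request(subject=subject, resource=RECORDS[record_id], action="read",
                  environment={"time": when})
    return pdp_decide(req)


# Constructed sample subjects and times (2024-03-12 is a Tuesday, 03-10 a Sunday).
ONCOLOGY_NURSE = {"id": "nurse-1", "department": "oncology", "status": "active"}
ATTENDING = {"id": "dr-lee", "department": "radiology", "status": "active"}
WEEKDAY_NOON = datetime(2024, 3, 12, 12, 0)
SUNDAY_NIGHT = datetime(2024, 3, 10, 23, 0)

if __name__ == "__main__":
    print(try_read(ONCOLOGY_NURSE, "rec-1", WEEKDAY_NOON))  # permit
    print(try_read(ONCOLOGY_NURSE, "rec-1", SUNDAY_NIGHT))  # deny (outside working hours)
    print(try_read(ATTENDING, "rec-1", SUNDAY_NIGHT))       # permit (attending physician)
```

Because `read_record` never inspects attributes itself, changing the policy (say, widening the working-hours window) is an edit to `POLICY` alone, which is the central-update property the PDP/PEP separation is meant to provide.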
Policy administration must also address how permissions are assigned, reviewed, and revoked. Privilege creep, the accumulation of permissions beyond what a user currently needs as their role evolves, is a common operational problem. Periodic access reviews, in which managers certify that their team members' permissions remain appropriate, are a standard control in regulated environments.
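Privilege creep is easier to spot when an access review compares what a user holds against what they have actually used. The following added example (not taken from any IAM product) reads a constructed audit log of authorized actions, builds the set of permissions each user exercised within a review window, and lists granted-but-unused permissions as revocation candidates for the reviewer. The grant table, the log lines and their four-field format are assumptions made for the example.

```python
"""Access-review helper: flag granted permissions a user has not exercised
within a review window, as candidates for revocation.

Added example, not from any IAM product. The grants and log lines are
constructed sample data; the log format is an assumption.
"""
from datetime import datetime, timedelta

# Constructed grant table: user -> set of permissions currently assigned.
GRANTS = {
    "alice": {"crm:read", "crm:write", "payroll:read", "payroll:approve"},
    "bob":   {"crm:read"},
}

# Constructed audit log, one line per authorization decision:
# <ISO timestamp> <user> <permission> <ALLOW|DENY>
AUDIT_LOG = """\
2024-05-01T09:12:00 alice crm:read ALLOW
2024-05-01T09:13:10 alice crm:write ALLOW
2024-05-03T14:02:55 bob crm:read ALLOW
2024-02-11T11:40:00 alice payroll:approve ALLOW
2024-05-04T16:20:00 alice payroll:read DENY
this line is malformed and must be skipped
"""


def parse_log(text):
    """Yield (timestamp, user, permission, result) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the review
        ts, user, perm, result = parts
        yield datetime.fromisoformat(ts), user, perm, result


def permissions_used(log_text, since):
    """Map user -> permissions actually exercised (ALLOW) on or after `since`.

    Denied attempts are deliberately not counted as use: a permission the
    user does not have cannot be stale, and a DENY shows nothing was exercised.
    """
    used = {}
    for ts, user, perm, result in parse_log(log_text):
        if result == "ALLOW" and ts >= since:
            used.setdefault(user, set()).add(perm)
    return used


def stale_permissions(grants, log_text, review_end, window_days=90):
    """Granted-but-unused permissions per user within the review window."""
    since = review_end - timedelta(days=window_days)
    used = permissions_used(log_text, since)
    report = {}
    for user, perms in grants.items():
        stale = sorted(perms - used.get(user, set()))
        if stale:
            report[user] = stale
    return report


REVIEW_END = datetime(2024, 5, 31)  # constructed review date

if __name__ == "__main__":
    for user, stale in stale_permissions(GRANTS, AUDIT_LOG, REVIEW_END).items():
        print(f"{user}: review or revoke {', '.join(stale)}")
    # alice: review or revoke payroll:approve, payroll:read
```

With the 90-day default window, alice's `payroll:approve` is flagged because its only use predates the window, and `payroll:read` is flagged because the one attempt was denied; bob used everything he holds and does not appear. The output is a review aid for the certifying manager, not an automatic revocation.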
Authorization in Distributed Systems
In distributed systems and microservices architectures, authorization decisions must often be made across service boundaries. OAuth 2.0 and its extension, OpenID Connect, provide delegation protocols that allow users to authorize third-party applications to access resources on their behalf without sharing credentials. JSON Web Tokens (JWTs) carry claims about a user's identity and permissions across service calls in a cryptographically verifiable format. Zero-trust architecture extends authorization enforcement to every internal service call, rejecting the assumption that traffic inside a network perimeter is inherently trustworthy and instead requiring each request to be individually authorized against policy.
The NIST Special Publication 800-207 on Zero Trust Architecture defines the principles and deployment models for zero-trust approaches to authorization in enterprise and cloud environments.
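To make concrete how a service verifies a JWT before acting on its claims, here is an added example built on the Python standard library only (it is not the code of any JWT library, OAuth server or NIST publication). It mints an HS256 token for the sake of the demonstration, then verifies signature, pinned algorithm, expiry, issuer and audience, and finally checks the `scope` claim for the permission the request needs. The shared key, issuer, audience and claim values are constructed; a real deployment would normally use a maintained JWT library and asymmetric keys so that verifying services never hold a signing secret.

```python
"""Verify an HS256 JWT and authorize a request from its claims.

Added example using only the standard library; it is not the code of any JWT
library, OAuth server or NIST document. The shared key, issuer, audience and
claim values are constructed. HS256 is used only because it needs no extra
dependencies; cross-service verification is usually done with asymmetric keys.
"""
import base64
import hashlib
import hmac
import json
import time

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # constructed
ISSUER = "https://issuer.example"                   # constructed
AUDIENCE = "records-api"                            # constructed


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def mint_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Create a compact JWS (header.payload.signature) signed with HS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes = SHARED_KEY, now: float = None) -> dict:
    """Return the claims if signature, alg, exp, iss and aud all check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the verifier expects instead of trusting the header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison of the signature bytes.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp") is None or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise ValueError("wrong audience")
    return claims


def authorize(token: str, required_scope: str, now: float = None) -> bool:
    """Service-side check: the token is valid AND carries the needed scope."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    return required_scope in claims.get("scope", "").split()


if __name__ == "__main__":
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
              "scope": "records:read", "exp": int(time.time()) + 300}
    token = mint_token(claims)
    print(authorize(token, "records:read"))   # True
    print(authorize(token, "records:write"))  # False: scope not granted
```

Note that `authorize` treats every verification failure the same way (a plain refusal), which is the behaviour a service should expose to callers; the distinct `ValueError` messages exist for logging on the server side.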
Applications
Authorization has applications in a range of fields, including:
- Enterprise identity and access management systems controlling employee access to business applications
- Healthcare information systems restricting access to patient records by clinical role
- Cloud computing platforms governing access to virtual machines, storage, and services
- Financial systems enforcing separation of duties to prevent fraud
- Government and defense systems implementing mandatory access control for classified information