About
After a user has been authenticated, the next critical aspect of security is ensuring that the user can do and see what they are authorized to do and see.
Authorization is the process of validating what an authenticated user can access.
Authorization is also known as:
- access privileges
- access control
- other access-related terms.
Authorization is abbreviated as AuthZ (versus AuthN for authentication).
Authorization is the process of granting a user (authenticated or not) access to a resource in accordance with their assigned privileges.
It is a broad term for controlling access to resources based on user privileges.
Implementation
Function
if !(authZFunctionIsAuthorized(principal, resource, action, request)) {
    // the function reads the rules from a ''policy'' file,
    // applies them to its arguments and returns the decision
    return "Not Authorized"
}
where:
- the principal is the user or process making the request
- the resource is what is being accessed (table, image, function, …)
- the action is what is requested on it (get, put, delete, …)
- the request carries environment information (time, origin, IP, headers, …)
Policy
The authorization function is up to the developer and enforces a set of authorization rules known as a policy.
Its definition may be as simple as listing:
- subjects (user, process, …)
- objects (resources)
- and the allowed actions
Access control model
In security, the authorization function may implement one or more of the following access control models:
- Access Control List (ACL)
- Role-based (with or without wildcard matching), known broadly as Role-Based Access Control (RBAC)
- Permission-based (note that a permission may come from a role)
- Logical (rules combined with if / and / or / not)
- Time-based (e.g. allow access during the last 5 days of the month, from 8am till 10am, etc.)
- Request context-based (e.g. allow access if the IP address is 'xxx.xxx.xxx.xxx')
- Custom (e.g. based on a script or hard-coded logic specific to an application)
And there is more
You can assign a user to:
- a group of users (a role) that has some permissions
- permissions directly
An authorization may be just a string or a set of strings that represent:
- a permission (for example, printer for the authorization to access printers)
- a role (e.g. admin, manager, etc.)
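The models listed above can be combined in one authorization function. The following is an added Python example, not code from the original page: it implements RBAC with wildcard permission patterns (a role granting "printer:*"), a time-based rule (8am till 10am, last 5 days of the month), a request context rule on the origin IP, and a logical combination of the three with default deny. The roles, users and the trusted network 10.0.0.0/8 are constructed sample data.

```python
from __future__ import annotations

import calendar
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample data: role -> permission patterns and user -> roles.
# Patterns use wildcard matching, so "printer:*" grants every action on the
# printer resource and "*" grants everything.
ROLE_PERMISSIONS = {
    "admin": {"*"},
    "manager": {"report:read", "report:export", "printer:*"},
    "staff": {"report:read", "printer:print"},
}
USER_ROLES = {
    "alice": {"manager"},
    "bob": {"staff"},
    "carol": {"admin"},
}
TRUSTED_NETWORK = "10.0.0.0/8"  # placeholder CIDR for the request-context rule


@dataclass
class Request:
    """Environment information that the context-based rules evaluate."""
    ip: str
    at: datetime


def make_request(ip: str, iso_time: str) -> Request:
    """Build a Request from an origin address and an ISO 8601 timestamp."""
    return Request(ip=ip, at=datetime.fromisoformat(iso_time))


def has_permission(principal: str, permission: str) -> bool:
    """RBAC: granted if any role of the principal holds a pattern matching the permission."""
    for role in USER_ROLES.get(principal, ()):
        for pattern in ROLE_PERMISSIONS.get(role, ()):
            if fnmatchcase(permission, pattern):
                return True
    return False


def in_office_hours(at: datetime) -> bool:
    """Time-based rule: from 8am till 10am."""
    return 8 <= at.hour < 10


def in_last_five_days_of_month(at: datetime) -> bool:
    """Time-based rule: the last 5 days of the month, using the real month length."""
    days_in_month = calendar.monthrange(at.year, at.month)[1]
    return at.day > days_in_month - 5


def from_trusted_network(ip: str, network: str = TRUSTED_NETWORK) -> bool:
    """Request-context rule: the origin address lies inside the trusted network.
    A malformed address is treated as untrusted instead of raising."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(network)
    except ValueError:
        return False


def is_authorized(principal: str, resource: str, action: str, request: Request) -> bool:
    """Logical model combining the rules above:
    (RBAC permission) AND ((office hours AND month-end window) OR trusted network).
    Anything not explicitly granted is denied."""
    if not has_permission(principal, f"{resource}:{action}"):
        return False
    time_ok = in_office_hours(request.at) and in_last_five_days_of_month(request.at)
    return time_ok or from_trusted_network(request.ip)


if __name__ == "__main__":
    month_end = make_request("203.0.113.7", "2024-02-27T09:00")
    print(is_authorized("alice", "printer", "print", month_end))  # True
    print(is_authorized("bob", "report", "export", month_end))    # False: staff lacks export
```

The permission check comes first so that a permissive context rule (a trusted network) can never grant an action the principal's roles do not hold; the context rules only narrow when an already-held permission may be exercised.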
ACL
An ACL is a list of permissions associated with a resource.
Example:
alice, key1, read
bob, key2, write
- Alice can read key1
- Bob can write key2
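The ACL example above, with the enforcement pattern from the Function section wrapped around it, as an added Python example that is not part of the original page. It parses entries in the page's own "subject, resource, action" format (the two page entries plus one constructed entry for bob), rejects malformed lines instead of silently dropping them, and exposes an is_authorized function with the signature used earlier on the page; the request parameter is accepted but unused because plain ACL entries carry no context conditions.

```python
from __future__ import annotations

# The page's ACL example in its own "<subject>, <resource>, <action>" format,
# plus one constructed extra entry so that one resource has several entries.
ACL_TEXT = """
alice, key1, read
bob, key2, write
bob, key2, read
"""


def parse_acl(text: str) -> set[tuple[str, str, str]]:
    """Parse ACL lines into (subject, resource, action) triples.
    Blank lines and '#' comments are skipped; any other malformed line raises,
    so a typo cannot widen or shrink the policy unnoticed."""
    entries: set[tuple[str, str, str]] = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"malformed ACL entry on line {lineno}: {raw!r}")
        subject, resource, action = parts
        entries.add((subject, resource, action))
    return entries


ACL = parse_acl(ACL_TEXT)


def acl_for(resource: str, acl=ACL) -> set[tuple[str, str]]:
    """The ACL of one resource: the (subject, action) pairs attached to it."""
    return {(s, a) for s, r, a in acl if r == resource}


def is_authorized(principal: str, resource: str, action: str,
                  request: dict | None = None, acl=ACL) -> bool:
    """Default deny: only an exact (subject, resource, action) entry grants access."""
    return (principal, resource, action) in acl


def handle(principal: str, resource: str, action: str, request: dict | None = None) -> str:
    """The enforcement pattern from the Function section around the ACL check."""
    if not is_authorized(principal, resource, action, request):
        return "Not Authorized"
    return f"{action} on {resource} granted to {principal}"


if __name__ == "__main__":
    print(handle("alice", "key1", "read"))   # read on key1 granted to alice
    print(handle("alice", "key1", "write"))  # Not Authorized
```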
User Account Control (UAC)
UAC limits application software to standard user privileges until an administrator authorizes an increase or elevation. See also wiki/User space