What is Authorization (AuthZ)? Identity and Access Management

About

After a user has been authenticated, the next critical aspect of security is ensuring that the user can do and see what they are authorized to do and see.

Authorization is the process of validating what an authenticated user can access.

Authorization is also known as:

  • access privileges
  • access control
  • and other access type wording.

Authorization is abbreviated as AuthZ (for authorization) versus AuthN (for authentication).

Authorization is the process of granting a user (authenticated or not) access to a resource in accordance with their assigned privileges.

Authorization is a broad term for controlling access to resources based on user privileges.

Implementation

Function

// authZFunctionIsAuthorized gets the rules from a ''policy'' file,
// applies them to the call and returns the result
if !authZFunctionIsAuthorized(principal, resource, action, request) {
  return "Not Authorized"
}

where:

  • the principal is the subject asking for access (user, process, …)
  • the resource is the object being accessed (table, image, function, …)
  • the action is the operation requested (get, put, delete, …)
  • the request gives environment information (time, origin, ip, header, …)

Policy

The authorization function is up to the developer and enforces a set of authorization rules known as a policy.

Their definition may be as simple as listing:

  • subjects (user, process, …)
  • objects (resources),
  • and the allowed actions

Access control model

In security, the authorization function may implement one or more of the following Access control models:

  • Access Control List (ACL)
  • Role-based (with wildcard match or not), known broadly as Role-Based Access Control (RBAC)
  • Permission-based (note that a permission may come from a role)
  • Logical (If And Or Not then)
  • Time-based (e.g. allow access the last 5 days of the month, from 8am till 10am, etc.)
  • Request Context-based (e.g. allow access if the ip address is 'xxx.xxx.xxx.xxx')
  • Custom-based (e.g. based on a script or hard-coded code specific to an application)

And there is more

You can assign a user to:

  • a group of users (role) that has some permissions
  • permissions directly

An authorization may be just a string or a set of strings that represent:

  • a permission (for example printer for the authorization to access printers)
  • a role (e.g. admin, manager, etc.)

ACL

An ACL is a list of permissions associated with a resource.

Example:

alice, key1, read
bob, key2, write

  • Alice can read key1
  • Bob can write key2
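As an added example (not the page's own code), here is the authorization function sketched above implemented in Python over a policy written in the page's ACL format "subject, object, action". The `role:` subject prefix, the `*` wildcard and the `ip=` request-context condition are assumed extensions of that format, and `ROLES` is a constructed user-to-role mapping; the check defaults to deny when no rule matches.

```python
from ipaddress import ip_address, ip_network

# Constructed policy: the two ACL lines from the page, plus an assumed
# role rule (wildcard object/action) and an assumed ip= context condition.
POLICY_TEXT = """
alice, key1, read
bob, key2, write
role:admin, *, *
carol, key3, read, ip=10.0.0.0/8
"""

# Constructed role assignment: user -> set of roles (assumption, not from the page).
ROLES = {"dave": {"admin"}}


def parse_policy(text):
    """Parse 'subject, object, action[, key=value...]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 3 or any("=" not in p for p in parts[3:]):
            raise ValueError(f"malformed rule: {line!r}")
        subject, obj, action = parts[:3]
        conditions = dict(p.split("=", 1) for p in parts[3:])
        rules.append((subject, obj, action, conditions))
    return rules


def _subject_matches(rule_subject, principal):
    """A 'role:NAME' subject matches any principal holding that role."""
    if rule_subject.startswith("role:"):
        return rule_subject[len("role:"):] in ROLES.get(principal, set())
    return rule_subject == principal


def _context_matches(conditions, request):
    """Request-context rule: an ip= condition requires the caller ip to be in the CIDR."""
    cidr = conditions.get("ip")
    if cidr is None:
        return True
    return "ip" in request and ip_address(request["ip"]) in ip_network(cidr)


def is_authorized(principal, resource, action, request, rules):
    """Default deny: allow only if some rule matches subject, object, action and context."""
    for subject, obj, act, conditions in rules:
        if (_subject_matches(subject, principal)
                and obj in ("*", resource)
                and act in ("*", action)
                and _context_matches(conditions, request)):
            return True
    return False
```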

User Account Control (UAC)

UAC limits application software to standard user privileges until an administrator authorizes an increase or elevation. See also wiki/User space