Authorization

Authorization or authorisation (see spelling differences), in information security, computer security and IAM (Identity and Access Management),[1] is the function of specifying rights/privileges for accessing resources, in most cases through an access policy, and then deciding whether a particular subject has privilege to access a particular resource. Examples of subjects include human users, computer software and other hardware on the computer. Examples of resources include individual files or an item's data, computer programs, computer devices and functionality provided by computer applications. For example, user accounts for human resources staff are typically configured with authorization for accessing employee records.

Authorization is closely related to access control, which is what enforces the authorization policy by deciding whether access requests to resources from (authenticated) consumers shall be approved (granted) or disapproved (rejected).[2]

Authorization should not be confused with authentication, which is the process of verifying someone's identity.
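The split described above, between specifying rights in a policy, deciding on each request, and authenticating beforehand, shown as an added example that is not part of the original page. The role names, resource types and subjects are constructed for illustration, with the human resources case taken from the text.

```python
from dataclasses import dataclass

# Constructed authorization policy: (role, resource type) -> permitted actions.
# Anything not listed here is rejected (default deny).
POLICY = {
    ("hr_staff", "employee_record"): {"read", "update"},
    ("payroll_service", "employee_record"): {"read"},
    ("employee", "own_profile"): {"read"},
}

@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset
    authenticated: bool  # outcome of a separate authentication step

@dataclass(frozen=True)
class Decision:
    granted: bool
    reason: str

def decide(subject, resource_type, action):
    """Access control: enforce POLICY for a single access request."""
    # Authentication establishes who the subject is; a claimed identity
    # that was never verified is not evaluated against the policy at all.
    if not subject.authenticated:
        return Decision(False, "unauthenticated")
    for role in sorted(subject.roles):
        if action in POLICY.get((role, resource_type), set()):
            return Decision(True, f"granted via role {role}")
    return Decision(False, "no matching grant")

# Constructed subjects: a human user, a software subject, and an
# unauthenticated request that merely claims an HR identity.
ALICE = Subject("alice", frozenset({"hr_staff"}), True)
BOB = Subject("bob", frozenset({"employee"}), True)
BATCH = Subject("payroll-batch", frozenset({"payroll_service"}), True)
CLAIMED = Subject("alice", frozenset({"hr_staff"}), False)

if __name__ == "__main__":
    requests = [(ALICE, "update"), (BOB, "read"), (BATCH, "update"), (CLAIMED, "read")]
    for subject, action in requests:
        print(subject.name, action, decide(subject, "employee_record", action))
```
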

  1. Fraser, B. (1997), RFC 2196 – Site Security Handbook, IETF
  2. Jøsang, Audun (2017), A Consistent Definition of Authorization, Proceedings of the 13th International Workshop on Security and Trust Management (STM 2017)
