What is Authorization in Information Security?


Authorization is the process of permitting someone to do something. It is the means of checking whether a user has permission to use a resource. It also determines what data and information a user can access.

It is also called AuthZ. Authorization generally works together with authentication so that the system knows who is accessing the information. Authorization is a security mechanism used to determine user/client privileges or access levels for system resources, such as computer programs, files, services, data and application features.

Authorization is generally preceded by authentication for customer identity verification. System administrators (SA) are generally assigned permission levels covering some system and customer resources.

During authorization, a system checks an authenticated user's access rules and either grants or denies resource access. Modern and multiuser operating systems rely on efficiently designed authorization processes to support application deployment and administration.

Key factors include user type, number, and credentials requiring verification, and the associated actions and roles. For instance, role-based authorization can be designated by user groups requiring specific user resource tracking privileges.

Moreover, authorization can be based on an enterprise authentication structure, such as Active Directory (AD), for seamless security policy integration. For instance, ASP.NET works with Internet Information Server (IIS) and Microsoft Windows to support authentication and authorization services for internet-based .NET applications.

Windows uses New Technology File System (NTFS) to support Access Control Lists (ACL) for some resources. The ACL serves as the final authority on resource access. The .NET Framework supports an alternate role-based security method for authorization support.

Role-based security is a dynamic approach that suits server applications and is similar to code access security checks, where authorized application users are determined according to their roles.

An authorization policy indicates what the identity is allowed to do. For instance, any customer of a bank can create and use an identity (e.g., a user name) to log into that bank's online service, but the bank's authorization policy should ensure that only that customer is authorized to access their individual account online once the identity is verified.

Authorization can be applied at more granular levels than simply a website or company intranet. An individual identity can be included in a set of identities that share a common authorization policy.

For instance, consider a database that contains both customer purchases and customers' personal and credit card data.

A merchant can create an authorization policy for this database that gives a marketing group access to all customer purchases but prevents access to all customer personal and credit card data, so that the marketing team can identify popular products to promote or put on sale.
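
The database policy described above can be enforced per column with a default-deny check. The following is an added example, not code from the original page: it uses the authorizer callback of Python's sqlite3 module, and the roles, table names, column names and sample rows are constructed for illustration.

```python
import sqlite3

# Constructed policy: role -> table -> readable columns; unlisted means denied.
PURCHASE_COLS = {"customer_id", "product", "amount"}
POLICY = {
    "marketing": {"purchases": PURCHASE_COLS},
    "billing": {"purchases": PURCHASE_COLS,
                "customers": {"customer_id", "name", "card_number"}},
}

# Constructed sample data standing in for the merchant's database.
SCHEMA = """
CREATE TABLE customers (customer_id INTEGER, name TEXT, card_number TEXT);
CREATE TABLE purchases (customer_id INTEGER, product TEXT, amount REAL);
INSERT INTO customers VALUES (1, 'Alice Example', '0000-0000-0000-0000');
INSERT INTO purchases VALUES (1, 'kettle', 25.0), (1, 'lamp', 40.0);
"""

def open_as(role):
    """Open the sample database with the role's read policy enforced."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)      # load data before the policy is active
    allowed = POLICY.get(role, {})  # unknown role: empty policy, nothing allowed
    def authorizer(action, table, column, db_name, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK    # the statement itself; columns checked next
        if action == sqlite3.SQLITE_READ and column in allowed.get(table, ()):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY      # writes, schema changes, unlisted columns

    conn.set_authorizer(authorizer)
    return conn

def query(role, sql):
    """Run sql as role; raise PermissionError if the policy refuses it."""
    conn = open_as(role)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        raise PermissionError(f"{role}: {exc}") from exc
    finally:
        conn.close()

if __name__ == "__main__":
    print(query("marketing", "SELECT product, amount FROM purchases"))
    try:
        query("marketing", "SELECT card_number FROM customers")
    except PermissionError as exc:
        print("refused:", exc)
```

Because the callback allows only the SELECT statement and listed column reads, SQL function calls such as COUNT are refused as well until the policy names them explicitly.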

Updated on: 11-Mar-2022
