What is authorisation?
Authorisation is the process of deciding whether a user (or any other principal, such as a service account) is permitted to perform a given action on a given resource, and granting or denying the request accordingly. It works by evaluating a set of predefined rules and policies. These rules are usually managed by an access control system that derives permissions from the organisation's security and compliance requirements. When a user attempts to access a resource, the authorisation system evaluates the user's permissions against the organisation's policies and only then permits or refuses the access.
Authorisation vs authentication: What’s the difference?
Authentication is the process of verifying that a user is who they claim to be. Authorisation is the process of deciding which resources an authenticated user may access and what actions they may perform on them. Once a user has been authenticated with their credentials, the system runs the authorisation process for each request. Passing authentication alone grants nothing: a verified identity still needs a matching permission before it can touch a resource.
Both authorisation and authentication work together to ensure that users have access to the resources they need while maintaining the organisation’s security and integrity.
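The two steps described above, as an added example that is not part of the original page. The user store, the hypothetical `report:read` and `report:write` permission names and the sample accounts are constructed for illustration. Authentication is a salted PBKDF2 password check; authorisation is a separate permission lookup on the verified user, and the handler reports the two failure modes differently (an HTTP-style 401 for "not authenticated" versus 403 for "authenticated but not permitted").

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed in-memory user store for this example. Passwords are kept as
# salted PBKDF2 hashes, never in clear text.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    permissions: set = field(default_factory=set)  # e.g. {"report:read"}


USERS: dict = {}


def add_user(name: str, password: str, permissions: set) -> None:
    salt = os.urandom(16)
    USERS[name] = User(name, salt, _hash_password(password, salt), set(permissions))


# Sample accounts (constructed): alice may read and write reports, bob may only read.
add_user("alice", "correct horse battery staple", {"report:read", "report:write"})
add_user("bob", "hunter2", {"report:read"})


def authenticate(name: str, password: str):
    """Step 1: verify the caller is who they claim to be. Returns the User or None."""
    user = USERS.get(name)
    if user is None:
        # Hash anyway so response timing does not reveal whether the account exists.
        _hash_password(password, b"\x00" * 16)
        return None
    if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
        return None
    return user


def authorise(user: User, permission: str) -> bool:
    """Step 2: decide whether this already-verified user may perform the action."""
    return permission in user.permissions


def handle_request(name: str, password: str, permission: str) -> int:
    """Returns an HTTP-style status: 401 not authenticated, 403 not authorised, 200 allowed."""
    user = authenticate(name, password)
    if user is None:
        return 401
    if not authorise(user, permission):
        return 403
    return 200


if __name__ == "__main__":
    print(handle_request("bob", "hunter2", "report:write"))  # authenticated, but not permitted
```

Keeping the two decisions in separate functions makes it obvious in code review where each one happens, and the distinct status codes stop a "wrong password" and a "no permission" failure from being confused in logs.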
The importance of authorisation
Without strong authorisation processes, organisations have poor governance, resulting in a lack of visibility and control over employees' activities and an increased risk of unauthorised user access. Let's see how authorisation addresses these concerns.
- Supports the Principle of Least Privilege (PoLP): The principle of least privilege is a cybersecurity concept in which users are given access only to the resources necessary to do their jobs. Following this principle reduces the organisation's attack surface and limits the damage a compromised account can do. Authorisation is the mechanism that enforces it: when policies grant only the minimum rights each user needs, every request outside those rights is refused.
- Provides centralised access control: Authorisation allows organisations to define, manage and update user access rights in one central location. Because permissions are defined once and applied everywhere, each user and role receives exactly the access the policy specifies, and a policy change takes effect consistently across all resources.
Types of authorisation models
Here are five types of authorisation models organisations use to secure access to resources.
Role-Based Access Control (RBAC)
Role-based access control is a type of access control that defines permissions based on the user's role and function within the organisation. Permissions are attached to roles, and users are assigned roles, so a user's access is never configured individually. For instance, lower-level employees will not have access to highly sensitive information or systems that privileged users would. When a user tries to access a resource, the system inspects the user's roles to determine whether the required permission belongs to one of them.
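An RBAC decision function as an added example, not code from the original page. The roles, permissions and users are constructed, and the role hierarchy (a manager also holds every employee permission) is an assumption added here to show how "lower-level" and "privileged" roles relate; plain RBAC without a hierarchy is the same code with `ROLE_INCLUDES` empty.

```python
from typing import Dict, Set, Tuple

# A permission is a (resource type, action) pair. All data below is constructed.
Permission = Tuple[str, str]

ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "employee": {("timesheet", "read"), ("timesheet", "write")},
    "manager":  {("timesheet", "approve"), ("salary", "read")},
    "hr_admin": {("salary", "read"), ("salary", "write"), ("employee_record", "write")},
}

# Assumed role hierarchy: a role inherits every permission of the roles it includes.
ROLE_INCLUDES: Dict[str, Set[str]] = {
    "manager": {"employee"},
    "hr_admin": {"employee"},
}

# Users are assigned roles, never permissions directly.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"employee"},
    "bob": {"manager"},
    "carol": {"hr_admin"},
}


def effective_roles(user: str) -> Set[str]:
    """Expand the user's assigned roles through the hierarchy (cycle-safe)."""
    seen: Set[str] = set()
    stack = list(USER_ROLES.get(user, ()))
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_INCLUDES.get(role, ()))
    return seen


def is_authorised(user: str, resource_type: str, action: str) -> bool:
    """RBAC decision: look for the permission in the user's roles, not on the user."""
    needed = (resource_type, action)
    return any(needed in ROLE_PERMISSIONS.get(r, set()) for r in effective_roles(user))


def permissions_of(user: str) -> Set[Permission]:
    """Everything the user can currently do; the view an access review needs."""
    perms: Set[Permission] = set()
    for r in effective_roles(user):
        perms |= ROLE_PERMISSIONS.get(r, set())
    return perms


if __name__ == "__main__":
    for u in USER_ROLES:
        print(u, sorted(permissions_of(u)))
```

Unknown users and unknown roles fall through to an empty permission set, so the function fails closed rather than raising.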
Relationship-Based Access Control (ReBAC)
Relationship-based access control is a type of access control that focuses on the relationship between the user and the resource. Think of Google Drive – an owner of a document has access to view, edit and share the document. A member of the same team may only have permission to view the document while another member may be authorised to view and edit the document.
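The Google Drive situation above, as an added example that is not part of the original page. Access is derived from relationship tuples of the form (object, relation, subject), where a subject can also be a group ("everyone who is a member of team:eng"). The tuples, the owner/editor/viewer relations and the rule that owner implies editor implies viewer are constructed assumptions for this illustration.

```python
from typing import Set, Tuple, Union

# A subject is a user name, or a (object, relation) pair meaning "anyone holding
# that relation on that object" (a group). All tuples below are constructed.
Subject = Union[str, Tuple[str, str]]
Tuple3 = Tuple[str, str, Subject]

TUPLES: Set[Tuple3] = {
    ("doc:roadmap", "owner", "alice"),
    ("doc:roadmap", "editor", "bob"),
    ("doc:roadmap", "viewer", ("team:eng", "member")),  # the whole team may view
    ("team:eng", "member", "carol"),
    ("team:eng", "member", "dave"),
}

# Holding the left relation also grants the right ones (assumed ordering).
IMPLIES = {
    "owner": {"editor", "viewer"},
    "editor": {"viewer"},
}

# Which relation each action requires.
PERMISSION_NEEDS = {"view": "viewer", "edit": "editor", "share": "owner"}


def has_relation(obj: str, relation: str, user: str, depth: int = 0) -> bool:
    """Does `user` hold `relation` on `obj`, directly, via a stronger implied
    relation, or through group membership?"""
    if depth > 10:  # guard against cyclic group definitions
        return False
    for o, rel, subj in TUPLES:
        if o != obj:
            continue
        if rel != relation and relation not in IMPLIES.get(rel, set()):
            continue
        if subj == user:
            return True
        if isinstance(subj, tuple):  # group: recurse into its members
            group_obj, group_rel = subj
            if has_relation(group_obj, group_rel, user, depth + 1):
                return True
    return False


def check(user: str, action: str, obj: str) -> bool:
    """ReBAC decision for an action on an object."""
    return has_relation(obj, PERMISSION_NEEDS[action], user)


def share(actor: str, obj: str, relation: str, subject: Subject) -> bool:
    """Only an owner may create new relationships on the object.
    Returns True if the share was recorded, False if refused."""
    if not has_relation(obj, "owner", actor):
        return False
    TUPLES.add((obj, relation, subject))
    return True


if __name__ == "__main__":
    print(check("carol", "view", "doc:roadmap"))  # True, via team:eng membership
```

The point of the model is that nothing is stored per user per document: carol can view the roadmap only because of the chain carol -> member of team:eng -> viewer of doc:roadmap, and removing her from the team revokes that access everywhere at once.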
Attribute-Based Access Control (ABAC)
Attribute-based access control is a type of access control that evaluates attributes to determine whether access should be granted. It is a finer-grained model than RBAC because a policy rule can combine attributes of the subject (department, clearance), the resource (owner, classification), the action (read, write) and the environment (time of day, network location). Access is granted only when a policy rule over these attributes is satisfied.
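A small ABAC policy engine as an added example, not code from the original page. The four rules, the attribute names and the sample subjects, resource and environments are constructed for this illustration. The combining logic is "deny overrides": any matching deny rule wins, otherwise a matching allow rule grants access, otherwise the request is denied. A rule that cannot be evaluated because an attribute is missing also results in deny, so the engine fails closed.

```python
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]
Condition = Callable[[Attrs, Attrs, str, Attrs], bool]  # (subject, resource, action, env)
Rule = Tuple[str, str, Condition]                        # (name, effect, condition)

# Constructed policy. Each condition sees subject, resource, action and environment.
POLICY: List[Rule] = [
    ("deny-confidential-off-corp-network", "deny",
     lambda s, r, a, e: r["classification"] == "confidential" and e["network"] != "corp"),
    ("deny-out-of-hours-writes", "deny",
     lambda s, r, a, e: a == "write" and not 8 <= e["hour"] < 18),
    ("allow-same-department-read", "allow",
     lambda s, r, a, e: a == "read" and s["department"] == r["department"]),
    ("allow-owner-any-action", "allow",
     lambda s, r, a, e: s["id"] == r["owner"]),
]


def decide(subject: Attrs, resource: Attrs, action: str, env: Attrs) -> Tuple[str, str]:
    """Returns ("allow" | "deny", reason). Deny overrides; default deny."""
    allowed_by = None
    for name, effect, cond in POLICY:
        try:
            matched = cond(subject, resource, action, env)
        except KeyError as missing:
            # A rule we cannot evaluate is indeterminate; treat the request as denied.
            return ("deny", f"indeterminate: rule {name} needs attribute {missing}")
        if not matched:
            continue
        if effect == "deny":
            return ("deny", name)
        if allowed_by is None:
            allowed_by = name
    if allowed_by is not None:
        return ("allow", allowed_by)
    return ("deny", "no rule matched")


# Constructed sample attributes.
ALICE = {"id": "u1", "department": "finance"}
BOB = {"id": "u2", "department": "eng"}
BUDGET = {"id": "d1", "owner": "u1", "department": "finance", "classification": "confidential"}
OFFICE = {"network": "corp", "hour": 10}
HOME = {"network": "home", "hour": 10}
NIGHT = {"network": "corp", "hour": 22}


if __name__ == "__main__":
    for who, env in ((ALICE, OFFICE), (ALICE, HOME), (BOB, OFFICE)):
        print(who["id"], env, decide(who, BUDGET, "read", env))
```

Note that the same user with the same resource gets different answers depending only on the environment attributes, which is exactly what RBAC alone cannot express.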
Discretionary Access Control (DAC)
Discretionary access control is a type of access control in which resource owners take responsibility for deciding how their resources will be shared. Let's say that a user wants to access a specific document. It is ultimately up to the discretion of the document’s owner to authorise the user and set up their permissions. In some cases, resource owners will grant certain users higher privileges. These privileges might include the ability to manage or modify access rights for other users.
Mandatory Access Control (MAC)
Mandatory access control is a type of access control that manages access based on the sensitivity of the resource and the user's security level. When a user attempts to access a resource, the system compares the user's clearance to the resource's security classification. If the user's clearance is equal to or greater than the resource's classification, they are authorised to read it. Unlike DAC, the resource owner cannot override these labels: only a security administrator assigns them, so a user who owns a secret document still cannot share it with someone holding a lower clearance. MAC is mainly used in government or military environments that require strict control over information flow.
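DAC and MAC side by side, as an added example that is not part of the original page; it covers both the Discretionary Access Control and the Mandatory Access Control sections above. The resource, ACL, users and clearance levels are constructed. In the DAC part only the owner, or a user the owner has given the hypothetical "admin" right, may change the ACL (the page's "higher privileges"). In the MAC part the read rule is the one the page states (clearance must dominate classification); the write rule (no write-down, the Bell-LaPadula *-property) is not stated on the page and is added here as the usual companion rule. A combined check shows that the MAC label is evaluated first and cannot be undone by an owner's ACL grant.

```python
from typing import Dict, Set

# ---------------- DAC: the owner decides who gets what ----------------
class DacResource:
    def __init__(self, name: str, owner: str) -> None:
        self.name = name
        self.owner = owner
        # "admin" is an assumed right meaning "may modify this ACL".
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write", "admin"}}

    def can(self, user: str, right: str) -> bool:
        return right in self.acl.get(user, set())

    def grant(self, actor: str, user: str, rights: Set[str]) -> None:
        """Only the owner or a holder of 'admin' may change the ACL."""
        if actor != self.owner and not self.can(actor, "admin"):
            raise PermissionError(f"{actor} may not modify the ACL of {self.name}")
        self.acl.setdefault(user, set()).update(rights)


def try_grant(res: DacResource, actor: str, user: str, rights: Set[str]) -> bool:
    """Wrapper returning True if the grant was applied, False if refused."""
    try:
        res.grant(actor, user, rights)
        return True
    except PermissionError:
        return False


# ---------------- MAC: labels the owner cannot change ----------------
# Constructed classification lattice; only an administrator assigns these labels.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_can_read(clearance: str, classification: str) -> bool:
    """Read is allowed when the user's clearance dominates the label (no read-up)."""
    return LEVELS[clearance] >= LEVELS[classification]


def mac_can_write(clearance: str, classification: str) -> bool:
    """Write is allowed only to a label at or above the user's clearance (no write-down).
    This rule is an addition beyond what the page states."""
    return LEVELS[clearance] <= LEVELS[classification]


def can_read(user: str, clearance: str, res: DacResource, classification: str) -> bool:
    """Combined check: the mandatory label test runs first and an owner's ACL grant
    cannot override it; the discretionary ACL is consulted only if MAC allows."""
    return mac_can_read(clearance, classification) and res.can(user, "read")


if __name__ == "__main__":
    budget = DacResource("budget.xlsx", "alice")
    budget.grant("alice", "carol", {"read"})
    print(can_read("carol", "secret", budget, "confidential"))        # True
    print(can_read("carol", "unclassified", budget, "confidential"))  # False, despite the ACL
```

The last line is the practical difference between the two models: alice's decision to share the file is honoured under DAC, but under MAC the system still refuses a reader whose clearance is below the label.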