What is authorization?

Authorization is the process of determining whether to grant or deny users the right to access resources. Authorization operates by following a set of predefined rules and policies. These rules are typically managed by an access control system that establishes permissions based on the organization's compliance requirements. When a user is attempting to access a resource, the authorization system will evaluate their permissions and the organization’s predefined policies before permitting the user to access the resource.

Authorization vs authentication: What’s the difference?

Authentication is the process of verifying that a user is who they say they are. Authorization, on the other hand, is the process of granting access to resources and determining what actions the user can perform with those resources. After a user is authenticated using their credentials, the system then goes through the authorization process.

Both authorization and authentication work together to ensure that users have access to the resources they need while maintaining the organization’s security and integrity.

The importance of authorization

Without strong authorization processes, organizations have poor governance, resulting in a lack of visibility and control over employees' activities and an increased risk of unauthorized user access. Let's see how authorization addresses these concerns.

  • Follows the Principle of Least Privilege (PoLP): The principle of least privilege is a cybersecurity concept in which users are only given access to the resources that are necessary to do their jobs. Following this principle ensures increased security and control over privileges because it reduces the organization’s attack surface. Authorization adheres to this principle as it strictly grants the minimum level of access rights, limiting unauthorized access.
  • Provides centralized access control: Authorization allows organizations to define, manage and update user access rights in one centralized location. This ensures that the specific access permissions applied to each user correspond to that user's role.

Types of authorization models

Here are five types of authorization models organizations use to secure access to resources.

Role-Based Access Control (RBAC)

Role-based access control is a type of access control that defines permissions based on the user's role and functions within the organization. For instance, lower-level employees will not have access to highly sensitive information or systems that privileged users do. When a user tries to gain access to a resource, the system will inspect the user's role to determine if the resource is associated with their job responsibilities.

Relationship-Based Access Control (ReBAC)

Relationship-based access control is a type of access control that focuses on the relationship between the user and the resource. Think of Google Drive – an owner of a document has access to view, edit and share the document. A member of the same team may only have permission to view the document while another member may be authorized to view and edit the document.

Attribute-Based Access Control (ABAC)

Attribute-based access control is a type of access control that evaluates the attributes associated with a user to determine if they can access resources. This authorization model is a more detailed form of access control because it assesses the subject, resource, action and environment. ABAC will authorize access to specific resources associated with these characteristics.

Discretionary Access Control (DAC)

Discretionary access control is a type of access control in which resource owners take responsibility for deciding how their resources will be shared. Let's say that a user wants to access a specific document. It is ultimately up to the discretion of the document’s owner to authorize the user and set up their permissions. In some cases, resource owners will grant certain users higher privileges. These privileges might include the ability to manage or modify access rights for other users.

Mandatory Access Control (MAC)

Mandatory access control is a type of access control that manages access permissions based on the sensitivity of the resource and the user's security level. When a user is attempting to access a resource, the system will compare the user's security level to the resource's security classification. If the user's security level is equal to or greater than the resource's classification, they will be authorized to access it. MAC is mainly used in government or military environments that require top-notch security.
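As an added illustration (not code from the original article), here is a small Python policy evaluator that implements a minimal version of each model described above, using constructed users, roles, a shared document and clearance levels. The final `authorize` function layers all four checks deny-by-default, which is this example's own choice rather than something the article prescribes.

```python
from dataclasses import dataclass, field
# Constructed sample policy data for illustration; not from any real system.
ROLE_PERMISSIONS = {"editor": {"read", "write", "share"}, "viewer": {"read"}}
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}  # MAC levels, low to high

@dataclass
class User:
    name: str
    roles: set
    department: str
    clearance: str

@dataclass
class Resource:
    owner: str
    department: str
    classification: str
    shared_with: dict = field(default_factory=dict)  # ReBAC edges: user -> actions

def rbac_allows(user, action):
    """RBAC: allowed if any role held by the user grants the action."""
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)

def rebac_allows(user, resource, action):
    """ReBAC: the owner may do anything; others only what the owner shared."""
    if resource.owner == user.name:
        return True
    return action in resource.shared_with.get(user.name, set())

def abac_allows(user, resource, action, env):
    """ABAC: subject, resource, action and environment attributes are all evaluated."""
    same_department = user.department == resource.department
    business_hours = 9 <= env["hour"] < 18
    # Writes additionally require a corporate network connection.
    return same_department and business_hours and (action == "read" or env["network"] == "corp")

def mac_allows(user, resource):
    """MAC: the user's clearance must be at least the resource's classification."""
    return LEVELS[user.clearance] >= LEVELS[resource.classification]

def authorize(user, resource, action, env):
    """Deny by default: grant only when every model this example layers agrees."""
    return (rbac_allows(user, action) and rebac_allows(user, resource, action)
            and abac_allows(user, resource, action, env) and mac_allows(user, resource))

# Constructed sample subjects, object and request environment.
ALICE = User("alice", {"editor"}, "finance", "confidential")
BOB = User("bob", {"viewer"}, "finance", "internal")
REPORT = Resource("alice", "finance", "confidential", {"bob": {"read"}})
OFFICE = {"hour": 10, "network": "corp"}
```

Note that Bob is denied the report even though Alice shared it with him: the ReBAC share and his viewer role both allow reading, but his clearance is below the document's classification, so the MAC check refuses.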
