Authorization
Definition
Authorization is the security process of verifying what specific applications, files, and data a user has access to. While authentication confirms who you are, authorization determines what you are allowed to do.
Main Content
1. Access Control Models
- These are frameworks used to manage how subjects (users) access objects (data/resources).
- Examples include Mandatory Access Control (MAC), Discretionary Access Control (DAC), and Role-Based Access Control (RBAC).
2. The Principle of Least Privilege
- This concept dictates that a user should be granted the minimum level of access required to perform their specific job functions.
- By limiting permissions, the potential damage from a compromised account or insider threat is significantly reduced.
3. Authorization Tokens
- Modern systems often use tokens (like JSON Web Tokens or JWTs) to store authorization claims.
- Once the server has verified a token's signature and expiry, its claims tell the server which actions the user is permitted to perform without requiring a database lookup every time.
Working / Process
1. Identity Verification
- The user presents their credentials (like a username and password) to the system.
- The system confirms the identity (Authentication) before the authorization process can begin.
2. Request Submission
- The authenticated user attempts to access a specific resource, such as "Read File A" or "Delete Database B."
- The request is sent to the Authorization engine.
3. Policy Enforcement
- The system compares the user's roles and permissions against the security policies defined by the administrator.
- If the policy allows, the action is granted; if not, an "Access Denied" error is returned.
[User] --> [Authentication] --> [Authorization Engine] --> [Resource]
                   |                       |
            (Who are you?)        (Can you do this?)
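The flow above, as an added example that is not part of the original notes: a token issued after authentication carries role claims, and the authorization engine verifies it and then applies a deny-by-default role policy. The signing key, role names and resource names are constructed for illustration, and the token is an HS256 JWT built with the Python standard library only.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example: demo key, role names and permissions.
SECRET = b"demo-signing-key"
ROLE_PERMISSIONS = {
    "auditor": {("file_a", "read")},
    "dba": {("database_b", "read"), ("database_b", "delete")},
}

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, roles: list, ttl: int = 300) -> str:
    """Issued after authentication succeeds: HS256-signed JWT carrying role claims."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": user, "roles": roles, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64e(sig)}"

def verify_token(token: str):
    """Return the claims only if the signature and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None  # claims were altered or signed with another key
        if json.loads(b64d(header)).get("alg") != "HS256":
            return None  # accept only the algorithm this server issues
        claims = json.loads(b64d(body))
        return claims if claims.get("exp", 0) > time.time() else None
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: treat as unauthenticated

def authorize(token: str, resource: str, action: str) -> bool:
    """Deny by default: allow only if a role in a valid token grants (resource, action)."""
    claims = verify_token(token)
    if claims is None:
        return False
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in claims.get("roles", []))
```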
Advantages / Applications
- Enhances system security by preventing unauthorized users from accessing sensitive data.
- Streamlines administrative management by using roles to grant permissions to groups rather than individuals.
- Ensures compliance with data protection laws (like GDPR or HIPAA) by maintaining a strict audit trail of who accessed what information.
Summary
Authorization is the critical security layer that enforces access rights after a user’s identity is confirmed. It ensures that individuals can only interact with the specific resources necessary for their responsibilities, thereby protecting organizational data from unauthorized use. Important terms to remember include Least Privilege, Access Control Lists (ACL), and Role-Based Access Control (RBAC).