SynAc

Authorization

Authorization is the process of determining what an authenticated principal is permitted to do.

Senses

Access decision

Authorization is the decision step that follows authentication. It evaluates policies and context to determine whether a request should be allowed (e.g., which resources, actions, and conditions apply).
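
As an added illustration, not part of any of the glossary entries on this page, the following Python model shows the access decision described here: the principal arrives already authenticated, and the decision matches the principal's roles, the resource, the access mode (read, write or execute, as in RFC 4949's sense 1a below) and a context condition against a policy set, denying by default. All class names, policies, principals and context keys are constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed example: Principal, Request, Policy and authorize() are
# assumptions for this illustration, not any standard library or API.

@dataclass(frozen=True)
class Principal:
    """An already-authenticated subject; authorization never re-checks credentials."""
    subject: str
    roles: frozenset

@dataclass(frozen=True)
class Request:
    principal: Principal
    resource: str      # e.g. "/payroll/2026.csv"
    action: str        # access mode: "read", "write" or "execute"
    context: dict      # conditions evaluated at decision time, e.g. {"mfa": True}

@dataclass(frozen=True)
class Policy:
    role: str
    resource_prefix: str
    actions: frozenset
    condition: Callable[[dict], bool] = lambda ctx: True   # default: unconditional

def authorize(req: Request, policies) -> bool:
    """Deny by default; allow only if some policy matches role, resource, action and condition."""
    for p in policies:
        if (p.role in req.principal.roles
                and req.resource.startswith(p.resource_prefix)
                and req.action in p.actions
                and p.condition(req.context)):
            return True
    return False

# Constructed policy set: analysts read reports; payroll admins read/write payroll only with MFA.
POLICIES = [
    Policy("analyst", "/reports/", frozenset({"read"})),
    Policy("payroll-admin", "/payroll/", frozenset({"read", "write"}),
           condition=lambda ctx: ctx.get("mfa") is True),
]

def demo() -> dict:
    alice = Principal("alice", frozenset({"analyst"}))
    bob = Principal("bob", frozenset({"payroll-admin"}))
    return {
        "alice_read_report": authorize(Request(alice, "/reports/q1.pdf", "read", {}), POLICIES),
        "alice_write_report": authorize(Request(alice, "/reports/q1.pdf", "write", {}), POLICIES),
        "bob_write_payroll_no_mfa": authorize(Request(bob, "/payroll/2026.csv", "write", {"mfa": False}), POLICIES),
        "bob_write_payroll_mfa": authorize(Request(bob, "/payroll/2026.csv", "write", {"mfa": True}), POLICIES),
        "bob_read_report": authorize(Request(bob, "/reports/q1.pdf", "read", {}), POLICIES),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(name, "ALLOW" if allowed else "DENY")
```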

References
  • NIST CSRC Glossary, Jan 05, 2026
    NIST CSRC Glossary — Authorization
    https://csrc.nist.gov/glossary/term/authorization
    NIST states most site information is public information and may be distributed or copied, except material marked as copyrighted; attribution requested. Verify per-document markings before quoting.
    Source: NIST CSRC Glossary (csrc.nist.gov).
Sense 2

A process of determining, by evaluating applicable access control information, whether a subject is allowed to have the specified types of access to a particular resource.

The process or act of granting access privileges or the access privileges as granted.

References
  • NICCS (CISA) Cybersecurity Vocabulary, Jan 06, 2026
    NICCS glossary export (CSV)
    https://niccs.cisa.gov/rest/vocab/export-csv
    NICCS is a CISA (DHS) program. Individual glossary entries include a "From" attribution (e.g., CNSSI 4009, NIST SPs, NICE Framework). Treat "From" values as upstream provenance and verify before quoting large portions of text.
    Source: NICCS (CISA) Cybersecurity Vocabulary (niccs.cisa.gov).
1a (I)

An approval that is granted to a system entity to access a system resource. (Compare: permission, privilege.)

Usage: Some synonyms are "permission" and "privilege". Specific terms are preferred in certain contexts:

  • /PKI/ "Authorization" SHOULD be used, to align with "certification authority" in the standard [X509].
  • /role-based access control/ "Permission" SHOULD be used, to align with the standard [ANSI].
  • /computer operating systems/ "Privilege" SHOULD be used, to align with the literature. (See: privileged process, privileged user.)

Tutorial: The semantics and granularity of authorizations depend on the application and implementation (see: "first law" under "Courtney's laws"). An authorization may specify a particular access mode -- such as read, write, or execute -- for one or more system resources.

References
  • IETF RFC 4949 (Internet Security Glossary), Jan 06, 2026
    RFC 4949 — Internet Security Glossary (Version 2)
    https://www.rfc-editor.org/rfc/rfc4949.txt
    RFC 4949 is published by the IETF Trust and marked as "Distribution of this memo is unlimited". Verify IETF Trust copyright/licensing terms for reuse.
    Source: IETF RFC 4949 (rfc-editor.org).
1b (I)

A process for granting approval to a system entity to access a system resource.

References
  • IETF RFC 4949 (Internet Security Glossary), Jan 06, 2026
    RFC 4949 — Internet Security Glossary (Version 2)
    https://www.rfc-editor.org/rfc/rfc4949.txt
    RFC 4949 is published by the IETF Trust and marked as "Distribution of this memo is unlimited". Verify IETF Trust copyright/licensing terms for reuse.
    Source: IETF RFC 4949 (rfc-editor.org).
2 (O) /SET/

"The process by which a properly appointed person or persons grants permission to perform some action on behalf of an organization. This process assesses transaction risk, confirms that a given transaction does not raise the account holder's debt above the account's credit limit, and reserves the specified amount of credit. (When a merchant obtains authorization, payment for the authorized amount is guaranteed -- provided, of course, that the merchant followed the rules associated with the authorization process.)" [SET2]

References
  • IETF RFC 4949 (Internet Security Glossary), Jan 06, 2026
    RFC 4949 — Internet Security Glossary (Version 2)
    https://www.rfc-editor.org/rfc/rfc4949.txt
    RFC 4949 is published by the IETF Trust and marked as "Distribution of this memo is unlimited". Verify IETF Trust copyright/licensing terms for reuse.
    Source: IETF RFC 4949 (rfc-editor.org).