Authorization

Authorization is the decision step that follows authentication. It evaluates policies and context to determine whether a request should be allowed (e.g., which resources, actions, and conditions apply).

A process of determining, by evaluating applicable access control information, whether a subject is allowed to have the specified types of access to a particular resource.

The process or act of granting access privileges or the access privileges as granted.

An approval that is granted to a system entity to access a system resource. (Compare: permission, privilege.)

Usage: Some synonyms are "permission" and "privilege". Specific terms are preferred in certain contexts:

• /PKI/ "Authorization" SHOULD be used, to align with "certification authority" in the standard [X509].
• /role-based access control/ "Permission" SHOULD be used, to align with the standard [ANSI].
• /computer operating systems/ "Privilege" SHOULD be used, to align with the literature. (See: privileged process, privileged user.)

Tutorial: The semantics and granularity of authorizations depend on the application and implementation (see: "first law" under "Courtney's laws"). An authorization may specify a particular access mode -- such as read, write, or execute -- for one or more system resources.

A process for granting approval to a system entity to access a system resource.

"The process by which a properly appointed person or persons grants permission to perform some action on behalf of an organization. This process assesses transaction risk, confirms that a given transaction does not raise the account holder's debt above the account's credit limit, and reserves the specified amount of credit. (When a merchant obtains authorization, payment for the authorized amount is guaranteed -- provided, of course, that the merchant followed the rules associated with the authorization process.)" [SET2]