Authorization
Authorization is the function of specifying access rights to resources, which is related to information security and computer security in general and to access control in particular. More formally, "to authorize" is to define access policy. For example, human resources staff are normally authorized to access employee records, and this policy is usually formalized as access control rules in a computer system. During operation, the system uses the access control rules to decide whether access requests from (authenticated) consumers shall be approved (granted) or disapproved (rejected). Resources include individual files' or items' data, computer programs, computer devices and functionality provided by computer applications. Examples of consumers are computer users, computer programs and other devices on the computer.

Overview

Access control in computer systems and networks relies on access policies. The access control process can be divided into two phases: 1) policy definition phase where access is authorized, and 2) policy enforcement phase where access requests are approved or disapproved. Authorization is thus the function of the policy definition phase which precedes the policy enforcement phase where access requests are approved or disapproved based on the previously defined authorizations.

Most modern, multi-user operating systems include access control and thereby rely on authorization. Access control also makes use of authentication to verify the identity of consumers. When a consumer tries to access a resource, the access control process checks that the consumer has been authorized to use that resource. Authorization is the responsibility of an authority, such as a department manager, within the application domain, but is often delegated to a custodian such as a system administrator. Authorizations are expressed as access policies in some type of "policy definition application", e.g. in the form of an access control list or a capability, on the basis of the "principle of least privilege": consumers should only be authorized to access whatever they need to do their jobs. Older and single-user operating systems often had weak or non-existent authentication and access control systems.
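The two phases described above (policy definition by an authority or custodian, then policy enforcement at request time) can be made concrete with a small access control list and a default-deny reference monitor. This is an added example written for this page, not code from the encyclopedia article or any particular operating system; the class names AccessControlList and ReferenceMonitor, the subject "alice", the guest subject and the resource names are all constructed for illustration.

```python
"""Policy definition (authorization) and policy enforcement as two separate
phases, using an access control list and a default-deny reference monitor.
Constructed illustration; names such as AccessControlList, ReferenceMonitor
and the sample subjects/resources are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

READ, WRITE, EXECUTE = "read", "write", "execute"


@dataclass
class AccessControlList:
    """Phase 1: policy definition. Each entry names a subject, an object and the
    operations that subject may perform on that object."""
    entries: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def authorize(self, subject: str, resource: str, *operations: str) -> None:
        """Done by the authority (e.g. a department manager) or the custodian
        (e.g. a sysadmin) it delegates to. Grant only what the job needs."""
        self.entries.setdefault((subject, resource), set()).update(operations)

    def revoke(self, subject: str, resource: str, *operations: str) -> None:
        """Changing or deleting a rule is how an authorization is withdrawn;
        with no operations given, the whole entry is removed."""
        allowed = self.entries.get((subject, resource))
        if allowed is None:
            return
        if operations:
            allowed.difference_update(operations)
        else:
            allowed.clear()
        if not allowed:
            del self.entries[(subject, resource)]

    def has_entry(self, subject: str, resource: str) -> bool:
        return (subject, resource) in self.entries

    def allowed_operations(self, subject: str, resource: str) -> FrozenSet[str]:
        return frozenset(self.entries.get((subject, resource), ()))


@dataclass(frozen=True)
class Consumer:
    """A consumer as the enforcement phase sees it: a claimed name plus whether
    authentication has actually confirmed it."""
    name: str
    authenticated: bool


GUEST = "guest"  # subject used for consumers that were not required to authenticate


class ReferenceMonitor:
    """Phase 2: policy enforcement. Approves or rejects each request by
    consulting the rules defined in phase 1."""

    def __init__(self, acl: AccessControlList, default_allow: bool = False) -> None:
        self.acl = acl
        # default_allow=True models a system whose default policy grants every
        # consumer full access to resources nobody has written a rule for.
        self.default_allow = default_allow

    def check(self, consumer: Consumer, resource: str, operation: str) -> bool:
        # Identity-specific rules apply only to authenticated consumers; an
        # unauthenticated consumer is evaluated as the guest subject, whatever
        # name it claims.
        subject = consumer.name if consumer.authenticated else GUEST
        if self.acl.has_entry(subject, resource):
            return operation in self.acl.allowed_operations(subject, resource)
        return self.default_allow


def build_hr_policy() -> AccessControlList:
    """Sample policy (constructed data): one HR staff member may read and
    update employee records and nothing else; guests may only read the public
    notice board."""
    acl = AccessControlList()
    acl.authorize("alice", "employee_records", READ, WRITE)
    acl.authorize(GUEST, "public_notices", READ)
    return acl


if __name__ == "__main__":
    monitor = ReferenceMonitor(build_hr_policy())
    alice = Consumer("alice", authenticated=True)
    print(monitor.check(alice, "employee_records", READ))   # True
    print(monitor.check(alice, "payroll", READ))            # False: no rule, default deny
    print(monitor.check(Consumer("alice", False), "employee_records", READ))  # False: unauthenticated
```

The monitor only honours an identity-specific rule once authentication has confirmed the name; an unauthenticated request claiming "alice" is evaluated as guest. Passing default_allow=True reproduces the other default policy the text mentions, where a resource with no rule at all is open to everyone, which is why explicit default-deny is the least-privilege choice.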

"Anonymous consumers" or "guests" are consumers that have not been required to authenticate. They often have limited authorization. On a distributed system, it is often desirable to grant access without requiring a unique identity. Familiar examples of access tokens include keys and tickets: they grant access without proving identity.

Trusted consumers are often authorized for unrestricted access to resources on a system, but must be authenticated so that the access control system can make the access approval decision. "Partially trusted" consumers and guests will often have restricted authorization in order to protect resources against improper access and usage. The access policy in some operating systems, by default, grants all consumers full access to all resources. Others do the opposite, insisting that the administrator explicitly authorizes a consumer to use each resource.

Even when access is controlled through a combination of authentication and access control lists, the problem of maintaining the authorization data is not trivial, and often represents as much administrative burden as managing authentication credentials. It is often necessary to change or remove a user's authorization: this is done by changing or deleting the corresponding access rules on the system. Using atomic authorization is an alternative to per-system authorization management, where a trusted third party securely distributes authorization information.
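Two points from the preceding paragraphs can be shown together: a token that grants access without proving identity (the "keys and tickets" of the anonymous-consumer paragraph) and authorization information that a trusted third party issues and withdraws centrally rather than on every system. The sketch below is an added example, not code from the article; AuthorizationService, ResourceServer, the HMAC-based token format and all sample values are constructed for illustration and are not any real product's protocol.

```python
"""Capability tokens issued by a trusted third party: the holder gains access by
presenting the token, not by proving who it is. Constructed illustration;
AuthorizationService, ResourceServer and the sample values are hypothetical."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


class AuthorizationService:
    """The trusted third party. It alone is meant to mint tokens, and it keeps
    the list of token ids that have been withdrawn, so an authorization is
    changed or removed in one place instead of on every system."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._revoked: set = set()

    def issue(self, resource: str, operations, ttl_seconds: float, now=None) -> str:
        now = time.time() if now is None else now
        body = {"id": secrets.token_hex(8), "resource": resource,
                "ops": sorted(operations), "exp": now + ttl_seconds}
        # Note: no subject field. Possession of the token is the authority.
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(tag)

    def revoke(self, token_id: str) -> None:
        self._revoked.add(token_id)

    def is_revoked(self, token_id: str) -> bool:
        return token_id in self._revoked

    def verification_key(self) -> bytes:
        # Assumed to reach resource servers over a secure channel. With a
        # symmetric MAC every verifier could also mint tokens; a deployment
        # that must rule that out uses a public-key signature instead.
        return self._key


class ResourceServer:
    """Enforces access using only the token, the third party's key and its
    revocation feed; it never learns or needs the holder's identity."""

    def __init__(self, key: bytes, is_revoked) -> None:
        self._key = key
        self._is_revoked = is_revoked

    def parse(self, token: str):
        """Return the capability body if the tag verifies, else None."""
        try:
            payload_b64, tag_b64 = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # altered or not issued by the service
        return json.loads(payload)

    def check(self, token: str, resource: str, operation: str, now=None) -> bool:
        now = time.time() if now is None else now
        cap = self.parse(token)
        if cap is None or cap["exp"] <= now or self._is_revoked(cap["id"]):
            return False
        return cap["resource"] == resource and operation in cap["ops"]


if __name__ == "__main__":
    svc = AuthorizationService(secrets.token_bytes(32))
    server = ResourceServer(svc.verification_key(), svc.is_revoked)
    ticket = svc.issue("report-42", ["read"], ttl_seconds=300)
    print(server.check(ticket, "report-42", "read"))   # True
    print(server.check(ticket, "report-42", "write"))  # False
    svc.revoke(server.parse(ticket)["id"])
    print(server.check(ticket, "report-42", "read"))   # False after revocation
```

Revocation here is a change at the issuing service, which every resource server sees on its next check; that is the administrative saving the paragraph describes over editing rules on each system. The short expiry bounds how long a lost ticket stays usable even if the revocation feed is unreachable.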

Public policy

In public policy, authorization is a feature of trusted systems used for security or social control.

Banking

In banking, an authorization is a hold placed on a customer's account when a purchase is made using a debit card or credit card.

Publishing

In publishing, sometimes public lectures and other freely available texts are published without the consent of the author. These are called unauthorized texts. An example is the 2002 'The Theory of Everything: The Origin and Fate of the Universe', which was collected from Stephen Hawking's lectures and published without his permission as per copyright law.

See also

  • Security engineering
  • Computer security
  • Authentication
  • Access control
  • Kerberos (protocol)
  • Operating system
  • Authorization OSID
  • Authorization hold
  • Privilege escalation
  • XACML

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.