Authorization is the process of allowing an entity to have access to something or perform specific actions in a computer system.
In a multi-user system, the system administrator uses the authorization mechanism to define permissions for each user or group of users. Once a user is logged in, via a process called authentication, the system determines which resources should be available to them during their session. So the term authorization can have two related meanings:
This is a part of an extensive series of guides about access management.
In this article:
Authentication is the process of verifying a user’s identity—making sure they are who they say they are. Traditionally, the most common method for identity authentication was a password. If the username provided by a user matched the password credentials, the identity was determined valid and the user was granted access.
Learn more in our detailed guide about authentication
Authorization comes into action after the user’s identity has been verified through authentication. It provides full or partial access to resources such as devices, files, applications, specific operations or data. To take a simple example:
Learn more in our detailed guide about authentication vs. authorization
Authorization works by determining a user’s permissions and access levels after their identity has been authenticated. The process involves several key steps:
RBAC mechanisms allow or restrict access to users according to their roles within the organization. It provides users with access to data and applications required to perform their jobs while minimizing the risk of unauthorized activities like access to sensitive data.
Organizations can use RBAC to define how each user can interact with data. For example, it lets you allow read/write or read-only access to specific roles to limit a user’s ability to perform unauthorized actions, such as data deletion and commands execution.
Learn more in our detailed guide to RBAC
ABAC lets you define access and privileges based on attributes (or characteristics) instead of roles. It helps protect objects such as network devices, IT resources, and data from unauthorized actions and users that do not have the approved characteristics defined by the organization’s security policies.
ABAC evolved from simple access control lists to a form of logical access control. It was initially endorsed in 2011 by the Federal Chief Information Officers Council to help federal organizations improve access control architectures. The council recommended ABAC to help organizations safely share information.
Learn more in our detailed guide to ABAC
ReBAC applies access decisions according to the relationships between subjects such as users, applications, and devices. When a subject requests access to a resource, the ReBAC mechanism grants or denies access according to the relationships the subject has.
ReBAC does not allow access based on a certain role (like RBAC) or attributes (like ABAC). Instead, it allows access based on a subject’s relationships with other entities. These relationships influence how the authorization policy grants or denies access to protected resources.
Social networks use ReBAC to allow access. Facebook, for example, allows friends of friends to access photos and posts. It means friends can see the user’s posts and also the friends of these friends. However, this is where it stops—third connections are not allowed access.
JSON Web Token (JWT) is an open standard that defines how to securely transmit information between parties like JSON objects. It verifies information by digitally signing it. JWTs are compact and self-contained. You can sign JWTs using a public/private key pair through RSA or ECDSA, or a secret through the HMAC algorithm.
You can also encrypt JWTs to increase security. Signed tokens can verify claims’ integrity, and encrypted tokens hide claims from other parties. When you use public/private key pairs to sign tokens, the signature certifies that only the party that holds the private key signed it.
You can use JWT for authorization mechanisms. After the user logs in, each subsequent request includes the JWT to allow the user to access the services, resources, and routes permitted with this token. Since JWT can easily be used for different domains and has a small overhead, it also powers many Single Sign-On (SSO) mechanisms.
Related content: Read our guide about JWT authorization
In large organizations, data access needs vary significantly based on job functions and responsibilities. Role-Based Access Control (RBAC) is a common strategy to manage this complexity. RBAC assigns permissions to roles rather than individuals, simplifying administration and enhancing security.
Consider a scenario where the finance department needs to generate quarterly financial reports. The analysts have access to financial databases, accounting software, and reporting tools, all governed by their role permissions. However, these analysts cannot access HR records or confidential executive communications, as their role does not include these permissions. This segmentation reduces the risk of unauthorized data access and ensures compliance with data protection regulations.
Cloud providers like AWS, Azure, and Google Cloud implement Attribute-Based Access Control (ABAC) to handle the dynamic and complex access requirements of modern enterprises. ABAC policies consider attributes such as user roles, department, project involvement, and security clearance levels. This allows for more granular control compared to RBAC.
For example, a company using AWS can set policies where only members of the DevOps group have access to deploy new applications, while developers in a specific project team can only access the development and testing environments specific to their project. Additionally, ABAC can enforce time-based access controls, allowing access during work hours and restricting it outside of these times.
In healthcare, protecting patient data is of utmost importance due to legal and ethical considerations. RBAC is commonly used to ensure that only authorized medical staff can access patient records, adhering to principles like the Health Insurance Portability and Accountability Act (HIPAA) in the U.S.
For example, a nurse might have access to basic patient information such as contact details and medication schedules, essential for daily care. In contrast, doctors and specialists have comprehensive access to a patient’s medical history, diagnosis, and treatment plans. This hierarchy ensures that sensitive information is only accessible to those with a legitimate need, thus protecting patient confidentiality and maintaining compliance with regulatory standards.
eCommerce platforms face the challenge of securing user sessions and authorizing actions seamlessly across various services. JSON Web Token (JWT) is a popular solution for this purpose. JWT tokens are generated upon user authentication and included in subsequent requests to authorize actions like adding items to the cart, placing orders, or accessing order history.
Consider an online retail site where a user logs in to make a purchase. After authentication, a JWT is created and sent to the user’s browser. This token is included in each request to the server, ensuring that the user remains authenticated without re-entering credentials. The JWT contains encoded information about the user’s session, ensuring secure and efficient authorization across the platform.
JWTs can also be easily integrated with Single Sign-On (SSO) systems, allowing users to access multiple related services with a single login, enhancing user experience and security.
Social networks like Facebook utilize ReBAC to manage access to user-generated content based on relationships. Users control who can view their posts, photos, and other content by defining their relationships with other users (e.g., friends, friends of friends).
For instance, a Facebook user can set a photo album’s privacy settings to ‘Friends,’ ensuring only direct friends can view the photos. They can also extend access to ‘Friends of Friends,’ allowing a broader audience while still maintaining a level of control. This approach helps users protect their privacy and manage their social interactions effectively. ReBAC’s flexibility allows social networks to offer nuanced privacy controls that cater to various user preferences and social dynamics.
As organizations grow and their IT infrastructure becomes more sophisticated, managing access control policies can become overwhelmingly complex. This complexity arises from the need to balance varying access requirements across different departments, roles, and projects. For example, different teams within an organization may require access to different sets of resources, and each team may have different levels of access permissions.
In addition, regulatory requirements often necessitate fine-grained access controls, adding another layer of intricacy to policy management. Ensuring that all these policies are correctly implemented and consistently enforced is a significant challenge, especially when using frameworks like Attribute-Based Access Control (ABAC), where multiple attributes and conditions must be managed.
Authorization systems must be capable of scaling efficiently as the organization grows. This means handling an increasing number of users, resources, and access requests without compromising performance or security.
Scalability issues can arise in various forms, such as delays in access decision-making processes, increased load on servers, and difficulties in maintaining up-to-date access control lists. In large enterprises and cloud environments, the dynamic and often unpredictable nature of scaling requirements further complicates the implementation of effective authorization mechanisms. This challenge is particularly pronounced in environments where thousands of access decisions must be made in real-time.
Integrating new authorization mechanisms with legacy systems presents a formidable challenge. Legacy systems were often not designed with modern access control requirements in mind, leading to potential compatibility issues. These older systems might use outdated or incompatible protocols, making it difficult to implement contemporary authorization solutions without significant modifications.
In addition, the integration process must ensure that the existing functionality remains uninterrupted, which often requires extensive testing and potentially custom development. This process can be time-consuming and resource-intensive, posing a significant barrier to updating authorization infrastructures.
Balancing robust security measures with a seamless user experience is a complex task. Overly stringent authorization controls can frustrate users, leading to reduced productivity and potential workarounds that compromise security.
For instance, if users frequently encounter access denials or cumbersome multi-factor authentication processes, they may seek less secure methods to achieve their goals. Striking the right balance involves not only implementing effective security controls but also designing intuitive and user-friendly interfaces and processes that do not hinder the user’s ability to perform their tasks efficiently.
Authorization functionality is a critical security component that should be considered during the early phases of the software development lifecycle. Building your application with security in mind helps ensure the design itself is secure, reducing complex and costly fixes when the product is already ready for release. When designing authorization, consider all requirements for roles and privileges and use the most suitable web framework supporting this type of authorization.
Authorization middleware enables you to configure short-lived authorization grants and set up the server to perform continuous authorization on each request. It means the authorization middleware handles the requests, eliminating the risks associated with API endpoints and unprotected URL paths.
Authorization policies enable you to configure and enforce fine-grained access controls. You can use various types of policies, such as mandatory access control (MAC), RBAC, ABAC, or discretionary access control (DAC).
ABAC is preferable over RBAC, according to the OWASP foundation. However, you should choose the method that suits the application’s requirements, and in some scenarios, ABAC may not be the optimal choice. Ideally, the authorization type should include at least one compulsory deny-by-default policy to block unauthorized access.
Related content: Read our guide to authorization policy (coming soon)
A scope bound defines a blast radius for functions and features. It reduces the impact of threats that manage to bypass security controls. Limiting functionality and features to a specific scope can help avoid various vulnerabilities, such as local file inclusion (LFI), remote file inclusion (RFI), and directory traversal. You can implement scope bounds by allowlisting specific local directories, program binaries, and URL endpoints.
Validation processes include data verification, and sanitization processes attempt to clean malicious inputs. Proper sanitization and validation of all values that compute authorization, including user inputs, can help prevent the exploitation of many vulnerabilities. Here are key best practices:
Using input validation and sanitization with scope bounds can help you avoid security risks associated with parameter tampering and vulnerabilities like path traversal, RFI, and LFI.
Applications should always include access controls. You can use standards like Oauth2, SAML, or OpenID Connect to implement single sign-on (SSO). SSO is an authentication scheme that enables you to defer authentication and authorization policy management to an external identity provider. SSO is considered a standard in application security, but you can use other authentication methods.
Start For Free
Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of access management.
Authored by Frontegg
Authored by Faddom
