There are actually two things that we talk about, authorization and authentication.
Authentication is the process of determining that someone (or something) is who (or what) it claims to be.
Authorization is the process of determining that someone (or something) is allowed to do what it would like to do.
The two are frequently combined, but can be completely separated.
Here are some examples:
I log on to my computer and try to delete a file, which fails because I don't have permission. I have been authenticated to the system, but I am not authorized to delete that file.
My employee badge lets me through the front door, but not into all doors because while merely being authenticated as an employee authorizes me for the main parts of the building, it does not authorize me for all parts of the building.
The notion that being an employee of a company authorizes you for all access is simply nonsense. HR records, for example, are always under tight control. Company infrastructure, be it the server room or the boiler room, has restricted access.
I hope this helps.
For more information on this topic, visit these other SearchSecurity resources:
Best Web Links: Authentication/Access Control
News and Analysis: Authentication questions and answers
Tech Tip: Authentication
This was first published in April 2002