Can you give me a good explanation of authorization? I am particularly concerned about the request phase. Our Security Administrators are constantly questioned as to why someone needs authorization to logon on to an application. Users feel that as long as they are an employee for the company, no further authorization is required. I intuitively know the concept, but have failed miserably when dealing with non IT personnel.
There are actually two things that we talk about, authorization and authentication.
Authentication is the process of determining that someone (or something) is who (or what) it claims to be.
Authorization is the process of determining that someone (or something) is allowed to do what it would like to do.
The two are frequently combined, but can be completely separated.
Here are some examples:
I log on to my computer and try to delete a file, which fails because I don't have permission. I have been authenticated to the system, but I am not authorized to delete that file.
My employee badge lets me through the front door, but not into all doors because while merely being authenticated as an employee authorizes me for the main parts of the building, it does not authorize me for all parts of the building.
The notion that being an employee of a company authorizes you for all access is simply nonsense. HR records, for example, are always under tight control. Company infrastructure, be it the server room or the boiler room, has restricted access.
I hope this helps.
For more information on this topic, visit these other SearchSecurity resources:
Best Web Links: Authentication/Access Control
News and Analysis: Authentication questions and answers
Tech Tip: Authentication
Dig Deeper on Privileged access management
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.