What is Authorisation?
Authorisation, in relation to identity and access management (IAM), refers to the process of granting or denying access to resources or services based on the permissions or privileges associated with a user's authenticated identity. While authentication verifies the identity of a user, authorisation determines what actions that user is allowed to perform and what resources they can access within a system or application.
How Authorisation Works
Permissions assignment
After a user has authenticated, the system looks up the permissions or access control rules that have been assigned to that identity, either directly or through the roles and groups the identity belongs to.
Access Control Lists (ACLs)
These rules define the specific actions an identity is permitted to perform and the resources it is allowed to access. An access control list attaches such rules to a resource: it lists which identities (or roles) may perform which operations on it, such as reading, writing, executing or deleting a file, using a particular function within an application, or performing administrative tasks.
Policy evaluation
For each request, the system evaluates the user's permissions against the access control rules associated with the requested resource or operation. This evaluation has to happen on the server side for every request, not only the first one in a session, because a single unchecked path is enough to bypass the policy.
Access decision
Based on the evaluation, the system either grants or denies access to the requested resource or service. If access is granted, the user may perform only the authorised action on that resource. If access is denied, the request is rejected; a request that matches no rule at all should be denied by default rather than allowed.
Authorisation mechanisms can vary in complexity, ranging from simple role-based access control (RBAC) systems to more granular and dynamic attribute-based access control (ABAC) systems.
Role-Based Access Control (RBAC):
Users are assigned roles, and permissions are assigned to roles. Users inherit permissions based on their assigned roles. For example, a user with the "manager" role might have permissions to view financial reports.
Attribute-Based Access Control (ABAC):
Access decisions are based on attributes associated with the user, the resource, and the context of the request. This allows for more dynamic and fine-grained access control based on factors such as user attributes, resource properties, and environmental conditions.
Mandatory Access Control (MAC):
Access decisions are based on security labels (for example, classification levels) assigned to users and resources by a central authority. The system compares the labels and users cannot override the result or grant access to others. MAC is commonly used in environments where security requirements are stringent, such as government or military systems.
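The following added example (not part of the original article) puts the pipeline above into code: an authenticated principal, a request, and the policy evaluation and access decision steps, with the same request run through RBAC, ABAC and MAC rules. The role table, the attribute rule, the two-level label lattice and the sample users and report are all constructed for illustration. The decision function is deny-by-default: every listed policy must allow the request, and the first policy that refuses names itself in the reason.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# MAC labels, ordered low to high (constructed example lattice).
UNCLASSIFIED, CONFIDENTIAL, SECRET = 0, 1, 2


@dataclass(frozen=True)
class Principal:
    """The authenticated identity handed over by the authentication step."""
    user_id: str
    roles: FrozenSet[str]
    attributes: Dict[str, str]
    clearance: int = UNCLASSIFIED


@dataclass(frozen=True)
class Resource:
    resource_id: str
    attributes: Dict[str, str]
    classification: int = UNCLASSIFIED


@dataclass(frozen=True)
class Request:
    principal: Principal
    action: str
    resource: Resource
    context: Dict[str, str]  # environmental attributes, e.g. originating network


Policy = Callable[[Request], bool]

# RBAC: permissions (action, resource type) are attached to roles; users hold roles.
# Constructed role table; the resource type names are hypothetical.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "manager": frozenset({("read", "financial-report")}),
    "analyst": frozenset({("read", "financial-report")}),
    "admin": frozenset({("read", "financial-report"), ("delete", "financial-report")}),
}


def rbac_allows(req: Request) -> bool:
    needed = (req.action, req.resource.attributes.get("type", ""))
    return any(needed in ROLE_PERMISSIONS.get(role, frozenset())
               for role in req.principal.roles)


# ABAC: one rule over user attributes, resource attributes and request context.
def same_department_on_corporate_network(req: Request) -> bool:
    return (req.action == "read"
            and req.resource.attributes.get("type") == "financial-report"
            and req.principal.attributes.get("department")
            == req.resource.attributes.get("department")
            and req.context.get("network") == "corporate")


ABAC_POLICIES: List[Policy] = [same_department_on_corporate_network]


def abac_allows(req: Request) -> bool:
    return any(policy(req) for policy in ABAC_POLICIES)


# MAC: labels are set by the authority; the system compares them (Bell-LaPadula rules).
def mac_allows(req: Request) -> bool:
    if req.action == "read":  # simple security property: no read up
        return req.principal.clearance >= req.resource.classification
    return req.principal.clearance <= req.resource.classification  # *-property: no write down


def authorise(req: Request, policies: List[Tuple[str, Policy]]) -> Tuple[bool, str]:
    """Policy evaluation and access decision. Deny by default: every policy must allow."""
    if not req.principal.user_id:
        return False, "unauthenticated"
    for name, policy in policies:
        if not policy(req):
            return False, f"denied by {name}"
    return True, "allowed"


# Constructed sample data: one confidential sales report and three users.
REPORT = Resource("rpt-42", {"type": "financial-report", "department": "sales"}, CONFIDENTIAL)
ALICE = Principal("alice", frozenset({"manager"}), {"department": "sales"}, CONFIDENTIAL)
BOB = Principal("bob", frozenset({"manager"}), {"department": "hr"}, CONFIDENTIAL)
CAROL = Principal("carol", frozenset({"analyst"}), {"department": "sales"}, UNCLASSIFIED)
ALL_POLICIES: List[Tuple[str, Policy]] = [("MAC", mac_allows), ("RBAC", rbac_allows), ("ABAC", abac_allows)]


def decide(principal: Principal, action: str, network: str = "corporate") -> Tuple[bool, str]:
    return authorise(Request(principal, action, REPORT, {"network": network}), ALL_POLICIES)


if __name__ == "__main__":
    for label, who, action, net in [
        ("alice reads sales report", ALICE, "read", "corporate"),
        ("alice reads from home", ALICE, "read", "home"),
        ("bob (HR) reads sales report", BOB, "read", "corporate"),
        ("carol (unclassified) reads report", CAROL, "read", "corporate"),
        ("alice deletes report", ALICE, "delete", "corporate"),
    ]:
        print(f"{label}: {decide(who, action, net)}")
```

Note how the three models disagree on the same report: RBAC lets any manager read it, ABAC narrows that to managers of the owning department on the corporate network, and MAC refuses Carol regardless of her role because her clearance is below the report's label.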
Authorisation is a critical component of IAM systems: it ensures that an authenticated identity can reach only the information and perform only the operations its permissions allow, which limits the damage from a compromised account, a misconfigured service or a malicious insider. Effective authorisation depends on clearly defined policies, deny-by-default access control mechanisms, and checks that are enforced consistently on every request to every resource.