Authorization (1)

Authorization is a security mechanism that determines what actions a user can perform within a system, based on their permissions. It differs from authentication, which verifies the user's identity, and involves various access control models like Role-Based Access Control (RBAC) and Discretionary Access Control (DAC). Effective authorization improves security, minimizes risks, customizes access control, and streamlines user experience.

Uploaded by sahiljamwal2720

Authorization

Also study the difference between authentication and authorization from ma'am's notes and anywhere else.

Authorization is a security mechanism used in computing to determine and enforce what specific
actions a user or process is allowed to perform within a system. It is typically based on verifying
permissions associated with users, roles, or objects within an application, service, or resource.

Key Concepts in Authorization

1. Authentication vs. Authorization:

o Authentication verifies who the user is.

o Authorization defines what the user is allowed to do.

o For example, after a user logs in (authentication), the system checks their
permissions (authorization) to determine what actions or resources they can access.

2. Permissions and Access Control:

o Permissions are rules that define which actions are allowed on a resource.

o Access Control enforces these permissions. There are several models for access
control, which dictate how permissions are granted and enforced.

Common Access Control Models

1. Role-Based Access Control (RBAC):

o Users are assigned roles (e.g., Admin, Editor, Viewer).

o Each role has predefined permissions for accessing specific resources or
performing certain actions.

o Example: An “Admin” role might allow read, write, delete permissions, while a
“Viewer” role may only allow read permissions.

2. Discretionary Access Control (DAC):

o Users have control over the resources they own and can decide who else can
access them.

o This model is commonly used in file systems where owners can set permissions
on their files.

3. Mandatory Access Control (MAC):

o Access is granted based on fixed policies controlled by the system or a central
authority, often seen in government or military environments.

o Access levels are often based on security classifications, such as “Confidential,”
“Secret,” and “Top Secret.”

Working

Authentication First: The user logs in, proving their identity to the system.

Identify Role/Attributes: The system retrieves the user’s role (like Admin or Viewer) or attributes
(like department).

Permission Check: When the user attempts an action, the system checks if their role or attributes
have the necessary permissions for that action.

Access Control Decision:

- If the user has permission, they can proceed.

- If not, access is denied, and an error message is shown.
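The RBAC model described under Common Access Control Models and the four-step flow above, as an added example that is not part of the original notes. The users, roles and permission sets are constructed sample data; Admin and Viewer follow the notes, Editor is an assumed middle role.

```python
# Added example, not from the original notes: a small Role-Based Access Control
# check that follows the four steps above. The users, roles and permission
# sets below are constructed sample data.

# Step 2 data: each role maps to a predefined permission set (Admin/Viewer
# mirror the notes; Editor is a constructed middle role).
ROLE_PERMISSIONS = {
    "Admin": {"read", "write", "delete"},
    "Editor": {"read", "write"},
    "Viewer": {"read"},
}

# Users that have already passed step 1 (authentication) and their assigned role.
USER_ROLES = {
    "alice": "Admin",
    "bob": "Viewer",
}


def has_permission(user: str, action: str) -> bool:
    """Step 3, the permission check: is the action in the user's role permissions?

    An unknown user or an unknown role yields an empty permission set, so the
    check fails closed (deny) instead of raising or accidentally granting.
    """
    role = USER_ROLES.get(user)
    return action in ROLE_PERMISSIONS.get(role, set())


def decide(user: str, action: str, resource: str) -> dict:
    """Step 4, the access control decision: proceed, or deny with an error message."""
    if has_permission(user, action):
        return {"allowed": True, "message": f"{user} may {action} {resource}"}
    return {"allowed": False,
            "message": f"access denied: {user} cannot {action} {resource}"}


if __name__ == "__main__":
    for user, action in [("alice", "delete"), ("bob", "read"), ("bob", "write"),
                         ("mallory", "read")]:
        print(decide(user, action, "report.pdf")["message"])
```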

Authorization Techniques

1. Access Control Lists (ACLs):

o ACLs define permissions for each user or role on a specific resource.

o Example: A file might have an ACL specifying that “User A” can read and write, while
“User B” can only read.
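The ACL example just given, combined with the Discretionary Access Control model from the section above, as an added example that is not part of the original notes: the owner of a file decides who else may access it, and only the owner can change the ACL. File names, user names and permissions are constructed.

```python
# Added example, not from the original notes: Discretionary Access Control
# enforced through a per-file ACL. The file's owner decides who else gets
# which permissions; anyone else who tries to change the ACL is refused.
# Names, files and permissions are constructed sample data.
from typing import Dict, Set


class AclFile:
    """A file whose owner controls its ACL (user -> set of allowed actions)."""

    def __init__(self, name: str, owner: str):
        self.name = name
        self.owner = owner
        # The owner starts with full control; nobody else has an entry.
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write", "delete"}}

    def check(self, user: str, action: str) -> bool:
        """Permission check: deny unless the ACL explicitly lists the action."""
        return action in self.acl.get(user, set())

    def grant(self, by: str, to: str, actions: Set[str]) -> None:
        """Discretionary part: only the owner may add ACL entries."""
        if by != self.owner:
            raise PermissionError(f"{by} is not the owner of {self.name}")
        self.acl.setdefault(to, set()).update(actions)

    def revoke(self, by: str, user: str) -> None:
        """Only the owner may remove a user's entries."""
        if by != self.owner:
            raise PermissionError(f"{by} is not the owner of {self.name}")
        self.acl.pop(user, None)


def demo() -> dict:
    """Replay the notes' example: User A reads and writes, User B only reads."""
    f = AclFile("notes.txt", owner="owner")
    f.grant("owner", "user_a", {"read", "write"})
    f.grant("owner", "user_b", {"read"})
    return {
        "a_write": f.check("user_a", "write"),
        "b_read": f.check("user_b", "read"),
        "b_write": f.check("user_b", "write"),
        "stranger_read": f.check("user_c", "read"),
    }
```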

2. OAuth and Token-Based Authorization:

o OAuth is a protocol used for token-based authorization.

o An application requests authorization for a third-party service from a user, and if
granted, receives an access token. This token can be used to access resources on
behalf of the user.

o Example: A user grants permission for an app to access their Google Drive files, and
the app receives a token to act on the user’s behalf.

3. JSON Web Tokens (JWTs):

o JWTs are a way to securely transmit information between parties as a JSON object.

o Commonly used for stateless authorization, where the server does not store any
user session data. The token itself contains claims about the user and their
permissions.
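Stateless authorization with a JWT, as an added example that is not part of the original notes: the server signs the claims once, and every later request is authorized from the token alone after its signature and expiry are verified. It uses only the Python standard library (HS256 via HMAC-SHA256); the secret, user names and permissions are constructed.

```python
# Added example, not from the original notes: issuing and verifying an HS256 JWT
# with only the Python standard library, then making an authorization decision
# from the claims it carries. The secret, users and permissions are constructed.
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key-do-not-reuse"  # known only to the server

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub: str, perms: list, ttl: int = 300, now: int = None) -> str:
    """Server side: sign header.payload so the claims cannot be altered unnoticed."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "perms": perms, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str, now: int = None) -> dict:
    """Stateless check: no session store is consulted; the signature and the
    exp claim alone decide whether the claims may be trusted. Raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the server, not the token, picks the algorithm
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # tampered payload, or not issued by this server
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def is_authorized(token: str, action: str, now: int = None) -> bool:
    """Authorization decision from verified claims; any verification failure denies."""
    try:
        return action in verify_token(token, now).get("perms", [])
    except ValueError:
        return False
```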

4. OpenID Authorization:

o OpenID Connect allows applications (clients) to verify a user's identity based on
authentication performed by an external Authorization Server (e.g., Google,
Facebook) and obtain basic profile information about the user. It is widely used for
Single Sign-On (SSO), allowing users to log in once and access multiple services.

Benefits:

Improved Security:

- By restricting access to resources based on user permissions, authorization prevents
unauthorized users from accessing sensitive data or performing harmful actions, reducing
security risks.

Enforces the Principle of Least Privilege:

- Authorization ensures that users have only the minimum access necessary for their roles,
limiting potential damage from accidental or malicious actions.

Customizable Access Control:

- With models like Role-Based Access Control (RBAC) or Attribute-Based Access Control
(ABAC), organizations can customize permissions based on users' roles, attributes, or specific
needs.

Streamlined User Experience:

- Authorization allows users to see only the resources and options they are authorized for,
simplifying the user interface and enhancing usability.

Reduced Risk of Data Breach and Insider Threats:

- By limiting access to sensitive data and critical systems, authorization helps reduce the risk
of data breaches and insider threats, as only trusted users can access key resources.
