Authorization

Authorization is the security process that determines what an authenticated user or system is permitted to do, access, or see within a system or network, based on defined policies.

What is authorization in cybersecurity?

Authorization is the critical security function of specifying and controlling the access rights of users, systems, or services to particular resources or operations. It determines what an authenticated entity is permitted to do, access, or see within a system or network. Authorization occurs after a user or system has been successfully authenticated—that is, after they have proven their identity.

While authentication answers the question "Who are you?", authorization answers the question "What are you allowed to do?" Even if an entity is legitimate, authorization ensures it can only perform actions and access data for which it has explicit permissions. This distinction is fundamental to building secure systems and is a cornerstone of modern access management frameworks endorsed by organizations such as NIST and the Cloud Security Alliance (CSA).

Why is authorization important in network security?

Authorization plays a vital role in protecting sensitive data and maintaining the integrity of systems and networks. Its importance stems from several key factors:

  • Principle of Least Privilege: Authorization enforces the principle of least privilege, ensuring that users and systems only have the minimum level of access necessary to perform their tasks. This significantly reduces the attack surface and limits the potential damage from compromised accounts.
  • Data Protection: By controlling who can read, modify, or delete specific data, authorization prevents unauthorized data exposure, tampering, and exfiltration.
  • Regulatory Compliance: Many regulatory frameworks—such as GDPR, HIPAA, and PCI DSS—require organizations to implement strict access controls. Proper authorization mechanisms are essential for meeting these requirements.
  • Insider Threat Mitigation: Even authenticated users should not have unrestricted access. Authorization helps contain risks from insider threats by restricting access based on clearly defined policies.
  • Operational Integrity: In complex network environments, authorization ensures that systems and services interact only within permitted boundaries, preventing unintended disruptions or privilege escalation.

How does authorization work?

Authorization relies on authorization policies—a set of rules and conditions that dictate who can access what resources and under which circumstances. The process generally follows these steps:

  1. Authentication: The user or system first proves their identity (e.g., via a password, biometric, or certificate).
  2. Policy Evaluation: The authorization system evaluates the authenticated identity against the defined policies. These policies may consider factors such as the user's role, attributes, the resource being requested, and environmental conditions (e.g., time of day, location).
  3. Access Decision: Based on the policy evaluation, the system grants or denies access to the requested resource or operation.
  4. Enforcement: The access decision is enforced at the point of access—whether it's a file system, database, API endpoint, or network segment.

Authorization can be implemented through various models, including:

  • Role-Based Access Control (RBAC): Permissions are assigned to roles, and users are assigned to roles. For example, a "Marketing Manager" role might grant access to marketing tools but not to HR databases.
  • Attribute-Based Access Control (ABAC): Access decisions are based on attributes of the user, the resource, and the environment, as detailed in NIST Special Publication 800-162.
  • Policy-Based Access Control (PBAC): Access is governed by a set of policies that combine attributes and rules into flexible, centralized decision-making.
  • Discretionary Access Control (DAC): Resource owners set access permissions for their resources.
  • Mandatory Access Control (MAC): Access is controlled by the system based on security classifications and clearances.
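As an added illustration of the policy-evaluation, decision and enforcement steps above, and of how RBAC and ABAC compose (roles grant permissions; attribute conditions such as resource ownership or time of day narrow them), here is a small policy decision point in Python. This is example code written for this page, not code from the original article; the role names, permission strings and the attributes used (owner, department, hour) are constructed.

```python
"""Policy decision point (PDP) that layers ABAC conditions on RBAC permissions.

Added example, not code from the original article. Role names, permission
strings and the attributes used (owner, department, hour) are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


# --- RBAC: permissions attach to roles, and users are assigned roles ---------
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "account_holder": {"account:read"},
    "loan_officer": {"account:read", "loan:approve"},
    "marketing_manager": {"campaign:read", "campaign:write"},
}


@dataclass(frozen=True)
class Subject:
    """Identity established by the authentication step (step 1)."""
    user_id: str
    roles: frozenset[str]
    department: str


@dataclass(frozen=True)
class Resource:
    kind: str                     # e.g. "account", "campaign"
    owner: str | None = None      # user_id of the owner, if the resource has one
    department: str | None = None


@dataclass(frozen=True)
class Environment:
    hour: int                     # local hour (0-23) at which the request arrives


# --- ABAC: extra conditions on subject, resource and environment attributes ---
Condition = Callable[[Subject, Resource, Environment], bool]

ABAC_CONDITIONS: dict[str, list[Condition]] = {
    # Account holders see only their own accounts; loan officers may see any account.
    "account:read": [lambda s, r, e: "loan_officer" in s.roles or r.owner == s.user_id],
    # Loan approvals are restricted to business hours.
    "loan:approve": [lambda s, r, e: 9 <= e.hour < 17],
    # Campaigns may only be edited within the subject's own department.
    "campaign:write": [lambda s, r, e: r.department == s.department],
}


def permissions_for(subject: Subject) -> set[str]:
    """Union of the permissions granted by each of the subject's roles."""
    perms: set[str] = set()
    for role in subject.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(subject: Subject, action: str, resource: Resource, env: Environment) -> bool:
    """Policy evaluation (step 2) and access decision (step 3), deny by default.

    The RBAC check runs first; every ABAC condition registered for the action
    must also hold. An action that no role grants is always denied.
    """
    if action not in permissions_for(subject):
        return False
    return all(cond(subject, resource, env) for cond in ABAC_CONDITIONS.get(action, []))


def enforce(subject: Subject, action: str, resource: Resource, env: Environment) -> None:
    """Policy enforcement point (step 4): call this at the API, file or DB boundary."""
    if not is_authorized(subject, action, resource, env):
        raise PermissionError(f"{subject.user_id} is not permitted to {action} on {resource.kind}")


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"account_holder"}), "retail")
    carol = Subject("carol", frozenset({"loan_officer"}), "lending")
    own = Resource("account", owner="alice")
    other = Resource("account", owner="bob")
    print(is_authorized(alice, "account:read", own, Environment(10)))    # True
    print(is_authorized(alice, "account:read", other, Environment(10)))  # False: not the owner
    print(is_authorized(carol, "loan:approve", other, Environment(20)))  # False: outside business hours
    enforce(carol, "loan:approve", other, Environment(10))               # permitted, no exception
```

The two layers are deliberately separate: a role grants the permission string, and the attribute conditions decide whether this particular request qualifies, so a user can hold `account:read` yet still be denied another customer's account. Keeping the decision (`is_authorized`) apart from the enforcement (`enforce`) mirrors the PDP/PEP split used by centralized policy engines.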

When is authorization performed in a security process?

Authorization is performed after authentication and is typically part of a broader security workflow often referred to as AAA (Authentication, Authorization, and Accounting):

  1. Authentication verifies identity.
  2. Authorization determines permitted actions and resources.
  3. Accounting logs and monitors activity for auditing purposes.

In practice, authorization checks occur continuously throughout a user's session—not just at login. Every time a user requests a new resource, navigates to a different section, or attempts a privileged operation, the system re-evaluates authorization. This is especially true in modern architectures such as Zero Trust, where continuous verification is a core tenet.
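To make the AAA sequence and the per-request re-evaluation concrete, the following Python example runs each request through authentication, authorization and accounting, deliberately not caching the authorization result in the session: when a role is revoked mid-session, the very next request is denied even though the session itself is still valid. The accounting records it produces are then used for a simple monitoring check. This is an added example, not code from the original article; the session ids, role names and log fields are constructed.

```python
"""AAA pipeline with authorization re-evaluated on every request.

Added example, not code from the original article. The session store,
role assignments and accounting record fields are constructed.
"""
from __future__ import annotations

import time
from dataclasses import dataclass

# Authentication state: session id -> user id. Authorization is NOT stored here.
SESSIONS: dict[str, str] = {"sess-1": "alice"}

# Current role assignments; mutable so that changes take effect immediately.
USER_ROLES: dict[str, set[str]] = {"alice": {"analyst"}}
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "analyst": {"report:read"},
    "admin": {"report:read", "user:delete"},
}


@dataclass
class AccountingRecord:
    """One audit entry: who tried what, on which resource, and the outcome."""
    ts: float
    user: str
    action: str
    resource: str
    decision: str  # "ALLOW" or "DENY"
    reason: str


ACCOUNTING_LOG: list[AccountingRecord] = []


def authenticate(session_id: str) -> str | None:
    """Step 1 (authentication): resolve a presented session to an identity."""
    return SESSIONS.get(session_id)


def authorize(user: str, action: str) -> bool:
    """Step 2 (authorization): computed from *current* role state on every call."""
    allowed: set[str] = set()
    for role in USER_ROLES.get(user, set()):
        allowed |= ROLE_PERMISSIONS.get(role, set())
    return action in allowed


def account(user: str, action: str, resource: str, decision: str, reason: str) -> None:
    """Step 3 (accounting): record every decision, denials included."""
    ACCOUNTING_LOG.append(AccountingRecord(time.time(), user, action, resource, decision, reason))


def handle_request(session_id: str, action: str, resource: str) -> str:
    """Run one request through AAA and return the decision string."""
    user = authenticate(session_id)
    if user is None:
        account("<anonymous>", action, resource, "DENY", "not authenticated")
        return "DENY"
    if not authorize(user, action):
        account(user, action, resource, "DENY", "no permission")
        return "DENY"
    account(user, action, resource, "ALLOW", "policy matched")
    return "ALLOW"


def grant_role(user: str, role: str) -> None:
    USER_ROLES.setdefault(user, set()).add(role)


def revoke_role(user: str, role: str) -> None:
    USER_ROLES.get(user, set()).discard(role)


def repeated_denials(log: list[AccountingRecord], threshold: int = 3) -> dict[str, int]:
    """Monitoring over accounting data: users denied at least `threshold` times."""
    counts: dict[str, int] = {}
    for rec in log:
        if rec.decision == "DENY":
            counts[rec.user] = counts.get(rec.user, 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(handle_request("sess-1", "report:read", "q3-report"))  # ALLOW
    print(handle_request("sess-1", "user:delete", "bob"))        # DENY: analyst lacks permission
    grant_role("alice", "admin")
    print(handle_request("sess-1", "user:delete", "bob"))        # ALLOW: role added mid-session
    revoke_role("alice", "admin")
    print(handle_request("sess-1", "user:delete", "bob"))        # DENY: revocation applies at once
    for rec in ACCOUNTING_LOG:
        print(rec.user, rec.action, rec.decision, rec.reason)
```

Because `authorize` reads role state at request time rather than at login, the session token proves only identity; every privileged operation is decided afresh, which is the behaviour Zero Trust architectures expect. Logging denials as well as successes is what makes the accounting step useful for detection: a burst of `DENY` entries for one user is an early indicator worth reviewing.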

Practical examples

  • Banking application: A user logs into a banking app (authentication). Authorization then determines that they can view their own account balance but cannot access another customer's account or approve a loan—each action is governed by specific permissions.
  • Enterprise environment: An employee's role (e.g., Marketing Manager) grants them access to specific marketing campaign tools and files, but prevents them from accessing HR or finance databases. This is a classic example of Role-Based Access Control (RBAC) in action.

Which authorization model is best?

There is no single "best" authorization model—the right choice depends on the organization's size, complexity, regulatory requirements, and use cases:

| Model | Best For | Strengths | Limitations |
|---|---|---|---|
| **RBAC** | Organizations with well-defined roles and hierarchies | Simple to implement and manage; easy to audit | Can become complex with role explosion in large organizations |
| **ABAC** | Complex environments requiring fine-grained, context-aware access | Highly flexible and dynamic; supports rich policy expressions | More complex to design, implement, and troubleshoot |
| **PBAC** | Enterprises needing centralized, policy-driven governance | Combines flexibility of ABAC with centralized management | Requires robust policy infrastructure |
| **MAC** | Government and military environments | Strict, system-enforced security classifications | Inflexible; difficult to adapt to dynamic business needs |

According to OWASP and IBM Security, many modern organizations adopt a hybrid approach, combining RBAC for broad role-based segmentation with ABAC for fine-grained, context-sensitive decisions. Regardless of the model chosen, the key is to ensure that authorization policies are regularly reviewed, consistently enforced, and aligned with the principle of least privilege.