Authorization

Authorization is the security process that determines what an authenticated user or system is permitted to do, access, or see within a system or network, based on defined policies.

In cybersecurity, authorization is the function of specifying and controlling the access rights of users, systems, or services to particular resources or operations. It occurs after a user or system has been successfully authenticated, that is, after it has proven its identity. Authorization ensures that even a legitimate entity can only perform actions and access data for which it holds explicit permissions, in line with the principle of least privilege.

What Is Authorization in Cybersecurity?

Authorization is the security mechanism that answers the question: "What are you allowed to do?" While authentication verifies identity (who you are), authorization determines permissions (what you can access or do). This process relies on authorization policies, which dictate the rules and conditions for access based on factors like user roles, attributes, or contextual information.

Authorization governs access to:

  • Files and databases
  • Applications and software features
  • Network resources and services
  • Administrative functions and system configurations

Why Is Authorization Important in Network Security?

Authorization is a critical layer of defense that prevents unauthorized actions even after successful authentication. It matters for several reasons:

  • Data Protection: Prevents unauthorized users from viewing, modifying, or deleting sensitive information
  • Compliance: Helps organizations meet regulatory requirements (GDPR, HIPAA, SOX) by enforcing access controls
  • Breach Containment: Limits the damage a compromised account can cause by restricting its permissions
  • Operational Integrity: Ensures users can only perform actions appropriate to their role

How Does Authorization Work?

Authorization operates through a structured process that evaluates access requests against predefined policies:

  1. Authentication: The user or system first proves their identity
  2. Access Request: A request is made to access a resource or perform an action
  3. Policy Evaluation: The authorization system checks the request against defined policies
  4. Decision: Access is granted or denied based on the evaluation
  5. Enforcement: The decision is enforced by the system

When Is Authorization Performed in a Security Process?

Authorization always occurs after authentication in the security workflow. The typical sequence is:

  1. Identification: User claims an identity (e.g., enters username)
  2. Authentication: Identity is verified (e.g., password, MFA)
  3. Authorization: Permissions are determined and enforced
  4. Accounting/Auditing: Actions are logged for review

This sequence ensures that only verified entities receive appropriate access levels.

Which Authorization Model Is Best?

The optimal authorization model depends on organizational needs. Common models include:

Role-Based Access Control (RBAC)

Assigns permissions based on user roles within an organization. Ideal for organizations with well-defined job functions and hierarchical structures.

Attribute-Based Access Control (ABAC)

Uses attributes (user, resource, environment) to make dynamic access decisions. Provides greater flexibility for complex, context-dependent scenarios. See NIST SP 800-162 for detailed guidance.

Discretionary Access Control (DAC)

Resource owners control access to their resources. Common in file systems but less centrally managed.

Real-World Examples

Banking Application

A user logs into a banking app (authentication). Authorization then determines they can view their own account balance but cannot access another customer's account or approve loans. This ensures customers only interact with their own financial data.

Corporate Environment

An employee with a "Marketing Manager" role gains access to marketing campaign tools and files through RBAC. However, the same authorization system prevents them from accessing HR records or finance databases, protecting sensitive organizational data across departments.
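The following is an added illustration, not code from the original page: a small deny-by-default policy evaluator that combines RBAC role grants with an ABAC-style ownership condition, covering both scenarios above. The roles, actions, user names and policy rules are constructed for the example; the audit log models the accounting step of the sequence described earlier.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset  # roles assigned to the authenticated principal

@dataclass(frozen=True)
class Resource:
    kind: str
    owner_id: Optional[str] = None  # attribute used by ownership conditions

# ABAC-style conditions that a rule may attach to an RBAC grant.
CONDITIONS: Dict[str, Callable[[Subject, Resource], bool]] = {
    "owner": lambda subject, resource: resource.owner_id == subject.user_id,
}

# Constructed policy (role, action, condition); None means unconditional.
# A customer may view a balance only on an account they own; a loan officer
# may view any balance and approve loans; departmental roles stay separate.
POLICY: List[Tuple[str, str, Optional[str]]] = [
    ("customer", "account:view_balance", "owner"),
    ("loan_officer", "account:view_balance", None),
    ("loan_officer", "loan:approve", None),
    ("marketing_manager", "campaign:edit", None),
    ("hr", "hr_record:view", None),
]

AUDIT_LOG: List[str] = []  # accounting step: every decision is recorded

def is_authorized(subject: Subject, action: str, resource: Resource) -> bool:
    """Policy evaluation: grant only if some rule matches one of the subject's
    roles for this exact action and its condition (if any) holds for this
    specific resource. Anything not explicitly allowed is denied."""
    for role, allowed_action, condition in POLICY:
        if role not in subject.roles or allowed_action != action:
            continue
        if condition is None or CONDITIONS[condition](subject, resource):
            AUDIT_LOG.append(f"ALLOW {subject.user_id} {action} {resource.kind}")
            return True
    AUDIT_LOG.append(f"DENY {subject.user_id} {action} {resource.kind}")
    return False
```

Because the ownership condition is evaluated per resource, a customer's role grant on "account:view_balance" does not extend to another customer's account, which is the check the banking example relies on.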