Authorization Mechanisms

Authorization is the process of verifying a user's permissions to access specific resources or perform certain actions within a system after their identity has been authenticated.

Authorization determines what a user is allowed to do. It follows authentication, which confirms who the user is. Authorization relies on [access control mechanisms](/en/terms/access-control-mechanisms), such as role-based access control (RBAC) or attribute-based access control (ABAC), to grant or deny access based on predefined rules and policies. This process ensures that users only have access to the resources and functionalities they are authorized to use, enhancing security and preventing unauthorized actions.

[Diagram: concept map linking Authorization Mechanisms to its prerequisite (authentication) and related terms (rbac, authentication, single-sign-on-sso).]

🧒 Explain Like I'm 5

[Authorization mechanisms](/en/terms/authorization-mechanisms) are like the different types of locks and security systems in a building. A simple lock (ACL) just checks a key. A more complex system might check your ID badge, the time of day, and whether you've finished your safety training (ABAC). The 'mechanism' is the actual machine or software code that says 'Yes' or 'No' to your request.

🤓 Expert Deep Dive

## Technical Specification: Authorization - Deep Dive Analysis

Authorization is the process of verifying and enforcing access rights and permissions for an authenticated principal (user, service, etc.) to specific resources and actions. It operates after successful authentication.

### Core Concepts

* Distinction from Authentication: Authentication confirms identity ('who you are'); Authorization defines permissible operations ('what you can do').
* Policy-Based Decision Making: Access is granted or denied based on evaluating predefined policies against requests.
* Granularity of Permissions: Permissions range from broad roles to fine-grained actions (e.g., read, write, delete, execute) on specific resources.
* Resource-Centric vs. Identity-Centric: Authorization can be modeled by defining which principals can access a resource, or which resources and actions a principal is allowed.
* Contextual Authorization: Access decisions may incorporate dynamic environmental factors (e.g., time, location, device posture).

### Authorization Models

* Access Control Lists (ACLs): Permissions attached to resources, specifying access for principals.
* Role-Based Access Control (RBAC): Permissions are assigned to roles, which are then assigned to users. Simplifies management.
* Attribute-Based Access Control (ABAC): Access decisions are based on policies evaluating attributes of the subject, object, action, and environment. Highly flexible.
* Policy-Based Access Control (PBAC): Access is driven by explicit, declarative policies; often encompasses ABAC.

### Authorization Decision Lifecycle

* Policy Enforcement Point (PEP): Intercepts requests and forwards them for decision.
* Policy Decision Point (PDP): Evaluates policies and makes a Permit/Deny decision.
* Policy Information Point (PIP): Provides context or attributes to the PDP.
* Policy Administration Point (PAP): Manages policies.

### Technical Considerations

Technical considerations include where policies and permissions are stored (IAM systems, databases), enforcement mechanisms (API gateways, service meshes), dynamic versus static authorization, distributed-system challenges (JWTs, microservices), scalability, revocation, auditing, the Principle of Least Privilege, and Separation of Duties.

### ELI5 Analogy: The Library System

Authentication is showing ID for a library card. Authorization is what your card allows: borrowing books, accessing study rooms, or viewing rare archives. The librarian checks your card's permissions against library rules (policies) to determine your access.
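The PEP/PDP/PIP lifecycle and the RBAC and ABAC models from the deep dive, worked through as an added example that is not code from the original page: a PIP supplies subject, resource and environment attributes, a PDP combines an RBAC rule with a contextual ABAC rule under deny-overrides and default deny, and a PEP gates the protected call. The users, resources, role map and the 09:00-16:59 UTC business-hours window are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timezone
# Constructed sample data (not from any real system): RBAC role map, users and resources.
ROLE_PERMISSIONS = {"reader": {"read"}, "editor": {"read", "write"}}
USERS = {"alice": {"roles": ["editor"]}, "bob": {"roles": ["reader"]}, "eve": {"roles": []}}
RESOURCES = {"doc-1": {"owner": "alice", "classification": "internal"},
             "doc-2": {"owner": "bob", "classification": "restricted"}}
Request = namedtuple("Request", "subject action resource")

class PIP:
    """Policy Information Point: supplies subject, resource and environment attributes."""
    def __init__(self, users, resources, now=None):
        self.users, self.resources = users, resources
        self.now = now or datetime.now(timezone.utc)
    def subject_attrs(self, subject): return {"id": subject, **self.users.get(subject, {})}
    def resource_attrs(self, resource): return self.resources.get(resource, {})
    def env_attrs(self): return {"hour": self.now.hour}

# Each rule returns True (permit), False (deny) or None (not applicable to this request).
def rbac_rule(req, subj, res, env):
    # RBAC layer: permit when any of the subject's roles carries the requested action.
    return any(req.action in ROLE_PERMISSIONS.get(r, set()) for r in subj.get("roles", ()))

def restricted_rule(req, subj, res, env):
    # ABAC layer: restricted resources are owner-only and only during 09:00-16:59 UTC.
    if res.get("classification") != "restricted":
        return None
    return subj["id"] == res.get("owner") and 9 <= env["hour"] < 17

class PDP:
    """Policy Decision Point: deny-overrides combining with default deny."""
    def __init__(self, pip, rules): self.pip, self.rules = pip, rules
    def decide(self, req):
        subj = self.pip.subject_attrs(req.subject)
        res, env = self.pip.resource_attrs(req.resource), self.pip.env_attrs()
        results = [rule(req, subj, res, env) for rule in self.rules]
        if any(r is False for r in results):
            return "Deny"
        return "Permit" if any(r is True for r in results) else "Deny"

def build_pdp(hour=None):
    # hour=None uses the real clock; a fixed hour makes decisions reproducible.
    now = None if hour is None else datetime(2024, 1, 1, hour, tzinfo=timezone.utc)
    return PDP(PIP(USERS, RESOURCES, now), [rbac_rule, restricted_rule])

def pep(pdp, req, handler):
    """Policy Enforcement Point: intercepts the call and runs the handler only on Permit."""
    if pdp.decide(req) != "Permit":
        raise PermissionError(f"{req.subject} may not {req.action} {req.resource}")
    return handler(req)
```

An unknown subject, a role without the action, a non-owner on a restricted document, or an out-of-hours request all fall through to Deny, which is the default-deny behaviour the lifecycle section describes.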

🔗 Related Terms

Prerequisites: [authentication](/en/terms/authentication)

Related: [rbac](/en/terms/rbac), [single-sign-on-sso](/en/terms/single-sign-on-sso)