Authorization is the process of granting a user or group of users certain permissions, access rights, and privileges in a computer system.
The difference between authorization, authentication, and identification
Authorization is not to be confused with user identification and authentication. It usually takes place upon the completion of these processes.
Let’s suppose a user wants to access a certain document in the corporate cloud. First, they enter their account login, and the system checks whether this login is in its database. This is identification.
If the login exists, the system will request a password from the user, compute its hash, and check if it corresponds to a hash in the database. This is authentication.
If the login and password are correct, the system will check whether the user has the right to read and modify the requested document and, if so, will grant them access to the file. This is authorization.
Some services ask for the login and password simultaneously, but regardless, they perform user identification first and then, if the user is successfully identified, proceed to authentication. For the user, the moment of transition from identification to authentication in such a case is imperceptible.
Authorization is also possible without identification (or authentication). For example, a service can provide users who haven’t entered a login and password with a certain set of rights by default — say, to read documents without being able to edit them. In other words, unidentified users in this case are authorized to read documents.
Types of authorization
There are several authorization models, also known as access control models. The three main ones are role-based, discretionary, and mandatory.
- Role-based access control model (RBAC). The administrator assigns the user one or more roles and grants permissions and privileges to those roles. This model is used in many application programs and operating systems.
For example, all users with the role of “Cashier” have access to cash transactions in an accounting system, whereas users with the role of “Commodity expert” do not, but do have access to warehouse files. Additionally, both roles have access to the general news feed.
- Discretionary access control model (DAC). The access rights to a particular object are granted to a particular user. Additionally, the right to determine access level belongs to either the owner of a particular object (for instance, its creator) or the superuser (essentially the owner of all the objects in the system). Moreover, a user with a certain access level can transfer rights assigned to him or her to other users.
For example, user A, who has created a text file, can assign user B the right to read the file and user C the right to read and modify it. Additionally, users B and C can transfer their rights to user D.
The discretionary model is used in some operating systems, for example the Windows NT family (including Windows 10) and Unix. This same model is used to grant access, for example, to documents on Google Drive.
- Mandatory access control model (MAC). The administrator assigns each of the system’s elements a certain level of confidentiality. Users receive an access level that determines which objects they can work with. Such a model is usually hierarchical, with a high access level including the right to work with all lower levels as well. The mandatory authorization model is used in systems where security is crucial — most often for accessing state secrets and by law enforcement agencies.
For example, an organization may have five levels of access, from 1 to 5. A user with access to 3rd-level files can also open 1st- and 2nd-level files but can’t work with 4th- and 5th-level files.
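The three models can be compared side by side as access checks. The sketch below is an added example, not code from any real product: it reuses the roles, users A to D, and levels 1 to 5 from the examples above, and all function, class, and permission names are assumptions made for illustration.

```python
# Added illustration; every identifier here is hypothetical.

# RBAC: permissions are attached to roles, and users hold roles.
ROLE_PERMS = {
    "Cashier": {"cash_transactions", "news_feed"},
    "Commodity expert": {"warehouse_files", "news_feed"},
}

def rbac_allowed(user_roles, permission):
    """True if any of the user's roles carries the permission."""
    return any(permission in ROLE_PERMS.get(role, set()) for role in user_roles)

# DAC: each object has an owner and a per-user list of rights.
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}  # the creator holds all rights

    def grant(self, grantor, grantee, rights):
        """A user may pass on only the rights they already hold."""
        rights = set(rights)
        if not rights <= self.acl.get(grantor, set()):
            raise PermissionError(f"{grantor} does not hold {sorted(rights)}")
        self.acl.setdefault(grantee, set()).update(rights)

    def allowed(self, user, right):
        return right in self.acl.get(user, set())

# MAC: the administrator labels objects and users with levels (1 to 5 here);
# a user may work with objects at or below their own level.
def mac_allowed(user_level, object_level):
    return user_level >= object_level

def build_dac_example():
    """User A creates a file, shares it with B and C; B passes read on to D."""
    doc = DacObject(owner="A")
    doc.grant("A", "B", {"read"})
    doc.grant("A", "C", {"read", "write"})
    doc.grant("B", "D", {"read"})
    return doc

if __name__ == "__main__":
    doc = build_dac_example()
    print("RBAC cashier -> cash:", rbac_allowed(["Cashier"], "cash_transactions"))
    print("DAC D read/write:", doc.allowed("D", "read"), doc.allowed("D", "write"))
    print("MAC level 3 -> level 4:", mac_allowed(3, 4))
```

In the DAC part, B can hand read access to D but cannot hand over write access, because B was never given it.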