Authorization

Authorization or authorisation (see spelling differences) is the function of specifying rights/privileges for accessing resources, which is related to general information security and computer security, and to IAM (Identity and Access Management) in particular.^[1] More formally, "to authorize" is to define an access policy during the configuration of systems and user accounts. For example, user accounts for human resources staff are typically configured with authorization for accessing employee records, and this policy gets formalized as access control rules in a computer system. Authorization must not be confused with access control. During usage, access control enforces the authorization policy by deciding whether access requests to resources from (authenticated) consumers shall be approved (granted) or disapproved (rejected).^[2] Resources include individual files or an item's data, computer programs, computer devices and functionality provided by computer applications. Examples of consumers are computer users, computer software and other hardware on the computer.

^ Fraser, B. (1997), RFC 2196 – Site Security Handbook, IETF
^ Jøsang, Audun (2017), A Consistent Definition of Authorization, Proceedings of the 13th International Workshop on Security and Trust Management (STM 2017)

[1] Fraser, B. (1997), RFC 2196 – Site Security Handbook, IETF

[2] Jøsang, Audun (2017), A Consistent Definition of Authorization, Proceedings of the 13th International Workshop on Security and Trust Management (STM 2017)

[1]

[2]