Editing Authorization (section)

{{Short description|Function of specifying access rights and privileges to resources}}
{{Redirect|Authorized|the 2007 Epsom Derby winner|Authorized (horse)}}
{{Redirect|Authorization code|the code allowing internet domain name transfers|Auth-Code}}
{{Use dmy dates|date=March 2023}}

'''Authorization''' or '''authorisation''' (see [[American and British English spelling differences#-ise, -ize (-isation, -ization)|spelling differences]]), in [[information security]], [[computer security]] and [[identity management|IAM]] (Identity and Access Management),<ref>{{citation |last1=Fraser |first1=B. |title=RFC 2196 – Site Security Handbook |year=1997 |publisher=[[Internet Engineering Task Force|IETF]]}}</ref> is the function of specifying rights/privileges for accessing resources, in most cases through an access policy, and then deciding whether a particular ''subject'' has privilege to access a particular ''resource''. Examples of ''subjects'' include human users, computer [[software]] and other [[Computer hardware|hardware]] on the computer. Examples of ''resources'' include individual files or an item's [[data]], [[computer program]]s, computer [[Computer hardware|device]]s and functionality provided by [[computer application]]s. For example, user accounts for [[human resources]] staff are typically configured with authorization for accessing employee records.

Authorization is closely related to [[access control]], which is what enforces the authorization policy by deciding whether access requests to resources from ([[authentication|authenticated]]) consumers shall be approved (granted) or disapproved (rejected).<ref>{{citation|first1=Audun|last1=Jøsang|title=A Consistent Definition of Authorization|year=2017|publisher=Proceedings of the 13th International Workshop on Security and Trust Management (STM 2017)}}</ref> 

Authorization should not be confused with [[authentication]], which is the process of verifying someone's identity.