Editing: Authorization
{{Short description|Function of specifying access rights and privileges to resources}}
{{Redirect|Authorized|the 2007 Epsom Derby winner|Authorized (horse)}}
{{Redirect|Authorization code|the code allowing internet domain name transfers|Auth-Code}}
{{Use dmy dates|date=March 2023}}

'''Authorization''' or '''authorisation''' (see [[American and British English spelling differences#-ise, -ize (-isation, -ization)|spelling differences]]), in [[information security]], [[computer security]] and [[identity management|IAM]] (Identity and Access Management),<ref>{{citation |last1=Fraser |first1=B. |title=RFC 2196 – Site Security Handbook |year=1997 |publisher=[[Internet Engineering Task Force|IETF]]}}</ref> is the function of specifying rights and privileges for accessing resources, in most cases through an access policy, and then deciding whether a particular ''subject'' has the privilege to access a particular ''resource''. Examples of ''subjects'' include human users, computer [[software]] and [[Computer hardware|hardware]] on the computer. Examples of ''resources'' include individual files or an item's [[data]], [[computer program]]s, computer [[Computer hardware|device]]s and functionality provided by [[computer application]]s. For example, user accounts for [[human resources]] staff are typically configured with authorization for accessing employee records. Authorization is closely related to [[access control]], which is what enforces the authorization policy by deciding whether access requests to resources from ([[authentication|authenticated]]) consumers shall be approved (granted) or disapproved (rejected).<ref>{{citation|first1=Audun|last1=Jøsang|title=A Consistent Definition of Authorization|year=2017|publisher=Proceedings of the 13th International Workshop on Security and Trust Management (STM 2017)}}</ref> Authorization should not be confused with [[authentication]], which is the process of verifying someone's identity.
==Overview==
[[identity management|IAM]] consists of the following two phases: the configuration phase, where a user account is created and its corresponding access authorization policy is defined, and the usage phase, where user authentication takes place, followed by access control to ensure that the user/consumer only gets access to resources for which they are authorized. Hence, access control in [[computer]] systems and [[Computer network|networks]] relies on access authorization specified during configuration.

Authorization is the responsibility of an [[authority]], such as a department manager, within the application domain, but is often delegated to a custodian such as a system administrator. Authorizations are expressed as access policies in some type of "policy definition application", e.g. in the form of an [[access control list]] or a [[Capability-based security|capability]], or a policy administration point, e.g. [[XACML]]. Broken authorization is often listed as the number one risk in web applications.<ref>{{Cite web |title=A01 Broken Access Control - OWASP Top 10:2021 |url=https://owasp.org/Top10/A01_2021-Broken_Access_Control/ |access-date=2025-05-01 |website=owasp.org}}</ref> On the basis of the "[[principle of least privilege]]", consumers should only be authorized to access whatever they need to do their jobs, and nothing more.<ref>{{Cite web |title=Authorization - OWASP Cheat Sheet Series |url=https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html#enforce-least-privileges |access-date=2025-05-01 |website=cheatsheetseries.owasp.org}}</ref>

"Anonymous consumers" or "guests" are consumers that have not been required to authenticate. They often have limited authorization. On a distributed system, it is often desirable to grant access without requiring a unique identity. Familiar examples of [[access token]]s include keys, certificates and tickets: they grant access without proving identity.
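The two IAM phases described above, as an added example that is not part of the article: the configuration phase creates accounts and defines the policy as an access control list, and the usage phase authenticates the consumer (or treats one without credentials as a guest) and then enforces the policy with deny-by-default, so a subject gets only what a rule explicitly grants. The `System` class, its method names, and the sample users and resources are assumptions for illustration.

```python
"""Added example, not from the article: the two IAM phases described above,
with an ACL as the policy definition and deny-by-default least privilege."""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

ANONYMOUS = "guest"  # consumers who were not required to authenticate


def _digest(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class System:
    accounts: dict = field(default_factory=dict)  # name -> (salt, pw_hash)
    # ACL: resource -> {subject: set of permitted actions}; no entry means deny
    acl: dict = field(default_factory=dict)

    # --- configuration phase: create accounts and define the access policy ---
    def create_account(self, name, password):
        if name == ANONYMOUS:
            raise ValueError("reserved for unauthenticated consumers")
        salt = secrets.token_bytes(16)
        self.accounts[name] = (salt, _digest(salt, password))

    def grant(self, resource, subject, *actions):
        self.acl.setdefault(resource, {}).setdefault(subject, set()).update(actions)

    def revoke(self, resource, subject):
        # an authorization is removed by deleting its access rule
        self.acl.get(resource, {}).pop(subject, None)

    # --- usage phase: authenticate, then enforce the configured policy ---
    def check_access(self, credentials, resource, action):
        if credentials is None:
            subject = ANONYMOUS  # guest: only what the ACL explicitly allows
        else:
            subject, password = credentials
            acct = self.accounts.get(subject)
            if acct is None or not hmac.compare_digest(
                    acct[1], _digest(acct[0], password)):
                return False  # failed authentication: no access at all
        # access control: deny unless a rule explicitly permits this action
        return action in self.acl.get(resource, {}).get(subject, set())
```

Note that a failed login is refused outright rather than downgraded to guest access, and the guest name is reserved so that no account can inherit the rules written for anonymous consumers.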
== Implementation ==
A widely used framework for authorizing applications is [[OAuth 2.0|OAuth 2]]. It provides a standardized way for third-party applications to obtain limited access to a user's resources without exposing their credentials.<ref name=":0">{{Cite book |last=Hingnikar |first=Abhishek |title=Solving Identity Management in Modern Applications |publisher=[[Apress]] |year=2023 |isbn=9781484282601 |edition=2nd |pages=63, 147 |language=en}}</ref>

In modern systems, a widely used model for authorization is [[role-based access control]] (RBAC), where authorization is defined by granting subjects one or more roles and then checking that the resource being accessed has been assigned at least one of those roles.<ref name=":0" /> However, with the rise of social media, [[Relationship-based access control]] is gaining more prominence.<ref>{{Cite journal |last=Gates |first=Carrie |date=2007 |title=Access control requirements for web 2.0 security and privacy |url=https://www.researchgate.net/publication/240787391 |journal=IEEE Web |volume=2 |pages=12-15}}</ref>

Even when access is controlled through a combination of authentication and [[access control list]]s, the problem of maintaining the authorization data is not trivial and often represents as much administrative burden as managing authentication credentials. It is often necessary to change or remove a user's authorization: this is done by changing or deleting the corresponding access rules on the system. Using [[Atomic Authorization|atomic authorization]] is an alternative to per-system authorization management, where a [[trusted third party]] securely distributes authorization information.

==Related interpretations==
===Public policy===
In [[Policy|public policy]], authorization is a feature of trusted systems used for [[security]] or [[social control]].
===Banking===
In [[bank]]ing, an [[Authorization hold|authorization]] is a hold placed on a customer's account when a purchase is made using a [[debit card]] or [[credit card]].

===Publishing===
{{Further|Official#Adjective|Unauthorized biography}}
In [[publishing]], public lectures and other freely available texts are sometimes published without the approval of the [[author]]. These are called unauthorized texts. An example is the 2002 ''The Theory of Everything: The Origin and Fate of the Universe'', which was collected from [[Stephen Hawking]]'s lectures and published without his permission as per copyright law.{{Citation needed|date=August 2021}}

==See also==
{{Wiktionary}}
{{div col|colwidth=30em}}
* [[Access control]]
* [[Authorization hold]]
* [[Authorization OSID]]
* [[Kerberos (protocol)]]
* [[Multi-party authorization]]
* [[OAuth]]
* [[OpenID Connect]]
* [[OpenID]]
* [[Usability of web authentication systems]]
* [[WebFinger]]
* [[WebID]]
* [[XACML]]
{{div col end}}

==References==
{{Reflist}}

{{Computer security}}
{{Authority control}}

[[Category:Computer access control]]
[[Category:Access control]]
[[Category:Authority]]