Definitions

Cybersecurity

Authorization is

the process of granting or denying access rights and privileges to a protected resource, such as a network, system, application, function, or file.[1]
[a]ccess privileges granted to a user, program, or process or the act of granting those privileges.[2]
[g]ranting of rights, which includes the granting of access based on access rights.[3]

Federal legislation

An authorization is an act of Congress that establishes or continues a federal program or agency either for a specified period of time or indefinitely, specifies its general goals and conduct, and usually sets a ceiling on the amount of budget authority that can be provided in an annual appropriation. An authorization for an agency or program usually is required before an appropriation for that same agency or program can be passed.

General

Authorization is

[t]he process of granting a person, computer process, or device with access to certain information, services, or functionality. Authorization is derived from the identity of the person, computer process, or device requesting access that is verified through authentication.[4]

Authorization is "the process of deciding what an individual ought to be allowed to do."[5]

Security

Authorization is "the granting of rights, which includes the granting of access based on access rights."[6]

Authorization is

[t]he right or a permission that is granted to a system entity to access a system resource.[7]
[t]he official management decision to authorize operation of an information system and explicitly accept the risk to operations (including mission, functions, image, or reputation), assets, or individuals, based on the implementation of an agreed-upon set of security controls.[8]
determining whether a subject (a user or system) is trusted to act for a given purpose, for example, allowed to read a particular file.[9]

State computer crime

Under the West Virginia computer crime law, authorization is

the express or implied consent given by a person to another to access or use said person's computer, computer network, computer program, computer software, computer system, password, identifying code or personal identification number.[10]

Telecommunications

Authorization is

a right granted by a regulatory authority permitting the operation of a radio station, radio application or electronic communication service in conformance with national laws and prescribed technical conditions.[11]

Overview

Cybersecurity

Authorization mechanisms fall into four major categories:

A key component of authorization and a basic principle for securing computer resources and data is the concept of least privilege.

To restrict legitimate users’ access in this way, organizations establish access rights and permissions. User rights are allowable actions that can be assigned to users or to groups of users. File and directory permissions are rules that regulate which users have access to a particular file or directory and the extent of that access. To avoid unintentionally giving users unnecessary access to sensitive files, directories, and special machine instructions that programs use to communicate with the operating system, an organization must give careful consideration to its assignment of rights and permissions.
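The distinction the two paragraphs above draw, user rights (actions assignable to users or groups) versus file and directory permissions (which users may reach a path and to what extent), can be made concrete in a small deny-by-default authorization check. The example below is added here and is not code from the page or from any product; the users, groups, paths, action names and the `Policy`/`Access` classes are constructed for illustration. It also carries the least-privilege principle one step further than the text by auditing which grants were never needed by any authorized action in a (constructed) access log.

```python
import posixpath
from dataclasses import dataclass, field
from enum import Flag, auto


class Access(Flag):
    """Extent of access a permission rule grants on a file or directory."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


# Hypothetical mapping: the file-level access each user right also needs on its target.
REQUIRED_ACCESS = {
    "read_file": Access.READ,
    "modify_file": Access.READ | Access.WRITE,
    "run_program": Access.EXECUTE,
}


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()


@dataclass
class Policy:
    # User rights: allowable actions assigned to users ("bob") or groups ("@analysts").
    rights: dict = field(default_factory=dict)
    # File/directory permissions: path -> {principal: Access}. A rule on a directory
    # covers everything beneath it unless a more specific rule exists.
    perms: dict = field(default_factory=dict)

    @staticmethod
    def principals(user):
        return {user.name, *("@" + g for g in sorted(user.groups))}

    def has_right(self, user, action):
        return any(action in self.rights.get(p, set()) for p in self.principals(user))

    def rule_for(self, path):
        """Most specific rule covering `path`, walking up the tree; None means no rule (deny)."""
        node = posixpath.normpath(path)
        while node not in self.perms:
            parent = posixpath.dirname(node)
            if parent == node:          # reached "/" without finding a rule
                return None
            node = parent
        return node

    def effective_access(self, user, path):
        """Union of the access granted to the user and each of their groups by the governing rule."""
        rule_path = self.rule_for(path)
        if rule_path is None:
            return Access.NONE
        granted = Access.NONE
        for p in self.principals(user):
            granted |= self.perms[rule_path].get(p, Access.NONE)
        return granted

    def authorize(self, user, action, path):
        """Both checks must pass: the right to perform the action, and enough access on the target."""
        if action not in REQUIRED_ACCESS:
            return False, f"unknown action {action!r}"
        if not self.has_right(user, action):
            return False, f"{user.name} lacks the {action!r} right"
        need, have = REQUIRED_ACCESS[action], self.effective_access(user, path)
        if (need & have) != need:
            return False, f"{user.name} has {have} on {path}, needs {need}"
        return True, "allowed"


def unused_grants(policy, observed):
    """Least-privilege review: grants that no observed, authorized action ever needed.
    `observed` is an iterable of (User, action, path) taken from an access log."""
    used = {}  # (rule path, principal) -> access bits actually exercised
    for user, action, path in observed:
        if not policy.authorize(user, action, path)[0]:
            continue
        rule_path = policy.rule_for(path)
        for p in policy.principals(user):
            if p in policy.perms[rule_path]:
                key = (rule_path, p)
                used[key] = used.get(key, Access.NONE) | (REQUIRED_ACCESS[action] & policy.perms[rule_path][p])
    leftovers = []
    for path, rule in policy.perms.items():
        for p, granted in rule.items():
            extra = granted & ~used.get((path, p), Access.NONE)
            if extra:
                leftovers.append((path, p, extra))
    return sorted(leftovers, key=lambda r: (r[0], r[1]))


# Constructed sample policy and users (illustration only).
POLICY = Policy(
    rights={
        "@analysts": {"read_file"},
        "bob": {"read_file", "modify_file"},
        "@admins": {"read_file", "modify_file", "run_program"},
    },
    perms={
        "/var/reports": {"@analysts": Access.READ, "bob": Access.READ | Access.WRITE},
        "/var/reports/hr": {"@admins": Access.READ | Access.WRITE},  # more specific rule: analysts excluded
        "/usr/local/bin/export": {"@admins": Access.EXECUTE, "@analysts": Access.EXECUTE},
    },
)
ALICE = User("alice", frozenset({"analysts"}))
BOB = User("bob", frozenset({"analysts"}))
CAROL = User("carol", frozenset({"admins"}))
OBSERVED = [  # constructed access-log entries
    (ALICE, "read_file", "/var/reports/q1.csv"),
    (BOB, "modify_file", "/var/reports/q1.csv"),
    (CAROL, "run_program", "/usr/local/bin/export"),
    (ALICE, "run_program", "/usr/local/bin/export"),  # denied: analysts lack the right
]

if __name__ == "__main__":
    for user, action, path in OBSERVED:
        print(user.name, action, path, "->", POLICY.authorize(user, action, path))
    print("never-used grants:", unused_grants(POLICY, OBSERVED))
```

Two points the run makes visible: the `EXECUTE` permission on `/usr/local/bin/export` does alice no good without the `run_program` right, so the two layers are independent checks rather than one; and the audit reports both that grant and the unexercised `@admins` permission on `/var/reports/hr` as candidates for removal, which is the kind of review the "careful consideration" in the text amounts to in practice.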

A password can be considered a form of authorization if it is issued by a higher-level authority. If embedded in a form of identification such as a smart card, a password can be considered an added form of authentication.

To enable authorization in a public key encryption system, an additional mechanism must be used, such as bilateral or multilateral trading agreements between the communicating parties.

Security

Authorization in a physical context is the granting or confirmation of authority to perform a task or to be in some specific place. Having a physical token such as a key is an example. It may also come as a real-time affirmation done remotely in response to a request or action. The second form, “real-time affirmation done remotely,” involves permission being communicated when demanded by controlling authorities at the portal.

From a security standpoint, there are few technologies used in the first form, although electronic access cards are an example of a technology. The second form involves a combination of identification and authentication by an authorizing entity.
