Overview#
Authorization (AuthZ) is the process where a Trustor Delegates a Permission to a Trustee to perform a privilege against a Target Resource.
Allowing an Entity to do something. (Thing Explainer)
Authorization is a Facet Of Building Trust
Authorization enforcement is performed by Access Control
Authorization and Authentication#
Authorization is usually only attempted following Authentication, so that the Policy Enforcement Point has some Level Of Assurance of which Trustee is attempting to access a Protected Resource.
Authorization does not always imply Authentication, as when Bearer Tokens are utilized. This is also true when a Hotel Key Card is utilized.
Definition[2]#
Authorization, noun:
- the act of authorizing.
- permission or power granted by an authority; sanction.
- a legislative act authorizing money to be spent for government programs that specifies a maximum spending level without provision for actual funds.
In security engineering and computer security, authorization is the concept of allowing access to Resources only to those permitted to use them.[1]
A number of components are typically involved in an authorization process, including:
- The Access Control system.
- The Permission system.
- The Policy.
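The three components listed above, together with the Trustor/Trustee/Permission/Target Resource terms from the overview and the Bearer Token case from the previous section, are shown below as a small Python model. This is an added example, not code from the wiki page: the class names, the `door:101` resource and the `frontdesk`/`alice`/`mallory` principals are constructed for illustration, and the Policy is an in-memory dictionary rather than any real policy language.

```python
"""Toy Policy / Permission system (PDP) / Access Control (PEP) model.

Added example (not from the wiki page). All identifiers below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import secrets


@dataclass(frozen=True)
class Permission:
    """A privilege that may be exercised against a Target Resource."""
    privilege: str   # e.g. "open"
    resource: str    # e.g. "door:101" (constructed sample resource name)


@dataclass
class Policy:
    """The Policy: records which Trustor delegated which Permission to which Trustee."""
    grants: Dict[Tuple[str, Permission], str] = field(default_factory=dict)

    def delegate(self, trustor: str, trustee: str, permission: Permission) -> None:
        self.grants[(trustee, permission)] = trustor

    def revoke(self, trustee: str, permission: Permission) -> None:
        self.grants.pop((trustee, permission), None)


class PermissionSystem:
    """The Permission system, acting as a Policy Decision Point: yes/no from the Policy."""
    def __init__(self, policy: Policy) -> None:
        self.policy = policy

    def decide(self, trustee: str, privilege: str, resource: str) -> bool:
        return (trustee, Permission(privilege, resource)) in self.policy.grants


class AccessControl:
    """The Access Control system, acting as a Policy Enforcement Point."""
    def __init__(self, pdp: PermissionSystem) -> None:
        self.pdp = pdp
        self.bearer_tokens: Dict[str, Permission] = {}   # token -> what possession grants
        self.audit: List[tuple] = []                      # every decision, allowed or not

    def request(self, subject: Optional[str], privilege: str, resource: str) -> bool:
        """Path 1: an authenticated subject asks to exercise a privilege.
        With no authenticated subject there is no Trustee to look up, so the PEP denies."""
        allowed = subject is not None and self.pdp.decide(subject, privilege, resource)
        self.audit.append(("subject", subject, privilege, resource, allowed))
        return allowed

    def issue_bearer_token(self, trustee: str, privilege: str, resource: str) -> Optional[str]:
        """Mint a bearer token (the key card) only for a Trustee the Policy already authorizes."""
        if not self.pdp.decide(trustee, privilege, resource):
            return None
        token = secrets.token_hex(16)
        self.bearer_tokens[token] = Permission(privilege, resource)
        return token

    def request_with_token(self, token: str, privilege: str, resource: str) -> bool:
        """Path 2: bearer semantics. Whoever presents the token is authorized; the PEP never
        learns (or authenticates) who the holder is, exactly like a hotel key card."""
        granted = self.bearer_tokens.get(token)
        allowed = granted == Permission(privilege, resource)
        self.audit.append(("bearer", token[:8] + "...", privilege, resource, allowed))
        return allowed

    def revoke_token(self, token: str) -> None:
        """Revoking a Policy grant does not recall cards already issued; do that explicitly."""
        self.bearer_tokens.pop(token, None)


def demo() -> dict:
    """Walk both paths and return the decisions so they can be checked."""
    policy = Policy()
    policy.delegate("frontdesk", "alice", Permission("open", "door:101"))  # constructed grant
    ac = AccessControl(PermissionSystem(policy))
    results = {
        "alice_101": ac.request("alice", "open", "door:101"),
        "alice_102": ac.request("alice", "open", "door:102"),
        "mallory_101": ac.request("mallory", "open", "door:101"),
        "unauthenticated": ac.request(None, "open", "door:101"),
        "card_for_mallory": ac.issue_bearer_token("mallory", "open", "door:101"),
    }
    card = ac.issue_bearer_token("alice", "open", "door:101")
    results["card_opens_101"] = ac.request_with_token(card, "open", "door:101")
    results["unknown_card"] = ac.request_with_token("0" * 32, "open", "door:101")
    policy.revoke("alice", Permission("open", "door:101"))
    results["alice_after_revoke"] = ac.request("alice", "open", "door:101")
    results["card_after_policy_revoke"] = ac.request_with_token(card, "open", "door:101")
    ac.revoke_token(card)
    results["card_after_token_revoke"] = ac.request_with_token(card, "open", "door:101")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `request` path needs an authenticated subject because the Policy is keyed by Trustee; the `request_with_token` path needs none, which is the sense in which Authorization does not always imply Authentication. The last three results in `demo()` show the practical consequence: removing the grant from the Policy stops `alice` at the PEP, but a card she was already issued keeps working until the token itself is revoked, so a real deployment needs token revocation or short token lifetimes alongside policy changes.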
Examples#
- Door Key Card is a Bearer Token which provides Authorization to a Protected Door to any Entity which has possession.
Consent vs Authorization#
Frankly, I cannot determine a difference (Consent vs Authorization) between Authorization and Authorized, Authorise or Authorization other than the noun vs verb thing.
There may be some narrow legal definitions (think HIPAA) that delineate differences between consent and authorization, but in general they are the same.
More Information#
- [#1] - Authorization - based on data observed: 2010-05-18
- [#2] - dictionary.com - based on data observed: 2010-05-18