
Authorization

Introduction
Whether you are accessing protected resources in a web application or entering a physical office, two terms come up frequently: authentication and authorization. Although they are often treated as the same thing, they are not. In this reading, you will learn how they differ and how each plays an important role in the overall access control system.
Authentication versus authorization
Firstly, let's imagine a scenario where you are trying to enter a building that requires a keycard to access. Authentication is like swiping your keycard at the entrance to prove you are a valid cardholder. Authorization is like being granted access to certain areas of the building based on your job role or clearance level. Just because you have a keycard and are authenticated to enter the building doesn't mean you have free access to all areas. Your level of authorization determines which areas you can access.
So, the main difference between authentication and authorization is that authentication verifies the identity of a user, while authorization determines what resources and services they are allowed to access. In other words, authentication is the process of proving who you are, while authorization is the process of determining what you are allowed to do.
Authentication is typically the first step in the access control process, as it ensures that only users whose identity has been verified are granted access to the system. Once a user is authenticated, authorization mechanisms are used to determine what resources and services that user will be allowed to access.
So, now that you understand authentication and authorization, let's explore the key differences between them.

| Authentication | Authorization |
|---|---|
| Verifies the identity of a user, device, or system | Determines what actions a user can perform |
| Prevents access if not verified | Controls access to resources |
| First line of defense | Second line of defense |
| Typically a one-time event | Ongoing process |
| Relies on user-provided credentials | Relies on predefined policies and rules |

Authorization is an ongoing process

This all means that authorization is not a one-time process. It requires continuous monitoring and updating. As the needs of the organization and its users change over time, access control policies should be reviewed and updated to ensure they remain effective and relevant. Changes in regulations or industry standards may also require updates to access control policies to ensure compliance.
This ongoing authorization process can also involve monitoring user activity to detect unauthorized access or suspicious behavior. Monitoring also positions organizations to detect and respond to potential security threats quickly. Most importantly, network users should receive regular training on security best practices. If users understand their responsibilities in maintaining a secure environment, this helps prevent security incidents.
In short, authorization is not a one-time event but a continuous process that requires ongoing attention and effort to ensure the security of the organization's resources and services. In other words, organizations need proper authorization planning, and there are various models they can use for this.
Authorization models
There are several different authorization models used in modern organizations, businesses, and computing. These models vary in their approach to controlling access to resources and services and are designed to meet the specific needs of different environments. Here are some of the most common authorization models:
Role-Based Access Control (RBAC): RBAC assigns permissions and privileges to users based on their predefined roles within an organization. This model is designed to simplify the management of large-scale systems by reducing the need for individual user-level permissions. It is the most common and most widely adopted access control model. Using RBAC, you can easily form a group of individuals, assign them to a role, and then grant or deny permissions based on that role. The RBAC authorization model is popular because it is time- and cost-effective.
Attribute-Based Access Control (ABAC): ABAC is similar to RBAC but also considers attributes such as user roles, geographical location, environmental conditions, and other contextual information when making access control decisions. This model provides fine-grained access control and enables organizations to implement complex access policies based on multiple criteria.
Mandatory Access Control (MAC): MAC enforces access control based on predefined security policies. In this model, access to resources is controlled by a central authority rather than by individual users or resource owners. The central authority decides who can access a resource based on their security clearance level. This model is commonly used in government agencies, military organizations, and other high-security environments.
Discretionary Access Control (DAC): In DAC, users have the discretion to control access to the resources they own. The owner of a resource decides who can access it and to what extent. For example, in a shared folder, the owner can restrict access to specific files or subfolders. DAC is easy to implement, but it can lead to security issues if the owner does not manage access properly.
Rule-Based Access Control (RuBAC): This is a fairly new access control model that incorporates the best of RBAC and ABAC and allows for greater flexibility in access control. In this model, access to resources and services is determined by a set of rules. These rules can be based on a combination of factors, such as "users with role A can access this resource between 9 am and 5 pm, while users with role B can access it between 5 pm and 9 am", and so on.
Federation: Federation is a model for controlling access to resources and services across multiple organizations or domains. It enables secure collaboration between organizations while each maintains control over access to its own resources. The great advantage of federation is that it allows users to access the resources and services of other organizations without requiring separate authentication for each one. In a federation model, each organization maintains its own identity and access management system. These systems are then interconnected using a federation protocol, such as Security Assertion Markup Language (SAML) or OpenID Connect. When a user from one organization attempts to access a resource of another organization, the federation protocol is used to authenticate the user and determine their level of access.
Here's a table comparing RBAC, ABAC, MAC, DAC, and RuBAC:

| | RBAC | ABAC | MAC | DAC | RuBAC |
|---|---|---|---|---|---|
| Full form | Role-Based Access Control | Attribute-Based Access Control | Mandatory Access Control | Discretionary Access Control | Rule-Based Access Control |
| Based on | Role | Attribute | Security labels | Owner-based | Rules |
| Access request based on | User's role | User's attributes | User's clearance level and object's security level | User's ownership and access rights | User-defined rules |
| Policy enforcement | Centralized | Centralized or decentralized | Centralized | Decentralized | Centralized or decentralized |
| Flexibility | Low | High | Low | High | High |
| Complexity | Low | High | High | Medium | High |
| Examples | A company limiting access to HR information based on an employee's job title | A hospital limiting access to patient information based on the doctor's specialty | A government agency controlling access to classified information based on security clearance | A file system allowing owners to set permissions for files and folders | An online retailer controlling access to products based on a set of rules |
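To make the differences between the models concrete, here is an added example (not part of the original reading) with one minimal decision function per model. Authentication is assumed to have already happened, so every function receives an already-verified user record; all roles, attributes, labels and rules are constructed for illustration, and the RuBAC rule is the 9 am to 5 pm / 5 pm to 9 am rule quoted in the text.

```python
# Added example: one decision function per authorization model described above.
# Every caller is assumed to be authenticated already; these functions only decide
# what an identified user may do. All data below is constructed for illustration.

# MAC clearance/classification levels, highest last (constructed ordering).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}

# RBAC: permissions are attached to roles, never to individual users.
ROLE_PERMS = {"hr": {"hr_records:read"}, "engineer": {"repo:push"}}

def rbac_allows(user, perm):
    """Allow if any of the user's roles grants the requested permission."""
    return any(perm in ROLE_PERMS.get(role, set()) for role in user["roles"])

# ABAC: the decision combines user, resource and environment attributes.
# Constructed policy: a doctor may read a patient record only within their own
# specialty and only when the request comes from the internal network.
def abac_allows(user, resource, env):
    return (user.get("specialty") == resource.get("specialty")
            and env.get("network") == "internal")

# MAC: a central authority labels both users and objects; a user may read an
# object only if their clearance is at least the object's classification.
def mac_allows(user, resource):
    return LEVELS[user["clearance"]] >= LEVELS[resource["label"]]

# DAC: the owner decides. The ACL is stored with the resource, and the owner
# keeps full access to what they own regardless of the ACL.
def dac_allows(user, resource, perm):
    if user["id"] == resource["owner"]:
        return True
    return perm in resource["acl"].get(user["id"], set())

# RuBAC: rules as (role, start_hour, end_hour) in 24-hour time. Role A is
# allowed from 09:00 to 17:00, role B from 17:00 to 09:00 (wraps past midnight).
RULES = [("A", 9, 17), ("B", 17, 9)]

def in_window(hour, start, end):
    """True if hour lies in [start, end); windows with start > end wrap midnight."""
    if start < end:
        return start <= hour < end
    return hour >= start or hour < end

def rubac_allows(user, hour):
    """Allow if some rule names one of the user's roles and its window covers hour."""
    return any(role in user["roles"] and in_window(hour, start, end)
               for role, start, end in RULES)

if __name__ == "__main__":
    alice = {"id": "alice", "roles": ["hr", "A"], "clearance": "confidential"}
    print(rbac_allows(alice, "hr_records:read"))  # True: the hr role grants it
    print(rubac_allows(alice, 18))                 # False: role A is off-hours at 18:00
```

Note that every function denies unless a rule, role, attribute match, label or ACL entry positively allows, which is the default-deny posture all five models share.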

Conclusion
In conclusion, both authentication and authorization are now vital to organizations around the world. They enable organizations to verify employee identities and to authorize which resources and services those employees are allowed to access. Throughout this reading, you learned how important authorization is within modern-day computing and how it helps maintain data security and privacy.
You also examined the different types of authorization policies, such as RBAC, ABAC, DAC, and MAC, along with their respective strengths and weaknesses. You then discovered how authorization is granted and monitored within organizations.
