Cleaned up Literature folder

This commit is contained in:
Richard Kranendonk 2026-05-18 12:48:01 +02:00
parent 73a6380034
commit fe5eda4e05
586 changed files with 53911 additions and 2475 deletions

@ -0,0 +1,33 @@
---
tags:
- infosec
- type/explainer
---
# Authorization vs. Access Control
[Authorization](../Standards/ISO27x/Authorization.md) defines _what_ a user (or system) is allowed to do, [access control ](Access%20Control.md) is the _system_ or _process_ that enforces those defined permissions.
## Authorization
- **What it is:** Authorization is the **process of determining what a verified user (or system) is allowed to do or access** once their identity has been confirmed (authenticated). It's about defining the **rights, privileges, or permissions** associated with a specific identity.
- **The "Why":** It answers the question, "What can this person/system do?"
- **Policy-driven:** Authorization is primarily concerned with establishing the policies and rules that dictate access. These policies can be based on various factors like Roles, Attributes or Relationships (see [Access Control Models](Access%20Control%20Models.md)).
- **Examples:**
- A bank's policy stating that only the account holder can access their individual account online.
- A department head deciding that everyone in their department has access to a specific shared drive.
- Defining that a "guest" user has very limited access to a website.
## Access Control
- **What it is:** Access control is the **mechanism or system that enforces the authorization policies**. It's the technical implementation that actually grants or denies access to a resource based on the authorized permissions.
- **The "How":** It answers the question, "How is the 'what' actually applied and managed?"
- **Enforcement:** Access control is the act of putting those policies into practice. It involves:
- Checking a user's identity ([Authentication](../Standards/ISO27x/Authentication.md)).
- Consulting the pre-defined [Authorization](../Standards/ISO27x/Authorization.md)authorization rules.
- Granting or denying access to specific resources (files, applications, data, network segments, physical locations, etc.) or actions (read, write, delete, execute).
- **Examples:**
- An Access Control List (ACL) on a file system that specifies which users or groups can read, write, or execute a particular file.
- A firewall rule that allows or denies traffic based on source IP address and port.
- A system that prompts for an administrator password before allowing software installation.
- Physical security systems like keycard readers that only grant entry to authorized personnel.
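Review bot: the "Enforcement" list under "## Access Control" presents authentication as a step performed by access control (`- Checking a user's identity ([Authentication](../Standards/ISO27x/Authentication.md)).`), which blurs exactly the boundary this explainer is drawing; the enforcement mechanism takes an already-authenticated identity as its input rather than verifying it, so reword that bullet to something like "Taking the authenticated identity (see [Authentication](../Standards/ISO27x/Authentication.md)) as input." Two markup slips in the same file: the link text `[access control ](Access%20Control.md)` has a trailing space inside the brackets, which renders a stray space before the comma, and `Consulting the pre-defined [Authorization](../Standards/ISO27x/Authorization.md)authorization rules.` repeats the word with no separator; suggest `Consulting the pre-defined [authorization](../Standards/ISO27x/Authorization.md) rules.`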