---
tags:
  - infosec
  - type/explainer
---

# Authorization vs. Access Control

[Authorization](../Standards/ISO27x/Authorization.md) defines _what_ a user (or system) is allowed to do; [access control](Access%20Control.md) is the _system_ or _process_ that enforces those defined permissions. The two are often used interchangeably, but keeping them apart matters in practice: a correct policy is worthless if the enforcement point never consults it (or consults it with the wrong subject, resource or action), and a perfectly built enforcement point faithfully applies whatever policy it is given, including a wrong one.

## Authorization

- **What it is:** Authorization is the **process of determining what a verified user (or system) is allowed to do or access** once their identity has been confirmed (authenticated). It's about defining the **rights, privileges, or permissions** associated with a specific identity.
- **The "Why":** It answers the question, "What can this person/system do?"
- **Policy-driven:** Authorization is primarily concerned with establishing the policies and rules that dictate access. These policies can be based on various factors like Roles, Attributes or Relationships (see [Access Control Models](Access%20Control%20Models.md)).
- **Examples:**
    - A bank's policy stating that only the account holder can access their individual account online.
    - A department head deciding that everyone in their department has access to a specific shared drive.
    - Defining that a "guest" user has very limited access to a website.

## Access Control

- **What it is:** Access control is the **mechanism or system that enforces the authorization policies**. It's the technical implementation that actually grants or denies access to a resource based on the authorized permissions.
- **The "How":** It answers the question, "How is the 'what' actually applied and managed?"
- **Enforcement:** Access control is the act of putting those policies into practice. It involves:
    - Checking a user's identity ([Authentication](../Standards/ISO27x/Authentication.md)).
    - Consulting the pre-defined [authorization](../Standards/ISO27x/Authorization.md) rules.
    - Granting or denying access to specific resources (files, applications, data, network segments, physical locations, etc.) or actions (read, write, delete, execute). Requests that match no rule should be denied (default deny), and decisions should be recorded so they can be audited.
- **Examples:**
    - An Access Control List (ACL) on a file system that specifies which users or groups can read, write, or execute a particular file.
    - A firewall rule that allows or denies traffic based on source IP address and port.
    - A system that prompts for an administrator password before allowing software installation.
    - Physical security systems like keycard readers that only grant entry to authorized personnel.
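The separation described in both sections, policy on one side and enforcement on the other, is easiest to see in code. The following is an added example, not code from any of the linked notes: the authorization policy is plain data plus a side-effect-free decision function (it encodes the three policy examples above: an account is reachable only by its owner, department members may use the shared drive, guests may only read the website), and `enforce()` is the access control point that checks authentication, consults that policy, applies default deny, and writes an audit record. The role names, resource kinds, user IDs and the `ROLE_PERMISSIONS` table are all constructed for illustration.

```python
"""Authorization (policy) kept separate from access control (enforcement).

Added illustrative example; all roles, resources and users are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# ---------------------------------------------------------------------------
# Authorization: the policy. Expressed as data so it can be reviewed and
# changed without touching the enforcement code.
# ---------------------------------------------------------------------------
# (resource kind, action) pairs each role is granted. Constructed sample policy.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "account_holder": {("account", "read"), ("account", "transfer")},
    "department_member": {("shared_drive", "read"), ("shared_drive", "write")},
    "guest": {("website", "read")},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str]
    authenticated: bool  # result of the authentication step, not of this code


@dataclass(frozen=True)
class Resource:
    kind: str
    owner: Optional[str] = None  # for "account": the account holder's user_id


def is_authorized(principal: Principal, resource: Resource, action: str) -> bool:
    """Policy decision only: no side effects, answers 'may this be done?'.

    Combines a relationship rule (accounts belong to one holder) with the
    role-based table above. Anything not explicitly granted is denied.
    """
    if not principal.authenticated:
        return False
    # Relationship-based rule: an account is only ever its owner's business,
    # regardless of which roles the caller holds.
    if resource.kind == "account" and resource.owner != principal.user_id:
        return False
    for role in principal.roles:
        if (resource.kind, action) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False  # default deny: no matching rule means no access


# ---------------------------------------------------------------------------
# Access control: the enforcement point. Every request to a protected
# resource passes through here; it consults the policy and records the outcome.
# ---------------------------------------------------------------------------
def enforce(principal: Principal, resource: Resource, action: str,
            audit_log: List[str]) -> bool:
    """Grant or deny the request and append an audit record.

    Raises PermissionError on denial so callers cannot ignore the decision
    by forgetting to check a return value.
    """
    allowed = is_authorized(principal, resource, action)
    verdict = "ALLOW" if allowed else "DENY"
    audit_log.append(
        f"{verdict} user={principal.user_id} action={action} "
        f"resource={resource.kind} owner={resource.owner}"
    )
    if not allowed:
        raise PermissionError(f"{principal.user_id} may not {action} {resource.kind}")
    return True


def demo() -> List[str]:
    """Run a few constructed requests through the enforcement point."""
    log: List[str] = []
    alice = Principal("alice", frozenset({"account_holder"}), authenticated=True)
    bob = Principal("bob", frozenset({"account_holder", "department_member"}), True)
    visitor = Principal("anon", frozenset({"guest"}), authenticated=False)
    alices_account = Resource("account", owner="alice")
    for who, what, action in [
        (alice, alices_account, "transfer"),   # owner, granted role -> ALLOW
        (bob, alices_account, "read"),         # not the owner -> DENY
        (bob, Resource("shared_drive"), "write"),  # department role -> ALLOW
        (visitor, Resource("website"), "read"),   # not authenticated -> DENY
    ]:
        try:
            enforce(who, what, action, log)
        except PermissionError:
            pass  # already recorded in the audit log
    return log


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two design points are worth noting. `is_authorized()` never raises and never logs, so it can be unit-tested as a pure function and reused by a different enforcement point (an API gateway, a file server) without duplicating the policy. `enforce()` denies by raising rather than returning `False`, which removes the classic broken-access-control bug where the check is performed but its result is never acted on.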