iso27diy-corp/Corpus/Sparks/Authorization vs Access Control.md

---
tags:
  - infosec
  - type/explainer
---

Authorization vs. Access Control

Authorization defines what a user (or system) is allowed to do; access control is the system or process that enforces those defined permissions.

Authorization

  • What it is: Authorization is the process of determining what a verified user (or system) is allowed to do or access once their identity has been confirmed (authenticated). It's about defining the rights, privileges, or permissions associated with a specific identity.
  • The "Why": It answers the question, "What can this person/system do?"
  • Policy-driven: Authorization is primarily concerned with establishing the policies and rules that dictate access. These policies can be based on various factors like Roles, Attributes or Relationships (see Access Control Models).
  • Examples:
    • A bank's policy stating that only the account holder can access their individual account online.
    • A department head deciding that everyone in their department has access to a specific shared drive.
    • Defining that a "guest" user has very limited access to a website.

Access Control

  • What it is: Access control is the mechanism or system that enforces the authorization policies. It's the technical implementation that actually grants or denies access to a resource based on the authorized permissions.
  • The "How": It answers the question, "How is the 'what' actually applied and managed?"
  • Enforcement: Access control is the act of putting those policies into practice. It involves:
    • Checking a user's identity (Authentication).
    • Consulting the pre-defined authorization rules.
    • Granting or denying access to specific resources (files, applications, data, network segments, physical locations, etc.) or actions (read, write, delete, execute).
  • Examples:
    • An Access Control List (ACL) on a file system that specifies which users or groups can read, write, or execute a particular file.
    • A firewall rule that allows or denies traffic based on source IP address and port.
    • A system that prompts for an administrator password before allowing software installation.
    • Physical security systems like keycard readers that only grant entry to authorized personnel.
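To make the split concrete, here is an added example (not part of the original note) that keeps the policy rules (authorization, the "what") in one layer and the enforcement check (access control, the "how") in another. The rules, principals and resources are constructed samples mirroring the note's bank, department and guest examples; the enforcement step follows the three steps listed above and denies by default when no rule matches.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    authenticated: bool            # outcome of the authentication step
    department: str = ""
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Resource:
    kind: str                      # "account", "shared_drive" or "web_page"
    owner: str = ""                # account holder, or the owning department
    public: bool = False


# --- Authorization layer: the policy (constructed sample rules). ---
# Each rule is a predicate (principal, resource, action) -> bool and states
# WHAT is permitted; it does not itself grant or deny anything.
def account_holder_rule(p, r, action):
    # Relationship-based: only the holder may use their own account.
    return r.kind == "account" and r.owner == p.name and action in {"read", "transfer"}


def department_drive_rule(p, r, action):
    # Attribute-based: members of a department may use its shared drive.
    return r.kind == "shared_drive" and r.owner == p.department and action in {"read", "write"}


def guest_rule(p, r, action):
    # Role-based: guests may only read public pages.
    return "guest" in p.roles and r.public and action == "read"


POLICY = [account_holder_rule, department_drive_rule, guest_rule]


# --- Access control layer: enforcement of the policy above. ---
def check_access(principal, resource, action, policy=POLICY):
    """Return (allowed, reason), applying the note's three enforcement steps."""
    if not principal.authenticated:                 # 1. identity must be verified
        return False, "deny: identity not verified"
    for rule in policy:                             # 2. consult the authorization rules
        if rule(principal, resource, action):
            return True, f"grant: {rule.__name__}"  # 3a. grant on a matching rule
    return False, "deny: no rule grants this action"   # 3b. default deny
```

Because the policy is just a list of predicates, a new rule (or a different model, such as a full RBAC table) changes only the authorization layer while the enforcement code stays the same.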