Why is authorisation important

If you are the owner of a document, you can share it with someone else and define one or more access policies. For example, you can share your document with someone while letting them only add comments. Two parties are involved here. Resource Owner: the user who creates the document and therefore owns it. Authorized User: the user who is given comment rights by the Resource Owner.

The following diagram represents authorization of access to a resource. There are several authorization strategies that computer systems use when applications are deployed; each helps developers meet a different set of authorization requirements. Attribute-based access control (ABAC) is one of them: when using ABAC, the system decides whether a user has sufficient privileges to perform an action based on attributes (also called traits or claims) associated with that user.

An example use case is an online store that sells alcoholic beverages. A user of the store must register and provide proof of age. In authorization terms, the verified age becomes a claim attached to the user; presenting that claim lets the store process the user's request to buy alcohol. The decision to grant access to the resource is therefore made on a user attribute, not on who the user is. Role-based access control (RBAC), by contrast, attaches permissions to roles rather than directly to users.

A role is nothing but a collection of permissions. For example, imagine that you work as a department manager in an organization. In this situation, you should have permissions that reflect your role, for example, the ability to approve vacation requests and expense requests, assign tasks, and so on.

To grant these permissions, a system manager would first create a role called "Manager" or similar. Then, they would assign these permissions to this role and would associate you with the "Manager" role. Of course, other users that need the same set of permissions can be associated with that role.

Authentication is used by a client when the client needs to know that the server is the system it claims to be, and by a server when it needs to know who the client is. In authentication, the user or computer proves its identity to the other party. Authentication by a server usually relies on a user name and password; other methods include smart cards, retina scans, voice recognition and fingerprints. Authentication of a server by a client usually involves the server presenting a certificate in which a trusted third party, such as Verisign or Thawte, attests that the server belongs to the entity (such as a bank) that the client expects. That attestation only means something if the client actually validates the certificate: checks that it chains to an authority the client trusts and that it was issued for the host the client is talking to.

Authentication does not determine what tasks the individual can do or what files the individual can see. Authentication merely identifies and verifies who the person or system is.

Authorization

Authorization is the process by which a server determines whether the client has permission to use a resource or access a file.

Authorization is usually coupled with authentication so that the server knows who the client requesting access is. The type of authentication required for authorization may vary; passwords may be required in some cases but not in others. In some cases there is no authorization at all: any user may use a resource or access a file simply by asking for it. Most web pages on the Internet require neither authentication nor authorization. For highly sensitive information assets, however, or for transactions that exceed a certain threshold, an ABAC service can require the employee, customer or partner to complete multi-factor authentication (MFA) before access is granted.

The ABAC policies then also decide what actions the employee can take once they are properly authenticated. This loose coupling of authentication and authorization is an example of the flexibility mentioned earlier: the MFA technique can be changed as those technologies evolve or as the risk tolerance for access to data is updated, without rewriting the authorization policy itself. The policy states that stronger authentication is required; it does not care how that authentication is performed.
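To make the three ideas above concrete (an ABAC decision made on a claim, an RBAC decision made through a role, and an authorization outcome that demands step-up MFA for a high-value transaction), here is a small policy decision point in Python. It is an added example, not code from this article or from Axiomatics; the attribute names, the `authn_level` scale, the `customer` role, the role-to-permission table and the 1000 threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

# Illustrative policy decision point. All names and thresholds are assumptions
# for this example; they are not a vendor API or a standard such as XACML.


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    STEP_UP = "step_up"  # an authorization outcome: come back with stronger authentication


@dataclass(frozen=True)
class Principal:
    """The authenticated subject plus the attributes the identity layer vouched for."""
    user_id: str
    roles: frozenset = frozenset()
    age_verified: bool = False  # ABAC claim: proof of age was checked at registration
    authn_level: int = 1        # assumed scale: 1 = password only, 2 = MFA completed


@dataclass(frozen=True)
class Request:
    action: str
    resource: str
    amount: float = 0.0  # only meaningful for financial transactions


# RBAC: a role is a collection of permissions. Users are bound to roles, never to
# individual permissions, so adding a second manager is a one-line binding.
ROLE_PERMISSIONS = {
    "manager": frozenset({"approve_vacation", "approve_expense", "assign_task"}),
    "employee": frozenset({"submit_vacation", "submit_expense"}),
    "customer": frozenset({"transfer"}),
}

MFA_AMOUNT_THRESHOLD = 1000.0  # assumed: transfers above this need authn_level >= MFA_LEVEL
MFA_LEVEL = 2


def rbac_permissions(principal: Principal) -> frozenset:
    """Union of the permissions of every role the principal holds; unknown roles grant nothing."""
    perms = frozenset()
    for role in principal.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def authorize(principal: Principal, request: Request) -> Decision:
    """Evaluate the request against policy. Deny by default: only a matching rule may permit."""
    # ABAC rule: buying alcohol depends on the age claim, not on any role.
    if request.action == "purchase" and request.resource == "alcohol":
        return Decision.PERMIT if principal.age_verified else Decision.DENY

    # Step-up rule: the role grants the right to transfer, but above the threshold
    # the policy additionally requires MFA. The policy says *that* MFA is needed,
    # not *how* it is done, so the MFA mechanism can change without touching this code.
    if request.action == "transfer" and request.resource == "account":
        if "transfer" not in rbac_permissions(principal):
            return Decision.DENY
        if request.amount > MFA_AMOUNT_THRESHOLD and principal.authn_level < MFA_LEVEL:
            return Decision.STEP_UP
        return Decision.PERMIT

    # RBAC rule: every other action is a named permission reached through a role.
    if request.action in rbac_permissions(principal):
        return Decision.PERMIT

    return Decision.DENY


if __name__ == "__main__":
    # Constructed sample principals and requests for a quick run.
    manager = Principal("alice", frozenset({"manager"}))
    adult = Principal("carol", age_verified=True)
    minor = Principal("dave", age_verified=False)
    customer_pw = Principal("erin", frozenset({"customer"}), authn_level=1)
    customer_mfa = Principal("erin", frozenset({"customer"}), authn_level=2)

    print(authorize(manager, Request("approve_vacation", "hr")))
    print(authorize(adult, Request("purchase", "alcohol")))
    print(authorize(minor, Request("purchase", "alcohol")))
    print(authorize(customer_pw, Request("transfer", "account", 5000.0)))
    print(authorize(customer_mfa, Request("transfer", "account", 5000.0)))
```

The `STEP_UP` outcome is the point of the last paragraph: the policy decision point returns a third answer besides permit and deny, and the application (or the identity provider it redirects to) chooses the MFA method. Note also that the high-value transfer is checked against the role first; a stronger login never grants a right the principal does not already have.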

As controlling access to information becomes more complex, it will become increasingly important to combine cross-domain identity protocols to solve real-world business problems. By combining the right authentication protocols with an ABAC model, organizations can securely share critical information while improving the experience for all the users involved. Gerry Gebel is the vice president of business development at Axiomatics. He is responsible for sales, customer support, marketing, and business development for the Americas region.
