Authorization
Authorization is the security process that determines and enforces what authenticated identities are allowed to do in a system, including access to data, services and operations, based on defined policies and rules.
Expanded Explanation
1. Technical Function and Core Characteristics
Authorization verifies whether a subject that has already authenticated can access specific resources or perform specific actions. It evaluates attributes such as identity, role, device, location, time and risk signals against predefined policies and entitlements.
Core authorization mechanisms include Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), rule-based models and policy-based access control frameworks. Systems commonly implement authorization through policy decision points, policy enforcement points and centralized policy administration components.
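The following is an added illustration, not code from the original page or any product, of how the components just named fit together: a Policy Decision Point evaluates a request's subject, action, resource and context attributes (role, device, risk score, time of day) against a constructed ABAC-style policy set with a default-deny outcome, and a Policy Enforcement Point asks for that decision, records it for audit and gates the action. The policy rules, attribute names and risk-score scale are assumptions chosen for the example.

```python
from dataclasses import dataclass
# Constructed sample policy set (illustrative, not from any real product). Each rule
# permits actions for roles on resources of the listed classifications, subject to
# context: managed device, a maximum risk score and an optional hour window (24h).
POLICIES = [
    {"id": "analyst-read", "roles": {"analyst", "admin"}, "actions": {"read"},
     "classifications": {"public", "internal"},
     "device_managed": True, "max_risk": 50, "hours": None},
    {"id": "admin-write-hours", "roles": {"admin"},
     "actions": {"read", "write", "delete"},
     "classifications": {"public", "internal", "confidential"},
     "device_managed": True, "max_risk": 20, "hours": (8, 18)},
]

@dataclass(frozen=True)
class Request:
    subject: str           # identity established by authentication
    roles: frozenset       # group memberships fetched from the directory
    action: str
    classification: str    # resource attribute from resource metadata
    device_managed: bool   # context signals supplied by the enforcement point
    risk: int
    hour: int

def rule_matches(rule, req):
    """ABAC check: True only when every condition of the rule holds for the request."""
    hours = rule["hours"]
    return (
        bool(req.roles & rule["roles"])
        and req.action in rule["actions"]
        and req.classification in rule["classifications"]
        and (req.device_managed or not rule["device_managed"])
        and req.risk <= rule["max_risk"]
        and (hours is None or hours[0] <= req.hour < hours[1])
    )

def decide(req, policies=POLICIES):
    """Policy Decision Point: default deny; the first matching permit rule wins."""
    for rule in policies:
        if rule_matches(rule, req):
            return "permit", rule["id"]
    return "deny", None

def enforce(req, audit, policies=POLICIES):
    """Policy Enforcement Point: ask the PDP, record the outcome for audit, then gate."""
    decision, rule_id = decide(req, policies)
    audit.append({"subject": req.subject, "action": req.action,
                  "classification": req.classification, "decision": decision, "rule": rule_id})
    return decision == "permit"
```

Because the decision is default-deny, a request that matches no rule (an unknown role, an unmanaged device, a risk score above the threshold or an out-of-hours write) is refused and still produces an audit record.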
2. Enterprise Usage and Architectural Context
Enterprises use authorization to protect applications, APIs, data stores, infrastructure and Software-as-a-Service (SaaS) services by enforcing least privilege and segregation of duties. Authorization decisions occur at multiple layers, including network, application, database, Operating System (OS) and cloud management planes.
Modern enterprise architectures use standards-based authorization protocols and frameworks, such as Open Authorization 2.0 (OAuth 2.0) and OpenID Connect (OIDC) for delegated authorization scenarios, and the eXtensible Access Control Markup Language (XACML) for policy-based access control. Zero trust architectures place authorization checks close to resources and enforce continuous verification based on context.
3. Related or Adjacent Technologies
Authorization operates in conjunction with authentication, which establishes identity before any access decision. It also interacts with identity and access management systems, directories, privilege management tools and secrets management to obtain user attributes, group memberships and resource metadata.
Security technologies such as Single Sign-On (SSO), Multifactor Authentication (MFA), Application Programming Interface (API) gateways, web access management, cloud access security brokers and endpoint security tools often embed authorization functions. Logging and monitoring systems record authorization decisions for audit, compliance and Security Operations (SecOps).
4. Business and Operational Significance
Authorization supports compliance with regulations and standards that require control over who can view, modify or administer systems and data, including privacy, financial reporting and sector-specific security rules. It reduces unauthorized access risk and supports auditable access governance.
Enterprises use centralized and policy-based authorization to maintain consistent controls across heterogeneous environments, including multi-cloud and hybrid infrastructures. Well-implemented authorization reduces administrative overhead, supports role lifecycle management and enables safer adoption of external users, partners and machine identities.