What Is Authorization and How Does It Work?
Authorization in cybersecurity refers to the process of granting or denying access to resources based on the identity and level of permission of a user or device (sometimes collectively referred to as an entity). Furthermore, part of the authorization process is enforcing access controls that determine what actions the entity is permitted to perform on a given resource. Authorization may be granted to entities on a case-by-case basis, or according to a predetermined model, such as role-based access control.
Authorization is a crucial component of cybersecurity. It fortifies confidentiality, integrity, and availability of data and resources within an IT environment by ensuring only authorized users may access and perform operations on them.
In the rest of the article, we will focus on authorization of users unless otherwise stated.
Relationship between authorization and authentication
Authorization works in tandem with authentication. Before a user is authorized access, they need to go through the authentication process first — confirmation of their identity (e.g., via magic links, biometrics).
To understand the distinction between authorization and authentication, consider an example of exercising the right to vote and voter registration:
Completing the voter registration process authenticates an individual, i.e., validates their identity and confirms voting eligibility.
Registered voters are authorized to vote at polling stations. Depending on criteria such as political party affiliation or location, some voters may hold additional authorizations, such as primary or mail-in voting.
How does authorization work?
As mentioned before, authorization grants or denies access based on the user's permission level. For example, an employee may have read-only access to certain files, while a manager may have read-write access. Authorization is typically managed by an access control system, which enforces the policies and rules set by the organization.
Here’s a step-by-step overview of how authorization works in a typical cybersecurity context:
Authentication: First, users must confirm their identities, typically by entering a username and password (note: other better methods exist!).
Authorization request: Once the user is authenticated, they can request access to a specific resource, such as a file or database. This request includes information about the user, such as their username and any other relevant attributes, such as their role or group membership.
Access control: The access control system receives the authorization request and checks whether the user is authorized to access the requested resource. This typically involves consulting a set of policies or rules that define who can access which resources under what conditions.
Authorization decision: Based on the access control policies, the system makes an authorization decision, either granting or denying the user's request. If the user is granted access, they can proceed to access the resource. If access is denied, the user is informed that they do not have permission to access the resource.
Logging: Following the authorization decision, the system records all relevant information, such as the time of access, the user's identity, and activity. This information can be used for auditing and compliance purposes, as well as for detecting and investigating security incidents.
Revocation: Access permissions can be revoked at any time, either automatically based on predefined policies or manually by an administrator. When access is revoked, the user can no longer access the resource, and their activities are logged for auditing and investigation.
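The six steps above worked through as a small added example (not code from the article or from Descope): a constructed user store, case-by-case grants, an audit log that records every decision, and a revocation that the next check honours immediately. The accounts `alice`/`bob` and the resource `reports/q3.xlsx` are constructed names.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample data (not from the article). Password digests use plain
# SHA-256 only to keep the demo dependency-free; a real system stores passwords
# with a slow salted hash such as bcrypt or Argon2.
USERS = {
    "alice": hashlib.sha256(b"alice-secret").hexdigest(),
    "bob": hashlib.sha256(b"bob-secret").hexdigest(),
}
_DUMMY = hashlib.sha256(b"dummy").hexdigest()  # compared when the user is unknown
# Case-by-case grants: user -> set of (resource, action) permitted.
GRANTS = {
    "alice": {("reports/q3.xlsx", "read"), ("reports/q3.xlsx", "write")},
    "bob": {("reports/q3.xlsx", "read")},
}
AUDIT_LOG = []  # step 5: every decision and revocation is appended here

def _log(event, **fields):
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(), "event": event, **fields})

def authenticate(username, password):
    """Step 1: verify identity; returns a session dict or None."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    # Always run a constant-time compare so unknown users take the same path,
    # then still require the account to exist.
    ok = hmac.compare_digest(digest, USERS.get(username, _DUMMY)) and username in USERS
    _log("auth_ok" if ok else "auth_failed", user=username)
    return {"user": username} if ok else None

def authorize(session, resource, action):
    """Steps 2-4: check the request against GRANTS and return the decision."""
    if session is None:  # unauthenticated requests never reach the policy check
        _log("denied", user=None, resource=resource, action=action, reason="no session")
        return False
    user = session["user"]
    allowed = (resource, action) in GRANTS.get(user, set())
    _log("granted" if allowed else "denied", user=user, resource=resource, action=action)
    return allowed

def revoke(username, resource, action):
    """Step 6: an administrator removes a grant; later checks reflect it immediately."""
    GRANTS.get(username, set()).discard((resource, action))
    _log("revoked", user=username, resource=resource, action=action)

if __name__ == "__main__":
    session = authenticate("bob", "bob-secret")
    print(authorize(session, "reports/q3.xlsx", "write"))  # False: bob only holds read
    revoke("alice", "reports/q3.xlsx", "write")
    print(AUDIT_LOG[-1]["event"])  # revoked
```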
Types of authorization
Authorization may be granted based on various criteria or models. The three main models used are role-based, relationship-based, and attribute-based access control. Out of these, attributes are the broadest way to model authorization, since anything can theoretically be considered an attribute. Roles can be considered a subset of attributes, and relationships fall somewhere in between.
Common models used to govern authorizations include the following:
Role-Based Access Control (RBAC)
RBAC is a method of authorization that assigns users to specific roles based on their job responsibilities. Each role has a set of permissions that determine what actions the user can perform. For example, a bookkeeper in the accounting department may have read-only access to financial reports, while a senior accountant may have read-write access.
Attribute-Based Access Control (ABAC)
ABAC determines user authorizations by the attributes associated with their identity or account. These attributes may include their job title (as with RBAC), but also factor in other relevant information, such as location, department, team lead, shift, current projects, etc. As a result, ABAC is more granular than RBAC, allowing for more precise control over user access.
Relationship-Based Access Control (ReBAC)
ReBAC determines authorization based on relationships between resources and identities (or users). Some of these relationships include:
Data ownership: For example, after you create a post on LinkedIn, you can edit the post as well as delete it. However, you can't edit or delete the posts of others. You have these permissions for the posts you create since you are the "owner" of these posts.
Parent-child relationships: For example, if you have "edit" permissions for a folder, then you automatically have "edit" permissions on all the files within that folder, since the folder and files have a parent-child hierarchy.
User groups: Rather than assigning permissions role by role, you can group users together and assign permissions to the whole group at once. This approach avoids the ballooning of roles with individual permissions as organizations grow in size.
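An added example (not code from the article or from Descope) that evaluates requests under RBAC, ABAC and ReBAC side by side, using constructed users, roles, attributes and an object graph; the ReBAC part implements the ownership, folder-to-file inheritance and group assignment described above.

```python
# Constructed sample data (not from the article): role permission sets, user
# attributes, and an object graph with owners and parent folders.
ROLE_PERMS = {
    "bookkeeper": {"report:read"},
    "senior_accountant": {"report:read", "report:write"},
}
USERS = {
    "dana": {"roles": {"bookkeeper"}, "department": "accounting", "location": "office", "groups": {"finance"}},
    "eli": {"roles": {"senior_accountant"}, "department": "accounting", "location": "remote", "groups": {"finance"}},
    "sam": {"roles": set(), "department": "sales", "location": "office", "groups": set()},
}
OBJECTS = {  # ReBAC: each object has an owner and an optional parent folder
    "folder:fin": {"owner": "eli", "parent": None},
    "file:fin/ledger": {"owner": "dana", "parent": "folder:fin"},
    "post:42": {"owner": "sam", "parent": None},
}
GROUP_EDIT = {"finance": {"folder:fin"}}  # group -> objects the group may edit

def rbac_allows(user, perm):
    """RBAC: the permission must belong to one of the user's roles."""
    return any(perm in ROLE_PERMS.get(r, set()) for r in USERS[user]["roles"])

# ABAC: each rule is a predicate over the full attribute set, so a decision can
# combine role with location, department, shift, and so on.
ABAC_RULES = [
    ("report:read", lambda a: a["department"] == "accounting"),
    ("report:write", lambda a: "senior_accountant" in a["roles"] and a["location"] == "office"),
]

def abac_allows(user, perm):
    """ABAC: any rule for the permission that holds for the user's attributes."""
    return any(p == perm and rule(USERS[user]) for p, rule in ABAC_RULES)

def _chain(obj):
    """Yield the object and then each ancestor folder, so parent rights flow down."""
    while obj is not None:
        yield obj
        obj = OBJECTS[obj]["parent"]

def rebac_allows(user, action, obj):
    """ReBAC: the owner of the object (or of an ancestor) may do anything;
    a group holding edit rights on the object or an ancestor may edit."""
    groups = USERS[user]["groups"]
    for node in _chain(obj):
        if OBJECTS[node]["owner"] == user:
            return True
        if action == "edit" and any(node in GROUP_EDIT.get(g, set()) for g in groups):
            return True
    return False
```

Note that `eli` holds the `senior_accountant` role, so RBAC grants the write while ABAC denies it because of the `remote` location attribute.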
Mandatory Access Control (MAC)
MAC is a method of authorization relying on security attributes that restrict access to resources based on the sensitivity of the data. The security policies are typically defined by the system administrator or security officer.
A user's clearance level is typically determined by their job role, their formal security clearance, or other factors that relate to their trustworthiness. The sensitivity level of a resource is determined by the value of the data it contains, as well as any legal or regulatory requirements for its protection.
Discretionary Access Control (DAC)
The opposite of MAC, DAC leaves authorization decisions at the discretion of individuals. Most commonly, the deciding individual is the owner of the resource a user requests access to. DAC is commonly used in smaller organizations or collaborative projects. However, it is not as secure as other access control models, and should be used with caution in settings where security is a high priority.
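An added example (not code from the article or from Descope) contrasting the two models with constructed clearance labels, resources and owners: under MAC only the ordering of labels decides, under DAC the resource owner hands out access, and a combined check shows that an owner's grant cannot override a MAC denial.

```python
# Constructed sample data (not from the article): an ordered set of sensitivity
# labels, per-user clearances, and labelled resources with an owner each.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
CLEARANCE = {"ann": "secret", "raj": "internal", "lee": "public"}
RESOURCES = {
    "payroll.csv": {"label": "confidential", "owner": "ann"},
    "handbook.pdf": {"label": "internal", "owner": "raj"},
}
ACL = {name: set() for name in RESOURCES}  # DAC: users the owner has granted read to

def mac_can_read(user, resource):
    """MAC: the user's clearance must dominate the resource label; the owner has no say."""
    return LEVELS[CLEARANCE[user]] >= LEVELS[RESOURCES[resource]["label"]]

def dac_grant(grantor, grantee, resource):
    """DAC: only the owner may extend access. Returns True if the grant was applied."""
    if RESOURCES[resource]["owner"] != grantor:
        return False
    ACL[resource].add(grantee)
    return True

def dac_revoke(grantor, grantee, resource):
    """DAC: only the owner may withdraw access. Returns True if a grant was removed."""
    if RESOURCES[resource]["owner"] != grantor or grantee not in ACL[resource]:
        return False
    ACL[resource].discard(grantee)
    return True

def dac_can_read(user, resource):
    return RESOURCES[resource]["owner"] == user or user in ACL[resource]

def can_read(user, resource):
    """Combined check: the owner's discretion applies only within the MAC limits."""
    return mac_can_read(user, resource) and dac_can_read(user, resource)
```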
Authorization use cases
This section provides real-world scenarios demonstrating authorization in practice and the importance of proper management:
Authorization in operating systems: Operating systems often restrict access to sensitive files and settings. For example, a user may be required to enter an administrator password to install software or modify system settings.
Authorization in web applications: Web applications use authorization to restrict access to certain pages or features. For example, a user may need to be logged in and have a certain level of permission to view customer data or place an order.
Authorization in databases: Databases use authorization to restrict access to sensitive data. For example, a user may only be able to view data from a specific table or have read-only access to certain fields.
Authorization in cloud environments: Cloud environments use authorization to restrict access to virtual machines (VMs), storage, and other resources. For instance, a user may be assigned the role of "VM Operator", which allows them to start, stop, and restart VMs, while another user may be assigned the role of "VM Administrator", which grants them full control over the VMs.
Authorization in IoT devices: Authorization is a critical mechanism used to secure and control access to sensitive settings or data on connected devices. For example, a smart home device such as a security camera may require users to enter a password or authenticate with other credentials before they can connect to it remotely.
Common challenges of authorization
Common challenges organizations face with authorization include the following:
Lack of understanding: Authorization depends on complex models that require active management. If organizations do not understand these complexities, then misconfigurations, security vulnerabilities, and improperly provisioned or unrevoked authorizations (i.e., “permission bloat”) can easily occur.
Weak authentication: Weak passwords and inadequate authentication methods can make it easy for attackers to bypass authorization controls and further infiltrate the environment.
Insufficient monitoring: Organizations remain in flux, with users joining, changing roles, and departing, among other changes. Over time, monitoring authorizations becomes increasingly challenging. Without the correct monitoring settings, organizations will struggle to detect unauthorized access or changes to authorization settings.
Human error: Humans maintain responsibility over security configurations and, in some cases, data entry. Errors can cause unintentional misconfigurations, data leaks, or incorrect provisioning.
Fine-grained authorization with Descope
Adding authorization to a B2B app can be a complex and time-consuming endeavor. Thinking about tenants, roles, relationships, and permissions diverts developers away from other business-critical initiatives. Moreover, before authorization comes authentication – which can also prove to be a laborious process to handle in-house. Not to mention, making mistakes with authentication and authorization can have grave consequences.
Descope helps developers build secure, frictionless authentication and user journeys for their apps. Descope’s drag-and-drop workflows, SDKs, and APIs abstract away the complexity of authentication so developers can spend time building their core product. B2B app builders can also use Descope to easily add RBAC and ReBAC to their app.