Understanding what users can do after they've been authenticated
Authorization determines what authenticated users can do within a system. While authentication verifies identity ("who you are"), authorization establishes permissions ("what you can do").
| Authentication | Authorization |
|---|---|
| Verifies who a user is | Determines what a user can do |
| Example: Checking an ID card to enter a building | Example: Determining which rooms you can enter |
| Happens before authorization | Happens after authentication |
| Uses passwords, biometrics, tokens | Uses permissions, roles, policies |
In a hospital information system:
In a company's accounting software:
In an educational platform:
| Mechanism | Description | Example |
|---|---|---|
| Role-Based Access Control (RBAC) | Permissions based on user roles | Admin, Editor, Viewer roles in a content management system |
| Rule-Based Access Control | Permissions based on predefined rules | Allow access only during business hours |
| Attribute-Based Access Control (ABAC) | Permissions based on user attributes and context | Allow access based on department, location, and security clearance |
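As an added example (not part of the original page), the three mechanisms in the table above are combined into one small deny-by-default authorization check in Python: RBAC via a role-to-permission map, rule-based control via a business-hours window, and ABAC via department, location and clearance attributes. The role map, the hours, the clearance scale and the sample users and resource are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# RBAC policy: role -> granted permissions (constructed sample, CMS-style roles).
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "delete", "publish"},
    "editor": {"read", "write"},
    "viewer": {"read"},
}

@dataclass(frozen=True)
class User:
    """An already-authenticated subject; its attributes drive RBAC and ABAC."""
    role: str
    department: str
    location: str
    clearance: int  # constructed scale: 1 (low) .. 3 (high)

@dataclass(frozen=True)
class Resource:
    department: str
    min_clearance: int
    allowed_locations: frozenset

def rbac_allows(user: User, action: str) -> bool:
    """RBAC: the decision depends only on the role; unknown roles get nothing."""
    return action in ROLE_PERMISSIONS.get(user.role, set())

def within_business_hours(when: datetime) -> bool:
    """Rule-based: a predefined rule, here Monday to Friday, 09:00 to 17:59."""
    return when.weekday() < 5 and 9 <= when.hour < 18

def abac_allows(user: User, resource: Resource) -> bool:
    """ABAC: subject attributes (department, clearance, location) vs resource tags."""
    return (user.department == resource.department
            and user.clearance >= resource.min_clearance
            and user.location in resource.allowed_locations)

def authorize(user: User, action: str, resource: Resource, when: datetime) -> bool:
    """Deny by default: every mechanism in the chain must allow the request."""
    return (rbac_allows(user, action)
            and within_business_hours(when)
            and abac_allows(user, resource))

# Constructed sample data for a stand-alone run.
LEDGER = Resource("finance", 2, frozenset({"HQ"}))
EDITOR = User("editor", "finance", "HQ", 2)   # allowed to write the ledger
VIEWER = User("viewer", "hr", "HQ", 3)        # wrong department for the ledger
WEDNESDAY_NOON = datetime(2024, 6, 12, 12, 0)  # inside business hours
SATURDAY_NOON = datetime(2024, 6, 15, 12, 0)   # weekend, rule denies
```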