What Is Authorization?

Authorization is a very common term in computer security. But most people confuse it with authentication. Let me explain it with an example.

• Imagine you registered for an event open only to registered users. On the day of the event, when you arrive, they verify your identity at the gate. This is the authentication step. It confirms you are a registered member.
• Once authenticated, authorization takes place. It’s like receiving a special card that tells you what you can do inside the event and which areas you can access. Authorization sets the boundaries and permissions for your actions at the event.

Now, let's dig deeper into the topic and see why authorization has become a major security concept.

What is authorization?

Authorization is the process of deciding what actions, parts of a website, or application a given user can access after they have been authenticated.

Once you are authenticated, the backend server checks your roles, permissions, or access levels. Then, it determines what actions you can perform and which resources you can access.

With proper authorization, users can do only what they are allowed within the application.

Authorization vs. authentication

In authentication, a user’s identity is verified to grant access to a system. Users must input their login details, like a username or email address and password, for verification. After successful authentication, the server identifies whether the user is trusted to access the system. Authentication involves transmitting information through an ID token.

In authorization, a user’s permissions are checked to decide which actions they can perform on which resources. Authorization requires the user’s privileges or security levels. At the end of this process, it determines what permissions a user has. Information is transmitted through an access token during authorization.

Let's compare the differences between authorization and authentication with a table.

Real-world use cases for authorization

Let's consider some practical use cases to understand how authorization is used in real-world use cases.

In financial management systems, a junior accountant may only have access to input and view transaction data. However, a senior accountant or finance manager has the authorization to approve transactions and generate financial reports.

Next, let's take a hospital's electronic health record system. There, a nurse might have the authorization to view a patient’s medical history and update routine care notes. However, a doctor could have high-level access to prescribe medications and modify treatment plans.

How does authorization work?

Learning about how authorization works is important because that helps you to implement proper access control for your systems. It starts with authentication.

• Step 1: Authentication. During this step, user identity verification will happen. User data such as username and password will be used for the identity verification.
• Step 2: Authorization Request. After authentication, the user requests access to a resource. This request may include the user role or the user’s group.
• Step 3: Access Control Evaluation. The access control system checks if the user’s request matches with the defined policies or rules.
• Step 4: Authorization Decision. The back-end server decides whether to allow or deny access based on the policies. If access is given, the user can access the resource. If it's denied users are informed of the restriction.
• Step 5: Logging and Auditing. Log all access activities for auditing and security purposes.
• Step 6: Permission Revocation. The system should be able to revoke the access rights of any user at any time, especially if the activity appears suspicious. It also should be able to record any subsequent actions for review.

Types of authorization techniques

Let’s look at the most common authorization techniques.

Role-Based Access Control

RBAC is the process of assigning permissions to system users based on a user role. This approach is more manageable than directly assigning permissions to a user.

• In RBAC, admins analyze the needs of the users and group them into roles.
• Admins consider responsibilities specific to different users while grouping them.
• The system admins can assign one or multiple roles to a user and one or multiple permissions to a role.

Relationship-Based Access Control

ReBAC grants authorization based on the relationships between users and resources. For example: A user can edit a document they created but can't edit documents created by someone else.

In this method, instead of assigning permissions individually, you can group users together and assign permissions to the entire group. This is helpful when the organization scales.

Attribute-Based Access Control

ABAC grants permissions based on a user's attributes or characteristics. In this method, an organization’s access policies make decisions based on the attributes of the subject, resource, action, and environment involved in the access event.

For example, it can be based on:

• Job title
• Location
• Department

Security Assertion Markup Language

SAML is an open standard. It is used for exchanging various types of authorization details between an identity provider and a service provider. In a basic role-based access control scenario, a SAML assertion from the identity provider can include user roles as attributes. The service provider then uses these roles to grant access to specific resources.

eXtensible Access Control Markup Language

XACML is an XML-based policy creation language. Users can define access control policies defining who can do what and when. It is mainly used as an attribute-based control authorization solution.

OpenID Connect

OIDC is considered an authentication as well as authorization protocol. It was created on top of OAuth 2.0. This is used for providing SSO among multiple applications. During the authorization process, OIDC issues access tokens that are used to authorize applications to access user data.

Also, it supports defining scopes and managing user consent. OIDC also supports token revocation, so that admins have the capability to revoke access to any resource during any emergency.

JWT (JSON Web Tokens) Authorization

JWT (JSON Web Token) provides authorization by generating a token that contains encoded user information, which the server can verify and decode using a secret key. This token passed from the backend to the front end, is sent with API requests to access protected routes. The server checks the token's validity to grant or deny access. These tokens include an expiration time to limit unauthorized access in case the token is compromised.

What are the benefits of authorization?

After learning about how authorization functions and the various techniques involved, here is a list of the key benefits of authorization:

• Helps control who can access specific data by protecting sensitive information from unauthorized parties.
• Helps to prevent security vulnerabilities such as data breaches.
• In authorization, actions taken within a system are tied to specific users. Therefore it increases accountability and makes it easier to track and audit activities within the system.
• Authorization frameworks can be adapted to various environments, from on-premises systems to cloud-based applications.
• With strategies like Role-Based Access Control, it's easy to manage user permissions in bulk. This reduces administrative overhead.
• By managing access based on roles or attributes, authorization strengthens security.

Challenges in implementing authorization solutions

One of the major challenges in implementing authorization solutions is that these models require careful management. Therefore, if you fail to manage the system properly it can lead to issues such as:

• Misconfigurations
• Security gaps
• Excessive or outdated permissions

Another challenge is that inadequate authentication methods, like weak passwords, can compromise authorization controls.

Also, errors in security configuration and data management can result in unintended security breaches, such as misconfigurations or assigning incorrect permissions.

Best practices for implementing authorization solutions

Here is a list of recommended best practices for implementing authorization solutions.

Design early

Need to design authorization solutions early in the software development lifecycle. It helps to thoroughly plan the roles and privileges. So it won't add complexity as the application scales.

Fine-grained access policies

Utilize authorization policies like RBAC, ABAC, or mandatory access controls to enforce fine-grained access. Implement a default deny policy to prevent unauthorized access, even if other controls are bypassed.

Secure session management

Maintain authorization states server-side and sign all session data to prevent tampering. Use cryptography libraries or signed JWT tokens to manage session cookies and CSRF tokens.

Resource ownership verification

Implement resource ownership verification to prevent cross-account vulnerabilities like IDOR. With this practice, only the rightful owner can access or modify their data.

Factors to consider when building authorization

To create an effective, secure, and manageable authorization system, you need to consider several factors.

• Access control strategy - Pick a suitable strategy like Role-Based Access Control or Attribute-Based Access Control. Evaluating available options and selecting a proper strategy helps you to effectively manage how access is granted to your resources.
• Role assignment method - Implement a method for assigning IAM roles, such as admin or other privileges, to users across your system.
• Policy management - Enable admins to define and manage access policies for users, groups, devices, apps, and other entities within their domains.
• Manage access for customers - Provide access for customers to assign and manage user roles, permissions, and policies, reducing your administrative workload.
• Admin management provisions - Make sure that the system admins have provisions to manage roles, permissions, and policies for both your users and customers.