100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

Authorization

BeginnerConcept3.5K learners

Authorization is the process of determining what an authenticated identity is permitted to do within a system — which resources it can read, modify, or delete. It runs after authentication (which confirms who you are) and enforces…

Definition

Authorization is the process of determining what an authenticated identity is permitted to do within a system — which resources it can read, modify, or delete. It runs after authentication (which confirms who you are) and enforces access-control policies such as roles, scopes, or attribute rules on every subsequent request or action.

Overview

Authorization answers the question 'what are you allowed to do?' after authentication has already answered 'who are you?'. Systems typically implement it through models like role-based access control (RBAC), where permissions are grouped into roles assigned to users, or attribute-based access control (ABAC), where decisions depend on user, resource, and environment attributes evaluated at request time. OAuth 2.0 scopes are a common authorization mechanism for APIs, letting a token carry a limited set of permitted actions rather than full account access. Authorization checks belong on the server side, never solely in client code, because client-side checks can be bypassed. A well-designed system enforces authorization at multiple layers — API gateway, service, and database — to avoid a single point of failure. Common vulnerabilities arise from missing or inconsistent checks, such as insecure direct object references (IDOR), where an endpoint fails to verify that the requesting user actually owns the resource being accessed. Authorization is distinct from but dependent on authentication: a system must first establish identity reliably before it can apply permission rules to that identity. Session tokens, JWTs, and API keys typically carry both an authenticated identity and, often, embedded authorization claims (roles or scopes) that services use to make access decisions without a database round trip.

Key Concepts

  • Runs after authentication, using the established identity to decide permitted actions
  • Common models: RBAC (roles), ABAC (attributes), and ACLs (per-resource lists)
  • Enforced server-side on every request, not just in UI logic
  • Often expressed as OAuth 2.0 scopes or JWT claims for API access
  • Applies at multiple layers: gateway, service, and data store
  • Principle of least privilege limits default access to the minimum required
  • Policy engines (e.g., OPA, Casbin) centralize authorization logic across services

Use Cases

Restricting admin dashboard routes to users with an admin role
Scoping OAuth access tokens to read-only calendar access
Enforcing row-level security so users see only their own database records
Gating premium features behind a subscription-tier check
Limiting a microservice's API key to specific endpoints
Applying multi-tenant isolation so one customer cannot access another's data
Auditing permission changes for compliance (SOC 2, HIPAA)

Frequently Asked Questions