Authorization
Authorization is the process of verifying a user’s rights to perform specific actions or access certain sections of a system after their identity has already been established (authenticated). Authorization answers the question: “What is this user allowed to do?”
What is Authorization?
Authorization is the access control stage that determines a user’s level of permissions within a system. After successful login (authentication), the system checks which resources, functions, or data are available to that particular user.
Example:
In an online store, a customer can view their orders but cannot change prices—only an administrator has that right. This is authorization.
How Authorization Works
- A user undergoes authentication—entering a username and password or a one-time code, or logging in via SMS or OAuth.
- The system identifies the user.
- Authorization determines:
  - Which pages they can open,
  - Which operations they can perform,
  - Which data they can view.
Authorization vs. Authentication
These concepts are often confused, but they serve different functions.
| Process | What it does |
| --- | --- |
| Authentication | Verifies who the user is (identity confirmation). |
| Authorization | Determines what they are allowed to do (access level). |
Simple Analogy:
- Authentication is a guard checking your ID.
- Authorization is the guard allowing you to enter only certain rooms.
Types of Authorization
- Role-Based (RBAC): Permissions are granted based on roles: admin, user, manager, editor.
- Discretionary (DAC): Access is determined by the resource owner (e.g., a folder owner decides who can open it).
- Mandatory (MAC): Used in high-security systems; access depends on security clearance levels.
- Attribute-Based (ABAC): Permissions are determined by a set of attributes: time, device, location, status.
Where Authorization is Used
- Online stores
- CRM systems
- Banking applications
- Corporate portals
- SaaS services
- Mobile applications
- Cloud services
- Website admin panels
It is used everywhere there is a division of access rights.
Authorization Methods
- Via roles and groups
- Via ACL (Access Control Lists)
- Via tokens (e.g., JWT)
- Via OAuth/OAuth2 for working with third-party services
- Via cookies and sessions
- Via API keys
Why Authorization is Important
- Data security
- Protection against unauthorized actions
- Prevention of user errors
- Proper distribution of permissions within a team
- Restriction of dangerous operations
Without authorization, any user could change settings, delete data, or perform prohibited actions.
Real-World Examples of Authorization
- A CMS administrator can change the website design, while an editor can only publish articles.
- A CRM manager sees only their own deals, whereas a supervisor sees those of all employees.
- A customer sees their own orders but cannot access others’ orders.
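The scenarios above as a deny-by-default role plus ownership check, written here as an added example (not code from the original article); the role names, permission strings, users and resources are constructed for illustration:

```python
from dataclasses import dataclass
# Constructed sample policy (an assumption, not from the article): role -> permissions.
# "<kind>:<action>:*" covers every resource of that kind; ":own" only ones the user owns.
ROLE_PERMISSIONS = {
    "customer":   {"order:view:own"},
    "manager":    {"deal:view:own"},
    "supervisor": {"deal:view:*"},
    "editor":     {"article:publish:*"},
    "admin":      {"article:publish:*", "site:design:*", "product:price:*"},
}

@dataclass(frozen=True)
class User:
    id: str
    roles: frozenset

@dataclass(frozen=True)
class Resource:
    kind: str
    id: str
    owner_id: str

def is_authorized(user: User, action: str, resource: Resource) -> bool:
    """Deny by default: grant only if a role allows `action` on all resources of
    this kind, or on owned ones and the user actually owns this resource."""
    for role in user.roles:
        perms = ROLE_PERMISSIONS.get(role, set())
        if f"{resource.kind}:{action}:*" in perms:
            return True
        if f"{resource.kind}:{action}:own" in perms and resource.owner_id == user.id:
            return True
    return False
def demo() -> dict:
    """The article's scenarios as authorization decisions (constructed users/data)."""
    alice = User("alice", frozenset({"customer"}))
    bob = User("bob", frozenset({"customer"}))
    mgr = User("mgr1", frozenset({"manager"}))
    boss = User("boss", frozenset({"supervisor"}))
    admin = User("root", frozenset({"admin"}))
    alices_order = Resource("order", "o-1", owner_id="alice")
    mgrs_deal = Resource("deal", "d-7", owner_id="mgr1")
    price_tag = Resource("product", "p-1", owner_id="store")
    return {
        "customer views own order": is_authorized(alice, "view", alices_order),      # True
        "customer views another's order": is_authorized(bob, "view", alices_order),  # False
        "customer changes price": is_authorized(alice, "price", price_tag),          # False
        "admin changes price": is_authorized(admin, "price", price_tag),             # True
        "manager views own deal": is_authorized(mgr, "view", mgrs_deal),             # True
        "supervisor views any deal": is_authorized(boss, "view", mgrs_deal),         # True
    }
```

The ownership comparison inside `is_authorized` is the part that keeps one customer from opening another customer's order; a role check alone would not.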
Conclusion
Authorization is the mechanism that determines which actions and resources are available to a user after their identity is confirmed. It is an essential security element, without which proper system management is impossible.
