Authorization
Authorization is the process of determining what actions or resources an authenticated user is permitted to access.
Authorization answers "what can you do?" after authentication has verified identity.
Authorization models:
- RBAC (Role-Based): Access based on assigned roles
- ABAC (Attribute-Based): Dynamic policies using attributes
- ReBAC (Relationship-Based): Access based on relationships
- DAC (Discretionary): Owners control access
- MAC (Mandatory): System-enforced policies
Authorization implementation:
- Access Control Lists (ACLs)
- Permission matrices
- Policy engines (OPA, Cedar)
- OAuth 2.0 scopes
Best practices:
- Default deny (explicit allow required)
- Least privilege access
- Regular access reviews
Why It Matters
Broken authorization is the #1 vulnerability in the OWASP API Security Top 10. Even with strong authentication, improper authorization allows users to access data belonging to others, escalate privileges, or perform unauthorized actions. Implementing proper authorization at the API level—not just the UI—is critical for preventing data breaches and meeting compliance requirements.
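The following is an added example, not code from this page, showing the best practices above (default deny, least privilege through roles) and the backend enforcement point made here: a small RBAC permission table combined with an object-level ownership check, with the role-only check that lets a user read another user's record placed beside the hardened one. The users, invoice records and permission names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: str
    roles: frozenset

@dataclass(frozen=True)
class Invoice:
    id: str
    owner_id: str

# RBAC layer: roles map to named permissions. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "customer": {"invoice:read"},
    "billing":  {"invoice:read", "invoice:update"},
    "admin":    {"invoice:read", "invoice:update", "invoice:delete"},
}
# Constructed sample records: each invoice belongs to exactly one user.
INVOICES = {
    "inv-1": Invoice("inv-1", owner_id="alice"),
    "inv-2": Invoice("inv-2", owner_id="bob"),
}

def has_permission(user, action):
    # Unknown roles contribute nothing, so a typo in a role name denies rather than allows.
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)

def role_only_check(user, action, invoice):
    # The flaw described above: the role is checked, the record's owner is not,
    # so any customer can read any invoice whose id they know.
    return has_permission(user, action)

def is_authorized(user, action, invoice):
    # Default deny: only the explicit allows below return True.
    if not has_permission(user, action):
        return False
    if "admin" in user.roles:
        return True
    # Object-level (relationship) check: non-admins act only on invoices they own.
    return invoice.owner_id == user.id

def get_invoice(user, invoice_id, check=is_authorized):
    # Backend handler: the policy is enforced here, per object, not in the UI.
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    if not check(user, "invoice:read", invoice):
        return 403, None
    return 200, {"id": invoice.id, "owner": invoice.owner_id}
```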
Related Terms
Authentication is the process of verifying the identity of a user, device, or system before granting access to resources.
Access control is a security mechanism that regulates who can view or use resources in a computing environment, ensuring only authorized users can access systems and data.
The principle of least privilege grants users only the minimum permissions necessary to perform their job functions, reducing security risk.
Frequently Asked Questions
Which authorization model should I use?
RBAC suits most organizations; ABAC fits complex, dynamic requirements. Many organizations use a combination.
Where should authorization be enforced?
At the API/service level, not just the UI. The backend must always validate permissions.