Authorization

Controlling Access to Resources

Defining What Users Can Do

Authorization Methods

Authorization Definition

Authorization is the process of determining what an authenticated user is allowed to do - which resources they can access and what actions they can perform on those resources.

Core Questions Authorization Answers:

  • "What can you access?" - Resource permissions
  • "What actions can you perform?" - Operation permissions
  • "When can you access it?" - Time-based restrictions
  • "From where can you access it?" - Location constraints

Authorization vs Authentication

Aspect       Authentication               Authorization
Purpose      Verify identity              Grant permissions
Question     "Who are you?"               "What can you do?"
Process      Login with credentials       Check access rights
Frequency    Once per session             Every resource request
Example      Username + password          Read/write file permissions
Dependency   Independent                  Requires authentication first

Significance in Cybersecurity

Why Authorization is Critical:

  • Principle of Least Privilege: Users get minimum necessary access
  • Data Protection: Prevents unauthorized data exposure
  • Compliance: Meets regulatory requirements
  • Risk Mitigation: Limits damage from compromised accounts
  • Operational Security: Maintains system integrity
  • Audit Trail: Tracks who accessed what resources

Key Authorization Concepts

Subject:

Entity requesting access (user, process, system)

  • Human users
  • Service accounts
  • Applications
  • Devices

Object/Resource:

What is being accessed

  • Files and folders
  • Database records
  • Network resources
  • Applications

Action/Operation:

What the subject wants to do with the object

  • Read: View or access data
  • Write: Modify or create data
  • Execute: Run programs or scripts
  • Delete: Remove data or resources
  • Admin: Change permissions or settings

Authorization Process Flow

Step-by-step Authorization Process:

1. User Authentication: User successfully logs in
   Example: Alice authenticates with username/password

2. Resource Request: User requests access to resource
   Example: Alice tries to open "financial_report.xlsx"

3. Policy Lookup: System checks authorization policies
   Example: Check Alice's permissions for financial files

4. Decision Making: Grant or deny access
   Example: Alice has "read" but not "write" permission

5. Enforcement: Apply the authorization decision
   Example: Allow file opening, disable editing features

6. Logging: Record the access attempt
   Example: Log "Alice accessed financial_report.xlsx (read)"

Authorization Implementation

Common Implementation Methods:

  • Access Control Lists (ACLs): Per-resource lists of which subjects may perform which actions
  • Role-Based Access Control (RBAC): Permissions assigned to roles, users assigned to roles
  • Attribute-Based Access Control (ABAC): Policy rules evaluated over user, resource and environment attributes
  • Capability-Based Security: Unforgeable tokens that name a resource and carry the rights to it; holding the token is the authorization
  • Mandatory Access Control (MAC): System-enforced labels and clearances that resource owners cannot override
  • Discretionary Access Control (DAC): Owner-controlled permissions (the model behind typical file-system ACLs)

Access Control Lists (ACLs)

ACL Concept: Each resource has a list specifying which users/groups can perform which actions
File System ACL Example:

File: /documents/budget.xlsx
Access Control List:
- Owner (Alice): Read, Write, Delete
- Group (Finance): Read, Write
- Group (Managers): Read
- Others: No access

Database ACL Example:
Table: customer_data
- User (sales_user): SELECT, INSERT
- User (admin_user): SELECT, INSERT, UPDATE, DELETE
- Role (reports): SELECT only
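The file-system ACL above, run through the six-step flow from the Authorization Process Flow slide (policy lookup, decision, enforcement, logging). This is an added example for the slides, not code from any real system: the user names, the group membership table and the permission strings are constructed for illustration.

```python
"""ACL lookup, decision, enforcement and logging for the /documents/budget.xlsx example.

Added illustration for the slides; the ACL mirrors the slide, the users and
group memberships are constructed.
"""
import logging

# Constructed ACL, mirroring the slide's entry list for /documents/budget.xlsx.
# Each entry: (principal_type, principal_name, permitted actions).
ACL = {
    "/documents/budget.xlsx": [
        ("user", "alice", {"read", "write", "delete"}),   # owner
        ("group", "finance", {"read", "write"}),
        ("group", "managers", {"read"}),
        # "Others: No access" needs no entry: an unmatched subject gets nothing (default deny)
    ],
}

# Constructed directory: groups of each (already authenticated) user.
GROUPS = {
    "alice": {"finance"},
    "bob": {"managers"},
    "carol": set(),
}

log = logging.getLogger("authz")


def effective_permissions(user: str, resource: str) -> set[str]:
    """Policy lookup: union of every ACL entry matching the user or one of its groups."""
    perms: set[str] = set()
    for kind, name, actions in ACL.get(resource, []):
        if kind == "user" and name == user:
            perms |= actions
        elif kind == "group" and name in GROUPS.get(user, set()):
            perms |= actions
    return perms


def authorize(user: str, resource: str, action: str) -> bool:
    """Decision plus logging: allow only if the action is in the effective set."""
    allowed = action in effective_permissions(user, resource)
    # Log denials as well as grants; the denials are the interesting audit signal.
    log.info("user=%s resource=%s action=%s decision=%s",
             user, resource, action, "allow" if allowed else "deny")
    return allowed


def open_document(user: str, resource: str) -> dict:
    """Enforcement: the opened document exposes only the features the user may use."""
    if not authorize(user, resource, "read"):
        raise PermissionError(f"{user} may not read {resource}")
    return {
        "resource": resource,
        "editable": authorize(user, resource, "write"),
        "deletable": authorize(user, resource, "delete"),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    print(open_document("bob", "/documents/budget.xlsx"))    # read-only view (Managers)
    print(open_document("alice", "/documents/budget.xlsx"))  # full control (owner)
    try:
        open_document("carol", "/documents/budget.xlsx")
    except PermissionError as exc:
        print("denied:", exc)
```

The decision and the enforcement are deliberately separate functions: the same `authorize` check is reused for each feature of the document, so "read but not write" becomes a read-only view rather than a second, parallel permission check written into the UI code.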

Role-Based Access Control (RBAC)

RBAC Concept: Permissions are assigned to roles, and users are assigned to roles
Corporate RBAC Example:

Roles and Permissions:
Employee Role: Read company handbook, Submit timesheets
Manager Role: Employee permissions + Approve leave, View team reports
HR Role: Employee permissions + Access personnel files, Manage benefits
IT Admin Role: All permissions + System administration

User Assignments:
John Smith → Manager Role
Sarah Jones → HR Role
Mike Wilson → IT Admin Role
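The corporate RBAC table as working code, including the "Employee permissions +" inheritance the slide describes. Added example for the slides, not from any product: the role and user names are the slide's, the permission strings and the cycle check are assumptions.

```python
"""RBAC with role inheritance, following the corporate example on the slide.

Added illustration; permission strings are constructed.
"""

# Constructed role definitions. "inherits" expresses "Employee permissions +",
# and IT Admin inherits everything, as the slide's table states.
ROLES = {
    "employee": {"permissions": {"handbook:read", "timesheet:submit"}, "inherits": []},
    "manager":  {"permissions": {"leave:approve", "team_report:read"}, "inherits": ["employee"]},
    "hr":       {"permissions": {"personnel_file:read", "benefits:manage"}, "inherits": ["employee"]},
    "it_admin": {"permissions": {"system:admin"}, "inherits": ["manager", "hr"]},
}

# Constructed user -> roles assignment; a user may hold more than one role.
USER_ROLES = {
    "john.smith": {"manager"},
    "sarah.jones": {"hr"},
    "mike.wilson": {"it_admin"},
}


def role_permissions(role: str, _seen: frozenset = frozenset()) -> set[str]:
    """Transitive closure of a role's permissions through its inherits chain.

    _seen guards against a mis-configured cycle (a inherits b inherits a), which
    would otherwise recurse forever the first time anyone is authorized.
    """
    if role in _seen:
        raise ValueError(f"role inheritance cycle at {role!r}")
    if role not in ROLES:
        raise KeyError(f"unknown role {role!r}")
    perms = set(ROLES[role]["permissions"])
    for parent in ROLES[role]["inherits"]:
        perms |= role_permissions(parent, _seen | {role})
    return perms


def user_permissions(user: str) -> set[str]:
    """Effective permissions: union over every role the user holds; unknown user -> empty set."""
    perms: set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= role_permissions(role)
    return perms


def has_permission(user: str, permission: str) -> bool:
    return permission in user_permissions(user)


def assign_role(user: str, role: str) -> None:
    """Administrative change: the user gains the role's permissions at once, with no per-user edits."""
    role_permissions(role)  # validates the role exists and has no cycle before assigning it
    USER_ROLES.setdefault(user, set()).add(role)


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, sorted(user_permissions(user)))
    print(has_permission("john.smith", "leave:approve"))        # True
    print(has_permission("john.smith", "personnel_file:read"))  # False
```

The point of the model shows in `assign_role`: moving Sarah from HR to Manager is a change to one mapping, and the per-resource permissions never have to be touched. Permission creep (next slides) usually starts when roles are added to a user without the old ones being removed.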

Attribute-Based Access Control (ABAC)

ABAC Concept: Access decisions based on attributes of users, resources, and environment
ABAC Policy Example:

Rule: "Allow access to patient records IF all of the following hold:"
- User.Department = "Medical"
- User.Role IN ("Doctor", "Nurse")
- Resource.Type = "PatientRecord"
- Time.Hour BETWEEN 06:00 AND 22:00
- Location.Zone = "Hospital"
- Patient.AssignedDoctor = User.ID OR User.Role = "Emergency"
  (the last line only makes sense if a user can hold more than one role, e.g. a Doctor who is also on the Emergency roster)

Dynamic Evaluation:
Every access request evaluates all conditions in real time against the attribute values current at that moment; a missing attribute should fail its condition rather than default to allow
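The patient-record rule as a data-driven policy evaluated per request. Added example for the slides, not from any ABAC product (XACML, OPA, Cedar and similar engines do this with their own policy languages): the attribute paths (`user.department`, `resource.assigned_doctor`, `env.hour`, ...), the operator set and the `$user.id` reference syntax are assumptions. Because the rule needs a Doctor or Nurse who may also be "Emergency", roles are modelled as a set-valued attribute.

```python
"""ABAC: the slide's patient-record rule as policy data, evaluated against a request context.

Added illustration; attribute names, operators and sample requests are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: dict      # subject attributes
    resource: dict  # object attributes
    env: dict       # environment attributes (time, location)


# A condition is (attribute path, operator, value). A value of the form "$user.id"
# refers to another attribute, which is how "Patient.AssignedDoctor = User.ID" is written.
PATIENT_RECORD_POLICY = {
    "effect": "allow",
    "all_of": [
        ("user.department", "eq", "Medical"),
        ("user.roles", "intersects", ["Doctor", "Nurse"]),
        ("resource.type", "eq", "PatientRecord"),
        ("env.hour", "between", (6, 22)),   # 06:00 up to, not including, 22:00
        ("env.zone", "eq", "Hospital"),
    ],
    # "AssignedDoctor = User.ID OR User.Role = 'Emergency'": at least one must hold
    "any_of": [
        ("resource.assigned_doctor", "eq", "$user.id"),
        ("user.roles", "contains", "Emergency"),
    ],
}


def _lookup(req: Request, path: str):
    """'user.department' -> req.user['department']; a missing attribute yields None, never a default."""
    scope, _, key = path.partition(".")
    return getattr(req, scope).get(key)


def _resolve(req: Request, value):
    """Dereference '$scope.attr' values against the request; literals pass through."""
    if isinstance(value, str) and value.startswith("$"):
        return _lookup(req, value[1:])
    return value


def _check(req: Request, cond) -> bool:
    path, op, value = cond
    actual = _lookup(req, path)
    expected = _resolve(req, value)
    if actual is None:
        return False  # absent attribute cannot satisfy a condition: fail closed
    if op == "eq":
        return actual == expected
    if op == "contains":          # set-valued attribute holds the value
        return expected in actual
    if op == "intersects":        # set-valued attribute shares a member with the list
        return bool(set(actual) & set(expected))
    if op == "between":
        lo, hi = expected
        return lo <= actual < hi
    raise ValueError(f"unknown operator {op!r}")


def evaluate(policy: dict, req: Request) -> str:
    """'allow' when every all_of condition and at least one any_of condition holds, else 'deny'."""
    if all(_check(req, c) for c in policy["all_of"]) and any(_check(req, c) for c in policy["any_of"]):
        return policy["effect"]
    return "deny"


if __name__ == "__main__":
    dr_lee = {"id": "u123", "department": "Medical", "roles": ["Doctor"]}
    record = {"type": "PatientRecord", "assigned_doctor": "u123"}
    print(evaluate(PATIENT_RECORD_POLICY, Request(dr_lee, record, {"hour": 9, "zone": "Hospital"})))   # allow
    print(evaluate(PATIENT_RECORD_POLICY, Request(dr_lee, record, {"hour": 23, "zone": "Hospital"})))  # deny
```

Note what happens when the location service is down and `env.zone` is simply absent: `_lookup` returns None and the rule fails. An evaluator that substituted a default zone, or treated "unknown" as "not outside", would silently widen access exactly when its inputs are least trustworthy.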

Authorization Challenges

Common Implementation Challenges:

  • Complexity: Managing permissions across multiple systems
  • Scalability: Performance impact with many users/resources
  • Consistency: Ensuring uniform policies across platforms
  • Maintenance: Keeping permissions current as roles change
  • Granularity: Balancing detailed control with simplicity
  • Delegation: Allowing users to grant permissions to others
  • Audit: Tracking who has access to what

Permission Models

Positive Permissions:

Explicitly grant access

  • Default: No access
  • Must be granted explicitly
  • More secure approach
  • Example: "Allow read access"

Negative Permissions:

Explicitly deny access

  • Default: Full access
  • Deny specific actions
  • Used for exceptions
  • Example: "Deny delete access"

Mixed Model:

Combination of positive and negative permissions with precedence rules

  • Typically: Deny permissions override allow permissions
  • More flexible but complex
  • Requires careful policy design
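The mixed model with the precedence rule the slide states (an explicit deny overrides any allow, and nothing matching means deny), which is also how AWS IAM policy evaluation resolves conflicts. Added example for the slides, not from any product: the entries, groups and users are constructed.

```python
"""Mixed allow/deny entries with deny-overrides precedence and a default-deny fallback.

Added illustration; the rule set, groups and users are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    principal: str      # "user:alice" or "group:finance"
    effect: str         # "allow" or "deny"
    actions: frozenset  # actions this entry covers; "*" matches any action


# Constructed rule set for one resource. Order is irrelevant: deny-overrides is
# evaluated over every matching entry, not first-match.
RULES = [
    Entry("group:finance", "allow", frozenset({"read", "write"})),
    Entry("group:contractors", "allow", frozenset({"read"})),
    Entry("group:contractors", "deny", frozenset({"write", "delete"})),  # exception for contractors
    Entry("user:dave", "deny", frozenset({"*"})),                        # dave's access is suspended
]

# Constructed group membership. eve is in finance AND contractors.
GROUPS = {"alice": {"finance"}, "eve": {"finance", "contractors"}, "dave": {"finance"}}


def principals_for(user: str) -> set[str]:
    return {f"user:{user}"} | {f"group:{g}" for g in GROUPS.get(user, set())}


def _covers(entry: Entry, action: str) -> bool:
    return "*" in entry.actions or action in entry.actions


def _matching(user: str, action: str, rules) -> list:
    mine = principals_for(user)
    return [r for r in rules if r.principal in mine and _covers(r, action)]


def decide(user: str, action: str, rules=RULES) -> str:
    """Any matching deny -> 'deny'; else any matching allow -> 'allow'; else default 'deny'."""
    matching = _matching(user, action, rules)
    if any(r.effect == "deny" for r in matching):
        return "deny"
    if any(r.effect == "allow" for r in matching):
        return "allow"
    return "deny"  # default deny: no grant means no access


def explain(user: str, action: str, rules=RULES) -> list[str]:
    """The entries that drove the decision, for audit output and for debugging policy."""
    return [f"{r.effect} {r.principal} {sorted(r.actions)}" for r in _matching(user, action, rules)]


if __name__ == "__main__":
    for user, action in [("alice", "read"), ("alice", "delete"), ("eve", "read"),
                         ("eve", "write"), ("dave", "read"), ("mallory", "read")]:
        print(f"{user:8} {action:7} -> {decide(user, action):5}  because {explain(user, action)}")
```

eve is the case the slide's "more flexible but complex" warning refers to: her Finance membership allows `write`, her Contractors membership denies it, and only the precedence rule makes the answer deterministic. `explain` exists because a policy set with both effects cannot be reviewed by reading one entry at a time.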

Contextual Authorization

Time-Based Authorization:

  • Business hours restrictions
  • Scheduled access windows
  • Temporary permissions
  • Time-limited tokens

Location-Based Authorization:

  • IP address restrictions
  • Geographic limitations
  • Network zone requirements
  • Device location verification
Example Policy:
"Financial data can only be accessed from corporate offices during business hours by Finance department employees"
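The example policy above as contextual checks on the request: source address against corporate office ranges, timestamp against a business-hours window in the business timezone, and the department attribute. Added example for the slides, not from any product: the office networks, the 09:00-17:30 Monday-Friday window and the timezone (UTC here, for portability) are assumptions.

```python
"""Contextual authorization for the slide's policy: Finance staff, corporate offices, business hours.

Added illustration; network ranges, the hours window and the timezone are assumed.
"""
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed office ranges (RFC 1918 space); real values would come from the network team.
OFFICE_NETWORKS = [ip_network("10.10.0.0/16"), ip_network("192.168.50.0/24")]

# Assumed for the example: a real deployment would use zoneinfo.ZoneInfo("Europe/London") or similar.
BUSINESS_TZ = timezone.utc
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 30)
BUSINESS_DAYS = range(0, 5)  # Monday..Friday


def in_office(client_ip: str) -> bool:
    """Source-address check. Caveat: the address is where the request appears to come from
    (VPN egress, proxies and spoofed headers all move it), so treat it as one signal, not proof."""
    try:
        addr = ip_address(client_ip)
    except ValueError:
        return False  # unparseable or missing address: fail closed
    return any(addr in net for net in OFFICE_NETWORKS)


def in_business_hours(when: datetime) -> bool:
    """Evaluate in the business timezone; a naive datetime is rejected rather than guessed."""
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    local = when.astimezone(BUSINESS_TZ)
    return local.weekday() in BUSINESS_DAYS and BUSINESS_START <= local.time() < BUSINESS_END


def may_access_financial_data(department: str, client_ip: str, when: datetime) -> tuple[bool, str]:
    """All three conditions must hold; the reason names the first one that failed."""
    if department != "Finance":
        return False, "not in Finance department"
    if not in_office(client_ip):
        return False, f"{client_ip} is not a corporate office address"
    if not in_business_hours(when):
        return False, "outside business hours"
    return True, "all contextual conditions satisfied"


if __name__ == "__main__":
    wednesday_10 = datetime(2024, 3, 13, 10, 0, tzinfo=timezone.utc)
    saturday_10 = datetime(2024, 3, 16, 10, 0, tzinfo=timezone.utc)
    # 03:00 at UTC-7 is 10:00 UTC: the conversion, not the wall-clock digits, decides.
    west_coast_3am = datetime(2024, 3, 13, 3, 0, tzinfo=timezone(timedelta(hours=-7)))
    print(may_access_financial_data("Finance", "10.10.4.7", wednesday_10))
    print(may_access_financial_data("Finance", "10.10.4.7", saturday_10))
    print(may_access_financial_data("Finance", "203.0.113.9", wednesday_10))
    print(may_access_financial_data("Sales", "10.10.4.7", wednesday_10))
    print(may_access_financial_data("Finance", "192.168.50.20", west_coast_3am))
```

Two practitioner notes. Time-based rules must be evaluated from a trusted clock in a fixed timezone, never from a client-supplied timestamp. And a "corporate office" IP check is only as good as the list of ranges and the path the request took; if the API sits behind a load balancer, the address to check is the one in the forwarded header the balancer sets, not the balancer's own.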

Authorization in Modern Systems

Cloud and Microservices:

  • API-Based Authorization: Token-based access control
  • Zero Trust Networks: Verify every request
  • Service-to-Service Auth: Machine-to-machine authorization
  • Dynamic Policies: Real-time policy evaluation
  • Centralized Authorization: Policy decision points
OAuth 2.0 & JWT: OAuth 2.0 is the delegated-authorization framework used for API access; JWT (RFC 7519) is a signed token format commonly used to carry the resulting claims and scopes to the API, which must verify the signature and expiry before it trusts them
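Token-based API authorization end to end: mint an HS256-signed JWT (the authorization server's job) and, on the API side, verify it and check its scope before answering. Added example for the slides, not from any OAuth library: the signing key, issuer, audience and scope names are assumptions, and the token layout follows RFC 7519 (base64url header.payload.signature). A real API would use a maintained library and, for OAuth 2.0 access tokens, asymmetric signatures verified with the authorization server's published keys.

```python
"""Verify an HS256 JWT, then authorize on its scope.

Added illustration; key, issuer, audience and scopes are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"example-signing-key-do-not-reuse"  # assumed shared secret between issuer and API
ISSUER, AUDIENCE = "https://auth.example", "https://api.example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, scope: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Authorization-server side: mint a short-lived token carrying the granted scopes."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "scope": scope, "iat": now, "exp": now + ttl}
    compact = ",", ":"
    signing_input = (f"{_b64url(json.dumps(header, separators=compact).encode())}."
                     f"{_b64url(json.dumps(payload, separators=compact).encode())}")
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """API side: reject anything malformed, signed with another key or alg, expired,
    or meant for another issuer/audience. Raises PermissionError on any failure."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        raw_sig = _b64url_decode(s)
    except ValueError:  # covers bad base64, bad JSON, wrong number of segments
        raise PermissionError("malformed token")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise PermissionError("malformed token")
    # Pin the algorithm: the token must never choose how it is verified ("alg": "none").
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, raw_sig):  # constant-time comparison
        raise PermissionError("bad signature")
    if payload.get("iss") != ISSUER or payload.get("aud") != AUDIENCE:
        raise PermissionError("wrong issuer or audience")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise PermissionError("token expired")
    return payload


def authorize_request(token: str, required_scope: str, now: Optional[int] = None) -> bool:
    """Authorization proper: only after the token is verified, does its scope cover this endpoint?"""
    try:
        payload = verify_token(token, now)
    except PermissionError:
        return False
    return required_scope in payload.get("scope", "").split()


if __name__ == "__main__":
    tok = issue_token("alice", "reports:read invoices:read")
    print(tok)
    print(authorize_request(tok, "reports:read"))    # True
    print(authorize_request(tok, "invoices:write"))  # False: scope not granted
```

The order inside `verify_token` is the point: signature, algorithm, issuer/audience and expiry are authentication of the token, and only `authorize_request` makes an authorization decision. An API that reads `scope` from the payload before checking the signature is doing authorization on data the client wrote.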

Authorization Best Practices

  1. Principle of Least Privilege: Grant minimum necessary access
  2. Regular Access Reviews: Periodic audits of permissions
  3. Separation of Duties: Divide critical functions
  4. Default Deny: No access unless explicitly granted
  5. Centralized Management: Single point of policy control
  6. Automated Provisioning: Consistent permission assignment
  7. Logging and Monitoring: Track all authorization decisions
  8. Documentation: Clear policies and procedures

Common Authorization Pitfalls

Avoid These Mistakes:

  • Over-Privileging: Granting excessive permissions
  • Permission Creep: Accumulating unnecessary access over time
  • Shared Accounts: Multiple users with same credentials
  • Stale Permissions: Not removing access when roles change
  • Inconsistent Policies: Different rules across systems
  • Poor Documentation: Unclear authorization procedures
  • Lack of Monitoring: No visibility into access patterns
  • Emergency Backdoors: Uncontrolled bypass mechanisms

Regulatory Compliance

Authorization Requirements in Regulations:

  • SOX: Financial data access controls and segregation of duties
  • HIPAA: Patient data access based on minimum necessary rule
  • GDPR: Data access controls and purpose limitation
  • PCI DSS: Cardholder data access restrictions
  • SOC 2: Logical access controls and user access reviews
Common Requirements: Role-based access, regular reviews, audit trails, access documentation

Future of Authorization

  • AI-Driven Policies: Machine learning for access patterns
  • Risk-Based Authorization: Dynamic access based on risk assessment
  • Zero Trust Authorization: Continuous verification approach
  • Blockchain Identity: Decentralized authorization systems
  • Privacy-Preserving Auth: Access without revealing identity
  • Intent-Based Authorization: Access based on declared intent
  • Quantum-Safe Authorization: Migrating the signatures and key exchange that protect tokens and sessions to post-quantum algorithms

Key Takeaways

  • Authorization determines what authenticated users can do
  • Follows authentication in the security process
  • Must implement principle of least privilege
  • Requires regular review and maintenance
  • Should be centrally managed when possible
  • Must support audit and compliance requirements
  • Context-aware authorization provides enhanced security
Remember: Good authorization is the key to data protection and regulatory compliance

Thank You

Questions & Discussion

Next: Authorization Methods Deep Dive