Authorization and Access Control
Controlling What Users Can Access
Models, Methods, and Best Practices
What is Authorization?
Authorization is the process of granting or denying access rights and privileges to authenticated users based on their identity and defined permissions.
Key Questions:
- What can this user access?
- What actions can they perform?
- When can they access it?
- From where can they access it?
Authentication vs Authorization
| Aspect | Authentication | Authorization |
|---|---|---|
| Purpose | Verify identity | Grant permissions |
| Question | Who are you? | What can you do? |
| Process | Login verification | Access control |
| When | Before access | After authentication |
| Example | Password check | File permissions |
Access Control Models
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Rule-Based Access Control
Discretionary Access Control (DAC)
Principle: Resource owners decide who can access their resources
Characteristics:
- Owner-controlled permissions
- Flexible access rules
- User discretion in sharing
- Common in file systems
Examples:
- File permissions (rwx)
- Shared folders
- Database table access
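The owner/group/other decision behind these DAC examples, and behind the chmod/chown slide that follows, as an added Python example that is not part of the original deck. The uids, gids, file names and the mode-077 case are constructed sample values; root's DAC bypass is deliberately left out.

```python
"""Discretionary access control as Unix file modes: who may do what.

Added example, not from the original deck. It re-implements the
owner/group/other decision the kernel makes for a mode such as 754,
then checks the result against a real file set with os.chmod.
"""
import os
import stat
import tempfile

READ, WRITE, EXEC = 4, 2, 1


def permission_class(mode: int, file_uid: int, file_gid: int,
                     uid: int, gids: set) -> int:
    """Return the three permission bits (rwx) that apply to a subject.

    Exactly one class is chosen: owner if uid matches, else group if the
    file's group is among the subject's groups, else other. There is no
    fall-through, so the owner of a mode-077 file is denied even though
    "others" may read it. (Root's DAC bypass is deliberately not modelled.)
    """
    if uid == file_uid:
        return (mode >> 6) & 0o7
    if file_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def dac_allows(mode: int, file_uid: int, file_gid: int,
               uid: int, gids: set, want: int) -> bool:
    """True if every bit in `want` (READ | WRITE | EXEC) is granted."""
    return (permission_class(mode, file_uid, file_gid, uid, gids) & want) == want


def mode_string(mode: int) -> str:
    """Render the low nine bits the way `ls -l` does: 0o754 -> 'rwxr-xr--'."""
    return stat.filemode(stat.S_IFREG | (mode & 0o777))[1:]


def demo_chmod_754() -> str:
    """Create a file, `chmod 754` it, and read the mode back from the inode."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "report.txt")
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, 0o754)          # same effect as: chmod 754 report.txt
        return mode_string(os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed subjects: the owner is uid 1000 / gid 100; uid 1001 shares
    # the group; uid 1002 is unrelated. All numbers are sample values.
    print(mode_string(0o754))                                         # rwxr-xr--
    print(dac_allows(0o754, 1000, 100, 1000, {100}, READ | WRITE))   # True: owner rwx
    print(dac_allows(0o754, 1000, 100, 1001, {100}, WRITE))          # False: group r-x
    print(dac_allows(0o754, 1000, 100, 1002, {1002}, EXEC))          # False: other r--
    print(dac_allows(0o077, 1000, 100, 1000, {100}, READ))           # False: owner ---
    print(demo_chmod_754())                                           # rwxr-xr--
```

The mode-077 case is the one people get wrong in reviews: the owner class is selected first and is final, so granting "others" more than the owner does not help the owner. That is the discretionary part of DAC: the owner chose those bits, and the kernel simply applies them.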
DAC Example: File Permissions
Unix/Linux File Permissions:
rwxr-xr--
• Owner: read, write, execute
• Group: read, execute
• Others: read only
Commands:
chmod 754 filename
chown user:group filename
Mandatory Access Control (MAC)
Principle: System enforces strict access policies based on security classifications
Characteristics:
- System-enforced rules
- Security labels/classifications
- No user discretion
- High-security environments
Classifications:
- Top Secret
- Secret
- Confidential
- Unclassified
MAC Security Rules
Bell-LaPadula Model (confidentiality):
- No Read Up (simple security property): a subject can't read an object with a higher classification
- No Write Down (*-property): a subject can't write to an object with a lower classification, so data can't leak downward
Biba Model (integrity):
- No Read Down: a subject can't read an object of lower integrity
- No Write Up: a subject can't write to an object of higher integrity
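The two rule sets above as executable checks, added here as a Python example that is not part of the original deck. The confidentiality levels are the deck's classifications; the integrity level names are constructed.

```python
"""Mandatory access control: Bell-LaPadula (confidentiality) and Biba (integrity).

Added example, not from the original deck. Labels are totally ordered levels
and the rules are fixed by the system; neither the subject nor the resource
owner can relax them.
"""
from enum import IntEnum


class Clearance(IntEnum):
    """Confidentiality labels from the classifications slide, low to high."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Integrity(IntEnum):
    """Integrity labels (names constructed for the example), low to high."""
    UNTRUSTED = 0
    USER = 1
    SYSTEM = 2


def blp_allows(subject: Clearance, obj: Clearance, action: str) -> bool:
    """Bell-LaPadula.

    read : no read up    (simple security property)  subject >= object
    write: no write down (*-property)                subject <= object
    A SECRET subject may write a TOP_SECRET object but not a CONFIDENTIAL
    one: the *-property blocks the "save it into a lower file" leak.
    """
    if action == "read":
        return subject >= obj
    if action == "write":
        return subject <= obj
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject: Integrity, obj: Integrity, action: str) -> bool:
    """Biba, the dual of Bell-LaPadula.

    read : no read down  subject <= object  (don't consume less-trusted data)
    write: no write up   subject >= object  (don't contaminate more-trusted data)
    """
    if action == "read":
        return subject <= obj
    if action == "write":
        return subject >= obj
    raise ValueError(f"unknown action {action!r}")


def allowed_actions(model, subject, obj) -> set:
    """Which of read/write a model permits for one (subject, object) pair."""
    return {a for a in ("read", "write") if model(subject, obj, a)}


def decision_matrix(model, levels) -> dict:
    """Full (subject, object) -> actions table; useful when reviewing a label set."""
    return {(s.name, o.name): allowed_actions(model, s, o)
            for s in levels for o in levels}


if __name__ == "__main__":
    for (s, o), acts in decision_matrix(blp_allows, Clearance).items():
        print(f"BLP  {s:<13} -> {o:<13} {sorted(acts)}")
    for (s, o), acts in decision_matrix(biba_allows, Integrity).items():
        print(f"Biba {s:<9} -> {o:<9} {sorted(acts)}")
```

Printing the matrix makes the practical consequence visible: under Bell-LaPadula only equal labels get both read and write, which is why real MLS systems need trusted (policy-exempt) subjects for downgrading and why a single process usually cannot hold both a high clearance and a high integrity label without tripping one of the two models.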
Role-Based Access Control (RBAC)
Principle: Access permissions assigned to roles, users assigned to roles
Components:
- Users: Individuals or systems
- Roles: Job functions or responsibilities
- Permissions: Access rights to resources
- Sessions: Active user-role assignments
RBAC Example: Hospital System
Roles:
• Doctor: View/edit patient records, prescribe medications
• Nurse: View patient records, update vitals
• Administrator: Manage user accounts, system settings
• Billing: Access billing information, insurance data
User Assignment:
Dr. Smith → Doctor role
Nurse Johnson → Nurse role
Admin Brown → Administrator role
RBAC Hierarchy
Role Inheritance: Senior roles inherit permissions from junior roles
Example Hierarchy:
CEO
├── Department Manager
│ ├── Team Lead
│ │ └── Employee
│ └── Senior Employee
└── Project Manager
CEO inherits all permissions from subordinate roles
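The hospital roles and the role inheritance described above, combined in one added Python example that is not part of the original deck. The permission names, the "Doctor inherits Nurse" hierarchy and Admin Brown's second role are constructed to exercise the model.

```python
"""Role-based access control with a role hierarchy and sessions.

Added example, not from the original deck. The four hospital roles follow
the slide; the permission names, the "Doctor inherits Nurse" hierarchy and
Admin Brown's second role are constructed to exercise the model.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    permissions: set[str] = field(default_factory=set)
    juniors: set[str] = field(default_factory=set)  # roles this role inherits from


class RBAC:
    def __init__(self) -> None:
        self.roles: dict[str, Role] = {}
        self.user_roles: dict[str, set[str]] = {}

    def add_role(self, name: str, permissions=(), inherits=()) -> None:
        self.roles[name] = Role(name, set(permissions), set(inherits))

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def effective_permissions(self, role: str) -> set[str]:
        """Own permissions plus everything inherited, transitively.

        The visited set keeps this terminating even if someone misconfigures
        a cycle (A inherits B, B inherits A), which would otherwise loop.
        """
        seen: set[str] = set()
        stack, perms = [role], set()
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            perms |= self.roles[current].permissions
            stack.extend(self.roles[current].juniors)
        return perms

    def open_session(self, user: str, activate: set[str] | None = None) -> Session:
        """A session activates a subset of the user's roles (least privilege
        inside RBAC). Activating a role the user was never assigned is refused."""
        assigned = self.user_roles.get(user, set())
        active = set(assigned) if activate is None else set(activate)
        if not active <= assigned:
            raise PermissionError(f"{user} may not activate {sorted(active - assigned)}")
        return Session(self, user, active)


@dataclass
class Session:
    rbac: RBAC
    user: str
    active_roles: set[str]

    def permitted(self, permission: str) -> bool:
        return any(permission in self.rbac.effective_permissions(r)
                   for r in self.active_roles)


def build_hospital() -> RBAC:
    rbac = RBAC()
    rbac.add_role("Nurse", {"patient:view", "vitals:update"})
    rbac.add_role("Doctor", {"patient:edit", "prescription:write"}, inherits={"Nurse"})
    rbac.add_role("Administrator", {"user:manage", "settings:manage"})
    rbac.add_role("Billing", {"billing:view", "insurance:view"})
    rbac.assign("dr.smith", "Doctor")
    rbac.assign("nurse.johnson", "Nurse")
    rbac.assign("admin.brown", "Administrator")
    rbac.assign("admin.brown", "Billing")   # constructed: two roles, activated separately
    return rbac


if __name__ == "__main__":
    hospital = build_hospital()
    print(sorted(hospital.effective_permissions("Doctor")))
    billing_only = hospital.open_session("admin.brown", {"Billing"})
    print(billing_only.permitted("billing:view"), billing_only.permitted("user:manage"))
```

Two design points worth copying: permission lookups go through `effective_permissions`, so a senior role never needs its junior's permissions duplicated (the cause of role explosion), and a session can activate fewer roles than the user holds, so an administrator doing billing work does not carry `user:manage` around in that session.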
Attribute-Based Access Control (ABAC)
Principle: Access decisions based on attributes of users, resources, and environment
Attribute Types:
- Subject: User department, clearance level
- Resource: File classification, sensitivity
- Environment: Time, location, network
- Action: Read, write, delete, execute
ABAC Policy Example
Policy: "Allow access to confidential financial reports if:"
• User is in Finance department
• User has 'Manager' role
• Access during business hours (9 AM - 5 PM)
• From corporate network
• Action is 'read' only
Dynamic Evaluation:
All conditions checked in real-time for each access request
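The policy above evaluated per request, as an added Python example that is not part of the original deck. The five conditions are the slide's; the attribute names, the 10.0.0.0/8 corporate range, the date and the sample requests are constructed.

```python
"""Attribute-based access control: the finance-report policy evaluated per request.

Added example, not from the original deck. The five conditions are the ones
on the policy slide; the attribute names, the 10.0.0.0/8 corporate range and
the sample requests are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")      # assumption
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)  # 9 AM - 5 PM, end exclusive


@dataclass
class Request:
    subject: dict      # e.g. {"department": "Finance", "roles": {"Manager"}}
    resource: dict     # e.g. {"type": "financial_report", "classification": "confidential"}
    action: str        # "read", "write", ...
    environment: dict  # e.g. {"time": datetime, "source_ip": "10.1.2.3"}


@dataclass
class Condition:
    name: str
    holds: Callable[[Request], bool]


@dataclass
class Policy:
    description: str
    target: Callable[[Request], bool]   # does this policy apply to the request at all?
    conditions: tuple

    def evaluate(self, req: Request) -> tuple[str, list[str]]:
        """PERMIT only if every condition holds; otherwise DENY plus the names
        of the failed conditions, which is what belongs in the audit log."""
        if not self.target(req):
            return "NOT_APPLICABLE", []
        failed = [c.name for c in self.conditions if not c.holds(req)]
        return ("PERMIT" if not failed else "DENY"), failed


def in_business_hours(req: Request) -> bool:
    return BUSINESS_START <= req.environment["time"].time() < BUSINESS_END


def from_corporate_network(req: Request) -> bool:
    return ipaddress.ip_address(req.environment["source_ip"]) in CORPORATE_NET


CONFIDENTIAL_FINANCE_REPORTS = Policy(
    description="Allow access to confidential financial reports if ...",
    target=lambda r: (r.resource.get("type") == "financial_report"
                      and r.resource.get("classification") == "confidential"),
    conditions=(
        Condition("finance department", lambda r: r.subject.get("department") == "Finance"),
        Condition("manager role", lambda r: "Manager" in r.subject.get("roles", ())),
        Condition("business hours", in_business_hours),
        Condition("corporate network", from_corporate_network),
        Condition("read only", lambda r: r.action == "read"),
    ),
)

POLICIES = (CONFIDENTIAL_FINANCE_REPORTS,)


def decide(req: Request) -> tuple[str, list[str]]:
    """Evaluate all policies; no applicable policy means DENY (default deny)."""
    for policy in POLICIES:
        decision, failed = policy.evaluate(req)
        if decision != "NOT_APPLICABLE":
            return decision, failed
    return "DENY", ["no applicable policy"]


def env_at(hour: int, minute: int = 0, source_ip: str = "10.20.30.40") -> dict:
    """Constructed environment attributes for a request on 12 March 2024."""
    return {"time": datetime(2024, 3, 12, hour, minute), "source_ip": source_ip}


def sample_request(**overrides) -> Request:
    """A request that satisfies every condition; overrides knock out one at a time."""
    base = dict(
        subject={"department": "Finance", "roles": {"Manager"}},
        resource={"type": "financial_report", "classification": "confidential"},
        action="read",
        environment=env_at(10, 30),
    )
    base.update(overrides)
    return Request(**base)


if __name__ == "__main__":
    print(decide(sample_request()))                                   # PERMIT
    print(decide(sample_request(action="write")))                     # DENY: read only
    print(decide(sample_request(environment=env_at(18, 0, "203.0.113.5"))))
```

Returning the failed condition names rather than a bare boolean is the difference between an ABAC decision you can audit and one you cannot; it also makes "dynamic evaluation" testable, because the time and network attributes are inputs to the request instead of being read from the clock inside the policy.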
Rule-Based Access Control
Principle: Access granted or denied based on predefined rules
Examples:
- Firewall rules (IP addresses, ports)
- Time-based restrictions
- Location-based access
- Conditional logic rules
Firewall Rule Example:
"Allow HTTP traffic from 192.168.1.0/24 to web server on port 80 during business hours"
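The firewall rule above as a first-match rule evaluator, an added Python example that is not part of the original deck. The web server address 10.0.0.5, the extra per-host deny rule, the sample packets and their timestamps are constructed.

```python
"""Rule-based access control: a first-match firewall policy with a time window.

Added example, not from the original deck. Encodes the slide's rule
("Allow HTTP from 192.168.1.0/24 to the web server on port 80 during business
hours"); the web server address 10.0.0.5, the sample packets and the
timestamps are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int | None                # None = any port
    hours: tuple[int, int] | None    # (start, end) hours, end exclusive; None = always


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    at: datetime


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field of the rule must match; unspecified fields are wildcards."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.hours is not None and not (rule.hours[0] <= pkt.at.hour < rule.hours[1]):
        return False
    return True


def decide(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule wins; nothing matching falls through to an implicit deny.
    Order therefore matters: a broad allow above a narrow deny makes the deny dead."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


RULES = [
    # constructed: block one workstation explicitly, placed before the general allow
    Rule("deny", "any", net("192.168.1.99/32"), net("0.0.0.0/0"), None, None),
    # the slide's rule: HTTP (tcp/80) from the LAN to the web server, 9-17 only
    Rule("allow", "tcp", net("192.168.1.0/24"), net("10.0.0.5/32"), 80, (9, 17)),
]


def pkt(src: str, hour: int, dport: int = 80, proto: str = "tcp",
        dst: str = "10.0.0.5") -> Packet:
    """Constructed packet on 12 March 2024 at the given hour."""
    return Packet(proto, src, dst, dport, datetime(2024, 3, 12, hour, 0))


if __name__ == "__main__":
    print(decide(RULES, pkt("192.168.1.10", 10)))        # allow
    print(decide(RULES, pkt("192.168.1.10", 18)))        # deny: outside hours
    print(decide(RULES, pkt("192.168.1.10", 10, 443)))   # deny: port not in rule
    print(decide(RULES, pkt("192.168.2.10", 10)))        # deny: wrong subnet
    print(decide(RULES, pkt("192.168.1.99", 10)))        # deny: explicit block first
```

The check a reviewer should run on any rule-based policy is the one in the last test: swap the order of the two rules and the explicit deny for 192.168.1.99 silently stops working, because the broad allow now matches first. Rule-based systems have no notion of "most specific wins" unless you build it.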
Core Access Control Principles
- Least Privilege: Minimum necessary access
- Separation of Duties: Divide critical tasks
- Need to Know: Access based on job requirements
- Defense in Depth: Multiple security layers
- Zero Trust: Never trust, always verify
Principle of Least Privilege
Definition: Grant users only the minimum access rights necessary to perform their job functions
Implementation:
- Start with no access
- Add permissions as needed
- Regular access reviews
- Remove unused permissions
- Time-limited access for temporary needs
Benefits:
- Reduces attack surface
- Limits breach impact
- Improves compliance
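The implementation steps above (deny by default, grant as needed, time-limit temporary access, review, remove what is unused) carried through in one added Python example that is not part of the original deck. The grant store, the 90-day review threshold and the sample timeline are constructed.

```python
"""Least privilege in practice: deny by default, grant with an expiry, review, revoke.

Added example, not from the original deck. The grant store, the 90-day
"unused" threshold and the sample timeline are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

UNUSED_AFTER = timedelta(days=90)   # assumption: review threshold


@dataclass
class Grant:
    user: str
    permission: str
    granted_at: datetime
    expires_at: datetime | None = None      # None = standing grant
    last_used: datetime | None = None


@dataclass
class PermissionStore:
    grants: dict[tuple[str, str], Grant] = field(default_factory=dict)

    def grant(self, user: str, permission: str, now: datetime,
              ttl: timedelta | None = None) -> Grant:
        """Add permissions only as needed; temporary needs get a TTL."""
        g = Grant(user, permission, now, now + ttl if ttl else None)
        self.grants[(user, permission)] = g
        return g

    def revoke(self, user: str, permission: str) -> None:
        self.grants.pop((user, permission), None)

    def allowed(self, user: str, permission: str, now: datetime) -> bool:
        """Default deny: no grant, or an expired one, means no access.
        Successful use is recorded so the review can spot unused rights."""
        g = self.grants.get((user, permission))
        if g is None or (g.expires_at is not None and now >= g.expires_at):
            return False
        g.last_used = now
        return True

    def review(self, now: datetime) -> dict[str, list[tuple[str, str]]]:
        """The periodic access review: expired grants, and grants nobody has used
        within UNUSED_AFTER (from last use, or from grant time if never used)."""
        expired, unused = [], []
        for (user, perm), g in self.grants.items():
            if g.expires_at is not None and now >= g.expires_at:
                expired.append((user, perm))
            elif now - (g.last_used or g.granted_at) >= UNUSED_AFTER:
                unused.append((user, perm))
        return {"expired": sorted(expired), "unused": sorted(unused)}

    def prune(self, now: datetime) -> int:
        """Remove everything the review flagged; returns how many grants went."""
        flagged = self.review(now)
        for key in flagged["expired"] + flagged["unused"]:
            self.revoke(*key)
        return len(flagged["expired"]) + len(flagged["unused"])


def scenario() -> tuple[dict, int, int]:
    """Constructed timeline: one standing grant used daily, one never used,
    one seven-day on-call grant that has lapsed. Returns (review, pruned, left)."""
    t0 = datetime(2024, 1, 1)
    store = PermissionStore()
    store.grant("alice", "db:read", t0)
    store.grant("bob", "db:read", t0)
    store.grant("carol", "prod:ssh", t0, ttl=timedelta(days=7))   # time-limited access
    for day in range(120):
        store.allowed("alice", "db:read", t0 + timedelta(days=day))
    now = t0 + timedelta(days=120)
    before = store.review(now)
    pruned = store.prune(now)
    return before, pruned, len(store.grants)


if __name__ == "__main__":
    print(scenario())
```

Recording `last_used` at decision time is what makes the review meaningful: without usage data an access review degenerates into managers re-approving whatever is already there, which is how permission creep survives "regular reviews".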
Separation of Duties
Definition: Divide critical operations among multiple people to prevent fraud and errors
Examples:
- Financial: Different people for purchase approval and payment
- IT: Separate development and production access
- Security: Different administrators for user accounts and permissions
Implementation:
- Two-person control
- Dual authorization
- Workflow approvals
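The financial example and the implementation bullets above (two-person control, dual authorization, workflow approvals) as an added Python example that is not part of the original deck. The role names, the two mutually exclusive role pairs and the dual-authorization amount threshold are constructed.

```python
"""Separation of duties: distinct people for request, approval and payment.

Added example, not from the original deck. Role names, the toxic role
combinations and the dual-authorization threshold are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class SoDViolation(Exception):
    pass


# Static SoD: role pairs one person must never hold at the same time.
MUTUALLY_EXCLUSIVE = (
    frozenset({"purchase_approver", "payment_releaser"}),
    frozenset({"developer", "prod_deployer"}),
)
DUAL_AUTH_THRESHOLD = 10_000   # assumption: at or above this, two approvals are required


def assign_role(user_roles: dict[str, set[str]], user: str, role: str) -> None:
    """Refuse an assignment that would give one person a toxic combination."""
    held = user_roles.get(user, set())
    for pair in MUTUALLY_EXCLUSIVE:
        if role in pair and (held & pair) - {role}:
            raise SoDViolation(f"{user} already holds {sorted(held & pair)}; cannot add {role}")
    user_roles.setdefault(user, set()).add(role)


@dataclass
class PurchaseOrder:
    amount: int
    requester: str
    approvals: list[str] = field(default_factory=list)
    paid_by: str | None = None

    def approvals_needed(self) -> int:
        return 2 if self.amount >= DUAL_AUTH_THRESHOLD else 1


def approve(po: PurchaseOrder, user: str, user_roles: dict[str, set[str]]) -> None:
    """Dynamic SoD: the approver must hold the role, must not be the requester,
    and cannot count twice."""
    if "purchase_approver" not in user_roles.get(user, set()):
        raise SoDViolation(f"{user} is not a purchase approver")
    if user == po.requester:
        raise SoDViolation(f"{user} cannot approve their own request")
    if user in po.approvals:
        raise SoDViolation(f"{user} already approved this order")
    po.approvals.append(user)


def release_payment(po: PurchaseOrder, user: str, user_roles: dict[str, set[str]]) -> None:
    """Two-person control: payment needs the full set of approvals, and the payer
    must be someone other than the requester and the approvers."""
    if "payment_releaser" not in user_roles.get(user, set()):
        raise SoDViolation(f"{user} is not a payment releaser")
    if user in (po.requester, *po.approvals):
        raise SoDViolation(f"{user} already acted on this order")
    if len(po.approvals) < po.approvals_needed():
        raise SoDViolation(f"{len(po.approvals)} of {po.approvals_needed()} approvals present")
    po.paid_by = user


def scenario() -> PurchaseOrder:
    """Constructed: a 25,000 order needs two approvers before finance can pay."""
    roles: dict[str, set[str]] = {}
    assign_role(roles, "alice", "purchase_approver")
    assign_role(roles, "bob", "purchase_approver")
    assign_role(roles, "carol", "payment_releaser")
    po = PurchaseOrder(amount=25_000, requester="dave")
    approve(po, "alice", roles)
    approve(po, "bob", roles)
    release_payment(po, "carol", roles)
    return po


if __name__ == "__main__":
    print(scenario())
```

Both halves matter: the static check in `assign_role` stops the toxic combination from existing, and the dynamic checks in `approve` and `release_payment` stop one legitimate role holder from playing two parts in the same transaction. Either alone leaves a gap.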
Access Control Matrix
| Subject\Object | File A | File B | Database | Printer |
|---|---|---|---|---|
| Alice | Read, Write | Read | - | - |
| Bob | Read | Read, Write | Select | - |
| Carol | - | Read | Select, Insert | - |
Access Control Model Comparison
| Model | Flexibility | Security | Complexity | Best For |
|---|---|---|---|---|
| DAC | High | Medium | Low | File systems |
| MAC | Low | Very High | Medium | Military/Government |
| RBAC | Medium | High | Medium | Enterprise |
| ABAC | Very High | High | High | Complex environments |
Implementation Challenges
- Role Explosion: Too many specific roles in RBAC
- Permission Creep: Accumulating unnecessary permissions
- Complexity: Balancing security and usability
- Maintenance: Keeping permissions current
- Compliance: Meeting regulatory requirements
- Integration: Consistent policies across systems
Modern Access Control Trends
- Zero Trust Architecture: Verify everything
- Just-in-Time Access: Temporary elevated permissions
- Privileged Access Management: Control admin accounts
- Risk-Based Access: Dynamic decisions based on risk
- Cloud-Native Controls: API-driven policies
Zero Trust Architecture
Core Principle: "Never trust, always verify"
Key Components:
- Identity verification for every access
- Device authentication and validation
- Micro-segmentation of networks
- Continuous monitoring and validation
- Least privilege access enforcement
Access Control Best Practices
- Implement principle of least privilege
- Regular access reviews and audits
- Automate provisioning and deprovisioning
- Use role-based access where appropriate
- Monitor and log access activities
- Separate administrative duties
- Plan for emergency access procedures
- Train users on security policies
Common Implementation Mistakes
- Over-privileging: Granting too much access
- Shared Accounts: Multiple people using same credentials
- Stale Permissions: Not removing access when no longer needed
- Weak Reviews: Infrequent or superficial audits
- Emergency Backdoors: Bypasses without proper controls
- Poor Documentation: Unclear policies and procedures
Key Takeaways
- Authorization controls what authenticated users can do
- Different models suit different security needs
- Least privilege is fundamental principle
- Regular reviews prevent permission creep
- Zero trust is becoming the standard
- Balance security with operational needs
Remember: Effective access control requires ongoing management, not just initial setup
Thank You
Questions & Discussion
Next: CAPTCHA and Firewall Technologies

