Author: Milav Dabgar
Experienced lecturer in the electrical and electronic manufacturing industry. Skilled in Embedded Systems, Image Processing, Data Science, MATLAB, Python, STM32. Strong education professional with a Master’s degree in Communication Systems Engineering from L.D. College of Engineering - Ahmedabad.
Authorization

Controlling Access to Resources

Defining What Users Can Do

Authorization Methods

Authorization Definition

Authorization is the process of determining what an authenticated user is allowed to do - which resources they can access and what actions they can perform on those resources.

Core Questions Authorization Answers:

  • "What can you access?" - Resource permissions
  • "What actions can you perform?" - Operation permissions
  • "When can you access it?" - Time-based restrictions
  • "From where can you access it?" - Location constraints

Authorization vs Authentication

Aspect       Authentication           Authorization
Purpose      Verify identity          Grant permissions
Question     "Who are you?"           "What can you do?"
Process      Login with credentials   Check access rights
Frequency    Once per session         Every resource request
Example      Username + password      Read/write file permissions
Dependency   Independent              Requires authentication first

Significance in Cybersecurity

Why Authorization is Critical:

  • Principle of Least Privilege: Users get minimum necessary access
  • Data Protection: Prevents unauthorized data exposure
  • Compliance: Meets regulatory requirements
  • Risk Mitigation: Limits damage from compromised accounts
  • Operational Security: Maintains system integrity
  • Audit Trail: Tracks who accessed what resources

Key Authorization Concepts

Subject:

Entity requesting access (user, process, system)

  • Human users
  • Service accounts
  • Applications
  • Devices

Object/Resource:

What is being accessed

  • Files and folders
  • Database records
  • Network resources
  • Applications

Action/Operation:

What the subject wants to do with the object

  • Read: View or access data
  • Write: Modify or create data
  • Execute: Run programs or scripts
  • Delete: Remove data or resources
  • Admin: Change permissions or settings

Authorization Process Flow

Step-by-step Authorization Process:

1. User Authentication: User successfully logs in
   Example: Alice authenticates with username/password

2. Resource Request: User requests access to resource
   Example: Alice tries to open "financial_report.xlsx"

3. Policy Lookup: System checks authorization policies
   Example: Check Alice's permissions for financial files

4. Decision Making: Grant or deny access
   Example: Alice has "read" but not "write" permission

5. Enforcement: Apply the authorization decision
   Example: Allow file opening, disable editing features

6. Logging: Record the access attempt
   Example: Log "Alice accessed financial_report.xlsx (read)"

Authorization Implementation

Common Implementation Methods:

  • Access Control Lists (ACLs): Lists of permissions per resource
  • Role-Based Access Control (RBAC): Permissions assigned to roles
  • Attribute-Based Access Control (ABAC): Policy-based decisions
  • Capability-Based Security: Tokens representing permissions
  • Mandatory Access Control (MAC): System-enforced policies
  • Discretionary Access Control (DAC): Owner-controlled permissions

Access Control Lists (ACLs)

ACL Concept: Each resource has a list specifying which users/groups can perform which actions

File System ACL Example:

File: /documents/budget.xlsx
Access Control List:
- Owner (Alice): Read, Write, Delete
- Group (Finance): Read, Write
- Group (Managers): Read
- Others: No access

Database ACL Example:
Table: customer_data
- User (sales_user): SELECT, INSERT
- User (admin_user): SELECT, INSERT, UPDATE, DELETE
- Role (reports): SELECT only
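
The six-step flow above and the file-system ACL just shown, worked as one added example (not code from the original slides): the ACL entries, group memberships and user names are constructed, permissions are positive only, and every decision is written to an audit list.

```python
from typing import Optional

# Constructed ACL for the file on the slide: positive permissions only,
# so any (principal, action) pair not listed is denied.
FILE_ACLS = {
    "/documents/budget.xlsx": [
        ("user",  "alice",    {"read", "write", "delete"}),   # owner
        ("group", "finance",  {"read", "write"}),
        ("group", "managers", {"read"}),
    ],
}

# Constructed group membership; in practice this comes from a directory service.
GROUPS = {"bob": {"finance"}, "carol": {"managers"}, "dave": set()}

AUDIT_LOG: list = []   # step 6 of the flow: every decision is recorded here

def allowed_actions(user: str, path: str) -> set:
    """Step 3 (policy lookup): union of every ACL entry matching the user
    directly or through one of their groups. Unknown paths yield no rights."""
    actions = set()
    for kind, name, perms in FILE_ACLS.get(path, []):
        if kind == "user" and name == user:
            actions |= perms
        elif kind == "group" and name in GROUPS.get(user, set()):
            actions |= perms
    return actions

def authorize(user: Optional[str], path: str, action: str) -> bool:
    """Steps 1-6: refuse unauthenticated callers, look up policy, decide,
    log the outcome, and return the decision for the caller to enforce."""
    if user is None:                                   # step 1 failed
        AUDIT_LOG.append(f"DENY anonymous {action} {path}")
        return False
    decision = action in allowed_actions(user, path)   # steps 3-4
    verdict = "ALLOW" if decision else "DENY"
    AUDIT_LOG.append(f"{verdict} {user} {action} {path}")   # step 6
    return decision                                    # step 5: caller enforces

if __name__ == "__main__":
    # Alice (owner) may delete; Carol (managers) may read but not write.
    for who, act in [("alice", "delete"), ("carol", "read"), ("carol", "write")]:
        print(who, act, authorize(who, "/documents/budget.xlsx", act))
    print("\n".join(AUDIT_LOG))
```

Denied attempts are logged as well as allowed ones; a log that records only successes cannot show a compromised account probing for access.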

Role-Based Access Control (RBAC)

RBAC Concept: Permissions are assigned to roles, and users are assigned to roles

Corporate RBAC Example:

Roles and Permissions:
Employee Role: Read company handbook, Submit timesheets
Manager Role: Employee permissions + Approve leave, View team reports
HR Role: Employee permissions + Access personnel files, Manage benefits
IT Admin Role: All permissions + System administration

User Assignments:
John Smith → Manager Role
Sarah Jones → HR Role
Mike Wilson → IT Admin Role
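
The corporate RBAC example implemented as role inheritance, added here as an illustration (not from the original slides): role and permission names are constructed from the slide's wording, "Manager = Employee permissions + ..." becomes an `inherits` link, and a reverse lookup supports the access reviews recommended later.

```python
# Constructed role model from the slide. Each role carries its own permissions
# plus the roles it inherits from, so "Manager = Employee permissions + ..."
# is expressed as inheritance rather than by copying the list.
ROLES = {
    "employee": {"permissions": {"read_handbook", "submit_timesheet"}, "inherits": []},
    "manager":  {"permissions": {"approve_leave", "view_team_reports"}, "inherits": ["employee"]},
    "hr":       {"permissions": {"access_personnel_files", "manage_benefits"}, "inherits": ["employee"]},
    "it_admin": {"permissions": {"system_administration"}, "inherits": ["manager", "hr"]},
}

# Constructed user-to-role assignments from the slide.
USER_ROLES = {
    "john_smith":  {"manager"},
    "sarah_jones": {"hr"},
    "mike_wilson": {"it_admin"},
}

def effective_permissions(role: str, _seen=None) -> set:
    """Collect a role's own permissions and everything reachable through
    'inherits'. _seen stops infinite recursion if a cycle is mis-configured."""
    seen = set() if _seen is None else _seen
    if role in seen or role not in ROLES:
        return set()
    seen.add(role)
    perms = set(ROLES[role]["permissions"])
    for parent in ROLES[role]["inherits"]:
        perms |= effective_permissions(parent, seen)
    return perms

def user_permissions(user: str) -> set:
    """Union of the effective permissions of every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= effective_permissions(role)
    return perms

def can(user: str, permission: str) -> bool:
    """The authorization check itself: unknown users and roles get nothing."""
    return permission in user_permissions(user)

def users_with(permission: str) -> set:
    """Reverse lookup used in access reviews: who can currently do this?"""
    return {u for u in USER_ROLES if can(u, permission)}
```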

Attribute-Based Access Control (ABAC)

ABAC Concept: Access decisions based on attributes of users, resources, and environment

ABAC Policy Example:

Rule: "Allow access to patient records IF:"
- User.Department = "Medical"
- User.Role = "Doctor" OR "Nurse"
- Resource.Type = "PatientRecord"
- Time.Hour BETWEEN 06:00 AND 22:00
- Location.Zone = "Hospital"
- Patient.AssignedDoctor = User.ID OR User.Role = "Emergency"

Dynamic Evaluation:
Every access request evaluates all conditions in real-time
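
The patient-record rule above evaluated clause by clause, added here as an example (not from the original slides): the request object, its field names and the sample users are constructed, and the time window is checked on minutes since midnight so 22:00 exactly is still inside it.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    """Attributes gathered for one request (constructed field names)."""
    user_id: str
    department: str        # User.Department
    role: str              # User.Role
    resource_type: str     # Resource.Type
    assigned_doctor: str   # Patient.AssignedDoctor on the requested record
    zone: str              # Location.Zone
    hour: int              # Time.Hour, local time of the request
    minute: int = 0

def evaluate_patient_record_policy(r: AccessRequest) -> tuple:
    """Evaluate every clause of the slide's rule in order and return
    (decision, reason); the reason names the first failing clause so a
    denial can be explained in the audit log."""
    in_window = 6 * 60 <= r.hour * 60 + r.minute <= 22 * 60
    clauses = [
        (r.department == "Medical",               "User.Department is not Medical"),
        (r.role in ("Doctor", "Nurse"),           "User.Role is not Doctor or Nurse"),
        (r.resource_type == "PatientRecord",      "Resource.Type is not PatientRecord"),
        (in_window,                               "outside 06:00-22:00"),
        (r.zone == "Hospital",                    "Location.Zone is not Hospital"),
        (r.assigned_doctor == r.user_id or r.role == "Emergency",
                                                  "not the assigned doctor and not Emergency"),
    ]
    for satisfied, reason in clauses:
        if not satisfied:
            return False, reason
    return True, "all clauses satisfied"

if __name__ == "__main__":
    req = AccessRequest("dr_patel", "Medical", "Doctor", "PatientRecord",
                        "dr_patel", "Hospital", 9, 30)
    print(evaluate_patient_record_policy(req))
    req.hour = 23
    print(evaluate_patient_record_policy(req))
```

Read literally, the role clause admits only Doctor or Nurse, so the `User.Role = "Emergency"` alternative in the last clause can never succeed; a policy that wants an emergency override must list that role in the role clause as well.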

Authorization Challenges

Common Implementation Challenges:

  • Complexity: Managing permissions across multiple systems
  • Scalability: Performance impact with many users/resources
  • Consistency: Ensuring uniform policies across platforms
  • Maintenance: Keeping permissions current as roles change
  • Granularity: Balancing detailed control with simplicity
  • Delegation: Allowing users to grant permissions to others
  • Audit: Tracking who has access to what

Permission Models

Positive Permissions:

Explicitly grant access

  • Default: No access
  • Must be granted explicitly
  • More secure approach
  • Example: "Allow read access"

Negative Permissions:

Explicitly deny access

  • Default: Full access
  • Deny specific actions
  • Used for exceptions
  • Example: "Deny delete access"

Mixed Model:

Combination of positive and negative permissions with precedence rules

  • Typically: Deny permissions override allow permissions
  • More flexible but complex
  • Requires careful policy design
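
A minimal evaluator for the mixed model described above, added here as an illustration (not from the original slides); the entries and principals are constructed. It shows why precedence must be stated explicitly: the same entry list gives opposite answers under deny-overrides and first-match.

```python
# Constructed entries for one resource: (effect, principal kind, principal, action).
# Ordering matters only under first-match evaluation.
ENTRIES = [
    ("allow", "group", "finance", "read"),
    ("allow", "group", "finance", "delete"),
    ("deny",  "user",  "bob",     "delete"),   # exception: bob is in finance but must not delete
]

def matching_entries(user, groups, action, entries):
    """Entries that apply to this request, in the order they are listed."""
    return [e for e in entries
            if e[3] == action and ((e[1] == "user" and e[2] == user)
                                   or (e[1] == "group" and e[2] in groups))]

def decide(user, groups, action, entries=ENTRIES, precedence="deny_overrides"):
    """Combine the matching entries under the chosen precedence rule.
    No matching entry at all always means deny (default deny)."""
    matches = matching_entries(user, groups, action, entries)
    if not matches:
        return "deny"
    if precedence == "deny_overrides":
        return "deny" if any(e[0] == "deny" for e in matches) else "allow"
    if precedence == "first_match":
        return matches[0][0]
    raise ValueError(f"unknown precedence rule: {precedence}")
```

Under first-match the group allow is listed before bob's deny, so the exception silently stops working; that ordering dependence is what "requires careful policy design" means in practice.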

Contextual Authorization

Time-Based Authorization:

  • Business hours restrictions
  • Scheduled access windows
  • Temporary permissions
  • Time-limited tokens

Location-Based Authorization:

  • IP address restrictions
  • Geographic limitations
  • Network zone requirements
  • Device location verification

Example Policy:
"Financial data can only be accessed from corporate offices during business hours by Finance department employees"

Authorization in Modern Systems

Cloud and Microservices:

  • API-Based Authorization: Token-based access control
  • Zero Trust Networks: Verify every request
  • Service-to-Service Auth: Machine-to-machine authorization
  • Dynamic Policies: Real-time policy evaluation
  • Centralized Authorization: Policy decision points

OAuth 2.0 & JWT: Modern standards for API authorization and token-based access control

Authorization Best Practices

  1. Principle of Least Privilege: Grant minimum necessary access
  2. Regular Access Reviews: Periodic audits of permissions
  3. Separation of Duties: Divide critical functions
  4. Default Deny: No access unless explicitly granted
  5. Centralized Management: Single point of policy control
  6. Automated Provisioning: Consistent permission assignment
  7. Logging and Monitoring: Track all authorization decisions
  8. Documentation: Clear policies and procedures

Common Authorization Pitfalls

Avoid These Mistakes:

  • Over-Privileging: Granting excessive permissions
  • Permission Creep: Accumulating unnecessary access over time
  • Shared Accounts: Multiple users with same credentials
  • Stale Permissions: Not removing access when roles change
  • Inconsistent Policies: Different rules across systems
  • Poor Documentation: Unclear authorization procedures
  • Lack of Monitoring: No visibility into access patterns
  • Emergency Backdoors: Uncontrolled bypass mechanisms

Regulatory Compliance

Authorization Requirements in Regulations:

  • SOX: Financial data access controls and segregation of duties
  • HIPAA: Patient data access based on minimum necessary rule
  • GDPR: Data access controls and purpose limitation
  • PCI DSS: Cardholder data access restrictions
  • SOC 2: Logical access controls and user access reviews

Common Requirements: Role-based access, regular reviews, audit trails, access documentation

Future of Authorization

  • AI-Driven Policies: Machine learning for access patterns
  • Risk-Based Authorization: Dynamic access based on risk assessment
  • Zero Trust Authorization: Continuous verification approach
  • Blockchain Identity: Decentralized authorization systems
  • Privacy-Preserving Auth: Access without revealing identity
  • Intent-Based Authorization: Access based on declared intent
  • Quantum-Safe Authorization: Preparing for quantum computing

Key Takeaways

  • Authorization determines what authenticated users can do
  • Follows authentication in the security process
  • Must implement principle of least privilege
  • Requires regular review and maintenance
  • Should be centrally managed when possible
  • Must support audit and compliance requirements
  • Context-aware authorization provides enhanced security

Remember: Good authorization is the key to data protection and regulatory compliance
