Authorization is the act of deciding whether an entity may access a resource or perform an action on it, and granting that access.
Although the definition is abstract, many everyday situations illustrate the concepts involved, and those same concepts carry over directly to computer systems.
Owning a house is a good example. The owner is the only one with full rights to the property, but the owner can grant other people access to it; in other words, the owner authorizes their access. This simple example illustrates a few concepts from the authorization context.
Entering the house is a permission: an action that can be performed on a resource. Other permissions on the same resource might be furnishing, cleaning or repairing the house.
When a permission is granted to a particular person, it becomes that person's privilege. If you allow your interior decorator to furnish your house, the decorator now holds the privilege to furnish it.
The decorator might ask you for permission to furnish the house before doing so. The set of permissions being requested is a scope: the actions the decorator wants to be allowed to perform on your house.
Sometimes authorization is tied to identity. Consider boarding a plane. Your boarding pass states that you may fly on that particular flight, but on its own it is not enough to get you on board: you must also present your passport to prove that you are the person named on the pass. The gate agent checks both documents and, if they match, lets you through.
In the authorization context, your name is an attribute of your identity. Other attributes include age, language, credit card and whatever else is relevant in a particular scenario.
Your name printed on your passport is a claim: a declaration that you hold that attribute. Anyone reading the name can trust it because they trust the government that issued the passport.
Together, the boarding pass and the proof of identity act as an access token, a credential that grants you the right to board the plane.
As you can see, authorization lets some entities perform actions that other entities are not allowed to perform.
Computer systems use authorization in the same way.
Handling Authorization for a Computer System
Computer systems implement authorization through rules. These rules belong to the IT discipline of Identity and Access Management (IAM). IAM lets system administrators control access to system resources and set the privileges of users. The way IT systems handle authorization closely mirrors the real-world access control processes described above.
Authorization Use Case
Consider Google Docs, a collaboration tool.
In the application you can create documents and perform actions on them: edit, delete, comment and share. When you share a document with another person you set an access policy for them; for example, you can share a document so that the other person may only add comments.
In this scenario:
- Resource: the document.
- Resource owner: the user who created the document.
- Authorized user: a user to whom the resource owner has granted comment rights.
The diagram below shows the authorization flow for accessing the resource.
Authorization Strategies
Computer systems can use a variety of authorization strategies. Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) are the best known; Relationship-Based Access Control (ReBAC) is a more recent approach that Auth0 has been investing in. Many others exist, such as Graph-Based Access Control (GBAC) and Discretionary Access Control (DAC). These strategies help developers structure their authorization requirements and the services that enforce them.
Attribute-Based Access Control (ABAC) and Authorization
Under ABAC, the system decides whether a user may perform an action based on attributes (traits or claims) associated with the user, the resource or the request. An online store that sells alcoholic beverages is a good example: to buy alcohol, a user must register and prove their age. In this authorization context:
- The resource owner is the online store.
- The resource is the alcoholic beverage.
The age verified during registration is a claim: proof that the user holds the age attribute.
When the user later requests access to alcoholic beverages, the store evaluates the age claim. In this case the user's attribute alone decides whether access is granted.
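The following is an added example, not code from the original article or from any real store. It implements the liquor-store scenario as a small default-deny ABAC evaluator: rules inspect attributes of the subject (the user's claims) and of the resource (a minimum age) and only an age claim that the store verified at registration is honoured. The subject, resource and rule names are assumptions made for the illustration, and the sample users and products are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Added example: minimal ABAC evaluator for the online liquor-store scenario.
# All names, attributes and sample data are constructed for this illustration.


@dataclass(frozen=True)
class Subject:
    user_id: str
    claims: dict          # attributes asserted about the user, e.g. {"age": 25}


@dataclass(frozen=True)
class Resource:
    sku: str
    attributes: dict      # attributes of the thing accessed, e.g. {"min_age": 18}


@dataclass(frozen=True)
class Request:
    subject: Subject
    action: str
    resource: Resource


# A rule returns True to permit, False to deny, or None when it does not apply.
Rule = Callable[[Request], Optional[bool]]


def purchase_unrestricted(req: Request) -> Optional[bool]:
    """Anyone may purchase goods that carry no minimum-age attribute."""
    if req.action != "purchase" or "min_age" in req.resource.attributes:
        return None
    return True


def purchase_age_restricted(req: Request) -> Optional[bool]:
    """Age-restricted goods need a *verified* age claim that meets min_age.
    A self-asserted or missing age fails closed: the claim is only worth
    anything because the store (the issuer) validated it at registration."""
    min_age = req.resource.attributes.get("min_age")
    if req.action != "purchase" or min_age is None:
        return None
    claims = req.subject.claims
    if not claims.get("age_verified", False):
        return False
    age = claims.get("age")
    return isinstance(age, int) and age >= min_age


POLICY: list[Rule] = [purchase_unrestricted, purchase_age_restricted]


def is_authorized(req: Request, policy: list[Rule] = POLICY) -> bool:
    """Default deny: permitted only if at least one applicable rule permits
    and no applicable rule denies."""
    decisions = [d for d in (rule(req) for rule in policy) if d is not None]
    return bool(decisions) and all(decisions)


# Constructed sample data.
WHISKY = Resource("sku-whisky", {"category": "alcohol", "min_age": 18})
SODA = Resource("sku-soda", {"category": "soft-drink"})
ALICE = Subject("alice", {"age": 34, "age_verified": True})   # verified adult
BOB = Subject("bob", {"age": 16, "age_verified": True})       # verified minor
MALLORY = Subject("mallory", {"age": 40})                     # age claimed, never verified


def decide(subject: Subject, action: str, resource: Resource) -> bool:
    return is_authorized(Request(subject, action, resource))


if __name__ == "__main__":
    for who in (ALICE, BOB, MALLORY):
        for item in (WHISKY, SODA):
            print(f"{who.user_id:8} purchase {item.sku:11} -> {decide(who, 'purchase', item)}")
```

The point to notice is that the decision never looks at who the user is, only at what is claimed about them, and that an unverified claim (Mallory) is treated exactly like a missing one.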
Role-Based Access Control (RBAC) and Authorization
RBAC, by contrast, attaches permissions to roles rather than directly to users. A role is simply a named collection of permissions. Imagine you are a department manager in an organization. You need the permissions that correspond to your position, such as approving vacation and expense requests and assigning tasks. A system administrator would create a role called "Manager" or similar, attach those permissions to it, and assign the role to you. The same role can then be assigned to every other user who needs the same permissions.
The advantage of RBAC is simpler privilege management: administrators deal with permissions and users in bulk, through roles, rather than one by one.
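The following is an added example, not code from the original article or from any real product. It implements the "Manager" scenario above: permissions hang off roles, users hold roles, and a user's effective permissions are the union over their roles. The role and permission names are assumptions made for the illustration, and the sample organization is constructed.

```python
from collections import defaultdict

# Added example: RBAC where permissions attach to roles and users hold roles.
# Role, permission and user names are constructed for this illustration.


class RBAC:
    def __init__(self) -> None:
        self._role_perms: dict = {}                  # role -> set of permissions
        self._user_roles: dict = defaultdict(set)    # user -> set of roles

    def define_role(self, role: str, permissions: set) -> None:
        self._role_perms[role] = set(permissions)

    def add_permission(self, role: str, permission: str) -> None:
        """Changing a role changes the privileges of every user holding it."""
        self._role_perms[role].add(permission)       # KeyError for an undefined role

    def assign(self, user: str, role: str) -> None:
        if role not in self._role_perms:
            raise KeyError(f"unknown role {role!r}")  # never silently create roles
        self._user_roles[user].add(role)

    def revoke(self, user: str, role: str) -> None:
        self._user_roles[user].discard(role)

    def permissions_of(self, user: str) -> set:
        """Effective permissions: union over the user's roles; there are no
        per-user grants, so a user with no roles has no permissions."""
        return set().union(*(self._role_perms[r] for r in self._user_roles[user]))

    def can(self, user: str, permission: str) -> bool:
        return permission in self.permissions_of(user)


def build_demo() -> RBAC:
    """Constructed organization: every employee can file requests; alice is
    additionally a manager and keeps her employee rights."""
    rbac = RBAC()
    rbac.define_role("employee", {"request:vacation", "submit:expense"})
    rbac.define_role("manager", {"approve:vacation", "approve:expense", "assign:task"})
    for user in ("alice", "bob", "carol"):
        rbac.assign(user, "employee")
    rbac.assign("alice", "manager")
    return rbac


if __name__ == "__main__":
    org = build_demo()
    print("alice approve:vacation ->", org.can("alice", "approve:vacation"))
    print("bob   approve:vacation ->", org.can("bob", "approve:vacation"))
    # Bulk change: one edit to the role reaches every manager at once.
    org.add_permission("manager", "approve:budget")
    print("alice approve:budget   ->", org.can("alice", "approve:budget"))
```

The bulk-management property is visible in `add_permission`: a single change to the "manager" role alters the privileges of every user assigned that role, with no per-user edits.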
Relationship-Based Access Control (ReBAC) and Authorization
Relationship-based access control frames the authorization question as: does this user have a sufficient relationship to this object (or action) to be allowed access? The relationship can be direct, such as a document shared with the user, or indirect, such as membership in a group or role that has been granted access. Answering the question may require traversing a graph of users, roles, organizations, groups and objects through several nodes before a relationship between the user and the object is established. The implementer of a ReBAC system decides which relationships matter for access and what permissions each relationship grants.
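The following is an added example, not code from the original article and not Auth0's Fine-Grained Authorization implementation. It expresses both the Google Docs use case above (a document shared with an individual for comments only) and the ReBAC graph walk in this section as relation tuples of the form object#relation@subject, where a subject is either a user or a "userset" such as everyone who is a member of a group. The check is a breadth-first search across direct tuples, nested group membership and implied relations, with a visited set so that groups that contain each other do not loop forever. Object, relation and user names are assumptions made for the illustration, and the tuples are constructed.

```python
from collections import defaultdict, deque
from typing import Tuple, Union

# Added example: relationship-based check over constructed relation tuples.
# A subject is a user ("user:bob") or a userset (("group:finance", "member")),
# meaning everyone who holds that relation on that object.
Subject = Union[str, Tuple[str, str]]

# Relations implied by stronger relations on the same object: an owner can do
# everything an editor can, an editor everything a commenter can, and so on.
IMPLIED_BY = {
    "viewer": {"commenter"},
    "commenter": {"editor"},
    "editor": {"owner"},
}


class RelationStore:
    def __init__(self) -> None:
        self._tuples: dict = defaultdict(set)   # (object, relation) -> set of subjects

    def write(self, obj: str, relation: str, subject: Subject) -> None:
        self._tuples[(obj, relation)].add(subject)

    def check(self, obj: str, relation: str, user: str) -> bool:
        """Breadth-first search from (obj, relation) across direct tuples,
        usersets and implied relations. The visited set stops the walk from
        looping when groups contain each other."""
        start = (obj, relation)
        queue = deque([start])
        visited = {start}
        while queue:
            node = queue.popleft()
            # .get() on the defaultdict avoids creating entries for unknown nodes
            for subject in self._tuples.get(node, ()):
                if subject == user:
                    return True                       # direct or inherited membership
                if isinstance(subject, tuple) and subject not in visited:
                    visited.add(subject)              # expand the userset
                    queue.append(subject)
            o, r = node
            for stronger in IMPLIED_BY.get(r, ()):    # e.g. viewer is implied by commenter
                nxt = (o, stronger)
                if nxt not in visited:
                    visited.add(nxt)
                    queue.append(nxt)
        return False


def build_demo() -> RelationStore:
    """Constructed data: a budget document owned by alice, viewable by the
    finance group, and shared with dave for comments only. The finance and
    execs groups include each other, a cycle the check must tolerate."""
    s = RelationStore()
    s.write("doc:budget", "owner", "user:alice")
    s.write("doc:budget", "viewer", ("group:finance", "member"))
    s.write("doc:budget", "commenter", "user:dave")
    s.write("group:finance", "member", "user:bob")
    s.write("group:finance", "member", ("group:execs", "member"))
    s.write("group:execs", "member", "user:carol")
    s.write("group:execs", "member", ("group:finance", "member"))
    return s


if __name__ == "__main__":
    store = build_demo()
    for user in ("user:alice", "user:bob", "user:carol", "user:dave", "user:eve"):
        held = [r for r in ("viewer", "commenter", "editor", "owner")
                if store.check("doc:budget", r, user)]
        print(f"{user:11} -> {held}")
```

Carol's access to the document is established only after two hops (document to finance group, finance group to execs group), which is the graph traversal the text describes; Dave, shared with directly as a commenter, can view and comment but not edit.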
Auth0 recently released a developer preview of its upcoming Fine-Grained Authorization product, which is based on ReBAC. You can learn more on Auth0's Fine-Grained Authorization page.