What Is Authorization? Definition & Comparison with Access Control

Most people know what the word "authorize" means in everyday life. We use this term to describe access based on some kind of role, status, or merit. For example, we're authorized to eat in the campus dining room due to our status as a college student. 

In computing terms, "to authorize" means to identify the digital resources someone can access after they log in to a system. 

If you're confused by these terms, don't worry. Let's dig a little deeper.

A Formal Authorization Definition 

Authorization is the process of matching users to the right digital assets. The work starts with policy. 

A person with authority, such as a department head or IT manager, determines what access a person should have. They could define access rules by:

  • Departments. Every person that works within a specific group has access to the same files. 
  • Titles. Access varies depending on the role a user plays within the company. 
  • Individuality. What a person can see depends on the work a person does, seniority within the company, or something else altogether. 

Crafting rules like this takes time and expertise, and it's often work that people with seniority take on. People with system administrator jobs can then enforce the policies. This job typically involves solving user problems, so adding or removing file access may become part of everyday work.

How Does Authorization Work? 

People gain access by following a series of predictable steps. 

Authorization involves:

  • Authentication. Organizations can manage authentication in a variety of ways. They can require a name/password combination to allow the system to verify a person's identity. Almost half of all companies add to this process with two-factor authentication steps, such as tapping in a one-time code sent to a cell phone. A simple step like this cuts down on fraud. 
  • Database checks. With authentication complete, the system knows who you are and what administrators believe you should use in your work. 
  • Access control. The system unlocks access to these assets, and the user can begin work. 

Most people have used authorization processes before, even if they didn't know it. Major systems use authorization, including:

  • Windows. Windows requires you to set up at least one authorized user, and a password protects your access. 
  • iTunes. You must authorize your computer to purchase items within the store. 
  • Your employer. Again, almost every corporate computer system out there requires users to log in and move through authorization before accessing files. 

Computers are fast by design, and it often takes just seconds to complete this complex process. You may never know it's happening.

Authorization vs. Access Control 

If authorization involves defining a policy, access control puts the policies to work. These two terms aren't interchangeable. But they do work hand in hand. 

Once you've completed the authorization process, the system knows who you are and what you should see. The access control system unlocks the assets, so you can do the work you need to do.
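The three steps listed under "How Does Authorization Work?" and the policy-versus-enforcement split described here, as an added Python sketch that is not Okta's code. The user directory, passwords, asset names and function names are all constructed for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    department: str
    title: str

def _digest(password: str, salt: bytes) -> bytes:
    # Store a salted, slow hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample directory: every name, password and asset is made up.
DIRECTORY = {
    "dana": (User("dana", "finance", "analyst"), b"s1", _digest("dana-pass", b"s1")),
    "lee": (User("lee", "engineering", "manager"), b"s2", _digest("lee-pass", b"s2")),
}

# Policy set by someone with authority, using the page's three rule types.
POLICY = {
    "department": {"finance": {"ledger"}, "engineering": {"source-repo"}},
    "title": {"manager": {"salary-review"}},
    "individual": {"dana": {"audit-2020"}},
}

def authenticate(name: str, password: str) -> User | None:
    """Step 1: verify identity; unknown users and bad passwords both fail."""
    record = DIRECTORY.get(name)
    if record is None:
        return None
    user, salt, stored = record
    return user if hmac.compare_digest(stored, _digest(password, salt)) else None

def authorized_assets(user: User) -> set[str]:
    """Step 2: the database check, collecting every grant that applies."""
    return (POLICY["department"].get(user.department, set())
            | POLICY["title"].get(user.title, set())
            | POLICY["individual"].get(user.name, set()))

def access(name: str, password: str, asset: str) -> bool:
    """Step 3: access control enforces the policy and denies by default."""
    user = authenticate(name, password)
    return user is not None and asset in authorized_assets(user)

if __name__ == "__main__":
    print(access("dana", "dana-pass", "ledger"))         # department grant
    print(access("dana", "dana-pass", "salary-review"))  # no matching rule
```

Changing who can see what means editing `POLICY` only; the enforcement function `access` stays the same, which is the separation between defining policy and putting it to work.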

Knowledge Is Power

The more you know about how security systems work, the better you can protect your company and your coworkers from hackers and malicious actors.

At Okta, we work hard to define terms simply, so everyone can learn. And we build robust tools everyone needs to manage authorization, authentication, and access control.
