What is Authorization?
Authorization is the process of giving someone the ability to access a resource.
Of course, this definition may sound obscure, but many situations in real life can help illustrate what authorization means so that you can apply those concepts to computer systems.
A good example is house ownership. The owner has full access rights to the property (the resource) but can grant other people the right to access it. You say that the owner authorizes people to access it. This simple example allows us to introduce a few concepts in the authorization context.
For instance, accessing the house is a permission, that is, an action that you can perform on a resource. Other permissions on the house may be furnishing it, cleaning it, repairing it, etc.
A permission becomes a privilege (or right) when it is assigned to someone. So, if you assign the permission to furnish your house to your interior decorator, you are granting them that privilege.
On the other hand, the decorator may ask you for permission to furnish your house. In this case, the requested permission is a scope, that is, the action that the decorator would like to perform at your house.
Sometimes authorization is closely related to identity. Think of the process of boarding a plane. You have your boarding pass, which states that you are authorized to fly on that plane. However, it is not enough for the gate agent to let you get on board. You also need your passport, which states your identity. In this case, the gate agent compares the name on the passport with the name on the boarding pass and lets you through if they match.
In the authorization context, your name is an attribute of your identity. Other attributes are your age, your language, your credit card, and anything else relevant in a specific scenario.
Your name written on the passport is a claim, that is, a declaration stating you've got that attribute. Someone reading your name on your passport can be sure of your name because they trust the government that issued your passport.
The boarding pass, along with the passenger's proof of identity, represents a kind of "access token" that grants the right to board the plane.
In the scenarios described above, you can see that the act of authorizing enables entities to execute tasks that other entities are not allowed to complete.
Computer systems that use authorization work in a similar manner.
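To make the vocabulary above concrete, here is a small Python model of the house and boarding-pass analogies. It is an added example written for this page, not code from the original article: permissions are the actions a house supports, a grant turns permissions into privileges for a named subject, a scope is the single permission a caller asks to exercise, and an access token bundles an identity proof (the passport, carrying claims) with the grant (the boarding pass). The class and field names are invented for illustration, and trust in an issuer is modelled by a plain string rather than a cryptographic signature, which a real token would carry.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed for this example: the actions the resource (the house) supports.
PERMISSIONS = frozenset({"access", "furnish", "clean", "repair"})

# Constructed: issuers whose identity claims we accept, like trusting the
# government that issued a passport. A real system would verify a signature.
TRUSTED_IDENTITY_ISSUERS = frozenset({"government"})


@dataclass(frozen=True)
class IdentityProof:
    """Like a passport: claims about attributes, vouched for by an issuer."""
    issuer: str
    claims: dict  # e.g. {"name": "Dana", "age": 34}


@dataclass(frozen=True)
class Grant:
    """Like a boarding pass: the owner's statement that a named subject
    holds certain privileges (permissions assigned to that subject)."""
    issuer: str            # who granted the privileges (should be the owner)
    subject: str           # the name the grant was issued to
    privileges: frozenset  # permissions assigned to the subject


@dataclass(frozen=True)
class AccessToken:
    """The boarding pass together with the proof of identity."""
    identity: IdentityProof
    grant: Grant


class House:
    """The resource. The owner holds every permission and can delegate them."""

    def __init__(self, owner: str) -> None:
        self.owner = owner

    def grant(self, subject: str, *permissions: str) -> Grant:
        """Assign permissions to a subject, turning them into privileges."""
        unknown = set(permissions) - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        return Grant(issuer=self.owner, subject=subject,
                     privileges=frozenset(permissions))

    def authorize(self, token: AccessToken, scope: str) -> tuple[bool, str]:
        """Decide whether the token holder may exercise the requested scope.

        Mirrors the gate agent: trust the passport's issuer, compare the name
        on the passport with the name on the boarding pass, then check that
        the requested action is among the privileges actually granted.
        """
        if scope not in PERMISSIONS:
            return False, "unknown scope"
        if token.identity.issuer not in TRUSTED_IDENTITY_ISSUERS:
            return False, "untrusted identity issuer"
        name = token.identity.claims.get("name")
        if name is None:
            return False, "identity carries no name claim"
        if name == self.owner:
            return True, "owner holds every permission"
        if token.grant.issuer != self.owner:
            return False, "grant was not issued by the owner"
        if name != token.grant.subject:
            return False, "name on identity does not match grant"
        if scope not in token.grant.privileges:
            return False, f"no privilege for {scope}"
        return True, "authorized"


if __name__ == "__main__":
    house = House("owner")
    passport = IdentityProof("government", {"name": "Dana"})
    boarding_pass = house.grant("Dana", "access", "furnish")
    token = AccessToken(passport, boarding_pass)
    print(house.authorize(token, "furnish"))  # granted privilege
    print(house.authorize(token, "repair"))   # permission exists, never granted
```

Every failure path returns a reason alongside the boolean, which is the detail a defender wants in an audit log: a denied request for a permission that was never granted looks very different from a token whose identity and grant name different people.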