TLDR: Authorization is all about giving the right access to the right people for the right things.
Authorization (authorisation in British spelling) is a way of specifying who can access certain things. It's all about making sure that the right people have the right permissions to use certain resources, like files, programs, and devices on a computer. For example, in a company, the human resources staff might be authorized to access employee records, while other employees might not have that permission. This is usually done through access control rules in a computer system. When someone wants to access something, the system checks these rules to see whether they have been authorized to do so. It's like having a bouncer at a club who checks your ID against the guest list to see if you're allowed to enter.
Access control in computer systems and networks relies on access policies. These policies define who is authorized to access what. There are two main phases in the access control process: the policy definition phase and the policy enforcement phase. In the policy definition phase, access is authorized by setting up the rules for who can access what. In the policy enforcement phase, access requests are either approved or disapproved based on these rules. This helps ensure that only authorized users can access certain resources.
Most modern operating systems have a feature called role-based access control (RBAC), which means that access is granted based on the role or job of the user rather than to each person individually. For example, a manager might have access to certain files and programs that regular employees don't. Access control also relies on authentication, which is the process of verifying the identity of the user, and authentication comes first: when someone tries to access a resource, the system first establishes who they are, then checks whether that identity has been authorized to use it.
Sometimes, access is granted without requiring a unique identity. This is often the case in distributed systems where tying access to a unique identity is not necessary. Access tokens, like keys or tickets, can be used to grant access without proving identity: whoever presents the token gets the access it represents, so the token itself has to be protected.
It's important to note that authorization is not just about granting access, but also about managing and maintaining those authorizations. This can be a complex task, especially in large systems with many users and resources. It's necessary to change or remove authorizations when needed, and this is usually done by changing or deleting the access rules in the system. Some systems use atomic authorization, where a trusted third party securely distributes authorization information to simplify the management process.
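The two phases described above (defining the rules, then enforcing them on each request), the role-based model, and the later change or removal of authorizations can be shown in a few lines. This is an added example written for this page, not code from any particular system; all user, role and resource names are constructed sample values, and the `user` passed to the check is assumed to have already been authenticated.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Policy definition phase: roles hold (action, resource) permissions,
    and users are assigned roles. Names here are constructed examples."""
    role_permissions: dict[str, set[tuple[str, str]]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, role: str, action: str, resource: str) -> None:
        self.role_permissions.setdefault(role, set()).add((action, resource))

    def revoke(self, role: str, action: str, resource: str) -> None:
        # Removing a rule takes the permission away from every user in the role.
        self.role_permissions.get(role, set()).discard((action, resource))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def unassign(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def is_authorized(self, user: str, action: str, resource: str) -> bool:
        """Policy enforcement phase. `user` is the already-authenticated
        identity. The check fails closed: an unknown user, an unknown role
        or a misspelled resource name all result in denial."""
        for role in self.user_roles.get(user, ()):
            if (action, resource) in self.role_permissions.get(role, ()):
                return True
        return False


def build_sample_policy() -> Policy:
    """HR staff may read and update employee records; everyone else may not."""
    p = Policy()
    p.grant("hr", "read", "employee_records")
    p.grant("hr", "write", "employee_records")
    p.grant("employee", "read", "handbook")
    p.assign("alice", "hr")        # alice is in HR and is also an employee
    p.assign("alice", "employee")
    p.assign("bob", "employee")    # bob is a regular employee
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    for user in ("alice", "bob", "mallory"):
        print(user, "read employee_records ->",
              policy.is_authorized(user, "read", "employee_records"))
```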
In addition to computer security, authorization is also used in other contexts. In public policy, authorization is a feature of trusted systems used for security or social control. In banking, authorization refers to the hold placed on a customer's account when a purchase is made using a debit or credit card. In publishing, unauthorized texts are texts that are published without the approval of the author.
So, in a nutshell, authorization is all about giving the right access to the right people for the right things. It's like having a VIP pass that lets you into certain areas, but only if you're on the guest list.