Authorization determines what an authenticated user is permitted to do. After verifying identity (authentication), the system checks permissions to decide whether the user can read a file, execute a command, or access a resource. Authorization enforces the principle of least privilege by limiting access to what’s necessary.
Authorization decisions reference access control lists, role memberships, policies, or attributes. Modern systems often separate the policy decision point (PDP), which evaluates a request against rules that consider context such as time of day, device type, and risk level, from the policy enforcement point (PEP) in the application or gateway that applies the decision. A request that no rule explicitly permits should be denied by default.
CISSP Relevance
Domain 5 (Identity and Access Management) covers authorization models and implementation. Understand the difference between authentication and authorization—candidates often confuse them. Know how RBAC, ABAC, and policy-based access control enforce authorization decisions across enterprise systems.
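The following is an added example, not code from the original page: a small policy decision point in Python that combines the RBAC and ABAC models named above. Authentication is assumed to have already happened, so the PDP only answers whether an authenticated subject may perform an action on a resource in a given context (time of day, device type, risk level). The roles, resource paths, context attributes and rules are constructed for illustration; the combining algorithm is deny-overrides with default deny, which is what least privilege requires when no rule grants access.

```python
"""Added example: a minimal policy decision point (PDP) combining RBAC and ABAC.
Identity is assumed verified before a Request is built; this code only decides
whether the authenticated subject may act. All roles, paths and context values
are constructed sample data, not taken from any real system."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Effect(Enum):
    PERMIT = "permit"
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    subject: str      # authenticated principal (identity already verified)
    roles: frozenset  # role memberships supplied by the identity provider
    action: str       # "read", "write" or "execute"
    resource: str     # path-like resource identifier
    hour: int         # local hour of the request, 0-23 (time-of-day context)
    device: str       # "managed" or "unmanaged" (device-type context)
    risk: str         # "low" or "high" (hypothetical risk score from the IdP)


# A rule returns PERMIT, DENY, or None when it does not apply to the request.
Rule = Callable[[Request], Optional[Effect]]

# RBAC: role -> set of (action, resource prefix). Constructed sample data.
ROLE_PERMISSIONS = {
    "reader": {("read", "/docs/")},
    "editor": {("read", "/docs/"), ("write", "/docs/")},
    "admin": {("read", "/"), ("write", "/"), ("execute", "/bin/")},
}


def rbac_rule(req: Request) -> Optional[Effect]:
    """Permit if any of the subject's roles grants the action on the resource."""
    for role in req.roles:
        for action, prefix in ROLE_PERMISSIONS.get(role, ()):
            if req.action == action and req.resource.startswith(prefix):
                return Effect.PERMIT
    return None  # no role grants it; if nothing else permits, default deny applies


def business_hours_rule(req: Request) -> Optional[Effect]:
    """ABAC: writes are only allowed between 08:00 and 17:59 local time."""
    if req.action == "write" and not 8 <= req.hour < 18:
        return Effect.DENY
    return None


def managed_device_rule(req: Request) -> Optional[Effect]:
    """ABAC: executing anything requires a managed device."""
    if req.action == "execute" and req.device != "managed":
        return Effect.DENY
    return None


def risk_rule(req: Request) -> Optional[Effect]:
    """ABAC: a high-risk session is limited to read-only access."""
    if req.risk == "high" and req.action != "read":
        return Effect.DENY
    return None


POLICY: list[Rule] = [rbac_rule, business_hours_rule, managed_device_rule, risk_rule]


def decide(req: Request, policy: list[Rule] = POLICY) -> tuple[Effect, list[str]]:
    """Deny-overrides combining: any DENY wins, else any PERMIT, else DENY.

    Returns the effect plus the names of the rules that fired, so the PEP can
    log why a request was allowed or refused."""
    fired = [(rule.__name__, rule(req)) for rule in policy]
    fired = [(name, eff) for name, eff in fired if eff is not None]
    reasons = [name for name, _ in fired]
    if any(eff is Effect.DENY for _, eff in fired):
        return Effect.DENY, reasons
    if any(eff is Effect.PERMIT for _, eff in fired):
        return Effect.PERMIT, reasons
    return Effect.DENY, ["default_deny"]  # least privilege: nothing granted it


def is_authorized(req: Request) -> bool:
    """Policy enforcement point view: the boolean the resource server acts on."""
    return decide(req)[0] is Effect.PERMIT


if __name__ == "__main__":
    base = dict(subject="alice", roles=frozenset({"editor"}),
                resource="/docs/plan.md", device="managed", risk="low")
    print(decide(Request(action="write", hour=10, **base)))  # permitted by RBAC
    print(decide(Request(action="write", hour=22, **base)))  # denied: outside business hours
```

The design choice worth noting is that the RBAC rule can only ever permit and the context rules can only ever deny, so adding a new attribute check can never widen access; an attribute rule that returns PERMIT would need its own review because it bypasses the role model.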
Authorization concepts, including the PDP/PEP architecture, are documented in NIST SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations.
Related terms: Authentication, Access Control