Term · 2. Authentication & Authorization

Authorization (AuthZ)

IDM/IGA Domain

Definition

Process of deciding whether an authenticated principal (a user, service, or process) is permitted to perform a requested action on a resource, by evaluating the access-control policies that apply to that subject, action and resource. Distinct from authentication, which establishes who the principal is: authorization presupposes a verified identity and must be evaluated on every request, not once at login. Common authorization models: RBAC (permissions grouped into roles assigned to subjects), ABAC (rules over attributes of subject, resource, action and environment), PBAC (decisions driven by centrally managed policy, often expressed in a policy language), ReBAC (permissions derived from relationships between subjects and objects, such as owner or member). The decision is typically made by a policy decision point and enforced at policy enforcement points (API gateways, application middleware, microservice meshes); a sound enforcement point denies by default and fails closed when no policy grants the request.
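To make the definition concrete, the following is an added example (not part of the glossary, and not the code of any product named on this page) of a minimal policy decision point that evaluates one request against RBAC, ABAC and ReBAC policies, plus a policy enforcement point that gates the protected operation on that decision. The roles, relationships, clearance levels and sample principals are all constructed for illustration; the principal passed in is assumed to have been authenticated already, which is exactly the boundary the definition draws.

```python
"""Added example: a tiny PDP/PEP combining RBAC, ABAC and ReBAC decisions.
Everything below (roles, relations, attributes, sample data) is hypothetical."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """An already-authenticated subject. Authentication is not decided here."""
    id: str
    roles: frozenset = frozenset()
    attrs: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Resource:
    id: str
    kind: str
    attrs: dict = field(default_factory=dict)


# RBAC: role -> permitted (resource kind, action) pairs (hypothetical roles)
ROLE_PERMISSIONS = {
    "viewer": {("document", "read")},
    "editor": {("document", "read"), ("document", "update")},
    "admin": {("document", "read"), ("document", "update"), ("document", "delete")},
}

# ReBAC: (resource id, relation) -> principal ids (constructed relationship store)
RELATIONS = {
    ("doc-42", "owner"): {"alice"},
    ("doc-42", "shared_with"): {"bob"},
}

# ABAC: a deny rule evaluated on every request, comparing resource
# classification against the principal's clearance attribute.
CLEARANCE_LEVELS = {"public": 0, "internal": 1, "secret": 2}


def abac_denies(p: Principal, r: Resource, action: str) -> bool:
    needed = CLEARANCE_LEVELS[r.attrs.get("classification", "public")]
    held = CLEARANCE_LEVELS[p.attrs.get("clearance", "public")]
    return held < needed


def rbac_allows(p: Principal, r: Resource, action: str) -> bool:
    return any((r.kind, action) in ROLE_PERMISSIONS.get(role, set())
               for role in p.roles)


def rebac_allows(p: Principal, r: Resource, action: str) -> bool:
    if p.id in RELATIONS.get((r.id, "owner"), set()):
        return True  # the owner relationship grants every action on the object
    if action == "read" and p.id in RELATIONS.get((r.id, "shared_with"), set()):
        return True  # a share grants read only
    return False


def decide(p: Principal, r: Resource, action: str) -> bool:
    """Policy decision point. Deny by default; an ABAC deny overrides any
    grant; otherwise the request is allowed if RBAC or ReBAC grants it."""
    if abac_denies(p, r, action):
        return False
    return rbac_allows(p, r, action) or rebac_allows(p, r, action)


class Forbidden(Exception):
    pass


def enforce(p: Principal, r: Resource, action: str, operation):
    """Policy enforcement point: the only path to the protected operation.
    Fails closed, so a missing grant is a denial rather than a pass-through."""
    if not decide(p, r, action):
        raise Forbidden(f"{p.id} may not {action} {r.kind} {r.id}")
    return operation()


# Constructed sample principals and resource (hypothetical data).
ALICE = Principal("alice", attrs={"clearance": "internal"})            # owner, no role
BOB = Principal("bob", attrs={"clearance": "internal"})                # shared_with only
CAROL = Principal("carol", roles=frozenset({"viewer"}))                # role, but public clearance
DAVE = Principal("dave", roles=frozenset({"editor"}), attrs={"clearance": "internal"})
EVE = Principal("eve", attrs={"clearance": "secret"})                  # clearance, no grant
DOC42 = Resource("doc-42", "document", {"classification": "internal"})

if __name__ == "__main__":
    for who, act in [(ALICE, "delete"), (BOB, "read"), (BOB, "update"),
                     (CAROL, "read"), (DAVE, "update"), (DAVE, "delete"), (EVE, "read")]:
        print(f"{who.id:6} {act:7} -> {'allow' if decide(who, DOC42, act) else 'deny'}")
```

Two properties of the example are worth noting: the ABAC clearance rule is a deny that cannot be outvoted by an RBAC or ReBAC grant, and a high clearance on its own grants nothing (the principal `eve` is denied), because a clearance is a precondition, not a permission. The enforcement point is also the only route to the protected operation, which is what makes the decision point's answer meaningful in practice.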

Application
MidPoint: Authorization is a mechanism by which a computer system determines whether to allow or deny a specific action to a user.
Standards & regulations
  • NIST SP 800-63-3 «Authorization is the process of determining whether an authenticated entity is allowed to perform a requested action on a resource.»
  • ISO/IEC 24760-1:2019 «authorization: granting of rights, which includes the granting of access based on access rights.»
  • ISO/IEC 2382:2015 «authorization: granting of permission to an entity (user, program, or process) to access resources.»
  • RFC 4949 «authorization (formal): An approval that is granted to a system entity to access a system resource.»
  • RFC 2904 «Authorization is the process of determining, by evaluating applicable access control policies, whether a subject is allowed to have the requested type of access to a particular resource.»
  • RFC 5280 «Authorization: The process of determining if a particular right, such as access to some resource, can be granted to the presenter of a particular credential.»
  • ISO/IEC 10181-3:1996 «authorization: process of granting or denying a requested right to access and use information system resources.»
  • NIST IR 7316 «Authorization is the process of determining if a specific request to access a resource by a particular principal is to be granted or denied, based on applicable security policies.»