Authorization is the process by which access rights are defined and managed. Authorization is used by security professionals and network administrators to control user and client privileges and to limit who has access to system resources (e.g., applications, data, files, services).

Authorization occurs after authentication; this means that the user's identity has already been verified at the time of authorization. Once the user is verified, the authorization mechanism verifies that user's access rules and either grants or refuses resource access. Access control policies contain authorization rules, which are set by network administrators based on the user's role in the organization. These policies determine who has access to perform given functions and how permissions apply for any special-access requirements (e.g., security clearances). 

A process diagram of granting a user permission: first authentication (the user's identity is verified), then authorization (access rights are granted or refused), and then access control (policies that contain the authorization rules).

The AAA Process

Operating systems depend on authorization processes to manage applications. For example, Microsoft Windows operating systems use Active Directory (AD) for security policy integration. Windows also provides authentication and authorization services for internet-based (.NET) applications by integrating an open-source server-side web application framework (ASP.NET) that produces dynamic web pages. Operating systems also use access control authorization to govern access to file systems: Windows uses its New Technology File System (NTFS) to maintain access control lists (ACLs)—i.e., sets of rules—for all resources.

Another example of authorization processes' importance is in firewalls. Since firewalls are designed to apply different security levels to separate components of a network, they can use an authorization policy that allows traffic through based on the ACL. The ACL's rules are composed of a condition clause, formed by a series of predicates over some packet header fields, and an action clause, which determines the action to be enforced (i.e., allowing or denying the traffic). 
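The following is an added example, not from the original page: a small first-match packet-filter ACL in the form just described, where each rule has a condition clause (predicates over header fields) and an action clause (allow or deny). The field names, addresses and rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not from the page): a first-match packet-filter ACL. Each Rule
# carries a condition clause (predicates over header fields; None means "any")
# and an action clause ("allow" or "deny"). Rule set and addresses are constructed.


@dataclass(frozen=True)
class Rule:
    action: str                    # action clause: "allow" or "deny"
    proto: Optional[str] = None    # predicates over header fields; None = any
    src: Optional[str] = None      # CIDR of matching source addresses
    dst: Optional[str] = None      # CIDR of matching destination addresses
    dport: Optional[int] = None    # destination port

    def matches(self, pkt: dict) -> bool:
        # The condition clause is a conjunction: every stated predicate must hold.
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


# Sample policy: block one internal range from the web server outright, then
# permit HTTPS to the web server and DNS to the resolver. Rule order matters.
ACL = [
    Rule("deny", src="10.0.0.0/8", dst="192.0.2.10/32"),
    Rule("allow", proto="tcp", dst="192.0.2.10/32", dport=443),
    Rule("allow", proto="udp", dst="192.0.2.53/32", dport=53),
]


def evaluate(acl: list, pkt: dict) -> str:
    """Return the action of the first matching rule; unmatched traffic is denied."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # implicit default deny when no condition clause matches


def packet(proto: str, src: str, dst: str, dport: int) -> dict:
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}
```

Because the first match wins, reversing the rule list lets the internal range reach the web server, which is why ACL ordering is reviewed as carefully as the rules themselves.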

Authorization and Risk Management

NIST defines authorization as "the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls" (NIST, 2010, p. B-1).

Authorization is done in the fifth Risk Management Framework (RMF) step, after information system categorization, controls selection, controls implementation, and assessment. It is accomplished by finalizing the assessment report and the system security plan and completing the plan of action and milestones (POA&M). The POA&M then goes to the authorizing official (AO) for approval, which includes the AO accepting residual risk. The result of an authorization is an approval to operate (ATO).

Authorization is an RMF concept. Many federal agencies have used RMF since its inception in 2010. In Department of Defense (DoD) agencies, until they were directed to use RMF in 2014, acceptance of risk for an ATO was indicated by Certification and Accreditation (C&A) under the DoD Information Assurance Certification and Accreditation Process (DIACAP) (DoD, 2007). There are significant differences between the two processes, particularly in the sixth RMF step: continuous monitoring (CM). CM gives AOs increasing confidence in their authorizations by continuously reassessing and accepting risk that is ideally decreasing. Conversely, if risk increases, the information system (IS) may lose its ATO.

Risk assessments during CM are based on security impact analyses to "determine the extent to which proposed or actual changes to the information system or its environment of operation can affect or have affected the security state of the system" (NIST, 2010, p. 38). In this way, the AO implements the RMF concept of ongoing authorization.

We can also look at authorization as a grant to a subject (i.e., user) of access to services and other objects in an information system. Authorization is part of the design of system architecture to meet access requirements and is thereby inherent in a system's information management model (IMM) (NSA, 2002). Authorization is implemented through ACLs, in which subjects are authorized to exercise rights on objects (e.g., read, write, execute, list, delete, change).
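As an added example (not from the page or the cited documents), the subject/object view of authorization above, with the rules derived from the subject's role as the earlier section describes: an authenticated subject is checked against a per-object ACL for one of the listed rights, with explicit deny entries taking precedence and everything else denied by default. The users, roles, object path and entries are constructed.

```python
from dataclasses import dataclass

# Added example (not from the page): a per-object ACL granting rights to subjects,
# either directly or through roles assigned by the access control policy.
# Users, roles, objects and entries are constructed for illustration.

RIGHTS = {"read", "write", "execute", "list", "delete", "change"}


@dataclass(frozen=True)
class Entry:
    principal: str      # a user name or a role name
    rights: frozenset   # subset of RIGHTS this entry covers
    allow: bool = True  # False makes this an explicit deny entry


# Access control policy: roles the administrator has assigned to each user.
ROLES = {"alice": {"analyst"}, "bob": {"analyst", "admin"}, "eve": set()}

# Per-object ACLs. Bob is an admin but has been explicitly denied delete here.
ACLS = {
    "/reports/q3.pdf": [
        Entry("analyst", frozenset({"read", "list"})),
        Entry("admin", frozenset(RIGHTS)),
        Entry("bob", frozenset({"delete"}), allow=False),
    ],
}


def authorize(subject: str, obj: str, right: str, authenticated: bool) -> bool:
    """Grant or refuse `right` on `obj`; the subject must already be authenticated."""
    if not authenticated:
        return False  # authorization occurs only after identity is verified
    if right not in RIGHTS:
        raise ValueError(f"unknown right: {right}")
    principals = {subject} | ROLES.get(subject, set())
    entries = [e for e in ACLS.get(obj, [])
               if e.principal in principals and right in e.rights]
    if any(not e.allow for e in entries):
        return False  # an explicit deny outranks any allow
    return any(e.allow for e in entries)  # no applicable allow: default deny
```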


Department of Defense (DoD). (2007, Nov. 28). DoD Information Assurance Certification and Accreditation Process (DIACAP) (Department of Defense Instruction 8510.01).

National Institute of Standards and Technology (NIST). (2010, February). Guide for applying the risk management framework to federal information systems: NIST Special Publication 800-37, Revision 1.

National Security Agency (NSA). (2002, September). Information assurance technical framework (IATF) release 3.1.

Check Your Knowledge

Question 1
When a systems administrator implements access control lists, he or she is providing which of the following for the system user?