What Is Authorisation?

I feel that the security concepts of Authentication and Authorisation need to be better understood within the software engineering community. Usually, IT professionals mention both terms in the same context, thus masking gaps in knowledge. Nonetheless, at times only one of the concepts is appropriate, and then—at least in my experience—the incorrect term is used almost as often as the correct one. The same applies to me—for longer than I care to admit, I was oblivious to the difference between Authentication and Authorisation.

In my article on Authenication, our real-world example was being lucky enough to be invited to an exclusive event, and we’ll continue with this scenario to explain Authorisation. As we left it in our hypothetical illustration, we had successfully identified ourselves with the security detail at the entrance. Authentication is synonymous with identification.

Authorisation

Next, security checks whether we are on ‘The List’. Names on the list are allowed to enter—they are permitted or authorised. On the other hand, if our name is not listed, access will be denied—we are disallowed, forbidden or unauthorised to enter. Authorisation is not a difficult concept. 

Authorisation is the permission to perform an action or get access to a resource.

I like an example by Matthew Brett, who summed up the concepts of Authentication and Authorisation in a single sentence: “Sorry authentic 15-year-old, you’re not authorised to go into the R18 movie, but you are authorised for the R13.”. Nice and concise. 

A few properties of Authentication and Authorisation:

• Access to Resources held by a Third Party.   When we request access to secured resources, we must authenticate ourselves with the resource owner. We must also pass an authorisation check before resource access will be granted.
• Authentication happens before Authorisation.   Since access rights belong to an identity, Authentication must happen before Authorisation. We must identify ourselves before the party protecting the resource can decide whether or not we are allowed access.
• Authentication is a function of Identity only.   The Identity of the 15-year-old at the movies is, unsurprisingly, the 15-year-old. The outcome of an Authentication attempt is always True or False—either one can authenticate oneself to the satisfaction of a resource gatekeeper—or not.
• Authorisation is a function of Identity and Action.   Authorisation is more fine-grained than Authentication—it depends on who’s asking (Identity) and what they are asking for (Resource). The authentic 15-year-old (Identity) is not allowed (Authorisation: Denied/False) into the R18 movie (Resource). However, the 15-year-old (Identity) will be permitted into the R13 movie (Different Resource)—Authorisation: Granted/True.

Conclusion

To sum up the pertinent points:

• Authentication and Authorisation are (usually) needed to access secured resources.
• Authentication is about identity. As in answering the question ‘Who are you?’.
• Authorisation, or permission to access resources, attaches to an identity. 
• Authentication comes before Authorisation.