Authorization (also spelt authorisation) is the function of specifying access rights to resources, which is related to information security and computer security in general and to access control in particular. More formally, "to authorize" is to define access policy. For example, human resources staff are normally authorized to access employee records, and this policy is usually formalized as access control rules in a computer system. During operation, the system uses the access control rules to decide whether access requests from (authenticated) consumers shall be granted or rejected. Resources include individual files' or items' data, computer programs, computer devices and functionality provided by computer applications. Examples of consumers are computer users, computer programs and other devices on the computer.
Overview
Access control in computer systems and networks relies on access policies. The access control process can be divided into two phases: 1) policy definition phase, and 2) policy enforcement phase. Authorization is the function of the policy definition phase which precedes the policy enforcement phase where access requests are granted or rejected based on the previously defined authorizations.
Most modern, multi-user operating systems include access control and thereby rely on authorization. Access control also makes use of authentication to verify the identity of consumers. When a consumer tries to access a resource, the access control process checks that the consumer has been authorized to use that resource. Authorization is the responsibility of an authority, such as a department manager, within the application domain, but is often delegated to a custodian such as a system administrator. Authorizations are expressed as access policies in some type of "policy definition application", e.g. in the form of an access control list or a capability, on the basis of the "principle of least privilege": consumers should only be authorized to access whatever they need to do their jobs. Older and single-user operating systems often had weak or non-existent authentication and access control systems.
"Anonymous consumers" or "guests", are consumers that have not been required to authenticate. They often have limited authorization. On a distributed system, it is often desirable to grant access without requiring a unique identity. Familiar examples of access tokens include keys and tickets: they grant access without proving identity.
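The following is an added example, not part of the original article, showing how an access token of the kind described above can grant access without the presenter proving an identity. It implements a capability as a token that names a resource and a set of rights, made unforgeable with an HMAC under a secret held by the issuer; the enforcement point verifies the token itself rather than asking who presents it. The issuer key, resource names, rights and timestamps are constructed for the example.

```python
"""Capability tokens: access granted by possession, not by identity.

Added example, not from the original article. A capability names a
resource together with a set of rights, and is unforgeable: here the
issuer signs it with an HMAC under a secret that only the issuer holds.
The enforcement point checks the token, not who presents it, so no
identity has to be established. Issuer key, resource names and rights are
constructed for this example.
"""
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional

# Constructed issuer secret; a real deployment would load it from a key store.
ISSUER_KEY = b"example-issuer-key-not-for-production"


def mint_capability(resource: str, rights: Iterable[str], ttl_seconds: int,
                    key: bytes = ISSUER_KEY, now: Optional[float] = None) -> str:
    """Policy definition: an authority issues a token for one resource.

    The token carries the resource, the rights it conveys and an expiry;
    the trailing HMAC tag is what makes it unforgeable.
    """
    issued_at = time.time() if now is None else now
    payload = {
        "resource": resource,
        "rights": sorted(set(rights)),
        "exp": int(issued_at + ttl_seconds),
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True)
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return body + "." + tag


def check_capability(token: str, resource: str, right: str,
                     key: bytes = ISSUER_KEY, now: Optional[float] = None) -> bool:
    """Policy enforcement: is this request covered by a genuine, unexpired token?

    Nothing here asks who the presenter is: possession of a valid token is
    the whole credential.
    """
    body, sep, tag = token.rpartition(".")   # the hex tag contains no '.'
    if not sep:
        return False
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False                          # forged or tampered token
    try:
        payload = json.loads(body)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if payload.get("exp", 0) < current:
        return False                          # expired
    return payload.get("resource") == resource and right in payload.get("rights", [])


def demo() -> dict:
    """Mint one token, then try honest, out-of-scope, tampered and expired uses."""
    issued = 1_700_000_000.0                  # constructed timestamp
    token = mint_capability("reports/q1.pdf", {"read"}, ttl_seconds=300, now=issued)
    tampered = token.replace('"read"', '"write"')   # rights changed, tag unchanged
    return {
        "read_ok": check_capability(token, "reports/q1.pdf", "read", now=issued + 10),
        "write_denied": check_capability(token, "reports/q1.pdf", "write", now=issued + 10),
        "other_resource_denied": check_capability(token, "reports/q2.pdf", "read", now=issued + 10),
        "tampered_denied": check_capability(tampered, "reports/q1.pdf", "write", now=issued + 10),
        "expired_denied": check_capability(token, "reports/q1.pdf", "read", now=issued + 600),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'granted' if outcome else 'rejected'}")
```

The token is minted once by the authority (policy definition) and can then be passed to any consumer; whoever presents it gets exactly the listed rights on exactly the named resource until it expires, and a token whose rights have been edited fails the tag check.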
Trusted consumers that have been authenticated are often authorized for unrestricted access to resources. "Partially trusted" consumers and guests will often have restricted authorization in order to protect resources against improper access and usage. The access policy in some operating systems, by default, grants all consumers full access to all resources. Others do the opposite, insisting that the administrator explicitly authorizes a consumer to use each resource.
Even when access is controlled through a combination of authentication and access control lists, the problem of maintaining the authorization data is not trivial, and often represents as much administrative burden as managing authentication credentials. It is often necessary to change or remove a user's authorization: this is done by changing or deleting the corresponding access rules on the system. Using atomic authorization is an alternative to per-system authorization management, where a trusted third party securely distributes authorization information.
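The following added example (not code from the original article) ties together the two-phase model from the start of this overview, the default-allow versus default-deny choice, and the point that changing or removing a user's authorization means editing the access rules. Policy definition populates an access control list; policy enforcement answers requests against it and records each decision as "granted" or "rejected" rather than "authorized". Subjects, resources and operations are constructed; the "hr_staff" / "employee_records" pair mirrors the article's own example.

```python
"""Two-phase access control with an access control list (ACL).

Added example, not from the original article. Phase 1, policy definition,
is where the authority (or a delegated administrator) authorizes subjects
by writing ACL entries. Phase 2, policy enforcement, answers each access
request from those entries. Subjects, resources and operations below are
constructed; the "hr_staff" / "employee_records" pair mirrors the article's
own example.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple


class AccessControlList:
    """resource -> subject -> set of permitted operations."""

    def __init__(self, default_allow: bool = False) -> None:
        self._rules: Dict[str, Dict[str, Set[str]]] = {}
        # default_allow=True reproduces systems that grant everything unless
        # restricted; False is the usual default-deny posture.
        self.default_allow = default_allow
        self.decisions: List[Tuple[str, str, str, str]] = []   # audit trail

    # ----- phase 1: policy definition (this is "authorization") -----
    def authorize(self, subject: str, resource: str, operations: Iterable[str]) -> None:
        self._rules.setdefault(resource, {}).setdefault(subject, set()).update(operations)

    def revoke(self, subject: str, resource: str,
               operations: Optional[Iterable[str]] = None) -> None:
        """Change (some operations) or remove (all) a subject's authorization."""
        entries = self._rules.get(resource)
        if entries is None or subject not in entries:
            return
        if operations is None:
            del entries[subject]
        else:
            entries[subject].difference_update(operations)
            if not entries[subject]:
                del entries[subject]

    # ----- phase 2: policy enforcement (requests granted or rejected) -----
    def is_permitted(self, subject: str, resource: str, operation: str) -> bool:
        granted = self._rules.get(resource, {}).get(subject)
        if granted is None:
            decision = self.default_allow        # no entry: fall back to the default
        else:
            decision = operation in granted
        # The log records what enforcement decided, not who is "authorized":
        # a request made with a stolen password may well be granted here.
        self.decisions.append((subject, resource, operation,
                               "granted" if decision else "rejected"))
        return decision


def demo() -> Dict[str, bool]:
    """Least-privilege grants, a guest with no entry, and a later revocation."""
    acl = AccessControlList(default_allow=False)
    acl.authorize("hr_staff", "employee_records", {"read", "update"})
    acl.authorize("payroll", "employee_records", {"read"})   # only what the job needs

    results = {
        "hr_update": acl.is_permitted("hr_staff", "employee_records", "update"),
        "payroll_read": acl.is_permitted("payroll", "employee_records", "read"),
        "payroll_update": acl.is_permitted("payroll", "employee_records", "update"),
        "guest_read": acl.is_permitted("guest", "employee_records", "read"),
    }

    # Changing an authorization means editing the rule, not the enforcement code.
    acl.revoke("hr_staff", "employee_records", {"update"})
    results["hr_update_after_revoke"] = acl.is_permitted("hr_staff", "employee_records", "update")
    results["hr_read_after_revoke"] = acl.is_permitted("hr_staff", "employee_records", "read")

    # The same request under a default-allow policy with no entries at all.
    permissive = AccessControlList(default_allow=True)
    results["guest_read_default_allow"] = permissive.is_permitted("guest", "employee_records", "read")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'granted' if outcome else 'rejected'}")
```

Note that `is_permitted` never touches the rule set: enforcement only reads what policy definition wrote, which is why withdrawing a grant is purely an edit to the ACL and why the audit trail speaks of requests being granted or rejected rather than of consumers being authorized.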
Confusion
The term authorization is often incorrectly used in the sense of the policy enforcement phase function. This confusing interpretation can be traced back to the introduction of Cisco's AAA server. Examples of this can be seen in RFC 2904 [1] and Cisco AAA [2]. However, the correct and fundamental meaning of authorization is not compatible with this usage of the term. For example, the fundamental security services confidentiality, integrity and availability are defined in terms of authorization [3]. Confidentiality, for instance, is defined by the International Organization for Standardization (ISO) as "ensuring that information is accessible only to those authorized to have access", where authorization is a function of the policy definition phase. It would be absurd to interpret confidentiality as "ensuring that information is accessible only to those who are granted access when requested", because people who access systems e.g. with stolen passwords would then be "authorized". It is common that logon screens provide warnings like "Only authorized users may access this system", e.g. [4]. Incorrect usage of the term authorization would invalidate such warnings, because attackers with stolen passwords could claim that they were authorized.
The confusion around authorization is so widespread that both interpretations (i.e. authorization both as policy definition phase and as policy enforcement phase) often appear within the same document, e.g. [5].
Examples of correct usage of the authorization concept include [6] and [7].
Related Interpretations
Public policy
In public policy, authorization is a feature of trusted systems used for security or social control.
Banking
In banking, an authorization is a hold placed on a customer's account when a purchase is made using a debit card or credit card.
Publishing
In publishing, sometimes public lectures and other freely available texts are published without the consent of the author. These are called unauthorized texts. An example is the 2002 'The Theory of Everything: The Origin and Fate of the Universe', which was collected from Stephen Hawking's lectures and published without his permission.
References
- [1] J. Vollbrecht et al. AAA Authorization Framework. RFC 2904, IETF, 2000.
- [2] B. J. Carroll. Cisco Access Control Security: AAA Administration Services. Cisco Press, 2004.
- [3] ISO 7498-2 Information Processing Systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture. ISO/IEC, 1989.
- [4] Access Warning Statements, University of California, Berkeley.
- [5] Understanding SOA Security Design and Implementation. IBM Redbook, 2007.
- [6] A. H. Karp. Authorization-Based Access Control for the Services Oriented Architecture. Proceedings of the Fourth International Conference on Creating, Connecting, and Collaborating through Computing (C5), 26-27 January 2006, Berkeley, CA, USA.
- [7] A. Jøsang, D. Gollmann, R. Au. A Method for Access Authorisation Through Delegation Networks. Proceedings of the Australasian Information Security Workshop (AISW'06), Hobart, January 2006.
See also
- Security engineering
- Computer security
- Authentication
- Access control
- Kerberos (protocol)
- Operating system
- Authorization OSID
- Authorization hold
- XACML