School of Information Systems

Authorization (Part 1)

Authorization is the process of determining which services a user, already identified by the process of authentication, is allowed to use. The identity proven during authentication becomes the basis for determining the services that the user has the right to use.

The logic of authorization is “without knowing who you are, I cannot know what is good for you and what is not, or what you are allowed to do”. It is like the Avengers movies: there are many agents, but each has a different security clearance level, and the higher the level, the more they are permitted to do at will.

In access control, that is the reasoning behind authorization. It is distinguished from authentication, which compares data to establish the authenticity of a particular credential and verifies whether a subject is who it claims to be.

Example

Any customer of a bank can create and use an identity (e.g., a user name) to log into that bank’s online service, but the bank’s authorization policy must ensure that only you are authorized to access your individual account online once your identity is verified.

Types of authorization

There are two types of authorization based on security services in access control, each classifying its own authorization modes.

  1. Server-side authorization

There are 3 modes of server-side authorization, applied to the incoming request:

  • None : no authorization is performed; this is the simplest mode. It is commonly used because the incoming request requires no level of security.
  • Self : the request is accepted, and the client is allowed to use the service, only if the client’s identity is the same as the service’s identity.
  • Gridmap : a list of authorized users in the form of an ACL (access control list); if this mode is used, only users who appear in the ACL may invoke the service.
  2. Client-side authorization

As with server-side authorization, there are 3 modes of this type, but client-side authorization might seem odd because authorization is generally seen from the server’s perspective, that is, the server deciding whether the client’s request or application is authorized. Here the roles are reversed and the client decides whether to accept the service’s identity.

  • None : no authorization is performed, the same as on the server side.
  • Self : the client will authorize the request only if the service’s identity is the same as the client’s own; it works if and only if the service’s identity matches the client’s.
  • Host : the client will authorize the request if the host returns an identity containing the host name. This check is done through the host certificate.
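The server-side modes (None, Self, Gridmap) and client-side modes (None, Self, Host) above, written out as decision functions. This is an added example for this page, not code from any grid middleware; the distinguished names, the gridmap file format and the CN=host/<hostname> convention are assumptions made for the illustration.

```python
"""Authorization-mode decision logic for the server-side (None/Self/Gridmap)
and client-side (None/Self/Host) modes described above. Added example, not
code from any grid middleware; all identities below are constructed."""
SERVICE_DN = "/O=Example/OU=Bank/CN=host/online.bank.example"   # constructed
CLIENT_DN = "/O=Example/OU=Bank/CN=Alice"                        # constructed
GRIDMAP_TEXT = """
# "<subject DN>" <local account>   one authorized user per line (assumed format)
"/O=Example/OU=Bank/CN=Alice" alice
"/O=Example/OU=Bank/CN=Bob"   bob
"""

def parse_gridmap(text):
    """Parse a gridmap-style ACL into {subject DN: local account}. Malformed
    lines raise instead of being skipped, so a corrupted ACL cannot silently change who is authorized."""
    acl = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"') or line.count('"') < 2:
            raise ValueError(f"malformed gridmap entry: {line!r}")
        end = line.index('"', 1)
        dn, account = line[1:end], line[end + 1:].strip()
        if not dn or not account:
            raise ValueError(f"malformed gridmap entry: {line!r}")
        acl[dn] = account
    return acl

def server_authorize(mode, client_dn, service_dn, acl=None):
    """Server-side decision on an incoming request; unknown modes fail closed."""
    mode = mode.lower()
    if mode == "none":       # no authorization performed
        return True
    if mode == "self":       # caller must be the service's own identity
        return client_dn == service_dn
    if mode == "gridmap":    # caller must be listed in the ACL
        return acl is not None and client_dn in acl
    raise ValueError(f"unknown server-side mode: {mode}")

def client_authorize(mode, service_dn, client_dn, expected_host=None):
    """Client-side decision on the identity the service presented."""
    mode = mode.lower()
    if mode == "none":
        return True
    if mode == "self":       # service must present the client's own identity
        return service_dn == client_dn
    if mode == "host":       # assumed host-certificate convention: CN=host/<hostname>
        return bool(expected_host) and service_dn.endswith(f"/CN=host/{expected_host}")
    raise ValueError(f"unknown client-side mode: {mode}")
```

Note that a missing ACL or an unrecognised mode never grants access: the gridmap check returns False without a list, and an unknown mode raises.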