What is authorization?

Authorization is the process that decides what an already-identified user (or system) is allowed to do. After a user proves who they are (authentication), authorization checks their permissions and grants or denies access to resources like files, pages, or actions.

Let's break it down

  • Identity: Who the user is (established by authentication).
  • Roles: Groups that define a set of permissions (e.g., admin, editor, viewer).
  • Permissions: Specific rights such as “read”, “write”, “delete”, or “execute”.
  • Policies: Rules that combine roles and permissions, often written in simple language or code.
  • Access Control Lists (ACLs): Lists attached to a resource that specify which users or roles can access it and how.

Why does it matter?

Authorization protects sensitive data and functionality from being accessed or changed by the wrong people. It helps prevent data leaks, fraud, and accidental damage, and it keeps companies compliant with regulations like GDPR or HIPAA.

Where is it used?

  • Websites and web apps (login-protected pages, admin panels)
  • APIs (controlling which apps can call which endpoints)
  • Operating systems (file permissions, sudo rights)
  • Cloud platforms (IAM roles for servers, storage, databases)
  • Mobile apps (feature unlocks based on subscription level)

Good things about it

  • Granular control: You can give exactly the rights needed, no more, no less.
  • Principle of least privilege: Limits potential damage if an account is compromised.
  • Auditability: Logs of who accessed what make it easier to investigate incidents.
  • Scalability: Role-based models let you manage permissions for thousands of users with a few rules.
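As an added example (not part of the original explainer), here is a small Python model of the building blocks listed under "Let's break it down": roles that carry permission sets, an ACL attached to a resource, a policy that combines the two, and an audit log. It also shows the least-privilege and auditability points from the list just above: every decision is denied unless both layers allow it, and every decision is recorded with its reason. All users, roles and resource names are constructed, and the rule that a user's role permissions cap whatever an ACL grants is a design choice of this example, not a general standard.

```python
"""Minimal role-based authorization with per-resource ACLs and an audit log.

Constructed example: the users, roles and resources below are made up.
"""
from dataclasses import dataclass, field

# Roles map to the set of permissions (rights) they carry.
ROLE_PERMISSIONS = {
    "admin": frozenset({"read", "write", "delete"}),
    "editor": frozenset({"read", "write"}),
    "viewer": frozenset({"read"}),
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # role names this user holds (set by authentication/identity)


@dataclass
class Resource:
    name: str
    # ACL: principal -> actions allowed on this resource.
    # Principals are written "user:<name>" or "role:<role>".
    acl: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class Authorizer:
    """Policy (assumption of this example): allow an action only if
    (1) one of the user's roles carries that permission, and
    (2) the resource ACL grants it to the user or to one of their roles.
    Anything else is denied: deny by default."""

    def __init__(self):
        self.audit_log = []  # (user, action, resource, allowed, reason)

    def effective_permissions(self, user):
        perms = set()
        for role in user.roles:
            # An unknown role contributes no rights rather than raising.
            perms |= ROLE_PERMISSIONS.get(role, frozenset())
        return frozenset(perms)

    def principals(self, user):
        return {f"user:{user.name}"} | {f"role:{r}" for r in user.roles}

    def check(self, user, action, resource):
        if action not in self.effective_permissions(user):
            # Role cap: an over-generous ACL entry cannot raise a viewer to writer.
            decision = Decision(False, f"no role of {user.name} carries '{action}'")
        else:
            granted_by = sorted(
                p for p in self.principals(user) if action in resource.acl.get(p, ())
            )
            if granted_by:
                decision = Decision(True, f"ACL on {resource.name} grants '{action}' to {granted_by[0]}")
            else:
                decision = Decision(False, f"ACL on {resource.name} does not grant '{action}' to {user.name}")
        # Auditability: record who asked for what, the outcome and why.
        self.audit_log.append((user.name, action, resource.name, decision.allowed, decision.reason))
        return decision


def run_demo():
    """Runs a fixed set of constructed checks and returns the decisions by label."""
    authz = Authorizer()
    alice = User("alice", frozenset({"editor"}))
    bob = User("bob", frozenset({"viewer"}))
    carol = User("carol", frozenset({"admin"}))
    dave = User("dave", frozenset({"contractor"}))  # role never defined -> no rights

    # The "role:viewer" entry deliberately grants "write" by mistake (misconfiguration).
    report = Resource("quarterly-report", {
        "role:editor": {"read", "write"},
        "role:viewer": {"read", "write"},
        "user:carol": {"read", "write", "delete"},
    })
    draft = Resource("draft-notes", {"user:alice": {"read", "write"}})

    results = {
        "alice_write_report": authz.check(alice, "write", report),
        "bob_read_report": authz.check(bob, "read", report),
        "bob_write_report": authz.check(bob, "write", report),   # capped by viewer role
        "carol_delete_report": authz.check(carol, "delete", report),
        "alice_delete_report": authz.check(alice, "delete", report),
        "dave_read_report": authz.check(dave, "read", report),
        "bob_read_draft": authz.check(bob, "read", draft),        # no ACL entry for bob
    }
    return results, authz.audit_log


if __name__ == "__main__":
    decisions, log = run_demo()
    for entry in log:
        print(entry)
```

Running the module prints one audit line per check. The interesting case is `bob_write_report`: the ACL on the report wrongly grants write to viewers, but because the viewer role itself carries only "read", the policy still denies it and the audit log says why.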

Not-so-good things

  • Complexity: Designing and maintaining detailed permission sets can become confusing.
  • Misconfiguration risk: A single wrong rule can expose data or block legitimate users.
  • Performance overhead: Checking permissions on every request adds a small delay, especially in large systems.
  • User frustration: Over-restrictive settings may prevent users from doing their jobs, leading to workarounds.