What is authorization and how it works

Topic: Security basics

Authorization is deciding what an authenticated identity can do (read, write, delete, admin). Learn role-based and attribute-based models, least privilege, and how to apply authorization after authentication. Use this when designing permissions or debugging access denied.

Intent: Decision

Quick answer

  • Authorization runs after authentication. It answers what this user or service is allowed to do (files, APIs, roles). Implement with ACLs, roles, or policies depending on the system.
  • Least privilege means granting only the minimum permissions needed for the task. Prefer roles over individual permissions so you can change one role and affect many users.
  • Use this when you get access denied despite valid login, or when designing who can do what; check both authentication (who) and authorization (what) when access fails.

Prerequisites

Steps

  1. Place after authentication

    Authorization is checked after the identity is verified. The system looks up permissions for that identity (user, role, service account) and allows or denies the action.

  2. Understand models

    ACL lists who can do what on a resource. Role-based assigns roles (admin, reader) and maps permissions to roles. Policy-based uses rules (if role X and resource Y then allow).

  3. Apply least privilege

    Grant only the minimum needed. Prefer roles for groups of users; audit and remove unused permissions; use separate accounts or roles for different environments (prod vs dev).

  4. Debug access denied

    Confirm the user is authenticated; then check which permission is missing (file mode, IAM policy, app role). Fix by adding the right permission or role, not by over-granting.

Summary

Authorization decides what an authenticated identity can do. Use roles or policies and least privilege; debug access denied by checking both auth and the specific permission that was denied.

Prerequisites

Steps

Step 1: Place after authentication

Authorization is evaluated after identity is verified. The system looks up permissions for that identity and allows or denies the action.

Step 2: Understand models

ACLs, role-based (RBAC), and policy-based authorization. Choose the model that fits your system and scale.

Step 3: Apply least privilege

Grant minimum required permissions; use roles for groups; remove unused access; separate prod and dev access.

Step 4: Debug access denied

Verify authentication first; then identify the missing permission (file, API, role); add the correct permission instead of over-granting.

Verification

You can explain how authorization fits after authentication and how to apply least privilege.

Troubleshooting

Too many permissions — Audit roles and remove unused; create narrower roles. Access denied after login — Check role membership and resource-level policies.

Next steps

Continue to