The IT Law Wiki

Definitions

Cybersecurity

Authorization is

the process of granting or denying access rights and privileges to a protected resource, such as a network, system, application, function, or file.[1]
[a]ccess privileges granted to a user, program, or process or the act of granting those privileges.[2]
[g]ranting of rights, which includes the granting of access based on access rights.[3]

Federal legislation

An authorization is an act of Congress that establishes or continues a federal program or agency either for a specified period of time or indefinitely, specifies its general goals and conduct, and usually sets a ceiling on the amount of budget authority that can be provided in an annual appropriation. An authorization for an agency or program usually is required before an appropriation for that same agency or program can be passed.

General

Authorization is

[t]he process of granting a person, computer process, or device with access to certain information, services, or functionality. Authorization is derived from the identity of the person, computer process, or device requesting access that is verified through authentication.[4]

Authorization is "the process of deciding what an individual ought to be allowed to do."[5]

Security

Authorization is "the granting of rights, which includes the granting of access based on access rights."[6]

Authorization is

[t]he right or a permission that is granted to a system entity to access a system resource.[7]
[t]he official management decision to authorize operation of an information system and explicitly accept the risk to operations (including mission, functions, image, or reputation), assets, or individuals, based on the implementation of an agreed-upon set of security controls.[8]
determining whether a subject (a user or system) is trusted to act for a given purpose, for example, allowed to read a particular file.[9]

State computer crime

Under the West Virginia computer crime law, authorization is

the express or implied consent given by a person to another to access or use said person's computer, computer network, computer program, computer software, computer system, password, identifying code or personal identification number.[10]

Telecommunications

Authorization is

a right granted by a regulatory authority permitting the operation of a radio station, radio application or electronic communication service in conformance with national laws and prescribed technical conditions.[11]

Overview

Cybersecurity

Authorization mechanisms fall into four major categories:

A key component of authorization and a basic principle for securing computer resources and data is the concept of least privilege.

To restrict legitimate users’ access in this way, organizations establish access rights and permissions. User rights are allowable actions that can be assigned to users or to groups of users. File and directory permissions are rules that regulate which users have access to a particular file or directory and the extent of that access. To avoid unintentionally giving users unnecessary access to sensitive files, directories, and special machine instructions that programs use to communicate with the operating system, an organization must give careful consideration to its assignment of rights and permissions.
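The distinction drawn above between user rights (allowable actions assigned to users or groups) and file and directory permissions (rules on which users may access a path, and how far) can be shown in a small deny-by-default authorizer. This is an added example, not code from the wiki or from any of the cited sources; the policy, the users alice, bob and carol, the groups and the paths under /srv/reports are constructed assumptions.

```python
import posixpath

# Constructed sample policy (an assumption for this example, not from the page).
# User rights: allowable actions that can be assigned to users or to groups.
USER_RIGHTS = {
    "group:operators": {"restart_service"},
    "alice": {"change_own_password"},
}
# File and directory permissions: which principals may access a path, and how.
# A rule on a directory applies to every file and subdirectory beneath it.
PATH_PERMISSIONS = {
    "/srv/reports": {"group:analysts": {"read"}},
    "/srv/reports/payroll": {"alice": {"read", "write"}},
}
GROUPS = {"alice": {"analysts"}, "bob": {"analysts", "operators"}}


def principals(user):
    """The identifiers a rule may name for this user: the user and its groups."""
    return {user} | {f"group:{g}" for g in GROUPS.get(user, ())}


def has_right(user, action):
    """User-rights check: denied unless the user or one of its groups holds it."""
    return any(action in USER_RIGHTS.get(p, set()) for p in principals(user))


def _covers(rule_path, path):
    """True if rule_path is the path itself or one of its ancestor directories."""
    return path == rule_path or path.startswith(rule_path.rstrip("/") + "/")


def may_access(user, path, action):
    """Path-permission check, deny by default.

    The requested path is normalised first so that '..' segments cannot make a
    request land outside the directory a rule was written for; only rules that
    cover the final, normalised path are consulted.
    """
    path = posixpath.normpath(posixpath.join("/", path))
    for rule_path, grants in PATH_PERMISSIONS.items():
        if not _covers(posixpath.normpath(rule_path), path):
            continue
        for principal in principals(user):
            if action in grants.get(principal, set()):
                return True
    return False
```

Least privilege is visible in the outcome: bob, an analyst, can read the payroll report but not write it, and an unknown user gets nothing at all.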

A password can be considered a form of authorization if it is issued by a higher level authority. If embedded in a form of identification such as a smart card, a password can be considered an added form of authentication.

To enable authorization in a public key encryption system, an additional mechanism must be used, such as bilateral or multilateral trading agreements between the communicating parties.

Security

Authorization in a physical context is the granting or confirmation of authority to perform a task or to be in some specific place. Having a physical token such as a key is an example. It may also come as a real-time affirmation done remotely in response to a request or action. The second form, “real-time affirmation done remotely,” involves permission being communicated when demanded by controlling authorities at the portal.

From a security standpoint, there are few technologies used in the first form, although electronic access cards are an example of a technology. The second form involves a combination of identification and authentication by an authorizing entity.

References

  1. "Authorization" means "[t]he granting of appropriate access privileges to authenticated users." Electronic Government: Planned e-Authentication Gateway Faces Formidable Development Challenges, at 32.
  2. CNSSI 4009, at 10.
  3. Framework for Cyber-Physical Systems, at 6.
  4. Privacy Technology Focus Group Final Report, App. B, at 51.
  5. Who Goes There?: Authentication Through the Lens of Privacy, at 20.
  6. ISO 7498-2.
  7. NIST Special Publication 800-82, at B-1.
  8. National Strategy for Trusted Identities in Cyberspace, at 32.
  9. Cryptography's Role in Securing the Information Society, App. B, Glossary, at 354.
  10. West Virginia Computer Crime and Abuse Act, W. Va. Stat. §61-3C-3.
  11. Perspectives on the Value of Shared Spectrum Access, at 15.
