Determines which systems, data, and actions an authenticated identity is allowed to access.
Authorization is the process of deciding what an identity is allowed to do after that identity has been established. In plain language, it defines which data, systems, features, or actions a user or service can access once authentication has already succeeded.
Authorization matters because proving identity does not make an action safe. A legitimate employee, service, or administrator should still receive only the access that fits the role, task, device, and context.
It also matters because some of the most serious security failures are authorization failures. Overly broad admin rights, missing object-level checks, or badly scoped service permissions can expose sensitive systems even when authentication is strong.
Authorization appears in SaaS role models, API scopes, cloud IAM policies, database permissions, Kubernetes role bindings, and privileged admin workflows. It is where organizations implement Least Privilege, enforce Role-Based Access Control, or apply contextual rules such as Attribute-Based Access Control.
Security teams also investigate authorization during audits and incidents. They ask whether the permission should have existed, whether it should have expired, and whether additional controls should have limited the action.
| Layer | Example question | Example control |
|---|---|---|
| Role or group | Does this job function normally need the feature? | RBAC assignment |
| Resource or object | Should this identity reach this specific record? | Object-level access check |
| Context or policy | Is this request safe under current conditions? | Device, network, or time-based policy |
Two employees sign in to the same HR system. Both are authenticated, but only the payroll specialist can export salary data or change compensation settings. The system recognizes both users; authorization determines the different outcomes.
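The HR scenario and the three layers in the table above can be made concrete in code. The following Python is an added example written for this entry, not code from any HR product or access-control library. It assumes a deny-by-default policy engine with three ordered checks: a role check (RBAC), an object-level check (the example assumes a record may only be reached by someone in the same department), and a contextual check (sensitive actions need a managed device and, as an assumed rule, a business-hours window of 08:00 to 18:00 UTC). It also shows the "missing object-level check" failure from above: a role-only decision lets a payroll specialist export salary data for a department they should not reach.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Layer 1 (role): which job functions normally include which actions.
# Constructed role model for the example; real systems load this from policy.
ROLE_PERMISSIONS = {
    "payroll_specialist": {"view_profile", "export_salary", "change_compensation"},
    "recruiter": {"view_profile"},
}
SENSITIVE_ACTIONS = {"export_salary", "change_compensation"}


@dataclass(frozen=True)
class Principal:
    user_id: str        # already authenticated; authorization starts here
    role: str
    department: str
    device_managed: bool


@dataclass(frozen=True)
class EmployeeRecord:
    employee_id: str
    department: str


@dataclass(frozen=True)
class Request:
    principal: Principal
    action: str
    resource: EmployeeRecord
    at: datetime


def check_role(req: Request) -> Optional[str]:
    """Layer 1: does this role normally need the action? Returns a deny reason or None."""
    if req.action not in ROLE_PERMISSIONS.get(req.principal.role, set()):
        return f"role {req.principal.role!r} is not granted {req.action!r}"
    return None


def check_object(req: Request) -> Optional[str]:
    """Layer 2: may this identity reach this specific record?
    Assumed rule: records are scoped to the principal's own department."""
    if req.resource.department != req.principal.department:
        return "record belongs to another department"
    return None


def check_context(req: Request) -> Optional[str]:
    """Layer 3: is the request safe under current conditions?
    Assumed rule: sensitive actions need a managed device and business hours (08-18 UTC)."""
    if req.action in SENSITIVE_ACTIONS:
        if not req.principal.device_managed:
            return "sensitive action from unmanaged device"
        if not 8 <= req.at.astimezone(timezone.utc).hour < 18:
            return "sensitive action outside business hours"
    return None


def authorize(req: Request) -> Tuple[bool, str]:
    """Deny by default: every layer must pass, and the first failing layer names the reason
    (the reason is what an auditor later wants in the decision log)."""
    for check in (check_role, check_object, check_context):
        reason = check(req)
        if reason:
            return False, reason
    return True, "allowed"


def authorize_role_only(req: Request) -> bool:
    """The weak form: RBAC alone, no object-level or contextual check."""
    return check_role(req) is None


# Constructed sample data: two employees of the same HR system.
WORK_HOURS = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)
AFTER_HOURS = datetime(2024, 3, 4, 22, 0, tzinfo=timezone.utc)
PAYROLL = Principal("u-100", "payroll_specialist", "finance", device_managed=True)
PAYROLL_BYOD = Principal("u-100", "payroll_specialist", "finance", device_managed=False)
RECRUITER = Principal("u-200", "recruiter", "finance", device_managed=True)
FINANCE_RECORD = EmployeeRecord("e-1", "finance")
ENGINEERING_RECORD = EmployeeRecord("e-2", "engineering")

CASES = {
    "payroll_exports_own_dept": Request(PAYROLL, "export_salary", FINANCE_RECORD, WORK_HOURS),
    "recruiter_exports": Request(RECRUITER, "export_salary", FINANCE_RECORD, WORK_HOURS),
    "payroll_exports_other_dept": Request(PAYROLL, "export_salary", ENGINEERING_RECORD, WORK_HOURS),
    "payroll_unmanaged_device": Request(PAYROLL_BYOD, "export_salary", FINANCE_RECORD, WORK_HOURS),
    "payroll_after_hours": Request(PAYROLL, "export_salary", FINANCE_RECORD, AFTER_HOURS),
    "recruiter_views_profile": Request(RECRUITER, "view_profile", FINANCE_RECORD, AFTER_HOURS),
}


def decisions() -> dict:
    """Run every constructed case through the layered engine."""
    return {name: authorize(req) for name, req in CASES.items()}


def role_only_gap() -> Tuple[bool, bool]:
    """Same cross-department export, decided by RBAC alone versus all three layers."""
    req = CASES["payroll_exports_other_dept"]
    return authorize_role_only(req), authorize(req)[0]


if __name__ == "__main__":
    for name, (allowed, reason) in decisions().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
    print("role-only vs layered on cross-department export:", role_only_gap())
```

Both users authenticate successfully; every difference in outcome comes from the authorization checks. The `role_only_gap()` result shows why the object-level layer exists: with RBAC alone the export is permitted, with the full chain it is denied with a reason that can be logged and reviewed.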
Authorization is not the same as Authentication. Authentication verifies identity. Authorization determines the actions, resources, or data that identity can use.
Authorization is also not always static. Many systems consider role, device state, project membership, location, or time before granting access, especially in cloud and zero-trust environments.