Authentication and Authorization - Terminology


Authentication and authorization are critical components of modern security systems, ensuring users and systems can access only what they are permitted to. Understanding the terminology behind these concepts is crucial for developers, engineers, and security professionals to implement robust access control solutions. This page provides a detailed glossary of key terms related to authentication and authorization, helping you navigate and apply these principles effectively.

Subject & Objects

In the context of authentication and authorization, subjects can be users, programs, processes, services, computers, or anything else that can access a resource. When authorized, subjects can modify objects. A subject is an active entity that accesses a passive object to receive information from, or data about, that object.

An object refers to any passive entity that provides information to active subjects. Examples of objects include files, databases, computers, programs, processes, services, printers, and storage media.

Permissions, Rights and Privileges

Permissions

Generally, permissions refer to the access granted to an object and determine what you can do with it. For example, if you have read permission for a file, you can open it and read it. You can also grant a user permissions to create, read, edit, or delete a file on a file server. Similarly, you can grant a user access rights to a file, so in this context, access rights and permissions are synonymous.

For instance, you may be granted read and execute permissions for an application file, which gives you the right to run the application.

Furthermore, you may be granted data access rights within a database, allowing you to retrieve or update information in the database.

Rights

A right of a subject refers to its ability to take an action on an object. For example, a user might have the right to modify the system date and time on a computer or the right to restore backed-up data.

This is a fine distinction and not always emphasized. You'll rarely see the right to take an action on a system referred to as a permission.

Privileges

The combination of rights and permissions is known as the privileges of a subject. For instance, an administrator of a computer will have full privileges, granting the administrator full rights and permissions on the computer. The administrator will be able to perform any action and access any data on the computer.

Access Controls

Access control is a crucial part of information security that establishes who has access to certain information, applications, and resources, and under what conditions.

Digital assets are protected by access control procedures in the same way that physical spaces are protected by locks and guest lists with prior approval.

They essentially allow the right individuals in while keeping the bad ones out. Access control policies heavily rely on methods like authentication and authorization, which enable organizations to explicitly confirm that users are who they claim to be and that they are granted the proper level of access based on context, including device, location, role, and many other factors.

One of the main reasons organizations implement access control mechanisms is to prevent losses. IT losses can be categorized into 3 types: loss of confidentiality, availability, and integrity. Protecting against these losses is so integral to IT security that they are frequently referred to as the CIA Triad.

Types of Access Controls

There are four basic categories of access control, and each one has different ways of managing access to private data.

  1. Discretionary access control (DAC)

In this model, every object in a protected system has an owner, and owners grant access to subjects at their discretion. DAC provides case-by-case control over resources.

  2. Mandatory access control (MAC)

This is an access control method in which users are granted access in the form of a clearance. A central supervisory authority regulates access rights and organizes them into multiple tiers. This model is often seen in government and military contexts.

  3. Role-based access control (RBAC)

This is a widely used access control mechanism that restricts access to computer resources based on individuals or groups with defined business functions; access rights are granted according to those business functions rather than an individual's identity or seniority. The goal is to provide users only with the data they need to perform their jobs, and no more.

  4. Rule-based access control

In this model, the rules governing access to resource objects are established by the system administrator. These rules frequently depend on circumstances, such as the time of day or the location.

  5. Attribute-based access control (ABAC)

In ABAC, access is granted flexibly based on a mix of attributes and environmental conditions, such as time and location. ABAC is the most granular access control model and helps reduce the number of role assignments.
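To make the RBAC, rule-based and ABAC distinctions concrete, here is an added example (not from the page) that decides the same kind of request under a role table and under a single attribute policy with a time-of-day rule. The roles, user and resource attributes, and the 09:00-18:00 business-hours rule are constructed for illustration.

```python
# Added example (not from the page): one access request decided under RBAC
# and under ABAC, with a rule-based time-of-day condition folded into the
# ABAC policy.  Roles, attributes, users and the 09:00-18:00 rule are all
# constructed for illustration.
from datetime import datetime

# RBAC: permissions attach to business functions (roles); users get roles.
ROLE_PERMISSIONS = {
    "hr_reader":    {("hr_records", "read")},
    "hr_editor":    {("hr_records", "read"), ("hr_records", "write")},
    "sales_reader": {("sales_records", "read")},
}
USER_ROLES = {"alice": {"hr_editor"}, "bob": {"sales_reader"}}


def rbac_allowed(user, resource, action):
    """Grant if any role held by the user carries (resource, action)."""
    roles = USER_ROLES.get(user, set())
    return any((resource, action) in ROLE_PERMISSIONS[r] for r in roles)


# ABAC: a single policy over subject, resource and environment attributes
# covers every department, so no per-department role has to be assigned.
ALICE = {"department": "HR", "job": "editor"}
BOB = {"department": "Sales", "job": "analyst"}
HR_RECORDS = {"department": "HR"}


def abac_allowed(subject, resource, action, when_iso):
    """Read own department's records in business hours; write additionally
    needs the 'editor' job attribute.  `when_iso` is an ISO-8601 timestamp."""
    when = datetime.fromisoformat(when_iso)
    same_department = subject["department"] == resource["department"]
    business_hours = 9 <= when.hour < 18          # rule-based condition
    if action == "read":
        return same_department and business_hours
    if action == "write":
        return same_department and business_hours and subject["job"] == "editor"
    return False                                   # anything else: default deny


if __name__ == "__main__":
    print("RBAC alice write hr_records:", rbac_allowed("alice", "hr_records", "write"))
    print("ABAC alice write at 10:00:", abac_allowed(ALICE, HR_RECORDS, "write", "2024-05-01T10:00"))
    print("ABAC alice write at 22:00:", abac_allowed(ALICE, HR_RECORDS, "write", "2024-05-01T22:00"))
```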

Authentication

The process of confirming that a subject (user/system) is, in fact, who or what it claims to be is known as authentication.

Authentication technologies enforce access control for systems by checking whether the subject's credentials match the credentials stored on the server. By doing this, authentication underpins secure systems, secure processes, and enterprise information security.

There are several forms of authentication. Subjects (users/systems) are often assigned a unique identifier for identification purposes, and authentication takes place when the subject provides credentials, such as a password, that exactly match what is stored for that identifier.

Single-factor authentication (SFA) is the practice of requiring only a user ID and password. Organizations have recently reinforced authentication by requesting additional authentication elements, such as a special code sent to the user's mobile device when an authentication attempt is made, or a biometric signature like a thumbprint or face scan; this is known as two-factor authentication (2FA).

By limiting access to protected resources to only authorized users or processes, authentication helps companies maintain the security of their information systems.

An authentication factor is a piece of information or a characteristic that may be used to verify a user’s identity when they ask for system access.

Popular Authentication Factors

  1. Knowledge Factor (Type 1) - Something you know: any authentication credential made up of data the user knows, such as a personal identification number (PIN), a username, a password, or the answer to a secret question.
  2. Possession Factor (Type 2) - Something you have: any credential based on items the user can own and carry with them, including hardware devices such as a security token or a mobile phone used to receive a text message or to run an authentication app that generates a one-time password (OTP) or PIN.
  3. Inherence Factor (Type 3) - Something you are: typically based on a biometric identification method, such as fingerprints or thumbprints, face recognition, retina scans, or any other type of biometric data.

Authorization

Authorization is the process of granting a subject (user/services) permission to access specific resources or capabilities once their identity is verified.

It also goes by the name AuthZ. In order for the system to know who is accessing the information, authorization usually works in conjunction with authentication. Authorization is the security framework used to determine a user's or client's rights or access levels for system resources such as software, files, services, data, and application features.

Typically, authentication is done before authorization in order to confirm the subject's identity.

A system verifies an authenticated user’s access policies during authorization and either permits or denies the user access to the resource. Modern operating systems with multiple users rely on carefully thought-out authorization procedures to facilitate the deployment and management of applications.

For smooth integration of security policies, authorization might be based on a corporate user repository such as Active Directory (AD). For instance, to offer authentication and authorization services for web-based .NET applications, ASP.NET works together with Internet Information Server (IIS) and Microsoft Windows.

Windows supports Access Control Lists (ACLs) for some resources using the New Technology File System (NTFS). The ACL is the final authority on resource access. The .NET Framework also supports an alternative, role-based security technique for authorization.

Access Control Matrix

A table that includes both subjects and objects is known as an access control matrix. People who might need to access items are typically referred to as subjects. Typically, objects are documents, information, or other resources that subjects may need to access. They might also be a piece of hardware or a system process. The information in the matrix specifies access levels and permissions for subjects and objects. Access control matrices are created by organizations to guarantee authorized access and guard against malicious or accidental unauthorized access to sensitive data.

The following five commonly used properties indicate permissions inside a user permissions matrix.

Read (R) - Read access allows the subject to open and read the file, but not to edit it.
Write (W) - Write access allows the subject not only to read the file but also to add or write new content to it.
Delete (D) - Compared with write permissions, delete rights are higher level. Subjects with delete or edit permissions can delete files or content.
Execute (E) - Execute permission allows a user to execute particular programs.
Dash (-) - A dash represents that the subject is prohibited from accessing the object.

Sample Access Control Matrix:

                    Asset1                        Asset2                        File    Device
  HR Department     Read, write, execute, delete  Execute                       Read    Write
  Sales Department  Read                          Read, write, execute, delete
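
The sample matrix above, evaluated as a reference monitor would evaluate it, as an added example that is not part of the original page: the subjects, objects and cells are the page's own, the letter codes follow the R/W/D/E/- list, and the only assumption beyond the page is that an empty cell is treated like a dash (default deny).

```python
# Added example: deciding requests against the page's sample access control
# matrix.  Subjects, objects and cell contents are the page's; the letter
# codes follow the page's R/W/D/E/- list.  Assumption taken from the page's
# own wording: write access also allows reading.

ACM = {
    "HR Department": {
        "Asset1": "RWED", "Asset2": "E", "File": "R", "Device": "W",
    },
    "Sales Department": {
        "Asset1": "R", "Asset2": "RWED",   # File and Device cells are empty
    },
}

IMPLIED = {"W": {"R"}}  # write includes read, as the page states


def effective_permissions(subject: str, obj: str) -> set:
    """Expand the matrix cell for (subject, obj) into a set of letters.

    An absent cell and a dash are treated the same way: no access at all
    (default deny), so an unlisted subject or object never gets through.
    """
    cell = ACM.get(subject, {}).get(obj, "-")
    if cell == "-":
        return set()
    perms = set(cell)
    for letter in list(perms):
        perms |= IMPLIED.get(letter, set())
    return perms


def is_allowed(subject: str, obj: str, action: str) -> bool:
    """Decide one request; action is one of R, W, D, E."""
    return action in effective_permissions(subject, obj)


if __name__ == "__main__":
    requests = [
        ("HR Department", "Asset2", "E"),
        ("HR Department", "Device", "R"),       # granted via W -> R
        ("Sales Department", "File", "R"),      # empty cell -> denied
        ("Marketing", "Asset1", "R"),           # unknown subject -> denied
    ]
    for subject, obj, action in requests:
        verdict = "ALLOW" if is_allowed(subject, obj, action) else "DENY"
        print(f"{subject:17} {obj:7} {action}: {verdict}")
```
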

Clipping Levels

Clipping levels are thresholds for acceptable user mistakes and suspicious activity. If this level is surpassed, the event must be documented, and the administrator must determine whether malicious behavior is taking place or whether the user needs training.
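A clipping level applied to authentication failures, as an added example that is not part of the original page: failures below the level are treated as ordinary mistakes, and only a user who goes over it within a window is recorded for the administrator to review. The log lines, the threshold of 3 and the 10-minute window are constructed; the page gives no specific values.

```python
# Added example (not from the page): applying a clipping level to failed
# authentication attempts.  The log lines, the threshold of 3 and the
# 10-minute window are constructed; the page gives no specific values.
from collections import defaultdict
from datetime import datetime, timedelta

CLIPPING_LEVEL = 3              # failures tolerated as ordinary mistakes
WINDOW = timedelta(minutes=10)  # sliding window the failures are counted in

# Constructed log, one event per line: "<ISO timestamp> <user> <outcome>"
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice FAILURE
2024-05-01T09:00:40 alice FAILURE
2024-05-01T09:01:10 alice SUCCESS
2024-05-01T09:02:00 bob FAILURE
2024-05-01T09:03:00 bob FAILURE
2024-05-01T09:04:00 bob FAILURE
2024-05-01T09:05:00 bob FAILURE
2024-05-01T09:30:00 bob FAILURE
"""


def parse_event(line):
    ts, user, outcome = line.split()
    return datetime.fromisoformat(ts), user, outcome


def exceeded_clipping_level(log_text, level=CLIPPING_LEVEL, window=WINDOW):
    """Return {user: timestamp at which that user first went over the level}.

    Only failures inside the window are counted, so two typos an hour apart
    never add up; a user is recorded once, at the moment the level is
    exceeded, and the decision (malice or training) is left to the admin.
    """
    recent = defaultdict(list)  # user -> failure timestamps still in window
    flagged = {}
    for line in log_text.splitlines():
        ts, user, outcome = parse_event(line)
        if outcome != "FAILURE":
            continue
        in_window = [t for t in recent[user] if ts - t <= window] + [ts]
        recent[user] = in_window
        if len(in_window) > level and user not in flagged:
            flagged[user] = ts
    return flagged


if __name__ == "__main__":
    for user, ts in exceeded_clipping_level(SAMPLE_LOG).items():
        print(f"{user}: clipping level exceeded at {ts.isoformat()}")
```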
