Authorization

Authorization ensures that each subject is given the correct privilege level.

This is done through access controls: they permit authorized entities (persons, processes, etc.) to perform authorized functions.

Access rights (the permissions) can have different levels of granularity, such as:

  • Create
  • Read
  • Update
  • Delete
  • Full control (administrator)

Another layer of access control is entitlements: more granular access controls, often based on group membership. They enforce access rules.

Access controls are at the heart of information security: all of security comes down to who is on our system and what they can do on it, and, of course, having a record of all the activities taking place.
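The following sketch is an added example, not part of the original notes: it models the access rights listed above, derives a subject's entitlements from group membership, denies by default, and records every decision. The group names, users, resources and the `authorize` helper are all constructed for illustration.

```python
from datetime import datetime, timezone
from enum import Flag, auto


class Right(Flag):
    CREATE = auto()
    READ = auto()
    UPDATE = auto()
    DELETE = auto()
    FULL_CONTROL = CREATE | READ | UPDATE | DELETE  # administrator


# Constructed sample data: entitlements hang off groups, not individual users.
GROUP_ENTITLEMENTS = {
    "hr-staff": {"payroll": Right.READ | Right.UPDATE},
    "auditors": {"payroll": Right.READ, "audit-log": Right.READ},
    "db-admins": {"payroll": Right.FULL_CONTROL},
}
MEMBERSHIP = {"alice": {"hr-staff"}, "bob": {"auditors"}, "carol": {"db-admins"}}

AUDIT_LOG = []  # one entry per decision, whether allowed or denied


def effective_rights(subject, resource):
    """Union of the rights granted by every group the subject belongs to."""
    rights = Right(0)
    for group in MEMBERSHIP.get(subject, ()):
        rights |= GROUP_ENTITLEMENTS.get(group, {}).get(resource, Right(0))
    return rights


def authorize(subject, resource, requested):
    """Deny by default: allow only if every requested right is held."""
    held = effective_rights(subject, resource)
    allowed = requested != Right(0) and (requested & held) == requested
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": subject,
        "resource": resource,
        "requested": str(requested),
        "allowed": allowed,
    })
    return allowed


if __name__ == "__main__":
    print(authorize("alice", "payroll", Right.UPDATE))  # held via hr-staff
    print(authorize("bob", "payroll", Right.DELETE))    # auditors are read-only
    print(AUDIT_LOG)
```

Denied requests are logged as well as allowed ones, since refused attempts are often the more useful record when reviewing activity.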