
Authorization: Difference between revisions

From Wikipedia, the free encyclopedia
m Reverted edits by 195.250.185.42 (talk) to last version by 24.170.135.224
Delete section called "confusion"... it was gibberish, saying as much as "black is white".
Tag: section blanking
Even when access is controlled through a combination of authentication and [[access control list]]s, the problem of maintaining the authorization data is not trivial, and often represents as much administrative burden as managing authentication credentials. It is often necessary to change or remove a user's authorization: this is done by changing or deleting the corresponding access rules on the system. Using [[Atomic Authorization|atomic]] authorization is an alternative to per-system authorization management, where a [[trusted third party]] securely distributes authorization information.


==Confusion==
The term authorization is often incorrectly used in the sense of policy enforcement. This confusing interpretation can be traced back to the introduction of Cisco's AAA server. Examples of this can be seen in RFC2904<ref name="RFC2904">J. Vollbrecht ''et al.'' AAA Authorization Framework. IETF, 2000 [http://www.ietf.org/rfc/rfc2904.txt txt].</ref> and Cisco AAA.<ref name="Caroll2004">B.J. Caroll. Cisco Access Control Security: AAA Administration Services. Cisco Press, 2004</ref> However, the correct and fundamental meaning of authorization is not compatible with this usage of the term. For example, the fundamental security services [[confidentiality]], [[integrity]] and [[availability]] are defined in terms of authorization (ISO7498-2,<ref name="ISO7498-2">ISO 7498-2 Information Processing Systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture. ISO/IEC 1989</ref> X.800<ref name="X.800">Recommendation X.800: Security Architecture for Open Systems Interconnection for ITU/CCITT Applications. ITU/CCITT 1991</ref>). ''Confidentiality'' is defined by [[International Organization for Standardization|ISO]] in ISO7498-2<ref name="ISO7498-2"/> as ''"ensuring that information is accessible only to those authorized to have access"'', where authorization must be interpreted as policy definition. Interpreting it as policy enforcement would define confidentiality as "ensuring that information is accessible only to users whose access request has been approved by the system", which is wrong because attackers who access systems, e.g. with stolen passwords, would then count as "authorized".
Login screens commonly display warnings such as "Only authorized users may access this system".<ref name="Berkeley">[http://technology.berkeley.edu/policy/warnings.html Access Warning Statements, University of California, Berkeley]</ref> Incorrect usage of the term authorization would invalidate such warnings, because attackers with stolen passwords could claim that they were authorized.

The confusion around authorization is so widespread that both interpretations (i.e. authorization both as policy definition and as policy enforcement) often appear within the same document (e.g. the SOA Security Redbook<ref name="IBM2007">Understanding SOA Security Design and Implementation. IBM Redbook 2007 [http://www.redbooks.ibm.com/redbooks/pdfs/sg247310.pdf PDF ]</ref> and X.800<ref name="X.800"/>). The X.800<ref name="X.800"/> standard defines authorization as ''"the granting of rights, which includes the granting of access based on access rights"'', i.e. as both definition and enforcement of access policies, which is meaningless because it makes attackers authorized by definition. To clear up this confusion Gollmann (in his book Computer Security, p.&nbsp;387, bottom<ref name="Gollmann-2011">Dieter Gollmann. Computer Security, 3rd ed. Wiley Publishing, 2011</ref>) argues that ''"authorization"'' should mean policy definition, and ''"approval"'' should mean policy enforcement.

Examples of correct usage of the authorization concept include Karp<ref name="LM2007">A. H. Karp. Authorization-Based Access Control for the Services Oriented Architecture. Proceedings of the Fourth International Conference on Creating, Connecting, and Collaborating through Computing (C5), 26–27 January 2006, Berkeley, CA, USA. [http://www.hpl.hp.com/techreports/2006/HPL-2006-3.pdf PDF]</ref> and Jøsang, Gollmann and Au.<ref>A. Jøsang, D. Gollmann, R. Au. A Method for Access Authorisation Through Delegation Networks. Proceedings of the Australasian Information Security Workshop (AISW'06), Hobart, January 2006. [http://persons.unik.no/josang/papers/JGA2006-AISW.pdf PDF]</ref>


==Related Interpretations==

Revision as of 14:31, 30 September 2011

Authorization (also spelt Authorisation) is the function of specifying access rights to resources, which is related to information security and computer security in general and to access control in particular. More formally, "to authorize" is to define access policy. For example, human resources staff are normally authorized to access employee records, and this policy is usually formalized as access control rules in a computer system. During operation, the system uses the access control rules to decide whether access requests from (authenticated) consumers shall be approved (granted) or disapproved (rejected). Resources include individual files or data items, computer programs, computer devices and functionality provided by computer applications. Consumers include computer users, computer programs and other devices on the computer.

Overview

Access control in computer systems and networks relies on access policies. The access control process can be divided into two phases: 1) policy definition phase where access is authorized, and 2) policy enforcement phase where access requests are approved or disapproved. Authorization is thus the function of the policy definition phase which precedes the policy enforcement phase where access requests are approved or disapproved based on the previously defined authorizations.

Most modern, multi-user operating systems include access control and thereby rely on authorization. Access control also makes use of authentication to verify the identity of consumers. When a consumer tries to access a resource, the access control process checks that the consumer has been authorized to use that resource. Authorization is the responsibility of an authority, such as a department manager, within the application domain, but is often delegated to a custodian such as a system administrator. Authorizations are expressed as access policies in some type of "policy definition application", e.g. in the form of an access control list or a capability, on the basis of the "principle of least privilege": consumers should only be authorized to access whatever they need to do their jobs. Older and single-user operating systems often had weak or non-existent authentication and access control systems.

"Anonymous consumers" or "guests" are consumers that have not been required to authenticate. They often have limited authorization. On a distributed system, it is often desirable to grant access without requiring a unique identity. Familiar examples of access tokens include keys and tickets: they grant access without proving identity.
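The ticket idea above can be made concrete as a bearer capability: the authority writes down which resource and actions it authorizes, seals that with a MAC, and the enforcement point approves any request that presents a genuine, unexpired ticket covering the request, without ever learning who the holder is. The following is an added example, not code from the original article or from any standard; the ticket layout (base64 JSON body, dot, HMAC-SHA256 tag), the SERVER_KEY value and the resource names are all made up for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Constructed demo key shared by the issuing authority and the enforcement point.
# In a real deployment it comes from a secret store, never from source code.
SERVER_KEY = b"demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(resource: str, actions: List[str], ttl_seconds: int,
                 now: Optional[float] = None) -> str:
    """Policy definition side: the authority issues a ticket naming the resource,
    the permitted actions and an expiry. The ticket carries no identity: whoever
    presents it gets the listed access, exactly like a physical key."""
    now = time.time() if now is None else now
    claims = {"res": resource, "act": sorted(actions), "exp": int(now + ttl_seconds)}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def approve_with_ticket(ticket: str, resource: str, action: str,
                        now: Optional[float] = None) -> bool:
    """Enforcement side: approve only if the ticket is genuine (MAC verifies),
    unexpired, and actually covers the requested resource and action.
    The MAC is checked before the body is parsed, so attacker-controlled
    bytes never reach the JSON parser."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = ticket.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:                            # wrong shape or bad base64
        return False
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # forged or tampered ticket
        return False
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False
    return claims["res"] == resource and action in claims["act"]


def demo_checks() -> Dict[str, bool]:
    """Constructed scenarios with a fixed clock so the results are reproducible."""
    issued_at = 1_000_000
    ticket = issue_ticket("printer-3", ["print"], ttl_seconds=600, now=issued_at)
    out: Dict[str, bool] = {}
    out["valid"] = approve_with_ticket(ticket, "printer-3", "print", now=issued_at + 100)
    out["wrong_action"] = approve_with_ticket(ticket, "printer-3", "admin", now=issued_at + 100)
    out["wrong_resource"] = approve_with_ticket(ticket, "printer-4", "print", now=issued_at + 100)
    out["expired"] = approve_with_ticket(ticket, "printer-3", "print", now=issued_at + 700)
    # Tampering: keep the genuine tag but widen the claims; the MAC no longer matches.
    _, tag_b64 = ticket.split(".")
    widened = json.dumps({"act": ["admin", "print"], "exp": issued_at + 600, "res": "printer-3"},
                         separators=(",", ":"), sort_keys=True).encode("utf-8")
    out["tampered"] = approve_with_ticket(_b64(widened) + "." + tag_b64, "printer-3", "admin",
                                          now=issued_at + 100)
    out["garbage"] = approve_with_ticket("not-a-ticket", "printer-3", "print", now=issued_at + 100)
    return out


if __name__ == "__main__":
    for name, approved in demo_checks().items():
        print(f"{name:15s} -> {'approved' if approved else 'rejected'}")
```

The caveat the text implies is visible in the code: nothing in approve_with_ticket asks who is presenting the ticket, so a copied or stolen ticket is as good as the original until it expires. Short lifetimes and narrow action lists are the only mitigations this design offers, which is why such tickets are normally issued to authenticated consumers and kept out of logs and URLs.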

Trusted consumers are often authorized for unrestricted access to resources on a system, but must be authenticated so that the access control system can make the access approval decision. "Partially trusted" consumers and guests will often have restricted authorization in order to protect resources against improper access and usage. The access policy in some operating systems, by default, grants all consumers full access to all resources. Others do the opposite, insisting that the administrator explicitly authorizes a consumer to use each resource.

Even when access is controlled through a combination of authentication and access control lists, the problem of maintaining the authorization data is not trivial, and often represents as much administrative burden as managing authentication credentials. It is often necessary to change or remove a user's authorization: this is done by changing or deleting the corresponding access rules on the system. Using atomic authorization is an alternative to per-system authorization management, where a trusted third party securely distributes authorization information.
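The two-phase model from the Overview (policy definition, then policy enforcement), the ACL and least-privilege remarks, the default-allow versus default-deny contrast, the revocation point just above, and the stolen-password argument from the deleted "Confusion" section can all be shown in one small engine. This is an added example written for this page, not code from the article, from Gollmann or from any operating system; the class names, the "alice"/"guest" principals, the resource names and the default_allow flag are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class AccessPolicy:
    """Policy definition phase (authorization).

    acl maps resource -> principal -> set of permitted actions.
    default_allow=False models systems where the administrator must explicitly
    authorize each consumer for each resource; default_allow=True models systems
    that grant every consumer full access to any resource for which no rule exists.
    """
    acl: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    default_allow: bool = False

    def authorize(self, principal: str, resource: str, action: str) -> None:
        """An authority (or its custodian, e.g. a sysadmin) grants a right."""
        self.acl.setdefault(resource, {}).setdefault(principal, set()).add(action)

    def revoke(self, principal: str, resource: Optional[str] = None) -> None:
        """Change or remove a consumer's authorization by deleting access rules,
        for one resource or (resource=None) for every resource."""
        targets = [resource] if resource is not None else list(self.acl)
        for res in targets:
            self.acl.get(res, {}).pop(principal, None)

    def is_authorized(self, principal: str, resource: str, action: str) -> bool:
        entry = self.acl.get(resource)
        if entry is None:                 # no rule was ever defined for this resource
            return self.default_allow
        return action in entry.get(principal, set())


@dataclass
class AccessRequest:
    """What the enforcement point sees at run time."""
    principal: str        # identity established by the authentication step
    authenticated: bool   # did authentication succeed?
    resource: str
    action: str


def approve(policy: AccessPolicy, req: AccessRequest) -> bool:
    """Policy enforcement phase (approval): approve or reject a request against
    the previously defined authorizations. Unauthenticated consumers are rejected;
    so is any action not covered by a rule, unless the policy is default-allow."""
    if not req.authenticated:
        return False
    return policy.is_authorized(req.principal, req.resource, req.action)


def build_demo_policy() -> AccessPolicy:
    """Constructed sample policy, following least privilege: HR staff (alice)
    may read and update employee records; guests may only read a notice board."""
    policy = AccessPolicy()
    policy.authorize("alice", "employee_records", "read")
    policy.authorize("alice", "employee_records", "update")
    policy.authorize("guest", "notice_board", "read")
    return policy


def demo() -> Dict[str, bool]:
    """Run the scenarios discussed in the text and return each outcome."""
    policy = build_demo_policy()
    out: Dict[str, bool] = {}
    # Authorized and authenticated: approved.
    out["hr_read"] = approve(policy, AccessRequest("alice", True, "employee_records", "read"))
    # Genuine user, but the action was never authorized: rejected (least privilege).
    out["hr_delete"] = approve(policy, AccessRequest("alice", True, "employee_records", "delete"))
    # Attacker presenting alice's stolen password: authentication succeeds and the
    # request is approved, yet the attacker is not authorized. The right was granted
    # to alice by the authority; the enforcement point cannot tell who typed the password.
    out["stolen_password"] = approve(policy, AccessRequest("alice", True, "employee_records", "read"))
    # Revocation is done in the policy definition, not in the enforcement code.
    policy.revoke("alice")
    out["after_revoke"] = approve(policy, AccessRequest("alice", True, "employee_records", "read"))
    # Guests carry limited authorization.
    out["guest_board"] = approve(policy, AccessRequest("guest", True, "notice_board", "read"))
    out["guest_records"] = approve(policy, AccessRequest("guest", True, "employee_records", "read"))
    # An unauthenticated request for a protected resource is always rejected.
    out["unauthenticated"] = approve(policy, AccessRequest("alice", False, "notice_board", "read"))
    # A default-allow policy approves anything for which no rule was ever written.
    out["default_allow_unruled"] = approve(AccessPolicy(default_allow=True),
                                           AccessRequest("bob", True, "anything", "write"))
    return out


if __name__ == "__main__":
    for name, approved in demo().items():
        print(f"{name:22s} -> {'approved' if approved else 'rejected'}")
```

Two things are worth noticing. First, approve() contains no policy: everything it decides comes from rules the authority wrote earlier, which is exactly the separation the Overview describes and the reason the Confusion section insists that "approved" and "authorized" are different words. Second, the stolen_password and hr_read scenarios are indistinguishable to the enforcement point; the only defence against the former lies in the authentication step and in how quickly revoke() is invoked, which is the administrative burden the paragraph above describes.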


Public policy

In public policy, authorization is a feature of trusted systems used for security or social control.

Banking

In banking, an authorization is a hold placed on a customer's account when a purchase is made using a debit card or credit card.

Publishing

In publishing, public lectures and other freely available texts are sometimes published without the consent of the author. These are called unauthorized texts. An example is the 2002 'The Theory of Everything: The Origin and Fate of the Universe', which was collected from Stephen Hawking's lectures and published without the permission that copyright law requires.
