Identity & Access
Authorization
Also known as: AuthZ, Access control
Definition
The process of deciding what an already-authenticated identity is allowed to do — which resources, actions and conditions are permitted.
Examples
- Granting a support agent read-only access to customer tickets but not to billing data.
- OAuth 2.0 access tokens issued with limited scopes such as "orders:read".
Related terms
Authentication
The process of verifying that an entity — user, device or service — really is who or what it claims to be before granting access.
Role-Based Access Control (RBAC)
An authorization model that grants permissions to roles rather than directly to users, so users inherit access by virtue of their role assignments.
Attribute-Based Access Control (ABAC)
An authorization model that evaluates policies over attributes of the subject, resource, action, and environment to decide whether to allow an access request.
Principle of Least Privilege
A security principle that grants every user, process, or service only the minimum privileges strictly required to perform its function — no more.
AAA Framework
A foundational access-control model built on three layered functions: Authentication, Authorization and Accounting.
OAuth 2.0
An open authorization framework that lets a resource owner grant a third-party application limited, scoped access to an API without sharing credentials.