Authorization FAQs:


Q: Is an authorization thus the function of the policy definition phase, which precedes the policy enforcement phase where access requests are approved or disapproved based on the previously defined authorizations?

A: Yes.

Q: Is an authorization a feature of trusted systems used for security or social control?

A: Yes.

Q: Is an authorization the responsibility of an authority?

A: Yes, an authority such as a department manager within the application domain, though it is often delegated to a custodian such as a system administrator.

Q: Is an authorization a hold placed on a customer's account when a purchase is made using a debit card or credit card?

A: Yes.

Q: Is an authorization an alternative to per-system authorization management?

A: Yes, where a trusted third party securely distributes authorization information.

Q: Are authorizations expressed as access policies in some types of "policy definition application", e.g?

A: Yes, in the form of an access control list or a capability, on the basis of the "principle of least privilege": consumers should only be authorized to access whatever they need to do their jobs.