Authorization FAQs:


Q: Is authorization the function of specifying access rights/privileges to resources, related to information security and computer security in general and to access control in particular?

A: Yes. More formally, "to authorize" is to define an access policy.

Q: Is authorization the responsibility of an authority?

A: Yes, an authority such as a department manager within the application domain, but it is often delegated to a custodian such as a system administrator.

Q: Are authorizations expressed as access policies in some types of "policy definition application"?

A: Yes, e.g. in the form of an access control list or a capability, on the basis of the "principle of least privilege": consumers should only be authorized to access whatever they need to do their jobs.

Q: Is authorization a feature of trusted systems used for security or social control?

A: Yes.

Q: Is there an alternative to per-system authorization management?

A: Yes, one where a trusted third party securely distributes authorization information.

Q: Is an authorization a hold placed on a customer's account when a purchase is made using a debit card or credit card?

A: Yes.

Q: Is authorization the function of the policy definition phase, which precedes the policy enforcement phase where access requests are approved or disapproved based on the previously defined authorizations?

A: Yes.