What is the process of 'Authorization'?
Authorization is the step in a security process that typically follows authentication. Once a user's identity has been determined and confirmed (they are who they say they are), authorization asks and answers the question: what exactly can this user do? Authentication and authorization are often confused, but they are not the same process. Authorization is a permission-level verification process that grants a user access to certain data, files, environments, resources and more; it can specify both access and restrictions. At its core it is a security measure for data and users. It is a novel concept that enables most of what we do, or can do, in and through technology, data, files and even the web. Associations, user access, levels and security all form part of this dynamic; they are specified and assigned (membership, as it were) and guide who gets to do what, when, where, how often and to what extent, with all qualifiers. Authentication (checking a user's identity) and authorization (a user's right to access resources) both form part of these processes. Authorization also encompasses measures to restrict or prohibit unauthorized use.
Consider a real-life example: access to a building or office. Your ID badge or employee-number access code is your authentication; the security guard checking you in and allowing you to enter is the authorization step of the process. Authentication is typically done through user names and passwords. Even after you gain access, resources might still be restricted: you still need permission (authorization, the green light, as it were) to use the resources you need. If that permission is not specified, not given, or verification fails, you will be denied. Authorization restriction mechanisms and lists such as DACLs (see elsewhere) specify who is allowed to do what and who is NOT. Permissions, or authorizations, can be explicit or inherited. Controlling, modifying and reading can all be authorized levels, permissions or actions.
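The following C# program is an added example, not code from the training kit. It shows an authenticated Windows user being refused a write by an explicit deny entry in a file's DACL, and lists each entry as explicit or inherited. It assumes Windows and the .NET Framework; the scratch file and the class name are chosen here for illustration.

```csharp
// Added example (not from the training kit). Assumes Windows and .NET Framework.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

class AuthorizationDemo
{
    static void Main()
    {
        // Authentication: Windows has already established who runs this process.
        WindowsIdentity user = WindowsIdentity.GetCurrent();
        Console.WriteLine("{0} authenticated: {1}", user.Name, user.IsAuthenticated);

        string path = Path.GetTempFileName();   // scratch file owned by this user
        FileSecurity acl = File.GetAccessControl(path);

        // Explicit entry on this file's DACL: deny the current user write access.
        FileSystemAccessRule denyWrite = new FileSystemAccessRule(
            user.User, FileSystemRights.Write, AccessControlType.Deny);
        acl.AddAccessRule(denyWrite);
        File.SetAccessControl(path, acl);

        // List every entry: explicit or inherited, allow or deny, who, which rights.
        foreach (FileSystemAccessRule rule in
                 File.GetAccessControl(path).GetAccessRules(true, true, typeof(NTAccount)))
        {
            Console.WriteLine("{0,-9} {1,-5} {2} -> {3}",
                rule.IsInherited ? "inherited" : "explicit",
                rule.AccessControlType, rule.IdentityReference, rule.FileSystemRights);
        }

        // Authorization: same authenticated user, but the DACL now refuses the write.
        try
        {
            File.WriteAllText(path, "test");
            Console.WriteLine("Write allowed");
        }
        catch (UnauthorizedAccessException)
        {
            Console.WriteLine("Write denied: authenticated, but not authorized");
        }
        finally
        {
            // Remove the deny entry again and clean up the scratch file.
            acl.RemoveAccessRule(denyWrite);
            File.SetAccessControl(path, acl);
            File.Delete(path);
        }
    }
}
```

Entries that come from the parent temp folder print as inherited; the deny entry added by the program prints as explicit.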
Key Exam Points
- Use of authorization, authentication and verification processes in .NET, for C# and VB. Review all relevant chapters, content and references, and the applications and contexts where they are useful and appropriate.
- For the exam, study examples of authorization processes, protocols, procedures and code to gain a better understanding of this critical, in-depth topic. Practical, hands-on, illustrative real-life examples, scenarios and lab exercises to work through abound.
- Take the practice test sample questions (both multiple-choice and application type), as well as the exam, to prepare well.
Related Terms
Authentication, Permission, Permission Set, Evidence, Host Evidence.
This article is based on the 2nd edition of the Microsoft .NET Framework Application Training Kit, with the purpose of helping 70-536 exam takers succeed. I constantly look for ways to improve the content. Please leave a comment about this article or drop me a message if you would like to see changes for this site.





