authorization. In many host-based systems (and even some
client/server systems), the two mechanisms are performed by the same physical
hardware and, in some cases, the same software.
It is important to draw the distinction between these two mechanisms,
however, since they can (and, one might argue, should) be
performed by separate systems.
What, then, distinguishes these two mechanisms from one another?
Authentication is the mechanism whereby systems may securely identify
their users. Authentication systems provide an answers to the questions:
- Who is the user?
- Is the user really who he/she represents himself to be?
Authorization, by contrast, is the mechanism by which a system
determines what level of access a particular authenticated user should have
to secured resources controlled by the system. For example, a database
management system might be designed so as to provide certain specified
individuals with the ability to retrieve information from a database but not
the ability to change data stored in the datbase, while giving other
individuals the ability to change data. Authorization systems provide
answers to the questions:
- Is user X authorized to access resource R?
- Is user X authorized to perform operation P?
- Is user X authorized to perform operation P on resource R?
Authentication and authorization are somewhat tightly-coupled mechanisms --
authorization systems depend on secure authentication systems to ensure that
users are who they claim to be and thus prevent unauthorized users from
gaining access to secured resources.