3AUTHORIZATION AND ACCESS CONTROLS
After you’ve received a party’s claim of identity and established whether that claim is valid, as discussed in Chapter 2, you have to decide whether to allow the party access to your resources. You can achieve this with two main concepts: authorization and access control. Authorization is the process of determining exactly what an authenticated party can do. You typically implement authorization using access controls, which are the tools and systems you use to deny or allow access.
You can base access controls on physical attributes, sets of rules, lists of individuals or systems, or other, more complex factors. ...
Get Foundations of Information Security now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.