Chapter 8

Authorization

It is easier to exclude harmful passions than to rule them, and to deny them admittance than to control them after they have been admitted.

—Seneca

You can always trust the information given to you by people who are crazy; they have an access to truth not available through regular channels.

—Sheila Ballantyne

8.1 Introduction

Authorization is the part of access control concerned with restrictions on the actions of authenticated users. In our terminology, authorization is one aspect of access control and authentication is another. Unfortunately, some authors use the term “access control” as a synonym for authorization.

In the previous chapter we discussed authentication, where the issue is one of establishing identity. In its most basic form, authorization deals with the situation where we’ve already authenticated Alice and we want to enforce restrictions on what she is allowed to do. Note that while authentication is binary (either a user is authenticated or not), authorization can be a much more fine-grained process.

In this chapter, we’ll extend the traditional notion of authorization to include a few non-traditional topics. We’ll discuss CAPTCHAs, which are designed to restrict access to humans (as opposed to computers), and we’ll consider firewalls, which can be viewed as a form of access control for networks. We’ll follow up the section on firewalls with a discussion of intrusion detection systems, which come into play when firewalls fail to keep the ...
