AuthZ, also known simply as “authorization”, is the process of determining and granting the permissions of an authenticated user; it is one part of the field of Identity and Access Management (IAM). After a user logs in and their credentials have been authenticated, AuthZ determines what “rights” the user has, granting permissions to access specific data.
Establishing permissions, or the rights a user has to access data, is a granular process. Usually, a user is assigned to a group that represents their permission level. AuthZ examines tokens using custom logic, predefined rules, or signed requests that carry specific policies.
The most permissive user group is an “admin” or “superuser,” which gives the user read/write access to the entire data repository. On the other extreme, a user may only have read-only access to a subset of data. For example, a CRM administrator can create data structures, control user permissions, and edit the templates that allow specific user groups to view subsets of data. Or, a sales development rep may only be able to view the leads that are assigned to them, and view phone numbers, emails, tasks, and scripts for conducting their outreach.
These user groups specific to each role need individual policies that govern their read/write access to data. The policies can be quite complicated, especially with B2B use cases, and require careful planning and enforcement.
The application itself typically connects to the database with read/write permissions for everything, meaning it’s up to the software developers to manage authorization policies that enforce more granular levels of read/write access. A mistake by a software engineer could accidentally give an anonymous user read/write permissions for the data repository, highlighting why it’s critical for these policies to be enforced correctly.
Here are some examples of activities that are subject to AuthZ policies:
While AuthZ stands for “authorization,” AuthN stands for “authentication.” The primary difference between AuthZ and AuthN is that AuthZ is focused on authorizing “permissions” (what a user may do), while AuthN focuses on authenticating “identities” (who the user is).
Here are some common methods of AuthZ implementation:
Mandatory Access Control (MAC) defines access policies that depend on a pre-defined clearance. They are usually established at the owner or organizational level so that, for example, a system file cannot be deleted even by an administrator.
Discretionary Access Control (DAC) is typically used to enable administrators or super users to control policies and permissions for predefined sets of users. DAC is frequently used by teams or admins that have to share files and data with other groups or individuals.
Role-based Access Control (RBAC) is used to establish sets of permissions based on an individual’s “role.” This is the most commonly used method of AuthZ. If you’d like a deep dive on how it works, check out our RBAC glossary page.
The most advanced method of AuthZ that helps to enable Zero Trust practices is Attribute-based Access Control (ABAC). This method uses “attributes” and context such as roles, privileges, time, place, actions, devices, and more to ensure that users only access the data they should, when they should.
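To make the contrast between RBAC and ABAC concrete, here is an added example (not Saviynt’s code or code from this page) that evaluates the CRM scenario above as ABAC rules: the subject’s role and user ID, the resource’s type and owner, the action, and context such as local time and device state all feed the decision, and anything not explicitly allowed is denied. The attribute names, business-hours window and sample requests are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable

# Constructed ABAC illustration for the CRM scenario (not Saviynt code).
@dataclass
class Request:
    subject: dict    # who: role, user_id
    resource: dict   # what: type, owner
    action: str      # read / write / delete
    context: dict    # when/where/how: local_time, device_managed

@dataclass
class Rule:
    name: str
    allows: Callable[[Request], bool]

RULES = [
    # Admins get read/write on everything, but only from a managed device.
    Rule("admin-any", lambda r: r.subject.get("role") == "admin"
         and r.context.get("device_managed") is True),
    # Sales reps may only read leads assigned to them, during business hours.
    # A missing local_time defaults to midnight, so absent context never widens access.
    Rule("rep-own-leads", lambda r: r.subject.get("role") == "sales_rep"
         and r.action == "read" and r.resource.get("type") == "lead"
         and r.resource.get("owner") == r.subject.get("user_id")
         and time(8, 0) <= r.context.get("local_time", time(0, 0)) < time(18, 0)),
]

def authorize(req: Request) -> tuple:
    """Deny by default: permitted only when some rule explicitly allows it."""
    for rule in RULES:
        if rule.allows(req):
            return (True, rule.name)
    return (False, "no-matching-rule")

def sample_decisions() -> dict:
    """Constructed requests: each role plus an anonymous caller with no role."""
    lead = {"type": "lead", "owner": "u7"}
    rep, other_rep = {"role": "sales_rep", "user_id": "u7"}, {"role": "sales_rep", "user_id": "u9"}
    admin = {"role": "admin", "user_id": "u1"}
    day = {"local_time": time(10, 30), "device_managed": True}
    night = {"local_time": time(23, 0), "device_managed": True}
    return {
        "rep_reads_own_lead": authorize(Request(rep, lead, "read", day)),
        "rep_reads_others_lead": authorize(Request(other_rep, lead, "read", day)),
        "rep_writes_own_lead": authorize(Request(rep, lead, "write", day)),
        "rep_reads_at_night": authorize(Request(rep, lead, "read", night)),
        "admin_unmanaged_device": authorize(Request(admin, lead, "delete", {"device_managed": False})),
        "admin_managed_device": authorize(Request(admin, lead, "delete", day)),
        "anonymous": authorize(Request({}, lead, "read", day)),
    }
```

Because the evaluator is deny-by-default, the anonymous caller and the rep reading a colleague’s lead are both refused without any rule having to mention them.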
Saviynt’s innovative, cloud-native IGA solution provides full visibility into how and where users interact with data and offers flexible deployment options for on-premises, hybrid, and cloud infrastructures. This gives organizations visibility into a universe of permissions and entitlements across identities, as well as different types of assets such as applications, infrastructure, and data. With this toolkit, organizations can provision and deprovision the permissions of identities either via requests or in an automated manner based on access control policies (e.g. RBAC or ABAC).
Saviynt’s peer and usage-based analytics and fine-grained attribute capabilities provide visibility into access and permissions. With this data, organizations can automate access control and revoke access when an employee moves or leaves.
Companies can streamline their access controls by using intelligent analytics to monitor request risk and provide appropriate access. Users can request and obtain near-real-time access as their risk gets assessed across a wide swath of peer and usage-based data. Predictive analytics prevents excessive access and informs the requestor if access presents a risk.
Saviynt helps organizations embrace new technologies and migrate to a modern, identity-based foundation for security. Saviynt transcends rigid RBAC controls and instead leverages agile ABAC and time-based access to more precisely manage access.
Saviynt’s cloud-native Identity Governance and Administration (IGA) platform protects your most sensitive information. It increases organizational efficiency and agility by ensuring that the right people have the right access to the right resources for only the right amount of time.