The management of access to IT-based resources can be divided into four areas:
- authentication
  - who is trying to access the resource?
- authorization
  - is she allowed to access the resource in this way?
- accounting
  - ensures she is billed for the access
- auditing
  - institution-wide retrospective on resource usage
Authorization is the general process by which
the resource steward allows that resource to be accessed.
For files in a filesystem, typical accesses are read and modify.
The set of people allowed to modify any particular file
is typically much smaller and better controlled than
the set of people allowed to read that file.
It might be claimed that
there is some duality between an unauthenticated person
and a person who is authenticated but not authorized to do anything.
In fact,
there are good reasons to maintain authentication information
during times when there is no authorization.
For example, a worker changing jobs internally
may lose authorization for her old duties
before gaining authorization for her new duties.
Construction
Authentication should NOT convey any intrinsic authorization
Modern systems are role-based
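
The job-change case and the rule that authentication conveys no authorization can be shown in a small role-based model. This is an added example, not code from the original page; the role names, resources, tokens and the AccessManager class are hypothetical, and session tokens stand in for whatever authentication mechanism is in use.

```python
from dataclasses import dataclass, field

# Constructed sample policy: role -> set of (resource, action) permissions.
ROLE_PERMISSIONS = {
    "payroll-clerk": {("payroll.db", "read"), ("payroll.db", "modify")},
    "hr-reader": {("staff-directory", "read")},
}

@dataclass
class AccessManager:
    sessions: dict = field(default_factory=dict)          # authentication: token -> principal
    role_assignments: dict = field(default_factory=dict)  # authorization: principal -> roles
    audit_log: list = field(default_factory=list)         # auditing: one record per request

    def authenticate(self, token):
        # Answers only "who is this?"; a known identity grants nothing by itself.
        return self.sessions.get(token)

    def authorize(self, principal, resource, action):
        # Deny by default: access requires a role that carries the permission.
        roles = self.role_assignments.get(principal, set()) if principal else set()
        return any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)

    def access(self, token, resource, action):
        principal = self.authenticate(token)
        allowed = self.authorize(principal, resource, action)
        # A denied request from a known person is still attributed to her.
        self.audit_log.append((principal or "anonymous", resource, action,
                               "allow" if allowed else "deny"))
        return allowed

def job_change_demo():
    am = AccessManager(sessions={"tok-alice": "alice"},
                       role_assignments={"alice": {"payroll-clerk"}})
    results = [am.access("tok-alice", "payroll.db", "modify")]        # old duties
    am.role_assignments["alice"].discard("payroll-clerk")             # old role revoked
    results.append(am.access("tok-alice", "payroll.db", "modify"))    # between jobs
    results.append(am.access("bad-token", "payroll.db", "modify"))    # unauthenticated
    am.role_assignments["alice"].add("hr-reader")                     # new role granted
    results.append(am.access("tok-alice", "staff-directory", "read")) # new duties
    return results, am.audit_log

if __name__ == "__main__":
    results, log = job_change_demo()
    print(results)
    for record in log:
        print(record)
```

Both middle requests are denied, but only the audit log tells them apart: one is attributed to alice, the other to an anonymous caller.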