Authorization: conceptual model

In security systems, authorization is distinct from authentication. Authentication ensures that an individual is who that individual claims to be. Authorization determines whether an authenticated client has the required permissions to do a task on a specific resource in a domain. When servers enforce security in a domain, each client must provide proof of its identity; security policy then determines whether that client has the required permission to do a task on a requested resource. Access to every resource in a domain is controlled by a server, and the server's combined demands for authentication and authorization provide comprehensive network security.

In the ISAM authorization model, authorization policy is implemented independently of the mechanism for user authentication. Users can authenticate their identity with a public/private key, a secret key, or customer-defined mechanisms. Part of the authentication process is the creation of a credential that describes the identity of the client. Authorization decisions made by an authorization service are based on that credential, not on the mechanism that produced it.

The resources in a domain receive a level of protection that is dictated by the security policy for the domain. The security policy defines the legitimate participants of the domain, and it defines the degree of protection that surrounds each resource that requires protection.

Traditional applications bundle the policy enforcer and resource manager into one process. An example of this structure is Security Verify Access WebSEAL. The independent functions of these authorization components allow flexibility in the design of the security enforcement strategy. For example, such independence allows the security administrator to control:
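The model described above, as an added illustration that is not part of the original topic or of Security Verify Access itself: two different authentication mechanisms produce the same credential type, the authorization service decides purely from the credential and the domain policy, and a policy enforcer in front of the resource manager acts on that decision. The user registry, policy table and resource contents are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    """Identity description produced by authentication. It is the only input the
    authorization service sees, whatever mechanism the client used to prove identity."""
    principal: str
    groups: frozenset
    mechanism: str


# Constructed sample registry (hypothetical; not a real registry format).
USERS = {
    "alice": {"secret": b"alice-secret", "groups": {"staff", "finance"}},
    "bob": {"secret": b"bob-secret", "groups": {"staff"}},
}


def authenticate_secret_key(user, secret):
    """Secret-key mechanism: returns a Credential, or None on failure."""
    entry = USERS.get(user)
    if entry is None or not hmac.compare_digest(entry["secret"], secret):
        return None
    return Credential(user, frozenset(entry["groups"]), "secret-key")


def authenticate_custom(user, token):
    """Customer-defined mechanism: the client presents sha256(secret) instead of the
    secret itself. It yields the same Credential type, so policy need not change."""
    entry = USERS.get(user)
    if entry is None:
        return None
    expected = hashlib.sha256(entry["secret"]).digest()
    if not hmac.compare_digest(expected, token):
        return None
    return Credential(user, frozenset(entry["groups"]), "custom")


# Domain security policy: for each protected resource, the groups allowed per action.
POLICY = {
    "/finance/ledger": {"read": {"finance"}, "write": {"finance"}},
    "/public/news": {"read": {"staff"}},
}


def authorize(credential, action, resource, policy=POLICY):
    """Authorization decision: based only on the credential and the policy."""
    if credential is None:
        return False
    allowed_groups = policy.get(resource, {}).get(action, set())
    return bool(credential.groups & allowed_groups)


def enforce(credential, action, resource, resources):
    """Policy enforcer in front of the resource manager: (status, body)."""
    if not authorize(credential, action, resource):
        return 403, None
    return 200, resources.get(resource)
```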

Parent topic: Security Verify Access overview