Authorization
The security quality subfactor, authorization, is the degree to which a business enterprise, application, component, or center properly grants and enforces access and usage privileges of authenticated externals.
Authorization is typically measured in terms of:
- The percentage of authenticated externals (e.g., by identity, by role, by group) that are authorized to perform a specific task in a specified situation.
See authorization requirements.
Typical mechanisms for implementing support for authorization include:
- Authorization lists or databases
- Person-based vs. role-based vs. group-based authorization
- Commercial intrusion protection systems
- Hardware electronic keys
- Physical access controls (e.g., door locks, security guards)
The following guidelines have been found to be useful regarding authorization:
- Authorization depends on both identification and authentication.
- Authorization can be granted to:
  - Individual persons or applications.
  - Groups of related persons or applications.
- Authorization should be granted on the basis of user analysis and the associated operational requirements.
- Only a limited number of people (or roles) should be appointed to grant or change authorizations.
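The mechanisms and guidelines above, as an added example that is not part of the original text: a small deny-by-default authorization list with person-, role- and group-based grants keyed by task and situation, a check that only holders of a hypothetical "authorization-admin" role may grant or change authorizations, and the subfactor's measure (the share of authenticated externals authorized for a task in a situation). All principal names, roles, tasks and situations are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """An authenticated external: an identity plus its roles and groups."""
    identity: str
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()


@dataclass
class AuthorizationList:
    """Grants keyed by (task, situation). Each grant names the kind of subject
    it applies to (person, role or group). Anything not granted is denied."""
    grants: dict = field(default_factory=dict)

    def grant(self, admin, task, situation, kind, name):
        # Guideline: only a limited set of people/roles may change authorizations.
        # "authorization-admin" is a hypothetical role name used for this example.
        if "authorization-admin" not in admin.roles:
            raise PermissionError(f"{admin.identity} may not change authorizations")
        self.grants.setdefault((task, situation), set()).add((kind, name))

    def is_authorized(self, principal, task, situation):
        # A principal matches a grant through its identity, any role, or any group.
        subjects = {("person", principal.identity)}
        subjects |= {("role", r) for r in principal.roles}
        subjects |= {("group", g) for g in principal.groups}
        return bool(subjects & self.grants.get((task, situation), set()))

    def authorized_fraction(self, principals, task, situation):
        """The subfactor's measure: fraction of authenticated externals that
        are authorized to perform `task` in `situation`."""
        if not principals:
            return 0.0
        n = sum(self.is_authorized(p, task, situation) for p in principals)
        return n / len(principals)


# Constructed sample principals (not from the original text).
ADMIN = Principal("alice", roles=frozenset({"authorization-admin"}))
CLERK = Principal("bob", roles=frozenset({"clerk"}))
AUDITOR = Principal("carol", groups=frozenset({"audit-team"}))
GUEST = Principal("dave")


def build_policy():
    """Constructed policy: clerks approve refunds only in business hours;
    the audit team and bob personally may view the ledger in any situation."""
    acl = AuthorizationList()
    acl.grant(ADMIN, "approve-refund", "business-hours", "role", "clerk")
    acl.grant(ADMIN, "view-ledger", "any", "group", "audit-team")
    acl.grant(ADMIN, "view-ledger", "any", "person", "bob")
    return acl
```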