The process of deciding if device X is allowed to have access to service Y. This is where the concept of trusted exists. Trusted devices (the device is authenticated and indicated as "trusted"), are allowed access to services. Untrusted or unknown devices may require authorization based on user interaction before it is allowed access to the services. This does not principally exclude that the authorization maight be give by an application automatically. Authorization always includes authentication. In security engineering, authorization is the process by which an entity attempts to confirm that another entity is allowed to access a resource.

The problem of authorization is often considered to be identical to that of authentication: however, there are many cases in which these two problems are different, although the process of authorization is based on identification and authentication processes.

For example, it is often desirable to grant access without requiring a unique identity. Familiar examples of authorization tokens include keys and tickets: they grant access without proving identity.

Even when authorization is performed by using a combination of authentication and access control lists, the problems of maintaining the access control lists is non-trivial, and often represents as much administrative burden as proving the necessary user identities. It is often desirable to remove a user's authorization: to do this with access control lists requires that the lists be updateable. Attacking the access control list updates can then compromise the entire system, and if any update is needed, communication systems are required, together with additional authorization and security systems to protect the access control list updates.

It may also be desired to grant authorization in a way that is irrevocable: this is hard to do with access control list systems.

See also:

• Access control
• Kerberos (protocol)