InfoSec Notes
Understanding authorization mechanisms, access control models, permission systems, and the principle of least privilege for controlling what authenticated users can do within systems.
What is Authorization?
Authorization is the process of determining what an authenticated user, service, or system is permitted to do. While authentication answers "who are you?", authorization answers "what are you allowed to do?"
Authentication vs Authorization
==================================
User: "I am Alice" → Authentication (verify identity)
System: "Alice can read files, but cannot delete them" → Authorization
Flow
Identification → Authentication → Authorization → Access
"I am Alice" "Prove it" "Check perms" "Granted/Denied"
Authorization Models
1. Access Control Lists (ACL)
ACLs associate permissions directly with resources:
| Subject | Read | Write | Delete |
|---|---|---|---|
| Alice | ✓ | ✓ | ✓ |
| Bob | ✓ | ✓ | ✗ |
| Charlie | ✓ | ✗ | ✗ |
| Everyone | ✗ | ✗ | ✗ |
ACL
2. Role-Based Access Control (RBAC)
Users are assigned roles, and roles have permissions:
3. Attribute-Based Access Control (ABAC)
Decisions based on attributes of user, resource, action, and environment:
The Principle of Least Privilege
The cornerstone of authorization is granting the minimum permissions necessary:
Least Privilege Implementation
=================================
Bad Practice (Overprivileged)
Developer → Role: admin → All permissions on everything
Good Practice (Least Privilege)
Developer → Role: dev_team_a → {
read: [source_code, docs]
write: [source_code (own repos only)]
deploy: [staging environment only]
NO access to: production, customer_data, billing
}
Privilege Escalation Path (what attackers exploit)
Low-privilege account → Vulnerability → Higher privileges
Prevention
- Regular access reviews
- Just-In-Time (JIT) access
- Privileged Access Management (PAM)
- Separation of duties
Authorization in APIs
from functools import wraps
def require_permission(permission):
"""Decorator for API endpoint authorization."""
def decorator(func):
@wraps(func)
def wrapper(request, *args, **kwargs):
user = request.authenticated_user
if not user:
return {"status": 401, "error": "Authentication required"}
if permission not in user.permissions:
return {
"status": 403,
"error": f"Forbidden: requires '{permission}' permission"
}
return func(request, *args, **kwargs)
return wrapper
return decorator
# Usage in API endpoints
# @require_permission("users:read")
# def get_users(request):
# return {"users": User.find_all()}
# @require_permission("users:delete")
# def delete_user(request, user_id):
# User.delete(user_id)
# return {"status": "deleted"}Common Authorization Vulnerabilities
| Vulnerability | Description | Prevention |
|---|---|---|
| IDOR (Insecure Direct Object Reference) | Accessing other users' resources by changing IDs | Verify ownership in every request |
| Privilege Escalation | Gaining higher permissions than assigned | Validate roles server-side, input validation |
| Missing Function-Level Access Control | Admin endpoints accessible without checks | Centralized authorization middleware |
| Path Traversal | Accessing files outside authorized directory | Canonicalize paths, whitelist approach |
| JWT Manipulation | Altering token claims to gain permissions | Validate signatures, use short expiry |
Interview Questions
- What is the difference between RBAC and ABAC?
- RBAC assigns permissions based on user roles (static). ABAC evaluates multiple attributes (user, resource, environment, action) against policies (dynamic). ABAC is more flexible and granular but more complex to manage.
- Explain the Principle of Least Privilege with a real-world example.
- A database administrator needs access to manage database schemas but should not have access to read customer PII. Using least privilege, they get DBA tools access without SELECT permission on sensitive tables. This limits damage if their account is compromised.
- What is an IDOR vulnerability and how do you prevent it?
- IDOR (Insecure Direct Object Reference) allows users to access resources by manipulating identifiers (e.g., changing /api/orders/123 to /api/orders/456). Prevention: Always verify the authenticated user owns or has permission to access the requested resource.
- How do you implement authorization in a microservices architecture?
- Options include: API Gateway with centralized policy enforcement, JWT tokens containing roles/permissions validated by each service, service mesh with mutual TLS and authorization policies, or a dedicated authorization service (like OPA/Open Policy Agent) queried by services.
- What is separation of duties and why is it important?
- Separation of duties ensures no single person can complete a critical action alone. Example: The person who writes a check cannot also approve it. This prevents fraud and reduces the risk of insider threats by requiring collusion between multiple parties.
Summary
Authorization is the enforcement layer that ensures authenticated users can only perform actions appropriate to their role and context. Proper authorization implementation — using least privilege, appropriate access control models, and regular reviews — is essential for preventing unauthorized access and data breaches.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Authorization in Information Security.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Information Security topic.
Search Terms
information-security, information security, information, security, fundamentals, authorization, authorization in information security
Related Information Security Topics