What is Identity Authorization?

Authorization is determining what a user can and can’t do based on their identity

Formally

The process of determining what rights or privileges an individual or entity should be granted.

Simply put

What do you get once we know it’s you?

Status quo authorization processes

Authorization typically takes a combination of verification and an authentication event to grant a user permission to perform certain actions. For example, after logging into her Netflix account, a customer will be granted access to streaming services based on her status as a paying member. However, if that user travels outside the U.S., she may not be authorized to view certain content based on a change in her location, a core identity attribute in this transaction. From a service provider prospective, effective authorization procedures involve robust internal process flows built on a foundation of accurate verification and authentication processes. A trend in authorization has been to move from role-based (a defined set of static permissions) to attribute-based (a more dynamic set of permissions).

The problem with the status quo

Authorization fundamentally requires flexibility, as both roles and attributes change frequently and users authenticate (or fail to authenticate) into systems on a regular basis. Failure to accurately monitor key identity attributes could lead to illegitimate access of sensitive information or costly services. At the same time, however, it is an untenable burden, in terms of both cost and security, to undergo continuous identity verification for all customers in order to ensure roles and attributes have remained constant for authorization purposes.

As the internet of things expands, authorizing devices to perform actions – be they to initiate a purchase in a consumer focused setting or initiate a production incident in an industrial setting – will become a key capability to harness the power of the Internet of Things (IoT).

X