Difference Between "Authentication" and "Authorization"
Introduction
Authentication and authorization are two commonly confused concepts in access control. They answer two different questions: Who are you? What are you allowed to do? This article also introduces common authorization models such as RBAC and ABAC.
Authentication and Authorization Behind a Hotel
Upon arrival at the hotel, the front desk staff requests identification to “authenticate” the booking and the guest's identity. After successful validation, a hotel key is handed over, which grants access to various hotel services. This key “authorizes” the guest to use those services; VIP keys, employee keys, and regular guest keys have different authorization scopes.
Authorization Models
Most people have encountered permission management at some point, for example in social media settings that ask, “Who can see my posts?” This is a form of authorization. There are many ready-made models for managing permissions, each with its own advantages and disadvantages, and they can even be used in combination.
Attribute-Based Access Control (ABAC)
ABAC grants or denies access based on attributes of the subject, the resource, the action, and the environment (for example, the time of day). It is suited to detailed and flexible permission control: it is highly flexible, fine-grained, and dynamic, which makes it effective for complex access control needs.
Role-Based Access Control (RBAC)
RBAC assigns permissions to roles and roles to users, rather than granting permissions to each user individually. This simplifies permission management, improves manageability, allows flexible permission allocation, and supports dynamic permission management.
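To make the distinction concrete, the following added example (not code from the original article) models the hotel analogy: the front desk authenticates a guest against a booking and issues a key, RBAC decides what a key of a given role may do, and ABAC rules over attributes (room number, time of day) refine that decision. The bookings, roles, permissions and rules are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: bookings the front desk can check an ID against.
BOOKINGS = {"Ana Li": ("guest", "1204"), "Bo Chen": ("vip", "2001"), "Cy Park": ("employee", "-")}

@dataclass(frozen=True)
class Key:
    """The hotel key card: the 'access token' carrying role and room attributes."""
    holder: str
    role: str
    room: str

def authenticate(name: str, id_name: str) -> Optional[Key]:
    """Authentication: does the presented ID match a booking? If so, issue a key."""
    if name != id_name or name not in BOOKINGS:
        return None
    role, room = BOOKINGS[name]
    return Key(name, role, room)

# RBAC: a role is a named bundle of permissions (constructed).
ROLE_PERMISSIONS = {
    "guest": {"room:enter", "pool:use"},
    "vip": {"room:enter", "pool:use", "lounge:use"},
    "employee": {"room:enter", "corridor:enter"},
}

def rbac_allows(key: Key, action: str) -> bool:
    """Authorization by role only: what may a key of this type do?"""
    return action in ROLE_PERMISSIONS.get(key.role, set())

@dataclass(frozen=True)
class Request:
    key: Key
    action: str
    resource: str   # e.g. "room:1204"
    hour: int       # environment attribute: current hour of day

# ABAC: rules over attributes of subject, resource and environment; all must hold.
ABAC_RULES = [
    # a guest key opens only the room it was issued for; employees may enter any room
    lambda r: r.action != "room:enter" or r.key.role == "employee"
    or r.resource == f"room:{r.key.room}",
    # the pool is closed overnight
    lambda r: r.action != "pool:use" or 8 <= r.hour < 22,
]

def abac_allows(req: Request) -> bool:
    return all(rule(req) for rule in ABAC_RULES)

def authorize(req: Request) -> bool:
    """Combined check: the role must grant the action and every attribute rule must agree."""
    return rbac_allows(req.key, req.action) and abac_allows(req)
```

Note that a failed authentication yields no key at all, whereas a failed authorization still leaves the guest holding a valid key that simply does not open that door.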
Conclusion
- Authentication: Confirming user identity.
- Authorization: Confirming what content the user has access to.
- Authorization Scope: The range of resources or actions a user can access or perform.
- Access Token: A pass to access resources.
Further Reading
- Learn about authentication and authorization - Google Workspace
- Role-based access control (RBAC) vs. Attribute-based access control (ABAC) - IBM Technology