Authorization Basics
Authorization Basics
Learn how applications decide what an authenticated user is allowed to access, view, create, update, delete, or manage.
Introduction
Authorization is a core secure programming practice that controls what a user is allowed to do after their identity has been verified.
In the previous lesson, we learned that authentication answers the question “Who are you?”. Authorization answers the next important question: “What are you allowed to do?”
For example, a student may be allowed to view their own marks, but not edit marks. A teacher may be allowed to update marks, but not manage system users. An admin may have wider permissions, but even admin access should be controlled carefully.
Easy Real-Life Example
Authorization as Room Access in an Office
Imagine entering an office building. Showing your ID card proves who you are. But that does not mean you can enter every room. Your access card decides which rooms you are allowed to enter.
Authentication:
Security checks your ID card.
Question: Who are you?
Authorization:
System checks which rooms your card can open.
Question: What are you allowed to access?
Software:
Login verifies identity.
Authorization checks permissions.
Authentication lets the system know who the user is. Authorization decides what that user can do.
What is Authorization?
Authorization is the process of checking whether a user, system, or application has permission to access a specific resource or perform a specific action.
Resources may include pages, files, APIs, reports, database records, admin panels, dashboards, buttons, forms, or business operations.
Simple Example
User:
Student
Requested Action:
Edit another student's marks
Authorization Check:
Students are not allowed to edit marks.
Result:
Access denied
Authentication vs Authorization
Authentication and authorization work together, but they are different security controls.
| Authentication | Authorization |
|---|---|
| Verifies identity. | Checks permissions. |
| Answers: Who are you? | Answers: What can you do? |
| Usually happens during login. | Happens whenever protected resources or actions are requested. |
| Uses password, OTP, MFA, token, or identity provider. | Uses roles, permissions, policies, ownership, or access rules. |
| Example: User logs in successfully. | Example: User can view profile but cannot access admin panel. |
Why Authorization is Important
Authorization is important because applications usually have different users with different responsibilities.
If authorization is missing or weak, users may access data or features they should not access.
Authorization Helps To
- Prevent unauthorized access.
- Protect sensitive data.
- Limit users to their allowed actions.
- Separate admin, staff, and normal user permissions.
- Reduce risk of accidental or intentional misuse.
- Support least privilege access.
- Protect business rules.
- Improve auditability and accountability.
- Make applications safer and more professional.
What Can Go Wrong Without Authorization?
Without proper authorization, an authenticated user may access features or data that should be restricted.
Weak Authorization Problems
- A student can edit another student’s marks.
- A normal user can open admin pages.
- A user can delete records without permission.
- A user can access another user’s private profile.
- API endpoints allow actions without permission checks.
- Hidden buttons are removed from UI but backend still allows access.
- Users keep old permissions after role changes.
Strong Authorization Habits
- Check permission before protected actions.
- Apply least privilege.
- Use roles and permissions properly.
- Enforce access control on the server side.
- Check ownership of resources.
- Review permissions regularly.
- Log important access decisions safely.
Access Control
Access control is the broader security concept that controls who can access what.
Authorization is the decision-making part of access control. It decides whether a user should be allowed or denied.
Access control question:
Can this user access this resource and perform this action?
Example:
Can Teacher A update marks for Class 10?
Can Student B view Student C's report?
Can Admin delete a user account?
Roles
A role represents a user’s responsibility or position in the application.
Roles help group permissions in a meaningful way.
Example Roles:
- Student
- Teacher
- Principal
- Admin
- Support Staff
- Guest
Instead of assigning every permission manually to each user, applications often assign permissions to roles and then assign users to roles.
Permissions
A permission defines a specific action that can be performed on a resource.
Example Permissions:
- view_marks
- edit_marks
- delete_student
- create_report
- manage_users
- approve_request
- view_dashboard
Permissions should be clear, specific, and connected to real application actions.
Role-Based Access Control
Role-Based Access Control, or RBAC, is an authorization model where access is granted based on user roles.
In RBAC, permissions are assigned to roles, and users receive permissions through the roles assigned to them.
RBAC Flow:
1. Define permissions.
2. Group permissions into roles.
3. Assign roles to users.
4. Check role permissions before allowing actions.
RBAC Example
| Role | Allowed Actions |
|---|---|
| Student | View own marks, view attendance, update profile. |
| Teacher | View students, enter marks, generate class report. |
| Principal | View reports, approve academic records. |
| Admin | Manage users, manage roles, configure system settings. |
Principle of Least Privilege
The principle of least privilege means users should receive only the minimum permissions required to perform their tasks.
Unsafe Permission Assignment
Every teacher receives admin access because it is convenient.
Safer Permission Assignment
Teachers can enter marks and generate class reports.
Only admins can manage users and system settings.
Least privilege reduces damage if an account is misused or compromised.
Common Authorization Models
Different applications may use different authorization models depending on their needs.
| Model | Meaning | Simple Example |
|---|---|---|
| RBAC | Access is based on user roles. | Teacher role can update marks. |
| ABAC | Access is based on attributes. | User department, location, time, or data classification affects access. |
| ACL | A list defines who can access a resource. | Specific users can view a shared file. |
| Ownership-Based Access | Users can access resources they own. | Student can view only own profile. |
Ownership-Based Authorization
Ownership-based authorization checks whether the requested resource belongs to the current user.
Example:
A student wants to view report card with studentId = 205.
Authorization check:
Is currentUser.studentId equal to 205?
If yes:
Allow access.
If no:
Deny access.
This is important for applications where users have personal records, orders, messages, documents, or profiles.
Server-Side Authorization
Authorization must be enforced on the server side or trusted backend.
Hiding a button on the user interface is not enough because users may still try to call backend APIs directly.
Unsafe Approach
Hide "Delete User" button from normal users,
but backend delete API does not check permission.
Secure Approach
Hide "Delete User" button from normal users,
and backend API also checks permission before deleting.
Basic Authorization Logic
Weak Version
FUNCTION deleteStudent(studentId)
DELETE student record
RETURN "Student deleted"
END FUNCTION
This code deletes a student record without checking whether the current user has permission.
Improved Authorization Version
FUNCTION deleteStudent(currentUser, studentId)
IF currentUser.role is not "Admin" THEN
RETURN "Access denied"
END IF
DELETE student record
RETURN "Student deleted"
END FUNCTION
The improved version checks permission before performing a sensitive action.
Permission-Based Authorization Example
FUNCTION canPerformAction(user, requiredPermission)
IF requiredPermission is in user.permissions THEN
RETURN true
ELSE
RETURN false
END IF
END FUNCTION
IF canPerformAction(currentUser, "edit_marks") THEN
UPDATE marks
ELSE
DISPLAY "Access denied"
END IF
Permission-based checks are useful when applications need more control than simple role checks.
Role and Ownership Combined Example
FUNCTION canViewReport(currentUser, reportOwnerId)
IF currentUser.role is "Admin" THEN
RETURN true
END IF
IF currentUser.userId == reportOwnerId THEN
RETURN true
END IF
RETURN false
END FUNCTION
This allows admins to view reports and also allows users to view their own reports.
Real-World Example: E-Commerce Authorization
| User Type | Allowed Actions | Restricted Actions |
|---|---|---|
| Guest | View products. | Place order, view order history. |
| Customer | Place order, view own orders, update own profile. | View other customers’ orders. |
| Seller | Manage own products, view own sales. | Manage another seller’s products. |
| Admin | Manage users, review platform settings. | Should still follow controlled access and audit rules. |
Student-Friendly Example: School Portal Authorization
Student:
- Can view own marks
- Can view own attendance
- Cannot edit marks
Teacher:
- Can view students in assigned class
- Can enter marks
- Can generate class report
Admin:
- Can create users
- Can assign roles
- Can manage system settings
Each role receives only the access needed for its responsibility.
Broken Access Control
Broken access control happens when users can access resources or actions they should not be allowed to access.
Examples:
- User changes URL parameter to view another user's data.
- Normal user opens admin API endpoint.
- Hidden page is accessible directly by URL.
- User edits records belonging to someone else.
- Backend trusts frontend role information without verification.
Broken access control is dangerous because it may expose data, allow unauthorized changes, or bypass business rules.
Insecure Direct Object Reference
Insecure Direct Object Reference, often called IDOR, happens when a user can access another user’s resource by changing an identifier.
Risky Example
/student/report?studentId=101
User changes URL to:
/student/report?studentId=102
If the system does not check ownership or permission,
the user may access another student's report.
Safer Check
Before showing report:
Check whether current user is allowed to view studentId.
If not allowed:
Return "Access denied".
Permission Review
Authorization is not only a coding task. Permissions should be reviewed regularly.
Permission Review Questions
- Does this user still need this access?
- Does this role have too many permissions?
- Are old users or inactive accounts still assigned roles?
- Are admin permissions limited to necessary users?
- Are permissions aligned with current responsibilities?
- Can sensitive actions be audited?
Authorization Checklist
Before Finalizing Authorization, Ask:
- Is authorization checked after authentication?
- Are protected actions checked on the backend?
- Are permissions based on least privilege?
- Are roles clearly defined?
- Are permissions clearly named?
- Is ownership checked for user-specific resources?
- Are admin actions restricted?
- Are API endpoints protected?
- Are authorization failures handled safely?
- Are important access decisions logged?
- Are permissions reviewed regularly?
- Are test cases written for allowed and denied access?
Common Beginner Mistakes
Mistakes
- Assuming logged-in users can access everything.
- Checking authorization only in the frontend.
- Not checking ownership of records.
- Giving admin access for convenience.
- Hardcoding role checks everywhere without a clear design.
- Using vague permissions like
canAccess. - Not testing denied access scenarios.
- Not removing permissions when users change roles.
- Allowing API endpoints without permission checks.
Better Habits
- Check authorization for every protected action.
- Enforce access control on the backend.
- Use least privilege.
- Define roles and permissions clearly.
- Check resource ownership.
- Use reusable authorization functions.
- Test both allowed and denied access.
- Review permissions regularly.
- Log important access control events safely.
Best Practices for Authorization
Recommended Practices
- Separate authentication and authorization logic.
- Never assume login means full access.
- Apply least privilege access.
- Use clear roles and permissions.
- Use RBAC for role-based systems.
- Use ownership checks for user-specific resources.
- Enforce authorization on trusted backend systems.
- Protect all sensitive API endpoints.
- Use centralized authorization checks where practical.
- Return safe access denied messages.
- Log important authorization failures safely.
- Review roles and permissions regularly.
- Test authorization using positive and negative test cases.
- Avoid giving broad admin access unnecessarily.
Prerequisites Before Learning Authorization
Students should understand the following topics before learning authorization deeply:
Required Knowledge
- Basic programming syntax.
- Conditional statements.
- Functions or methods.
- Authentication basics.
- Secure programming practices.
- Input validation.
- Basic web application concepts.
- Basic API concepts.
- Basic database record ownership concept.
Trace Table Example: Delete Student Authorization
FUNCTION canDeleteStudent(currentUser)
IF currentUser.role == "Admin" THEN
RETURN true
ELSE
RETURN false
END IF
END FUNCTION
| Test Case | User Role | Expected Result | Reason |
|---|---|---|---|
| TC_001 | Admin | Allowed | Admin role has delete permission. |
| TC_002 | Teacher | Denied | Teacher should not delete student records. |
| TC_003 | Student | Denied | Student should not delete records. |
| TC_004 | Guest | Denied | Guest has no protected access. |
Practice Activity: Add Authorization
Improve the following pseudocode by adding an authorization check.
FUNCTION updateMarks(studentId, marks)
SAVE marks for studentId
RETURN "Marks updated"
END FUNCTION
Sample Improved Version
FUNCTION updateMarks(currentUser, studentId, marks)
IF currentUser.role is not "Teacher" AND currentUser.role is not "Admin" THEN
RETURN "Access denied"
END IF
IF marks < 0 OR marks > 100 THEN
RETURN "Invalid marks"
END IF
SAVE marks for studentId
RETURN "Marks updated"
END FUNCTION
The improved version checks whether the user has permission before updating marks.
Practice Test Cases
| Test Case | Scenario | Expected Output |
|---|---|---|
| TC_001 | Teacher updates valid marks | Marks updated |
| TC_002 | Admin updates valid marks | Marks updated |
| TC_003 | Student tries to update marks | Access denied |
| TC_004 | Guest tries to update marks | Access denied |
| TC_005 | Teacher enters marks above 100 | Invalid marks |
Mini Quiz
What is authorization?
Authorization is the process of checking whether a user has permission to access a resource or perform an action.
What question does authorization answer?
Authorization answers the question: What are you allowed to do?
What is RBAC?
RBAC means Role-Based Access Control, where permissions are assigned to roles and users receive permissions through their roles.
What is least privilege?
Least privilege means giving users only the minimum permissions required to perform their tasks.
Is frontend authorization enough?
No. Authorization must be enforced on trusted backend logic because frontend controls can be bypassed.
Interview Questions on Authorization Basics
Define authorization in secure programming.
Authorization is the process of deciding whether an authenticated user has permission to access a resource or perform an action.
What is the difference between authentication and authorization?
Authentication verifies identity, while authorization checks access permissions after identity is known.
Why is least privilege important?
Least privilege reduces security risk by ensuring users receive only the access required for their responsibilities.
What is a role in RBAC?
A role is a collection of permissions that represents a responsibility or user type in the system.
What is broken access control?
Broken access control occurs when users can access data or actions they should not be allowed to access.
Quick Summary
| Concept | Meaning |
|---|---|
| Authorization | Checking what a user is allowed to access or do. |
| Authentication | Verifying user identity. |
| Access Control | Managing access to resources and actions. |
| Role | A group of permissions based on responsibility. |
| Permission | A specific allowed action on a resource. |
| RBAC | Role-Based Access Control. |
| Least Privilege | Giving only the minimum required access. |
| IDOR | Accessing another user’s resource by changing an identifier. |
Final Takeaway
Authorization is a key secure programming practice that controls what authenticated users are allowed to do. Students should remember that login does not mean full access. Applications must check roles, permissions, ownership, least privilege, and backend access rules before allowing sensitive actions. Strong authorization prevents unauthorized access, protects data, supports business rules, and makes applications safer and more trustworthy.