• There are a number of factors that matter in authorization
• Question: "Should a specific requested action be allowed?"
• Who/what is the actor? Not necessarily a person
• What resource(s) are they trying to interact with?
• What action are they trying to take?
• Are there any other important pieces of context to consider?
  • Is the user's IP address coming from a suspicious location?
  • Is this the first time they're using this device?
• Outcome is generally to allow, deny, or challenge the action (get more info)

4 / 23