Access Control / AuthZ
- There are a number of factors that matter in authorization
- Question: "Should a requested action be allowed?"
- Who/what is the actor? Not necessarily a person
- What resource(s) are they trying to interact with?
- What action are they trying to take?
- Are there any other important pieces of context to consider?
- Is the user's IP address coming from a suspicious location?
- Is this the first time they're using this device?
- Outcome is generally to allow, deny, or challenge the action (get more info)
8 / 26