Access Control / AuthZ

  • There are a number of factors that matter in authorization
  • Question: "Should a requested action be allowed?"
  • Who/what is the actor? Not necessarily a person
  • What resource(s) are they trying to interact with?
  • What action are they trying to take?
  • Are there any other important pieces of context to consider?
    • Is the user's IP address coming from a suspicious location?
    • Is this the first time they're using this device?
  • Outcome is generally to allow, deny, or challenge the action (get more info)
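
Added example, not part of the original slides: a small policy decision function that takes the actor, resource, action and context listed above and returns allow, deny, or challenge. The grants table, network range, device IDs, and the rule that a service actor is denied rather than challenged are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    CHALLENGE = "challenge"


@dataclass(frozen=True)
class Request:
    actor: str        # identity making the request; not necessarily a person
    actor_kind: str   # "user" or "service" (hypothetical labels)
    resource: str
    action: str
    source_ip: str
    device_id: str = ""


# Constructed sample policy: (actor, resource) -> permitted actions.
GRANTS = {
    ("alice", "invoices"): {"read", "write"},
    ("svc-billing", "invoices"): {"read"},
}
# Constructed context data: documentation IP range and made-up device ids.
SUSPICIOUS_NETS = [ip_network("203.0.113.0/24")]
KNOWN_DEVICES = {"alice": {"laptop-1"}}


def authorize(req: Request) -> Decision:
    # Who, which resource, which action: default deny when no grant matches.
    if req.action not in GRANTS.get((req.actor, req.resource), set()):
        return Decision.DENY
    try:
        ip = ip_address(req.source_ip)
    except ValueError:
        return Decision.DENY  # fail closed on unparseable context
    # Context never widens access; it can only add friction or block.
    suspicious_ip = any(ip in net for net in SUSPICIOUS_NETS)
    new_device = (req.actor_kind == "user"
                  and req.device_id not in KNOWN_DEVICES.get(req.actor, set()))
    if suspicious_ip or new_device:
        # Assumption: a service cannot answer an interactive challenge.
        return Decision.CHALLENGE if req.actor_kind == "user" else Decision.DENY
    return Decision.ALLOW
```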
