Authentication vs. Authorization

In computing systems, authentication and authorization must work in tandem to provide effective security. Without authentication, there would be no way to determine if individuals are who they claim to be. Without some sort of authorization in place, it may not matter who they claim to be — as with no authorization in place, essentially anyone could access anything simply by telling the truth about who they are.


Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. To access most technology services of Indiana University, you must provide such proof of identity.

In private and public computer networks (including the Internet), authentication is commonly done through the use of login passwords or passphrases; knowledge of such is assumed to guarantee that the user is authentic. Thus, when you are asked to "authenticate" to a system, it usually means that you enter your username and/or password for that system.

Authentication services at IU


In computing systems, authorization is the process of determining which permissions a person or system is supposed to have. In multi-user computing systems, a system administrator defines which users are allowed access to the system, as well as the privileges of use for which they are eligible (e.g., access to file directories, hours of access, amount of allocated storage space). Authorization can be seen as both the preliminary setting of permissions by a system administrator, and the actual checking of the permission values when a user obtains access. Authorization is usually preceded by authentication.

Types of authorization services

Active Directory security groups

Active Directory security groups are an effective way to provide strict authorization lists. The basic concept is that access to a particular resource or service is granted to a particular group, rather than a list of users. At IU, a person can use their Network ID passphrase to authenticate against the ADS domain, which will then lookup to see if they are members of the authorizing group. If so, access is granted.

Important to note is that Active Directory security groups can be nested — so one group can be a member of another group, and if properly configured, access can be granted to any user in any of the authorizing groups.

The Apache Require directive

Apache Require is a directive that selects which authenticated users can access a particular resource. That is, it executes after the authentication phase is complete — and relies on a locally maintained list of users and/or groups to decide whether the currently authenticated user is able to access a particular resource.

External access control lists

Many applications maintain their own access control lists in places such as databases or XML files. This can allow an application to store its own authorization information, often helpful for reducing external dependencies or incompatibility issues.

Why it's important not to confuse the two

Consider the process of purchasing an airplane ticket and boarding a plane. The guard at the security checkpoint attempts to authenticate you — that is, s/he examines your I.D. and determines whether the person standing in front of them matches the person on both the boarding pass and on the photo I.D. presented to them. They make no attempt to authorize who is eligible to board the airplane at that time.

Once you approach the gate, a ticket agent will eventually call you to board the plane. They will usually scan your boarding pass, thus authorizing you to board the plane. The ticket agent does not examine your I.D. — as they rely on the security officer to have already authenticated you. Presumably, if you were not who you claimed to be, there would have been no reason to continue on to the authorization phase of the process.

How does this apply to information security?

Effective security must employ both strong authentication and strict authorization. Let's say that your web application authenticates users via CAS — CAS is a very effective way to determine who a user is, but that's it. CAS provides no authorization mechanism.

So, if CAS is your only method of authentication/authorization, your web application would effectively allow anyone who could authenticate to CAS (including guest accounts, this could be the entire world). Your application also requires a strict authorization list, in order to determine who is able to access which service or aspect of the application. Active Directory security groups are an excellent, efficient, and scalable way to build an authorization system. AD groups can be integrated into web applications, file/print servers, which persons can login to which desktop workstations, and more.

These are a few ways to help you assess, build, and maintain a strong, robust infrastructure to assist you when restricting access to information resources.

Security & Policy Blog Posts

  • Drupal announced the availability of a patch to fix a critical SQL injection vulnerability in Drupal 7.
  • Creating and maintaining a disaster recovery plan for departments and thier critical services
  • How workplace culture affects information security and how that culture can be improved.
  • The FBI has issued a public service bulletin regarding recent cyber-crimes which target university employees and students. Criminal activities involve payroll and IRS filings.

    Recent Security Bulletins

  • Adobe Flash is vulnerable to exploit that could allow an attacker to take control of the affected system.
  • Vulnerability in SSL 3.0
  • Critical Bash Exploit: Shellshock
  • Vulnerability in OpenSSL versions 1.0.1 before 1.0.1g