Authorization is the process of deciding what an authenticated identity is allowed to access or do.
Authorization is the process of deciding what an identity is allowed to do after that identity has been established. In plain language, it determines which data, systems, features, or actions a user or service can access once authentication has already happened.
Authorization matters because proving identity alone does not make an action safe. A user may be legitimate, but that user should still only reach the systems and functions appropriate to the role, device, context, and task.
It also matters because poor authorization creates some of the most damaging security failures. Overly broad admin rights, weak object-level access checks, and poorly scoped service permissions can expose sensitive systems even when authentication is strong.
Authorization appears in SaaS role models, API scopes, cloud IAM policies, database permissions, Kubernetes access rules, and privileged admin workflows. It is where organizations implement Least Privilege, map users to Role-Based Access Control, or apply more dynamic rules such as Attribute-Based Access Control.
Security teams also review authorization during audits and incident investigations. They ask whether a user should have had the relevant permission at all, whether access should have expired, and whether privileged actions were protected with stronger workflows.
Two employees successfully sign in to the same HR system. One works in payroll, and the other is a general manager. Both are authenticated users, but authorization rules allow only the payroll employee to export salary data or change compensation settings.
Authorization is not the same as Authentication. Authentication verifies identity. Authorization determines allowed actions. Confusing the two leads to systems that know who a person is but still grant the wrong level of access.
Authorization is also not always static. Some systems consider role, device state, location, project membership, or time of day before granting access. That is why authorization design can range from simple role mapping to more dynamic policy engines.
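The HR scenario above and the dynamic factors just described, as an added example in Python (not from the original page): a deny-by-default authorization check that layers a role check (RBAC), an object-level ownership check, and attribute-based conditions (managed device, corporate network, business hours) on the privileged salary actions. The role names, permissions and policy thresholds are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role model for the HR scenario: each role maps to the actions it
# may perform (RBAC). Only payroll may export salary data or change compensation.
ROLE_PERMISSIONS = {
    "payroll": {"view_record", "export_salary", "change_compensation"},
    "general_manager": {"view_record", "approve_leave"},
    "employee": {"view_record"},
}

# Actions whose impact justifies extra, attribute-based conditions (ABAC).
PRIVILEGED_ACTIONS = {"export_salary", "change_compensation"}


@dataclass
class Principal:
    user_id: str
    role: str
    device_managed: bool = False


@dataclass
class Context:
    hour: int                          # local hour of day, 0-23
    from_corporate_network: bool = False


def is_authorized(p: Principal, action: str, record_owner: str, ctx: Context) -> bool:
    """Deny by default: every branch must positively grant before True is returned."""
    # 1. Role check (RBAC): an unknown role holds no permissions at all.
    if action not in ROLE_PERMISSIONS.get(p.role, set()):
        return False
    # 2. Object-level check: a plain employee may only view their own record,
    #    which is the check that "weak object-level access" failures omit.
    if p.role == "employee" and record_owner != p.user_id:
        return False
    # 3. Attribute-based conditions for privileged actions (constructed policy):
    #    managed device, corporate network, and business hours 08:00-18:00.
    if action in PRIVILEGED_ACTIONS:
        if not (p.device_managed and ctx.from_corporate_network):
            return False
        if not 8 <= ctx.hour < 18:
            return False
    return True


if __name__ == "__main__":
    payroll = Principal("u1", "payroll", device_managed=True)
    manager = Principal("u2", "general_manager", device_managed=True)
    office = Context(hour=10, from_corporate_network=True)
    print("payroll export:", is_authorized(payroll, "export_salary", "u9", office))  # True
    print("manager export:", is_authorized(manager, "export_salary", "u9", office))  # False
```

Both users are authenticated; the difference in outcome comes entirely from the authorization layer, and the same payroll user is refused the export from an unmanaged device or outside business hours.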