Authorization

Once a subject has successfully authenticated, the next step is authorization: deciding which of the resources it requests it is actually permitted to use, and in what way.

An authenticated identity may request access to an object, but the request is granted only if that identity holds the rights and privileges required for the intended action on that object.

An access control matrix is one of the most common techniques for evaluating the three elements of a request together: the subject, the object, and the intended action. Each cell of the matrix records what a given subject may do to a given object. If the cell grants the requested action, the action is allowed; otherwise, including when the cell is empty, it is denied.

Note that a subject who has been identified and authenticated is not thereby granted rights to anything and everything. Identification and authentication are all-or-nothing aspects of access control: the subject either proves who it is or it does not. Authorization, by contrast, is granular. Privileges are granted according to the subject's role and on a need-to-know basis, so an authenticated subject may still hold no rights at all to a particular object.

The following table shows a sample access control matrix:

                   Resource
User           File 1        File 2
User 1         Read          Write
User 2         -             Read
User 3         Write         Write

From the preceding sample access control matrix, we can conclude the following:

  • User 1 can read file 1 but cannot modify it, and can read and write file 2
  • User 2 can read file 2 but has no access at all to file 1
  • User 3 can read and write both file 1 and file 2 (a Write entry is taken to include Read)
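
The matrix lookup described above, written out as code. This is an added example, not code from the book: it encodes the sample table, treats every missing cell as a denial, and takes a Write entry to include Read, which is how the conclusions read the User 3 row. The subject and object names are the table's, lower-cased.

```python
"""Access control matrix evaluation.

Added example, not code from the original page. It encodes the sample
matrix from the text and makes explicit two things the text leaves
implicit: every cell not listed is denied (default deny), and a Write
entry is taken to include Read, which is how the text reads the User 3
row ("read/write both files").
"""
from __future__ import annotations

from enum import Enum
from typing import Optional


class Action(Enum):
    READ = "read"
    WRITE = "write"


# Rows are subjects, columns are objects, and each cell holds the most
# privileged action granted. None is the "-" cell: no access at all.
# Constructed to match the sample table in the text.
ACCESS_MATRIX: dict[str, dict[str, Optional[Action]]] = {
    "user1": {"file1": Action.READ, "file2": Action.WRITE},
    "user2": {"file1": None, "file2": Action.READ},
    "user3": {"file1": Action.WRITE, "file2": Action.WRITE},
}

# Concrete actions each granted level permits (Write subsumes Read; this is
# the assumption noted in the module docstring).
IMPLIED_ACTIONS: dict[Action, frozenset[Action]] = {
    Action.READ: frozenset({Action.READ}),
    Action.WRITE: frozenset({Action.READ, Action.WRITE}),
}


def is_authorized(subject: str, obj: str, action: Action) -> bool:
    """Compare subject, object and intended action against the matrix.

    Unknown subjects, unknown objects and empty cells all fall through to
    False: the decision is default-deny, never default-allow.
    """
    row = ACCESS_MATRIX.get(subject)
    if row is None:
        return False
    granted = row.get(obj)
    if granted is None:
        return False
    return action in IMPLIED_ACTIONS[granted]


def effective_rights(subject: str) -> dict[str, set[str]]:
    """Expand one row of the matrix into the concrete actions the subject
    may perform on each object. Reviewing this per subject is how
    over-granted rights are spotted."""
    return {
        obj: {a.value for a in Action if is_authorized(subject, obj, a)}
        for obj in ACCESS_MATRIX.get(subject, {})
    }


if __name__ == "__main__":
    for subject in ACCESS_MATRIX:
        print(subject, effective_rights(subject))
```

The two `return False` branches before the final lookup are the point: a subject or object the matrix has never heard of must fail closed, not fall into some default row.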

Common attacks on authorization include the following:

  • Authorization creep (also called privilege creep): a user has accumulated, intentionally or unintentionally, more privileges than their current role actually requires, typically because rights granted for earlier roles or tasks were never revoked
  • Horizontal privilege escalation: a user bypasses the authorization controls and obtains the privileges, or reaches the data, of another user at the same level of the hierarchy, for example by accessing a record that belongs to a peer
  • Vertical privilege escalation: a user bypasses the authorization controls and obtains the privileges of a user higher in the hierarchy, such as an administrator
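
The two escalation attacks above, shown against a constructed document store. This is an added example, not code from the book or from any real application: the users, documents and roles are invented. Each operation appears twice, once with the authorization gap that lets an ordinary user reach a peer's data (horizontal) or act as an administrator (vertical), and once with the check that closes it.

```python
"""Horizontal and vertical privilege escalation.

Added example, not code from the original page. A constructed document
store holds records for two ordinary users and one administrator. The
*_unchecked functions contain the authorization gap each attack exploits;
the *_checked functions close it.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


class AuthorizationError(PermissionError):
    """Raised when a subject requests an action it is not granted."""


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin", established at authentication


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data.
USERS = {
    "alice": User("alice", "user"),
    "bob": User("bob", "user"),
    "carol": User("carol", "admin"),
}
DOCUMENTS = {
    1: Document(1, "alice", "alice's private notes"),
    2: Document(2, "bob", "bob's private notes"),
}


# Horizontal escalation: reaching a peer's data.
def read_document_unchecked(requester: User, doc_id: int) -> str:
    """Knows who the caller is (authentication) but never asks whether this
    subject may read this object. Any user who supplies an id reads it."""
    return DOCUMENTS[doc_id].body


def read_document_checked(requester: User, doc_id: int) -> str:
    """Subject, object and action are compared on every request: only the
    owner, or an administrator, may read."""
    doc = DOCUMENTS[doc_id]
    if doc.owner != requester.name and requester.role != "admin":
        raise AuthorizationError(f"{requester.name} may not read document {doc_id}")
    return doc.body


# Vertical escalation: acting above one's own level.
def delete_document_unchecked(requester_name: str, claimed_role: str,
                              store: dict[int, Document], doc_id: int) -> None:
    """Trusts a role the client asserts about itself. An ordinary user who
    sends claimed_role="admin" deletes as an administrator."""
    if claimed_role != "admin":
        raise AuthorizationError("administrators only")
    del store[doc_id]


def delete_document_checked(requester: User, store: dict[int, Document],
                            doc_id: int) -> None:
    """The role comes from the server-side identity record, never from the
    request itself."""
    if USERS[requester.name].role != "admin":
        raise AuthorizationError(f"{requester.name} is not an administrator")
    del store[doc_id]


def _denied(fn: Callable[..., object], *args: object) -> bool:
    """True if the call is refused by an authorization check."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False


def escalation_demo() -> dict[str, bool]:
    """Run bob, an ordinary user, against both variants of each operation."""
    bob = USERS["bob"]
    results: dict[str, bool] = {}
    # Horizontal: bob asks for alice's document 1.
    results["horizontal_unchecked_leaks"] = read_document_unchecked(bob, 1) == DOCUMENTS[1].body
    results["horizontal_checked_denies"] = _denied(read_document_checked, bob, 1)
    results["owner_still_allowed"] = read_document_checked(bob, 2) == DOCUMENTS[2].body
    # Vertical: bob deletes document 1 by claiming to be an administrator.
    store = dict(DOCUMENTS)
    delete_document_unchecked("bob", "admin", store, 1)
    results["vertical_unchecked_deletes"] = 1 not in store
    store = dict(DOCUMENTS)
    results["vertical_checked_denies"] = _denied(delete_document_checked, bob, store, 1)
    results["admin_still_allowed"] = (
        not _denied(delete_document_checked, USERS["carol"], store, 1) and 1 not in store)
    return results


if __name__ == "__main__":
    for check, outcome in escalation_demo().items():
        print(f"{check:28} {outcome}")
```

In both hardened variants the decision depends only on state the server established itself (the document's owner, the role stored for the authenticated identity); nothing the client sends is trusted as a privilege claim.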