Key-based authentication offers functionality to securely associate connections with peers within an infrastructure. Very often it is enough to make sure that only authenticated systems can communicate. There are also cases where we need to allow / disallow certain operations based on the remote peer issuing the command. The process of verifying whether a peer is allowed to issue a certain command or not is called authorization, as mentioned earlier in the chapter.

Very often we associate one or more roles to specified users or systems in the infrastructure. An example is that IT administrators need to perform different operations from regular users of a system. It could also be different from operations performed by an automated backup system.

Also, defining what each of the users or applications in the system is allowed to perform can be very time consuming. If our application offers a large number of features and supports hundreds of users or systems, it is a tedious process to define a set of features for each user.

A typical approach to standardizing this is to define roles, which can be a set of allowed and disallowed operations. It can also be additional information for these operations. A good example is distinguishing between users with limited permissions, normal users, and administrators. All these are roles and define sets of allowed operations.