Information Technology Reference
application programming interface (API) of the PAM component
instead. The PAM can be configured to authenticate against any desired
form of authentication service, returning identity validation to the
calling application.
Authorization
Authorization is the practice of providing access to specific resources
based on the rights allowed or assigned to an authenticated identity.
Access rights to files and database information can include read, edit,
write, or change capabilities, while service access rights may also include
log-on, shutdown, and administrative management functions beyond
simple change control settings.
Authorization involves comparison of authenticated identities against
established security policies such as time-of-day and point-of-origin
restrictions, as well as application of the principle of least privilege. This
principle involves granting only the minimum level of access needed in
order to perform assigned tasks, and restricting all other access. When
users are prevented from logging in with administrative accounts for daily
access, an accidental compromise of a user's session remains a local matter
and does not expose elevated privileges or access rights to compromise.
Similarly, database and file access can be restricted to the least information
and access capability required to perform legitimate operations.
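As an added illustration (not part of the original text), the Python sketch below evaluates a request against a default-deny policy that combines least-privilege rights with time-of-day and point-of-origin restrictions. The Grant and authorize names are hypothetical, and the identities, resources, hours and networks are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Grant:
    """One policy entry: rights an identity holds on a resource, plus rules."""
    identity: str           # "*" matches any requester (anonymous access)
    resource: str
    rights: frozenset       # least privilege: list only the rights needed
    hours: tuple = None     # (start, end) same-day time window, or None for any time
    networks: tuple = ()    # allowed source networks; empty means any origin

    def permits(self, identity, resource, right, when, source_ip):
        if self.identity not in ("*", identity) or self.resource != resource:
            return False
        if right not in self.rights:
            return False
        # Time-of-day restriction (windows crossing midnight are not handled).
        if self.hours and not (self.hours[0] <= when.time() < self.hours[1]):
            return False
        # Point-of-origin restriction.
        if self.networks and not any(
                ip_address(source_ip) in ip_network(n) for n in self.networks):
            return False
        return True

def authorize(policy, identity, resource, right, when, source_ip):
    """Default deny: allow only if some grant explicitly permits the request."""
    return any(g.permits(identity, resource, right, when, source_ip)
               for g in policy)

# Constructed sample policy: a daily-use account with read-only access, and a
# separate administrative account usable only from a management network.
POLICY = [
    Grant("*", "public-site", frozenset({"read"})),
    Grant("alice", "payroll-db", frozenset({"read"}),
          hours=(time(8, 0), time(18, 0)), networks=("10.20.0.0/16",)),
    Grant("alice-admin", "payroll-db", frozenset({"read", "write", "shutdown"}),
          networks=("10.20.99.0/24",)),
]

if __name__ == "__main__":
    ten_am = datetime(2024, 1, 8, 10, 0)
    print(authorize(POLICY, "alice", "payroll-db", "read", ten_am, "10.20.5.9"))
    print(authorize(POLICY, "alice", "payroll-db", "write", ten_am, "10.20.5.9"))
```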
Access Controls
An identity may be authorized to access a requested resource using many
different criteria, including:
Anonymous. Some resources are available to any request, regardless
of the requestor's identity. Public-facing websites are an example of
this type of access, which requires no form of authorization. In some
settings, generic “guest” accounts provide a specific identity that is
available anonymously for access.
Rule-based. Resources may be available only during working hours,
or only to requests made from particular terminal locations.
Rule-based access restrictions are typically coupled with additional forms