Editing Authorization (section)

==Overview==
[[identity management|IAM]] consists the following two phases: the configuration phase where a user account is created and its corresponding access authorization policy is defined, and the usage phase where user authentication takes place followed by access control to ensure that the user/consumer only gets access to resources for which they are authorized. Hence, access control in [[computer]] systems and [[Computer network|networks]] relies on access authorization specified during configuration.  

Authorization is the responsibility of an [[authority]], such as a department manager, within the application domain, but is often delegated to a custodian such as a system administrator. Authorizations are expressed as access policies in some types of "policy definition application", e.g. in the form of an [[access control list]] or a [[Capability-based security|capability]], or a policy administration point e.g. [[XACML]]. 

Broken authorization is often listed as the number one risk in web applications. <ref>{{Cite web |title=A01 Broken Access Control - OWASP Top 10:2021 |url=https://owasp.org/Top10/A01_2021-Broken_Access_Control/ |access-date=2025-05-01 |website=owasp.org}}</ref> On the basis of the "[[principle of least privilege]]", consumers should only be authorized to access whatever they need to do their jobs, and nothing more.<ref>{{Cite web |title=Authorization - OWASP Cheat Sheet Series |url=https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html#enforce-least-privileges |access-date=2025-05-01 |website=cheatsheetseries.owasp.org}}</ref>

"Anonymous consumers" or "guests", are consumers that have not been required to authenticate. They often have limited authorization. On a distributed system, it is often desirable to grant access without requiring a unique identity. Familiar examples of [[access token]]s include keys, certificates and tickets: they grant access without proving identity.