Authorization

Authorization is the process of determining what a verified user is permitted to do — what resources they can access, what actions they can perform, and what data they can view or modify. Authorization happens after authentication: first the system confirms your identity, then it checks what permissions your identity has been granted.

Authorization is implemented through access control mechanisms like role-based access control (RBAC), where permissions are assigned based on job roles, or attribute-based access control (ABAC), where access decisions consider multiple factors like user role, time of day, location, and data sensitivity.
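As an added illustration (not code from the original page), the following Python shows how a single authorization check can combine both models: an RBAC role-to-permission table decides whether the user's job role grants the action at all, and an ABAC rule then applies attribute conditions (data sensitivity, location, time of day) on top. The roles, permissions and business-hours window are constructed sample values; the check denies by default, so a request must pass both layers.

```python
from dataclasses import dataclass

# RBAC: constructed sample mapping of job roles to the permissions they grant.
# Permissions are "resource:action" strings; a role gets only what its job needs.
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "manager": {"report:read", "report:approve"},
    "admin":   {"report:read", "report:approve", "report:delete"},
}

# ABAC: constructed sample policy for sensitive data ("cui" here is a label,
# not a claim about any real classification scheme).
OFFICE_HOURS = range(8, 18)   # hours 08:00-17:59 count as business hours


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset          # roles assigned to the authenticated user
    action: str               # e.g. "report:read"
    sensitivity: str          # "public", "internal" or "cui"
    location: str             # "office" or "remote"
    hour: int                 # hour of day, 0-23


def rbac_allows(req: Request) -> bool:
    """True if any of the user's roles grants the requested action."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    return req.action in granted


def abac_allows(req: Request) -> bool:
    """Attribute conditions: sensitive data only from the office, in hours."""
    if req.sensitivity == "cui":
        if req.location != "office":
            return False
        if req.hour not in OFFICE_HOURS:
            return False
    return True


def authorize(req: Request) -> bool:
    """Default deny: the request must satisfy both the RBAC and ABAC layers."""
    return rbac_allows(req) and abac_allows(req)
```

A user with no roles, or a role missing from the table, gets an empty permission set and is denied, which is the least-privilege behaviour an assessor expects to see.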

Why It Matters

Proper authorization controls — ensuring users can only access what they need for their job — are a CMMC requirement under access control and least privilege principles. Overly permissive authorization is a common finding during assessments.
