Once the identity of a user has been verified, the security system needs to control what information the user is allowed to see or modify and which applications the user is allowed to execute. Controlling access to a data source is called access control; assigning permissions to users or groups of users to access secured assets is called authorization.
An asset can be a document, database information, another computer system, an application, or any other object within the enterprise’s computer systems.
The process of implementing access control involves defining the information and the access permissions assigned to that information. Next, authorization to access the data is assigned to the user or a role assumed by the user.
Typical access permissions include read, write, update, create, and delete. A permission can also be the right to start or stop an application or access some other back-end system.
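The two steps described above (define each asset with its permissions, then authorize a user or a role) can be sketched as follows. This is an added example, not code from the original text; the class, asset, user, and role names are hypothetical, and denying anything not explicitly granted is an assumption of the example.

```python
from enum import Flag, auto

class Permission(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    UPDATE = auto()
    CREATE = auto()
    DELETE = auto()
    START = auto()
    STOP = auto()

class AccessPolicy:
    def __init__(self):
        self.assets = {}       # asset name -> permissions defined for it
        self.grants = {}       # (user or role, asset) -> granted permissions
        self.user_roles = {}   # user -> set of roles the user assumes

    def define_asset(self, asset, permissions):
        # Step 1: define the asset and the permissions that apply to it.
        self.assets[asset] = permissions

    def grant(self, principal, asset, permissions):
        # Step 2: authorize a user or role, limited to permissions the asset defines.
        defined = self.assets.get(asset, Permission.NONE)
        if permissions & ~defined:
            raise ValueError(f"{asset!r} does not define {permissions & ~defined}")
        key = (principal, asset)
        self.grants[key] = self.grants.get(key, Permission.NONE) | permissions

    def assume_role(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def is_allowed(self, user, asset, permission):
        # Effective rights are direct grants plus those of every assumed role;
        # anything not explicitly granted is denied (assumption of this example).
        effective = self.grants.get((user, asset), Permission.NONE)
        for role in self.user_roles.get(user, ()):
            effective |= self.grants.get((role, asset), Permission.NONE)
        return permission != Permission.NONE and (effective & permission) == permission

def build_sample_policy():
    # Constructed sample data; every name below is hypothetical.
    policy = AccessPolicy()
    policy.define_asset("payroll_db", Permission.READ | Permission.UPDATE | Permission.DELETE)
    policy.define_asset("batch_app", Permission.START | Permission.STOP)
    policy.grant("hr_clerk", "payroll_db", Permission.READ | Permission.UPDATE)  # role grant
    policy.grant("alice", "batch_app", Permission.START)                         # user grant
    policy.assume_role("alice", "hr_clerk")
    return policy
```

With this sample policy, `alice` can read and update `payroll_db` through the `hr_clerk` role and start `batch_app` directly, but she cannot delete payroll records or stop the application.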