Deciding What You Can Do and Proving You Did It 💡🔑🧾
In the previous article on Authentication & Accounting, we focused on verifying user identities and recording system activity. Building on that foundation, this article explains how systems decide what actions are allowed and how those actions can be proven afterward. 👉 Authentication & Accounting
Imagine you’re visiting a secure office building.
First, the security guard checks your ID and lets you in. Once inside, you can’t go everywhere—your badge might allow you into the lobby and meeting rooms, but not the server room or executive offices. That control over what you’re allowed to access is authorization.
Now imagine you sign a document or swipe your badge to enter a restricted area. Later, if there’s a question about who accessed what or who approved something, there’s proof—a signature, a log entry, or a recorded action. You can’t simply say, “That wasn’t me.” This assurance and accountability is called nonrepudiation.
In the digital world, authorization ensures users and systems can access only what they are permitted to, while nonrepudiation ensures that actions—such as sending a message, approving a transaction, or changing data—can be traced back to the responsible party.
Together, these two concepts help organizations maintain control, accountability, and trust in secure systems. In the sections ahead, we’ll explore each of them in more detail and see how they work behind the scenes to protect digital environments.
Authorization 🔑🛂
Once it has been determined who the user is, the next step in access control is deciding what the user is allowed to do. This process is known as authorization.
Authorization ensures that users can perform only specific actions on specific resources based on the permissions granted to them. In most computer systems, access is controlled through a system of permissions, which are essentially groups of privileges.
For example, a user might be allowed to edit one file but only open and read another. Similarly, a user may be able to view records in a database without being able to modify or delete them.
One of the most important foundations of authorization is the principle of least privilege. This principle states that users should be granted only the minimum level of access required to perform their job, and no more. By limiting access in this way, organizations reduce the risk of accidental changes, data leaks, or malicious activity.
Real-World Example 🏢
Imagine entering an office building. You first show your ID to confirm your identity, which lets you get inside. However, once inside, your badge only enables you to access certain rooms—such as your workspace or meeting areas—while restricting access to sensitive locations like the server room. Verifying your identity is authentication, and deciding which areas you can access is authorization.
- Authentication confirms who you are
- Authorization determines what you are allowed to do
The least privilege model applies not just to files, but to databases, applications, networks, and all other system resources. There are four common access control methods used to implement authorization:
- Role-Based Access Control
- Rule-Based Access Control
- Mandatory Access Control
- Discretionary Access Control
Each of these methods is discussed in the sections below.
Mandatory Access Control (MAC) 🔒🏛️
Of the four access control methods, Mandatory Access Control (MAC) is the most restrictive. In this model, all security decisions are centrally managed by a system administrator, including access to files and resources created by users themselves.
MAC is commonly used in highly secure environments, such as systems owned or operated by government agencies or military organizations, where strict control over information is essential. While this approach offers the highest level of security, it also requires significant effort and resources to manage properly.
In Mandatory Access Control, every object—such as files, folders, and system resources—is assigned a security label. This label contains:
- A classification level (for example: Top Secret, Confidential, Restricted), and
- A category, which specifies which departments or groups are allowed access.
Users are assigned a clearance of the same form: a level plus a set of categories. When a user attempts to read an object, the system checks two things: the user's level must be at least as high as the object's classification, and the user's categories must include every category on the object's label. Access is granted only if both conditions hold, so a Top Secret user who lacks the FINANCE category still cannot read a Confidential document labelled FINANCE.
Security classifications are hierarchical, so a user with Top Secret clearance can read resources classified at lower levels, such as Confidential or Restricted, but not the reverse. The label decides, not the user who created the file.
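The check described above, written out as an added example (this code is not from the original article). It models a label as a level plus a set of categories, tests whether a subject's clearance "dominates" an object's label for a read, and shows that the creator of an object cannot change its label while the security administrator can. The level names, subjects, and files are constructed for illustration.

```python
from dataclasses import dataclass

# Classification levels, lowest to highest. The names are assumptions; a real
# system defines its own ordering.
LEVELS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A MAC security label: one hierarchical level plus a set of categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A label dominates another when its level is at least as high AND it
        # carries every category the other label carries.
        return (RANK[self.level] >= RANK[other.level]
                and other.categories <= self.categories)


@dataclass
class Subject:
    name: str
    clearance: Label
    is_security_admin: bool = False


@dataclass
class SecuredObject:
    name: str
    creator: str
    label: Label


def can_read(subject: Subject, obj: SecuredObject) -> bool:
    """Read is allowed only when the subject's clearance dominates the object's label."""
    return subject.clearance.dominates(obj.label)


def relabel(actor: Subject, obj: SecuredObject, new_label: Label) -> None:
    """Labels are set centrally: not even the creator of an object may change them."""
    if not actor.is_security_admin:
        raise PermissionError(
            f"{actor.name} cannot relabel {obj.name}; labels are assigned by the security administrator"
        )
    obj.label = new_label


def demo() -> dict:
    """Constructed subjects and one file; returns every decision for inspection."""
    admin = Subject("secadmin", Label("Top Secret", frozenset({"FINANCE", "HR"})), True)
    alice = Subject("alice", Label("Secret", frozenset({"FINANCE"})))
    bob = Subject("bob", Label("Top Secret", frozenset({"HR"})))
    budget = SecuredObject("budget.xlsx", creator="alice",
                           label=Label("Confidential", frozenset({"FINANCE"})))

    results = {
        # Secret >= Confidential and FINANCE is covered -> allowed
        "alice_reads_budget": can_read(alice, budget),
        # Higher level than needed, but the FINANCE category is missing -> denied
        "bob_reads_budget": can_read(bob, budget),
    }
    try:
        relabel(alice, budget, Label("Unclassified"))   # creator tries to declassify her own file
        results["creator_relabel"] = "allowed"
    except PermissionError:
        results["creator_relabel"] = "denied"
    relabel(admin, budget, Label("Secret", frozenset({"FINANCE", "HR"})))
    results["alice_reads_after_relabel"] = can_read(alice, budget)   # now also needs HR -> denied
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Note that bob is denied even though his level is higher than the file's: the category check is what keeps Top Secret HR staff out of Finance material, and it is why both conditions are tested rather than the level alone.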
Real-World Analogy 🏛️📁
Think of government files stored in a secure facility. Each document is labeled Confidential or Top Secret, and only officials with the appropriate clearance can view them. Even if you created the document, you still cannot change who can access it—the system enforces the rules.
Discretionary Access Control (DAC) 🧑💻📂
In Discretionary Access Control (DAC), the owner of a resource decides who else may access it and at what level; the system only enforces the choices the owner makes. This is the model behind ordinary file permissions on most desktop and server operating systems, and it is typical in workgroups or small office environments, where strict centralized control is not required.
Instead of security labels, DAC uses Access Control Lists (ACLs). An ACL defines which users or groups can access an object and what level of access they have. For example, one user may have read-only access to a file, while another user may be allowed to modify or delete it.
Discretionary Access Control is much more flexible than Mandatory Access Control and places less administrative burden on system administrators. However, because each owner manages access to their own resources, security depends heavily on how carefully those owners apply permissions: a single over-broad grant, such as giving Everyone write access to a shared folder, is enough to expose the data. Whether that trade-off is acceptable depends on the organization and its security requirements.
Real-World Analogy 🏠🔑
Think of sharing files on your personal laptop at home. You decide who can view, edit, or delete your files. While this is convenient and flexible, it relies on you to make the right security choices.
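An added example of an ACL-based DAC check (not code from the original article). Each resource carries an ordered list of access control entries for users or groups, an explicit deny overrides any allow, and only the owner, or someone the owner has given the right to edit the ACL, may change it. The user names, group, and file are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Set

ALL_RIGHTS = {"read", "write", "delete", "change_acl"}

# Constructed group membership (an assumption for the example).
GROUPS = {"analysts": {"bob", "carol"}}


@dataclass
class ACE:
    """Access Control Entry: allow or deny a set of rights to a user or group."""
    kind: str            # "allow" or "deny"
    principal: str       # user name or group name
    rights: Set[str]


@dataclass
class Resource:
    name: str
    owner: str
    acl: List[ACE] = field(default_factory=list)


def principals_of(user: str) -> Set[str]:
    """The user plus every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def effective_rights(resource: Resource, user: str) -> Set[str]:
    # The owner always keeps the right to edit the ACL (that is what "discretionary"
    # means). Every other right comes from the ACL, and an explicit deny beats an allow.
    allowed: Set[str] = {"change_acl"} if user == resource.owner else set()
    denied: Set[str] = set()
    mine = principals_of(user)
    for ace in resource.acl:
        if ace.principal in mine:
            (allowed if ace.kind == "allow" else denied).update(ace.rights)
    return allowed - denied


def is_allowed(resource: Resource, user: str, right: str) -> bool:
    return right in effective_rights(resource, user)


def set_ace(resource: Resource, actor: str, ace: ACE) -> None:
    """Only someone holding change_acl (the owner by default) may modify the ACL."""
    if not is_allowed(resource, actor, "change_acl"):
        raise PermissionError(f"{actor} may not change the ACL of {resource.name}")
    resource.acl.append(ace)


def demo() -> dict:
    report = Resource("q3-report.docx", owner="alice")
    set_ace(report, "alice", ACE("allow", "alice", set(ALL_RIGHTS)))
    set_ace(report, "alice", ACE("allow", "analysts", {"read"}))   # grant to the whole group
    set_ace(report, "alice", ACE("deny", "carol", {"read"}))       # but carve one member out
    results = {
        "bob_read": is_allowed(report, "bob", "read"),          # via analysts -> True
        "bob_write": is_allowed(report, "bob", "write"),        # never granted -> False
        "carol_read": is_allowed(report, "carol", "read"),      # deny overrides the group allow -> False
        "alice_delete": is_allowed(report, "alice", "delete"),  # owner granted herself everything -> True
    }
    try:
        set_ace(report, "bob", ACE("allow", "bob", {"write"}))  # bob tries to grant himself write
        results["bob_self_grant"] = "allowed"
    except PermissionError:
        results["bob_self_grant"] = "denied"
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The deny-beats-allow rule mirrors how Windows evaluates NTFS ACLs and is what lets an owner share with a group while still excluding one member; without it, carol would inherit read access through the analysts group.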
Role-Based Access Control (RBAC) 👥🔑
In Role-Based Access Control (RBAC), access to resources is managed through administrator-defined roles rather than individual users. These roles usually reflect job functions or organizational departments.
For example, a school may define roles such as Student, Faculty, and Staff, each with different levels of access. Similarly, a business might create roles such as Marketing, Sales, Finance, and Human Resources, with permissions tailored to each department’s needs.
Operating system accounts show a simple form of RBAC. When an OS is installed, an administrator account is created with full access to system files and services, while standard user accounts receive limited permissions: typically access to the files they own, but not the ability to manage system services or read other users' files. The per-file permissions those accounts then set on their own files are DAC, so in practice most operating systems combine the two models.
In RBAC, permissions are assigned to roles, not to individual users, so everyone assigned to the same role has the same level of access. Access is widened or narrowed by changing the role or a user's role membership, never by attaching a permission to one account. Some implementations restrict each account to a single role at a time; others, including the NIST RBAC model, let a user hold several roles and treat the union of their permissions as effective.
Real-World Analogy 🏢🪪
Think of an organization where employees receive access based on their job title. Everyone with the same role—such as Sales Representative—gets the same keys and system access, regardless of who they are individually.
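An added example of an RBAC policy engine (not code from the original article). Permissions attach to roles, users can only be given roles, and changing a role changes access for every member at once. The class supports both variants described above: by default a user may hold several roles, and `single_role=True` enforces one role per account. The school roles and permission names are constructed for the example.

```python
from typing import Dict, Set

# Constructed role definitions for a school (names and permissions are assumptions).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "student": {"course:view", "grade:view_own"},
    "faculty": {"course:view", "course:edit", "grade:enter"},
    "staff":   {"course:view", "roster:edit"},
}


class RBAC:
    """Permissions attach to roles; users only ever receive roles."""

    def __init__(self, role_permissions: Dict[str, Set[str]], single_role: bool = False):
        self.role_permissions = role_permissions
        self.user_roles: Dict[str, Set[str]] = {}
        self.single_role = single_role   # strict variant: one role per account

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        roles = self.user_roles.setdefault(user, set())
        if self.single_role and roles and role not in roles:
            raise ValueError(f"{user} already holds role {next(iter(roles))!r}")
        roles.add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def permissions_of(self, user: str) -> Set[str]:
        # Effective permissions are the union over the user's roles; no per-user extras exist.
        return set().union(*(self.role_permissions[r] for r in self.user_roles.get(user, ())))

    def check(self, user: str, permission: str) -> bool:
        return permission in self.permissions_of(user)

    def grant_to_role(self, role: str, permission: str) -> None:
        """The only way to widen access: change the role, which changes it for every member."""
        self.role_permissions[role].add(permission)


def demo() -> dict:
    rbac = RBAC({r: set(p) for r, p in ROLE_PERMISSIONS.items()})
    rbac.assign_role("dana", "faculty")
    rbac.assign_role("eli", "faculty")
    rbac.assign_role("finn", "student")
    results = {
        "dana_enters_grades": rbac.check("dana", "grade:enter"),
        "finn_enters_grades": rbac.check("finn", "grade:enter"),
        "eli_edits_roster_before": rbac.check("eli", "roster:edit"),
    }
    rbac.grant_to_role("faculty", "roster:edit")   # one change, every faculty member gains it
    results["eli_edits_roster_after"] = rbac.check("eli", "roster:edit")
    results["dana_edits_roster_after"] = rbac.check("dana", "roster:edit")
    rbac.revoke_role("dana", "faculty")            # leaving the role drops all of its permissions at once
    results["dana_after_revoke"] = rbac.permissions_of("dana")

    strict = RBAC({r: set(p) for r, p in ROLE_PERMISSIONS.items()}, single_role=True)
    strict.assign_role("gia", "student")
    try:
        strict.assign_role("gia", "staff")
        results["strict_second_role"] = "allowed"
    except ValueError:
        results["strict_second_role"] = "denied"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The absence of any "grant to user" method is deliberate: if the only way to change access is through roles, an audit of who can do what reduces to listing role definitions and role memberships, which is the operational payoff of RBAC.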
Rule-Based Access Control (Rule-BAC) 📜🔐
In a Rule-Based Access Control system, access to resources is governed by a set of rules defined by an administrator. Like Discretionary Access Control, rule-based systems often rely on Access Control Lists (ACLs) to determine whether access should be allowed or denied.
When a user or group attempts to access a resource, the system checks the ACL rules to determine whether the requested action is permitted. These rules may be based on conditions such as the time of access, location, request type, or system state, rather than just on who the user is.
Rule-Based Access Control allows organizations to enforce consistent, automated security decisions without requiring users to manage permissions themselves. This makes it especially useful in environments where access must follow strict policies.
Real-World Analogy 🚦🕒
Think of traffic lights at an intersection. Drivers don’t decide when to go—the rules control access. When the light is green, cars are allowed to proceed; when it’s red, access is denied, regardless of who the driver is.
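An added example of a rule-based check (not code from the original article): an ordered ACL whose rules match on resource, operation, source network, and time of day, evaluated first-match-wins with a default deny, the way firewall and gateway ACLs are typically processed. The payroll policy, addresses, and times are constructed for the example; note that the requesting user never enters the decision.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class Request:
    user: str              # carried for logging only; the rules below never look at it
    resource: str
    operation: str
    source: IPv4Address
    at: time


@dataclass
class Rule:
    """One ACL rule. A field left as None does not constrain the match."""
    effect: str                                   # "allow" or "deny"
    resource: str
    operation: Optional[str] = None
    network: Optional[IPv4Network] = None
    window: Optional[Tuple[time, time]] = None    # (start, end), inclusive

    def matches(self, req: Request) -> bool:
        if self.resource != req.resource:
            return False
        if self.operation is not None and self.operation != req.operation:
            return False
        if self.network is not None and req.source not in self.network:
            return False
        if self.window is not None:
            start, end = self.window
            if not (start <= req.at <= end):
                return False
        return True


def decide(rules: List[Rule], req: Request) -> bool:
    """First matching rule wins; anything no rule matches is denied (default deny)."""
    for rule in rules:
        if rule.matches(req):
            return rule.effect == "allow"
    return False


# Constructed policy: payroll is readable from the office network during business
# hours; one quarantined host is blocked regardless; exports are never allowed.
PAYROLL_RULES = [
    Rule("deny",  "payroll", network=IPv4Network("10.0.5.99/32")),
    Rule("deny",  "payroll", operation="export"),
    Rule("allow", "payroll", operation="read",
         network=IPv4Network("10.0.0.0/8"), window=(time(8, 0), time(18, 0))),
]


def demo() -> dict:
    office = IPv4Address("10.0.5.10")
    quarantined = IPv4Address("10.0.5.99")
    home = IPv4Address("203.0.113.7")
    return {
        "office_daytime_read":   decide(PAYROLL_RULES, Request("hana", "payroll", "read", office, time(10, 30))),
        "office_night_read":     decide(PAYROLL_RULES, Request("hana", "payroll", "read", office, time(23, 0))),
        "home_daytime_read":     decide(PAYROLL_RULES, Request("hana", "payroll", "read", home, time(10, 30))),
        "quarantined_host_read": decide(PAYROLL_RULES, Request("hana", "payroll", "read", quarantined, time(10, 30))),
        "office_daytime_export": decide(PAYROLL_RULES, Request("hana", "payroll", "export", office, time(10, 30))),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Rule order matters: the quarantine deny sits first so that it wins even though the host is inside 10.0.0.0/8 and would otherwise match the allow rule. Reordering those two lines silently changes the policy, which is why rule-based ACLs should be reviewed as an ordered list rather than a set.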
Nonrepudiation ✍️🧾
People sometimes joke, “If there’s no video, it didn’t happen.” While that may be funny in casual conversations, it becomes a serious issue in information security.
The goal of nonrepudiation is to ensure that a person or system cannot deny that a specific action took place. In other words, it provides proof that someone did something—such as logging in, approving a transaction, or accessing data.
Accounting and activity tracking are the first steps toward nonrepudiation. However, logs alone may not always be enough. For example, if a log shows that your computer visited a suspicious website, how do you prove that you were—or were not—the one who did it? Nonrepudiation mechanisms help answer that question.
Below are four common methods of nonrepudiation.
Video 🎥
Video recordings are one of the strongest forms of nonrepudiation. Cameras are everywhere today—from security systems to smartphones. While modern technology can manipulate videos, such alterations often leave detectable traces that experts can identify. If a clear video exists, it is usually accepted as strong proof.
Real-World Analogy: A security camera recording showing someone entering a building provides undeniable evidence that the event occurred.
Biometrics 🧬
Biometrics have been used for decades, especially by law enforcement. Fingerprints, facial recognition, and retinal scans uniquely identify individuals. When a system requires biometric verification, it strongly ties the action to a specific person.
Biometrics are commonly used for authentication, but they also serve as a powerful form of nonrepudiation: it is difficult to deny an action when your physical traits were required to perform it. That strength depends on the sensor resisting spoofing (a lifted fingerprint, a printed photo) and on the record of the match being protected from tampering; a biometric prompt an attacker can bypass proves nothing about who acted.
Real-World Analogy: A fingerprint found at a crime scene links a person directly to the event.
Signatures ✍️
Signatures have long been considered legally binding. In the digital world, a signature may be captured with a stylus or touchscreen, or by typing a name and confirming intent with a checkbox. These electronic signatures record intent, but on their own they prove little about who actually produced them.
The main weakness of such signatures is that they can be forged or copied. Cryptographic digital signatures address this: the signer computes the signature over a hash of the document using a private key that only they hold, and anyone with the matching public key can confirm both who signed it (identity) and that it has not changed since (integrity) without being able to produce a valid signature themselves. That last property is what separates a digital signature from a shared-secret message authentication code, which both parties can compute and which therefore cannot settle a dispute between them. In general, signatures, and digital signatures in particular, are widely accepted in court.
Real-World Analogy: Signing a contract means you cannot later claim you never agreed to it.
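An added example contrasting a digital signature with a shared-secret MAC (this is illustrative code, not from the original article). It uses a toy RSA key built from two fixed Mersenne primes so that it runs with only the Python standard library (3.8 or later for `pow(e, -1, m)`); that key is far too small and unpadded to be secure, and a real system would use Ed25519 or RSA-PSS from a vetted library. The transfer approval messages and the shared secret are constructed for the example.

```python
import hashlib
import hmac

# --- Toy RSA signature (illustration only) ---------------------------------
# Fixed Mersenne primes avoid key generation. INSECURE by design: the modulus is
# tiny and there is no padding scheme. Use Ed25519 or RSA-PSS from a library.
P = 2**107 - 1
Q = 2**127 - 1
N = P * Q
E = 65537                                  # public exponent, published
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, held only by the signer

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def _hash_to_int(message: bytes, n: int) -> int:
    """Sign the hash, not the message; reduced mod n only because this toy n is small."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    n, d = private_key
    return pow(_hash_to_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Anyone holding the public key can check a signature but cannot produce one."""
    n, e = public_key
    return pow(signature, e, n) == _hash_to_int(message, n)


# --- Shared-secret MAC, for contrast ----------------------------------------
SHARED_SECRET = b"constructed-example-secret"   # known to BOTH sender and receiver


def mac_tag(message: bytes, key: bytes = SHARED_SECRET) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_valid(message: bytes, tag: str, key: bytes = SHARED_SECRET) -> bool:
    return hmac.compare_digest(mac_tag(message, key), tag)


def demo() -> dict:
    approval = b"approve transfer #4471 amount=12000 to=acct-88"
    altered = b"approve transfer #4471 amount=92000 to=acct-88"
    sig = sign(approval)          # produced with D, which only the approver holds
    tag = mac_tag(approval)       # produced with the secret both sides hold
    return {
        "signature_verifies": verify(approval, sig),
        "signature_rejects_altered": verify(altered, sig),
        "mac_verifies": mac_valid(approval, tag),
        "mac_rejects_altered": mac_valid(altered, tag),
        # The receiver holds SHARED_SECRET too, so it can mint a valid tag for any text
        # it likes. The tag therefore cannot prove the sender, rather than the receiver,
        # produced the message: integrity yes, nonrepudiation no.
        "receiver_can_forge_mac": mac_valid(altered, mac_tag(altered)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Both mechanisms catch the altered amount, so both give integrity. Only the signature gives nonrepudiation, because `verify` needs nothing the approver keeps secret: a third party, or a court, can re-run it with the public key, and the approver cannot claim the receiver fabricated the approval.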
Receipts 🧾
A receipt serves as proof that a transaction occurred. Receipts may be physical or digital and often include details such as time, date, amount, and parties involved.
Real-World Analogy: A store receipt proves that a purchase was made, even if the buyer later disputes it.
Key Takeaway 🧠
Nonrepudiation strengthens security by ensuring accountability. It protects systems, organizations, and individuals by making it difficult—or impossible—to deny actions after they occur.
Wrapping Up 🧭
Authorization and nonrepudiation work together to create secure, accountable systems. Authorization ensures that users can access only what they are permitted to, while nonrepudiation ensures that actions taken within the system can be traced and verified.
Without proper authorization, sensitive resources could be misused. Without nonrepudiation, users could deny their actions, making investigations and accountability difficult. When combined, these concepts help organizations enforce control, trust, and responsibility across users, systems, and data.
As systems continue to grow in complexity, understanding how permissions are assigned and how actions are proven becomes essential—not just for security professionals, but for anyone working with modern technology.
This article is part of the Security Concepts & Threats series, which explores the fundamentals of protecting data, people, and devices in a connected world. For the full overview of how modern risks, defenses, and access controls fit together, refer to the main article in this series. 👉 Security Concepts & Threats