Differentiating between Authentication and Authorization

Most of us have heard the words 'authentication' and 'authorization'. I will use a common real-life example to explain the difference between the two.

Remember the day you went to the store to purchase your favorite cheese? You got to the point of sale (commonly known as the till) and rang it up, but then immediately realized that you had picked up Clover cheese instead of Parmalat. You asked the lady at the till to remove it from your list and ring up your Parmalat cheese instead. Annoyed, but with no choice, the cashier lady shouted 'authorization!'

You hear these terms almost all the time but never stop to think about what they actually mean, so this article will break down what authentication and authorization mean.

Authentication is basically confirming that you are you, or making sure that you are the person you say you are. Think of using your username and password to log into your Netflix account. That is you authenticating yourself. But just because you are authenticated does not mean that you are allowed access. This is where authorization comes in, and it always comes after authentication. Authorization is basically asking 'is this identity allowed access?' or 'what are you allowed to do once you have been granted access?' Different people have different authorization levels, but all of them have to be authenticated.

Now back to the store's point of sale system. A different lady, usually wearing a 'manager' tag, comes to the point of sale and helps the cashier lady remove the Clover cheese from the list of items you want to purchase. The manager is authorized, or 'allowed', to remove items that you no longer need from your purchases. The cashier lady, however, is not allowed to do so. She is only allowed to carry out sales.

Here’s another good example. The finance department of that store may be authorized to pay the employees their salaries, while the manager is not authorized to do so. Or, a CEO of that same store may be allowed to look at sales across different stores, but a manager might not be allowed to.
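The store examples above, modelled in code as an added illustration that is not part of the original article: every request is authenticated first (salted password hash check), and only an authenticated session is then authorized against the permissions of its role. The staff names, passwords and permission sets are constructed for the demo.

```python
import hashlib
import hmac
import os
from collections import namedtuple

# Which actions each role may perform, mirroring the store in the article.
ROLE_PERMISSIONS = {
    "cashier": {"ring_up_sale"},
    "manager": {"ring_up_sale", "void_item"},
    "finance": {"pay_salaries"},
    "ceo": {"view_all_store_sales"},
}

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)  # salted, slow hash

def make_user(username: str, password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "role": role, "salt": salt, "hash": _hash(password, salt)}

# Constructed sample staff and passwords (hypothetical; plaintext only to seed the demo).
USERS = {u["username"]: u for u in [
    make_user("cashier_pat", "till-1234", "cashier"),
    make_user("manager_sam", "keys-5678", "manager"),
    make_user("finance_lee", "ledger-91", "finance"),
    make_user("ceo_alex", "board-00", "ceo"),
]}

Session = namedtuple("Session", "username role")

def authenticate(username: str, password: str):
    """Step 1: confirm the caller is who they claim to be. Session on success, else None."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return None
    return Session(username, user["role"])

def authorize(session, action: str) -> bool:
    """Step 2: is this already-authenticated identity allowed to perform the action?"""
    if session is None:  # never authenticated, so there is nothing to decide
        return False
    return action in ROLE_PERMISSIONS.get(session.role, set())

def attempt(username: str, password: str, action: str) -> str:
    """Authenticate first, then authorize, and report which step stopped the request."""
    session = authenticate(username, password)
    if session is None:
        return "not authenticated"
    return "allowed" if authorize(session, action) else "authenticated but not allowed"
```

Note that the cashier's request to void an item fails at the second step only: she is a valid, authenticated user, just not an authorized one.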

Authorization is a critical aspect of any business, and you cannot just let anyone have access to your business applications and processes.

Now go get that cheese! The right brand this time!
