One subject I often see new developers become confused about is the difference between Authentication and Authorisation.
These two, although linked, are very different. The dictionary (in its computing sense) defines them as:
Authentication is the process or action of verifying the identity of a user or process.
Authorisation is the process of giving someone permission to do or have something.
In other words, authentication is the act of making sure someone is who they say they are; it's all about verification. Two everyday examples:
Passport: proving that you are in fact who you say you are and are of a certain nationality.
Work ID: a pass with your photo and company logo proving that this is your name and that you do work there.
Authorisation, on the other hand, is about what permissions this person has. What can they do or access once they're inside?
Say you work for a superstore as a warehouse manager.
When you get to work, you enter via the employee-only entrance. There is a security guard who asks for your workplace identification. This is used to authenticate you (verify you are who you say you are).
To authenticate you, they need the following credentials:
- Your name
- Your photo ID
- Staff Number
Above, you can see that someone who can't provide the correct credentials can't be authenticated, and so isn't allowed through the staff entrance.
Once someone has provided the correct details, they are "authenticated" and can use the entrance.
So we've looked at authentication; now let's look at authorisation. Using the same analogy as before (the superstore), what do we do now that we're in the store?
Our user has the Warehouse Manager job role. They've been assigned a role within the organisation, and with this come responsibilities and permissions.
This job has the following permissions:
- Can view warehouse delivery schedule
- Can hire / fire warehouse staff
- Can complete checkout tasks/jobs
They also inherit by default the permissions of a customer, i.e. purchasing goods and browsing the store (anyone can do that without being authenticated, so no special authorisation is required).
Let's imagine this scenario:
The manager attempts to view the CCTV in the security room. This is not on their role's list of permissions and authorised tasks, so they are not "authorised" to access that area. Note that they are still authenticated (the guard let them in); authentication on its own says nothing about what they may do.
How does this translate to the world of the web? You know when you try to access your social media page, that online store, or your emails? Well, every time you enter your username and password, these are checked against what is stored in the database. (Done properly, the database holds a salted hash of your password rather than the password itself; the site hashes what you typed and compares the two.)
There are many forms of authentication, though: email and password; an account number, date of birth and password combination; Face ID or fingerprint sensors. These are all ways of proving you are who you say you are in order to access your devices, systems and websites.
We won't go into too much depth about the process of authentication; I'll discuss that in another article.
This is just like when you log into your favourite social media site. You've proved who you are by typing in your email and password, but wait, you can't access the admin area. That's because your account is not authorised to do so.
During the authentication process, i.e. during login, the system assigns you a role, which has permissions and a level of access linked to it. In this case, you are assigned the role of "user" or "account owner", and this grants you access to your own page. The role comes from your account record on the server, not from anything your browser sends, otherwise anyone could simply claim to be an admin.
In most systems there is a default user role, and default roles have basic privileges.
As an example by default you are authorised to:
- Post on your wall
- Upload photos / videos etc.
- Change your profile photo
- Change your name and basic information
Have you ever tried to view another person's story or profile, only to find you first need to become their friend? That's authorisation at work. You have not been granted access because you are not registered in the system as their friend, and they have set up an authorisation rule meaning only friends can see their profile. Being blocked by someone works the same way: you are no longer authorised even to know their social media presence exists.
Once you are friends, or you've been invited to a group, or anything like this, your account is given more permissions. The next time you try to view that person's page, the authorisation check passes and access is granted.
So there you have it, the difference between authentication and authorisation. Authentication proves you are who you say you are; authorisation checks your permissions and level of access within the site.
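To make the two steps concrete, here is a small added example in Python written for this article (it is not code from any real social media site). It models the login check, the role with its default permissions, the admin area the default role can't reach, and the "friends only" and "blocked" rules described above. The usernames, passwords, role names and friend lists are all made up for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    role: str = "user"                      # assigned by the system, never by the client
    friends: set = field(default_factory=set)
    blocked: set = field(default_factory=set)


def make_user(username: str, password: str, role: str = "user") -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt), role)


# Constructed example accounts (hypothetical names and passwords).
USERS = {u.username: u for u in [
    make_user("alice", "correct horse battery staple"),
    make_user("bob", "hunter2"),
    make_user("mallory", "letmein"),
    make_user("siteadmin", "admin-pass-example", role="admin"),
]}
USERS["alice"].friends.add("bob")
USERS["bob"].friends.add("alice")
USERS["alice"].blocked.add("mallory")

# Role -> permissions. The default "user" role has the basic privileges from
# the article; "admin" inherits those and adds the admin area.
ROLE_PERMISSIONS = {
    "user": {"post_on_wall", "upload_media", "change_profile_photo", "change_basic_info"},
}
ROLE_PERMISSIONS["admin"] = ROLE_PERMISSIONS["user"] | {"access_admin_area"}


def authenticate(username: str, password: str):
    """Authentication: is the caller who they claim to be?
    Returns the verified username, or None if the credentials are wrong."""
    user = USERS.get(username)
    if user is None:
        # Do the same amount of work for an unknown account so response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return None
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return None
    return user.username


def is_authorised(principal: str, action: str, target: str = None) -> bool:
    """Authorisation: may this already-authenticated user perform `action`?
    `principal` must be a value returned by authenticate()."""
    user = USERS[principal]
    if action == "view_profile":
        target_user = USERS.get(target)
        if target_user is None or principal in target_user.blocked:
            return False                    # blocked users can't even tell the profile exists
        return target == principal or principal in target_user.friends
    return action in ROLE_PERMISSIONS[user.role]


def befriend(a: str, b: str) -> None:
    """Granting a friendship is what later makes the view_profile check pass."""
    USERS[a].friends.add(b)
    USERS[b].friends.add(a)


if __name__ == "__main__":
    who = authenticate("alice", "correct horse battery staple")
    print("logged in as", who)
    print("admin area:", is_authorised(who, "access_admin_area"))      # False
    print("view bob:", is_authorised(who, "view_profile", "bob"))      # True
    print("view mallory:", is_authorised(who, "view_profile", "mallory"))  # False until befriended
```

The important separation is that `authenticate()` only answers "who is this?" and `is_authorised()` only answers "may they do this?"; a wrong password never reaches the permission check, and a correct password never implies any permission beyond what the server-side role and friend list grant.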