Talk:Authorization
This article is rated Start-class on Wikipedia's content assessment scale.
Original research rant?
The entire theme of this article seems to be to refute the idea of authorization being the action of authorizing, and that it can only be policy making. So Cisco et al. were wrong? All based on what seems to be rather weak reasoning:
"It would be absurd to interpret confidentiality as "ensuring that information is accessible only to those who are granted access when requested", because people who access systems e.g. with stolen passwords would then be "authorized"."
So when a door is marked "authorized personnel only," trespassing isn't possible? Can one not be authorized under false pretense? The whole Wiki-rampage against a common use of the word seems pointless and unnecessary. Authorization involves creating policy and enforcing it. And if it doesn't, this article needs to better describe why not. —Preceding unsigned comment added by 67.188.42.104 (talk) 07:45, 22 April 2009 (UTC)
- Agree on "Authorization involves creating policy and enforcing it.". I've reworded the article to say that authz and access control are related. Miparnisari (talk) 18:53, 1 May 2025 (UTC)
Broader Understanding of Authorisation
In computer security, authorisation is not necessarily provided by the operating system. Consider the eBay SDK, for example. It has an authorisation component that is not provided by the operating system. A relational database (MySQL, Postgres, ...), for another example, usually has an authorisation system that is independent from the underlying OS.
- Agreed. I have recast the lead a little. Anyone want to tackle the rest of the article? Rupert Clayton (talk) 17:11, 11 December 2007 (UTC)
Non-computer related authorization
This is certainly not the only context in which the word 'authorization' can be used. I could authorize anyone to do anything by just writing a note and signing it. Maybe legal issues are relevant to be described here as well. --Blonkm 17:52, 21 September 2006 (UTC)
- A more general article on authorization is needed. This article is about a specific form of authorization, therefore, I've renamed the page to Authorization (computer access control). The Transhumanist 01:03, 3 December 2014 (UTC)
Confusion with authentication
The article mentions authentication, but this is a very different concept and should not be confused.
- Agreed. I have tried to make the difference clear in the lead. Rupert Clayton (talk) 17:11, 11 December 2007 (UTC)
Access without unique identity
The article states: "On a distributed system, it is often desirable to grant access without requiring a unique identity". I don't understand this; on any serious distributed system surely it is normal only to grant access to objects to users who are authenticated and authorized? Aarghdvaark (talk) 03:12, 14 November 2008 (UTC)
- Yeah, this part seems weird. The article gives the example of access tokens, but you cannot get those unless your identity has been validated... Miparnisari (talk) 18:58, 1 May 2025 (UTC)
Authorisation and the legal side
Authorisation in the legal sense: what is the legal concept behind authorisation? — Preceding unsigned comment added by 95.97.50.190 (talk) 11:34, 20 November 2016 (UTC)
AuthZEN standard
Should we mention https://openid.net/wg/authzen/specifications/? At the time of writing, it's in draft. Miparnisari (talk) 21:22, 1 May 2025 (UTC)
- Has the draft received any coverage? A first draft doesn't strike me as particularly notable. Brandon (talk) 00:12, 2 May 2025 (UTC)
- Yes, it has received considerable coverage from the analyst community (Gartner, KuppingerCole) and it's backed by 15+ orgs including Axiomatics, Okta, Thales and Ping Identity. David (talk) 08:00, 10 May 2025 (UTC)
- Also it's now an implementer's draft which is more formal than a simple draft. David (talk) 08:00, 10 May 2025 (UTC)
- Linking to the coverage would be helpful and is essentially the only thing that matters. There are a ton of standards documents with impressive industry backing that never receive secondary coverage and thus never are mentioned on Wikipedia. Brandon (talk) 16:45, 10 May 2025 (UTC)
- Good point. Thanks David (talk) 22:35, 10 May 2025 (UTC)