{"id":17149,"date":"2025-05-02T14:47:59","date_gmt":"2025-05-02T09:17:59","guid":{"rendered":"https:\/\/razorpay.com\/learn\/?p=17149"},"modified":"2025-05-23T16:27:49","modified_gmt":"2025-05-23T10:57:49","slug":"what-is-authorization","status":"publish","type":"post","link":"https:\/\/razorpay.com\/learn\/what-is-authorization\/","title":{"rendered":"What Is Authorization and How Does It Work?"},"content":{"rendered":"<p dir=\"ltr\">Managing who gets access to what in your organisation is complex. Your decisions must balance business needs with industry rules. Effective authorization ensures your systems stay compliant while letting staff do their jobs. Without proper controls, you risk exposing sensitive data or violating regulations that could harm your business. In this article we will explore what authorization is, how it works, and the difference between authorization and authentication.<\/p>\n<h2 dir=\"ltr\"><span class=\"ez-toc-section\" id=\"What-Is-Authorization\"><\/span>What Is Authorization?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p dir=\"ltr\">Authorization determines what you can do in a system after logging in. 
It answers &#8220;What can this user access?&#8221; by granting or denying permissions based on your identity and privileges. While authentication confirms who you are through credentials, authorization controls what systems and data you can use.<\/p>\n<p dir=\"ltr\">Organisations have a tiered structure where different staff access different resources based on their job needs. This protects sensitive information like customer data and intellectual property. Following the principle of least authority, you&#8217;re given only the access essential for your role. This reduces security risks if credentials are compromised.<\/p>\n<h2 dir=\"ltr\">How Does Authorization Work?<\/h2>\n<h3 dir=\"ltr\">1. Basic Level of Authorization<\/h3>\n<p dir=\"ltr\">Authorization grants you access to apps and information after you enter a username and password. This lets you use tools like word processors, email, and customer databases based on what you&#8217;re allowed to see and do.<\/p>\n<h3 dir=\"ltr\">2. Challenges of Basic Authorization<\/h3>\n<p dir=\"ltr\">This simple approach breaks down as your company gets bigger. Users face frustrations while your security team deals with growing risks that need better solutions.<\/p>\n<h3 dir=\"ltr\">3. Scalability Issues<\/h3>\n<p dir=\"ltr\">When your company expands, keeping track of who can access what becomes a headache. Your IT staff struggles with the manual workload, making mistakes more likely.<\/p>\n<h3 dir=\"ltr\">4. Inconvenience for Users<\/h3>\n<p dir=\"ltr\">You must juggle different passwords for various systems at work. This often leads to bad habits like using the same password everywhere or writing them on sticky notes.<\/p>\n<h3 dir=\"ltr\">5. Security Concerns<\/h3>\n<p dir=\"ltr\">Basic systems might give you too much access to sensitive data. When you change roles or leave, removing your old permissions can be slow or incomplete.<\/p>\n<h3 dir=\"ltr\">6. 
Solutions Provided by Robust Authorization Protocols<\/h3>\n<p dir=\"ltr\">Better systems fix these problems by setting up your access rights automatically. You can sign in once to use multiple systems. When someone leaves your company, their access gets cut off right away.<\/p>\n<h2 dir=\"ltr\"><span class=\"ez-toc-section\" id=\"Difference-Between-Authorization-and-Authentication\"><\/span>Difference Between Authorization and Authentication<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<table dir=\"ltr\">\n<tbody>\n<tr>\n<th data-colwidth=\"295\">\n<p dir=\"ltr\" data-node-text-align=\"center\">Authentication<\/p>\n<\/th>\n<th>\n<p dir=\"ltr\" data-node-text-align=\"center\">Authorization<\/p>\n<\/th>\n<\/tr>\n<tr>\n<td data-colwidth=\"295\">\n<p dir=\"ltr\">It confirms your identity when you log in.<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">It determines what you can access after logging in.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td data-colwidth=\"295\">\n<p dir=\"ltr\">Uses credentials you provide (username, password).<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">Based on permissions assigned to you.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td data-colwidth=\"295\">\n<p dir=\"ltr\"><a href=\"https:\/\/razorpay.com\/learn\/two-factor-authentication-in-payments\/\">Two-factor authentication<\/a> adds security by requiring a second verification.<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">Your access is limited to specific resources you&#8217;re authorised to use.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td data-colwidth=\"295\">\n<p dir=\"ltr\">Happens first when you access a network.<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">Occurs after you&#8217;ve successfully authenticated.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td data-colwidth=\"295\">\n<p dir=\"ltr\">Gets you through the front door.<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">It decides which rooms you can enter once inside.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td data-colwidth=\"295\">\n<p dir=\"ltr\">Without it, you cannot enter the network at all.<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">Without 
it, you might enter but cannot use services.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td data-colwidth=\"295\">\n<p dir=\"ltr\">Example: When you sign in to your company account.<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">Example: When you can view only your department&#8217;s files.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 dir=\"ltr\"><span class=\"ez-toc-section\" id=\"Importance-of-Authorization\"><\/span>Importance of Authorization<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3 dir=\"ltr\">1. Security<\/h3>\n<p dir=\"ltr\">Authorization shields your systems from attackers seeking sensitive information. It creates defense in depth with multiple security layers like firewalls and identity management protecting your network. When you limit access rights, you reduce potential damage if someone&#8217;s login gets compromised.<\/p>\n<h3 dir=\"ltr\">2. Compliance<\/h3>\n<p dir=\"ltr\">You must follow regulations like HIPAA to protect confidential data about patients, customers, or employees. Without proper controls, your company risks fines, legal troubles, and reputation damage. Your customers might leave if they don&#8217;t trust you with their information.<\/p>\n<h3 dir=\"ltr\">3. Operational Efficiency<\/h3>\n<p dir=\"ltr\">Authorization helps your team work better by showing you only what you need for your job, preventing information overload, and boosting productivity. Single sign-on systems simplify daily access while maintaining security, letting you access multiple resources with one login while keeping unauthorised users out.<\/p>\n<h2 dir=\"ltr\"><span class=\"ez-toc-section\" id=\"Authorization-Use-Cases-and-Methods\"><\/span>Authorization Use Cases and Methods<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3 dir=\"ltr\">Use Cases<\/h3>\n<p dir=\"ltr\">Offboarding former employees: When employees leave your company, authorization processes can automatically terminate their access to corporate accounts. 
This quick removal of privileges prevents potential data theft by ensuring former staff can&#8217;t continue accessing sensitive systems or information after their departure.<\/p>\n<p dir=\"ltr\">Working with vendors and contractors: Authorization allows you to assign specific privileges to third parties like managed service providers while keeping your sensitive data protected. You can grant temporary access based on their project timeline and specific needs, ensuring vendors only see what&#8217;s necessary for their work.<\/p>\n<p dir=\"ltr\">Diminishing privilege creep: Privilege creep occurs when users accumulate unnecessary permissions over time. Through regular authorization reviews, you can identify and revoke these excess privileges. This process reduces security risks by ensuring employees only maintain access to systems and data required for their current roles.<\/p>\n<h3 dir=\"ltr\">Authorization Approaches and Methods<\/h3>\n<p dir=\"ltr\">Token-based authorization: This authorization type provides you with secure tokens (like JSON Web Tokens) after your initial login. These tokens carry your permission information with each request, validating your access rights without requiring you to re-authenticate constantly. This approach improves both security and user experience.<\/p>\n<p dir=\"ltr\">Role-based access control (RBAC): RBAC assigns permissions through predefined roles within your organisation. When you add someone as a &#8220;manager&#8221; or &#8220;employee,&#8221; they automatically receive the appropriate access rights for their position. This streamlines access management by grouping permissions into logical roles.<\/p>\n<p dir=\"ltr\">Access control lists (ACLs): ACLs take a reverse approach to access control by associating permissions directly with applications and files rather than user roles. This method provides precise control over who can access specific resources. 
In network infrastructure, ACLs play a crucial security role by controlling traffic at the network perimeter, allowing you to filter connections based on predefined security rules.<\/p>\n<h2 dir=\"ltr\"><span class=\"ez-toc-section\" id=\"Authorization-Examples\"><\/span>Authorization Examples<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3 dir=\"ltr\">Attribute-based access control (ABAC)<\/h3>\n<p dir=\"ltr\">ABAC grants you access based on attributes directly associated with you as a user. Instead of relying solely on your role, this method considers factors like your department, location, time of access, or project assignment. For example, when you possess a secure USB key, this physical attribute can instantly grant you access to sensitive files and applications. The system recognises the key as proof of your authorization. This provides more flexibility and finer-grained control than traditional role-based systems.<\/p>\n<h3 dir=\"ltr\">Mobile Access Control<\/h3>\n<p dir=\"ltr\">Mobile access control functions as a specialised variation of ABAC, where possession of your smartphone serves as the key attribute for authentication. When you tap your phone on a PIN pad to make a <a href=\"https:\/\/razorpay.com\/learn\/mobile-payment\/\">mobile payment<\/a>, the system authenticates you through your device without requiring additional credentials. This approach simplifies secure access while maintaining strong protection. Your mobile device essentially becomes your digital identity. It streamlines how you interact with secure systems.<\/p>\n<h3 dir=\"ltr\">Graph-based Access Control (GBAC)<\/h3>\n<p dir=\"ltr\">GBAC configures access permissions at the object level \u2014 focusing on files and applications rather than employees or roles. This method uses graph theory to model complex relationships between users, resources, and permissions. 
By using a query language to generate access rights, GBAC reduces the workload of exhaustively listing permissions for each role. The system can dynamically evaluate relationships and authorization paths. This makes it valuable when you need to manage access in complex organisational structures with multiple interconnected systems.<\/p>\n<h2 dir=\"ltr\"><span class=\"ez-toc-section\" id=\"Frequently-Asked-Questions-FAQs\"><\/span>Frequently Asked Questions (FAQs)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3 dir=\"ltr\" data-node-text-align=\"start\">1. How does authorization differ from authentication?<\/h3>\n<p dir=\"ltr\" data-node-text-align=\"start\">Authentication verifies who you are, while authorization determines what you can do. Authentication happens first, followed by authorization to grant or deny access to resources.<\/p>\n<h3 dir=\"ltr\" data-node-text-align=\"start\">2. What information is required for authorization to be granted for a debit card transaction?<\/h3>\n<p dir=\"ltr\">Authorization for debit card transactions typically requires verifying the cardholder&#8217;s identity (via authentication methods like PIN, biometrics, or OTP) and checking if the card has sufficient funds and permissions for the transaction amount. The system also evaluates risk factors to approve or decline the transaction.<\/p>\n<h3 dir=\"ltr\" data-node-text-align=\"start\">3. How long does authorization typically take for debit card transactions?<\/h3>\n<p dir=\"ltr\">Authorization for debit card transactions is usually processed in real time or within a few seconds to ensure smooth payment experiences. The Reserve Bank of India mandates timely processing to enhance online <a href=\"https:\/\/razorpay.com\/blog\/payment-security-types-explained\/\">payment security<\/a> while balancing user convenience.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Managing who gets access to what in your organisation is complex. 
Your decisions must balance business needs with industry rules. Effective authorization ensures your systems stay compliant while letting staff do their jobs. Without proper controls, you risk exposing sensitive data or violating regulations that could harm your business. In this article we will explore,<\/p>\n","protected":false},"author":151156613,"featured_media":17531,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1387],"tags":[4342,4343],"class_list":{"0":"post-17149","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-payments","8":"tag-authorization","9":"tag-what-is-authorization"},"_links":{"self":[{"href":"https:\/\/learn.razorpay.in\/learn\/wp-json\/wp\/v2\/posts\/17149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/learn.razorpay.in\/learn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/learn.razorpay.in\/learn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/learn.razorpay.in\/learn\/wp-json\/wp\/v2\/users\/151156613"}],"replies":[{"embeddable":true,"href":"https:\/\/learn.razorpay.in\/learn\/wp-json\/wp\/v2\/comments?post=17149"}],"version-history":[{"count":3,"href":"https:\/\/learn.razorpay.in\/learn\/wp-json\/wp\/v2\/posts\/17149\/revisions"}],"predecessor-version":[{"id":17161,"href":"https:\/\/learn.razorpay.in\/learn\/wp-json\/wp\/v2\/posts\/17149\/revisions\/17161"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/learn.razorpay.in\/learn\/wp-json\/wp\/v2\/media\/17531"}],"wp:attachment":[{"href":"https:\/\/learn.razorpay.in\/learn\/wp-json\/wp\/v2\/media?parent=17149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/learn.razorpay.in\/learn\/wp-json\/wp\/v2\/categories?post=17149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/learn.razorpay.in\/learn\/wp-json\/wp\/v2\/tags?post=17149"}],"curies":[{"n
ame":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}