Authorization (or establishment or entitlement) defines a user's (or process's) rights and permissions to a resource. After a user (or process) is authenticated, authorization determines what that user can do to the resource.

Here are some authorization strategies to improve security:

  • By default, grant users no rights and permissions
  • Grant users least-privilege rights and permissions on a "need to know" basis
  • Push authorization processes from the upper/application layers down to the lower/OS layers as much as possible
  • Prepare or plan for Role-Based authorization
  • Move from manual authorization management processes to automated ones, using next-generation IAM role/group management products

Please be aware that Role-Based authorization will be a subset of Claim-Based authorization in the long term.
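The following is an added example (not part of the original text) that puts the strategies above into a small claims-based authorizer: access is denied unless a policy entry explicitly grants it, and roles are modelled as claims of type "role", which is why a role-based policy is a subset of a claim-based one. The resource names, actions, roles and the department claim are hypothetical values chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    """A single assertion about a principal, e.g. role=hr or department=finance."""
    type: str
    value: str


# Hypothetical policy table: (resource, action) -> claims that grant it.
# Role-based rules are simply claims of type "role"; other claim types
# (here "department") express what a pure role model cannot.
POLICY = {
    ("payroll", "read"): {Claim("role", "hr"), Claim("department", "finance")},
    ("payroll", "write"): {Claim("role", "hr-admin")},
    ("reports", "read"): {Claim("role", "hr"), Claim("role", "manager")},
}


def role_claims(*roles: str) -> frozenset:
    """Express a role-based grant as a set of claims."""
    return frozenset(Claim("role", r) for r in roles)


def is_authorized(principal_claims, resource: str, action: str) -> bool:
    """Default deny: only an explicit matching policy entry grants access.

    An unknown (resource, action) pair or an empty claim set yields False,
    which implements the 'no rights and permissions by default' rule.
    """
    required = POLICY.get((resource, action))
    if not required:
        return False
    return any(claim in required for claim in principal_claims)


def minimal_claims_for(tasks) -> frozenset:
    """Least privilege: the smallest claim set that covers every task.

    Greedy cover: prefer claims that grant several of the requested tasks,
    so a principal gets only what the listed tasks actually need.
    """
    remaining = {t for t in tasks if t in POLICY}
    chosen = set()
    while remaining:
        candidates = {c for t in remaining for c in POLICY[t]}
        best = max(candidates, key=lambda c: sum(c in POLICY[t] for t in remaining))
        chosen.add(best)
        remaining = {t for t in remaining if best not in POLICY[t]}
    return frozenset(chosen)
```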