Showing posts from August, 2016

Authorization Concepts

Simple Concepts of Authorisation

There are always questions about how access rights (authorisation) should be granted to users when they are signed up as users of a system or platform, whether end-users or administrative users: should they be read-only users, input-only users, or full-access users? To simplify the thought process and make sense of this maze, there are some authorization concepts that can be applied before designing the access rights matrix, or before giving a user a set of access rights (if the system does not allow access rights to be grouped).

1. Need-to-know principle. Only assign access rights based on the user's duties. For example, if a user's duty is data entry, that user should only be given access to the input function of the system or application, and should not be granted rights to query the whole body of data; doing so could result in a breach of data privacy.

2. Authorization creep. Assigning access rights to a user without review
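The following is an added example, not code from the original post, showing how the two concepts above translate into a small access-rights matrix: each duty maps to the minimum set of actions it needs (need-to-know), authorization is deny-by-default, and a review routine reports any rights a user holds beyond what their duty requires, which is the kind of review the second concept calls for. The duty names (data_entry_officer, analyst, administrator), the action names and the user records are all assumptions made up for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    """Functions the system exposes (assumed names for this example)."""
    INPUT = "input"    # data entry only
    QUERY = "query"    # read or search existing records
    EXPORT = "export"  # bulk extraction of records
    ADMIN = "admin"    # manage users and settings


# Access-rights matrix: each duty lists only the actions that duty needs.
# A data entry officer gets INPUT and nothing else (need-to-know).
ACCESS_MATRIX = {
    "data_entry_officer": frozenset({Action.INPUT}),
    "analyst": frozenset({Action.QUERY}),
    "administrator": frozenset({Action.INPUT, Action.QUERY, Action.EXPORT, Action.ADMIN}),
}


@dataclass
class User:
    name: str
    duty: str
    # Rights actually assigned to the account. Over time these can drift away
    # from what the duty needs, which is what the review below detects.
    granted: set = field(default_factory=set)


def rights_for_duty(duty):
    """Rights a duty requires. An unknown duty gets no rights (deny by default)."""
    return ACCESS_MATRIX.get(duty, frozenset())


def assign_by_duty(user):
    """Grant exactly the rights the user's duty needs, replacing any old grants."""
    user.granted = set(rights_for_duty(user.duty))
    return user.granted


def is_authorized(user, action):
    """Deny by default: only an explicitly granted action is allowed."""
    return action in user.granted


def review_rights(user):
    """Compare granted rights with the duty's needs.

    Returns (excess, missing): rights the user holds but the duty does not
    need, and rights the duty needs but the user lacks. A non-empty excess
    is what an access review should remove.
    """
    needed = rights_for_duty(user.duty)
    excess = set(user.granted) - needed
    missing = set(needed) - set(user.granted)
    return excess, missing


def review_all(users):
    """Run the review over many accounts; returns only those with excess rights."""
    return {u.name: review_rights(u)[0] for u in users if review_rights(u)[0]}


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration.
    alice = User("alice", "data_entry_officer")
    assign_by_duty(alice)
    print("alice may input:", is_authorized(alice, Action.INPUT))
    print("alice may query:", is_authorized(alice, Action.QUERY))

    # Someone later adds QUERY to alice "temporarily" and never reviews it.
    alice.granted.add(Action.QUERY)
    bob = User("bob", "analyst")
    assign_by_duty(bob)
    for name, excess in review_all([alice, bob]).items():
        print(f"{name} holds rights beyond their duty: {sorted(a.value for a in excess)}")
```

The check and the review are deliberately separate: is_authorized answers the runtime question against what was actually granted, while review_rights answers the governance question of whether what was granted still matches the duty.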