Definition: Authorization is the concept that determines who has the right or privilege to access the information infrastructure. Access rights are determined by an information security plan that should be approved by the organization’s legitimate authority or governing board. The right to access particular records or software is determined in the same manner. For example, the clerical and support staff would more than likely not have the right to access, read or change documents in the payroll department.

Its Relevance: Individuals may be properly authenticated to a computer or network. However, restrictions still need to apply to control access to specific resources. Otherwise, if everyone in the organization could access, read and modify records, the confidentiality, integrity and availability of information could be significantly harmed. Information systems must be assured. A massive cybercrime wave is now ravaging the world.

Users should be granted only the least privileges they need to accomplish their employment-related tasks. Authorization is the "glue" that holds a security plan together.
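The sketch below is an added illustration, not part of the original page. It shows the two points above in code: an authenticated user is still denied unless the role holds an explicit grant, and a least-privilege audit flags grants that exceed what a role's tasks require. The role names, resources and the `POLICY`, `REQUIRED` and `DRIFTED` tables are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy: role -> explicit (resource, action) grants.
POLICY = {
    "payroll_clerk": {("payroll", "read"), ("payroll", "modify")},
    "clerical": {("correspondence", "read"), ("correspondence", "modify")},
}

# Constructed task list: what each role needs for its employment-related tasks.
REQUIRED = {
    "payroll_clerk": {("payroll", "read"), ("payroll", "modify")},
    "clerical": {("correspondence", "read"), ("correspondence", "modify")},
}

# Constructed example of policy drift: clerical staff were given payroll read.
DRIFTED = {**POLICY, "clerical": POLICY["clerical"] | {("payroll", "read")}}


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    authenticated: bool  # outcome of authentication, decided elsewhere


def is_authorized(session, resource, action, policy=POLICY):
    """Deny by default: authentication alone never grants access."""
    if not session.authenticated:
        return False
    # Unknown roles and unlisted (resource, action) pairs fall through to deny.
    return (resource, action) in policy.get(session.role, set())


def excess_privileges(policy, required):
    """Least-privilege audit: grants held beyond what each role's tasks need."""
    findings = {}
    for role, grants in policy.items():
        extra = grants - required.get(role, set())
        if extra:
            findings[role] = extra
    return findings


if __name__ == "__main__":
    clerk = Session("alice", "clerical", authenticated=True)
    print("clerical reads payroll:", is_authorized(clerk, "payroll", "read"))
    print("excess grants after drift:", excess_privileges(DRIFTED, REQUIRED))
```
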

