📖 What is Authorization?

The process of determining what an authenticated user is permitted to do or access within a system.

🥋 Sensei Says:

"Comes AFTER authentication. You are logged in, but do you have permission to delete this file?"

📚 Certification: Certified in Cybersecurity (CC)

🔑 What are the Key Concepts of Authorization?

  • Authorization relies on pre-defined permissions and access control lists (ACLs) to regulate resource access after successful authentication.
  • Role-Based Access Control (RBAC) is a common authorization model, assigning permissions based on a user’s role within an organization.
  • Least privilege is a core authorization principle, granting users only the minimum necessary access to perform their job functions.
  • Authorization mechanisms include Access Control Lists (ACLs), capabilities, and Attribute-Based Access Control (ABAC), which decides access from attributes of the subject, the resource, and the environment rather than from a fixed role.
  • Proper authorization prevents privilege escalation attacks and limits the impact of compromised accounts by restricting their capabilities.

🎯 How does Authorization appear on the CC Exam?

You may be asked to identify the authorization method used when a user’s access to files is determined by their department and security clearance level.

A scenario might describe a security incident where an attacker gained access to a system but could only view, not modify, data; this demonstrates effective authorization limiting the impact of a compromised account.

Expect questions about how to implement authorization controls to comply with specific regulations like HIPAA or GDPR, focusing on data access restrictions.

❓ Frequently Asked Questions

How does authorization differ from authentication in a real-world example?

Authentication is showing your ID to enter a building; authorization is whether your ID grants you access to specific offices or floors within that building. Both are required for secure access.


What are the risks of overly permissive authorization settings?

Overly permissive settings increase the attack surface, allowing attackers to move laterally within a network and access sensitive data more easily. This violates the principle of least privilege.


Can authorization be bypassed, and if so, how?

Authorization can be bypassed through vulnerabilities like SQL injection or cross-site scripting (XSS) that allow attackers to manipulate access controls or impersonate authorized users.
