Authorization
In the authorization phase, an authenticated entity (application, device, or individual) is assigned privileges to access system resources and/or to perform various functions. Predefined access control policies are applied to the entity based on its identity, role, or group. From a confidentiality and integrity standpoint, a foundational authorization approach is the principle of least privilege, wherein the authenticated entity starts with a minimum set of privileges (or none at all) and is granted more only as needed. Another principle is separation of functions, wherein each entity is permitted only a well-defined set of functions. In a server OS, containerization provides such separation.
The IAM system also allows policies to be associated with a role or a group rather than with individual entities. This improves the scalability of the IAM system: when a new entity is added to a role or group, the policies associated with that role or group are applied to it without any per-entity policy configuration.
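The role- and group-based policy model described above, as an added example that is not part of the original text: a hypothetical in-memory IAM store in which policies bind to roles, roles bind to groups or entities, and an entity with no assignment is denied everything (least privilege as default deny). The role, group and entity names are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Set of (resource, action) pairs that are allowed; anything absent is denied."""
    allows: set[tuple[str, str]]


@dataclass
class IAM:
    """Hypothetical in-memory IAM store: policies bind to roles, roles to groups/entities."""
    role_policies: dict[str, Policy] = field(default_factory=dict)
    group_roles: dict[str, set[str]] = field(default_factory=dict)
    entity_roles: dict[str, set[str]] = field(default_factory=dict)
    entity_groups: dict[str, set[str]] = field(default_factory=dict)

    def add_to_group(self, entity: str, group: str) -> None:
        # Scalability point from the text: adding an entity to a group is the
        # only step needed; the group's role policies then apply to it.
        self.entity_groups.setdefault(entity, set()).add(group)

    def effective_roles(self, entity: str) -> set[str]:
        # Roles held directly, plus roles inherited through group membership.
        roles = set(self.entity_roles.get(entity, set()))
        for group in self.entity_groups.get(entity, set()):
            roles |= self.group_roles.get(group, set())
        return roles

    def is_authorized(self, entity: str, resource: str, action: str) -> bool:
        # Least privilege as default deny: an authenticated entity with no
        # role or group assignment has no privileges at all.
        for role in self.effective_roles(entity):
            policy = self.role_policies.get(role)
            if policy is not None and (resource, action) in policy.allows:
                return True
        return False


def build_demo() -> IAM:
    """Constructed sample data: two roles with separate, well-defined functions."""
    iam = IAM()
    iam.role_policies["log-reader"] = Policy({("logs", "read")})
    iam.role_policies["deployer"] = Policy({("service", "deploy")})
    iam.group_roles["ops-team"] = {"log-reader"}
    iam.entity_roles["ci-pipeline"] = {"deployer"}  # a non-human entity
    iam.add_to_group("alice", "ops-team")  # alice inherits log-reader via the group
    return iam
```

An entity such as `bob`, authenticated but never assigned to a role or group, is denied every request until `add_to_group` places it in `ops-team`, at which point the group's policies apply with no further configuration.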