Authorization concept

from Wikipedia, the free encyclopedia

An authorization concept describes which access rules apply to individual users or user groups for the data of an IT system.

Although the term originates in the organizational environment, authorization concepts play an important role in controlling the use of resources in information technology. Besides data and information, resources include the technical infrastructure, such as system access, storage space, computing power and computer programs. An authorization concept should protect these resources from being changed or destroyed (data security) and prevent their unlawful use (data protection), without hindering the productivity of the organization.

Besides the resources to be protected, the authorization concept also describes and regulates the tools used to protect them, which belong to the system software or system-related software, and how they are used, for example how users of computer systems identify and authenticate themselves with passwords or access codes.

Basic concept

A simple authorization concept assigns each potential resource user the set of resources that user is actually allowed to use, or, conversely, assigns each resource a list of its authorized users (an access control list). The type of authorization can also be specified, for example read, change, delete or use. Upper limits can also be defined, for example for storage space or transferred data volumes (quotas).

Purely user-related concepts quickly become confusing and are therefore often only rudimentary. A concept based on roles or user groups is better (role-based access control). It allows authorizations to be bundled, for example all authorizations that employees in payroll accounting need, as derived from the business processes there. This role is then assigned to every employee who actually works in payroll accounting. An employee who has several functions can hold several roles. As a result, changes in the responsibilities of individual employees, as well as changes in the business process, only have to be tracked at one point in the authorization concept, which thus remains consistent and manageable.

Defining user roles is part of authorization administration, while assigning roles to users is part of user administration.

To detect unauthorized access rights, the authorization concept must be checked regularly. This check is a target/actual comparison: the target state is the documented concept, the actual state is the set of authorizations extracted from the system. Deviations between the two are identified and documented during the review. Depending on how a deviation is classified, either the target concept is updated (the documentation was out of date) or the actual state in the system is corrected (for example by revoking an authorization that is no longer needed).
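The role-based model of the previous section and the target/actual comparison described above, as an added example that is not part of the Wikipedia article: roles bundle permissions of the four types named in the text (read, change, delete, use), users are assigned one or more roles, and the documented target state is reconciled against the per-user authorizations extracted from a system. All role, user and resource names, and the sample "actual" state, are constructed for illustration.

```python
"""Role-based authorization concept with a target/actual reconciliation.

Added example, not from the Wikipedia article. Roles, users, resources and
the extracted "actual" state below are constructed sample data.
"""
from dataclasses import dataclass, field

# The authorization types named in the article.
PERMISSION_TYPES = frozenset({"read", "change", "delete", "use"})


@dataclass(frozen=True)
class Permission:
    """One authorization: an action on a named resource."""
    resource: str
    action: str

    def __post_init__(self):
        if self.action not in PERMISSION_TYPES:
            raise ValueError(f"unknown permission type: {self.action!r}")


@dataclass
class AuthorizationConcept:
    """The documented target state: roles bundle permissions, users hold roles."""
    roles: dict = field(default_factory=dict)        # role name -> set[Permission]
    assignments: dict = field(default_factory=dict)  # user -> set[role name]

    def define_role(self, role, permissions):
        """Authorization administration: what a role may do."""
        self.roles[role] = set(permissions)

    def assign_role(self, user, role):
        """User administration: who holds a role. Undefined roles are rejected
        so the concept can never reference a bundle that does not exist."""
        if role not in self.roles:
            raise KeyError(f"role {role!r} is not defined")
        self.assignments.setdefault(user, set()).add(role)

    def effective_permissions(self, user):
        """Union over all of the user's roles (several functions, several roles)."""
        return set().union(*(self.roles[r] for r in self.assignments.get(user, ())))

    def is_allowed(self, user, resource, action):
        return Permission(resource, action) in self.effective_permissions(user)


def reconcile(target, actual):
    """Target/actual comparison.

    `actual` maps user -> set[Permission] as extracted from the live system.
    Returns only the users with deviations:
      'excess'  = granted in the system but not in the concept (to be revoked,
                  or the concept is out of date),
      'missing' = in the concept but not granted in the system.
    Accounts that exist only in the system show up with all their rights as
    excess; users in the concept with no system account show up as missing.
    """
    deviations = {}
    for user in sorted(set(target.assignments) | set(actual)):
        wanted = target.effective_permissions(user)
        granted = actual.get(user, set())
        excess, missing = granted - wanted, wanted - granted
        if excess or missing:
            deviations[user] = {"excess": excess, "missing": missing}
    return deviations


def build_example():
    """Constructed sample data (hypothetical roles, users and resources)."""
    concept = AuthorizationConcept()
    concept.define_role("payroll_clerk", {
        Permission("payroll_data", "read"),
        Permission("payroll_data", "change"),
        Permission("payroll_app", "use"),
    })
    concept.define_role("hr_admin", {
        Permission("personnel_records", "read"),
        Permission("personnel_records", "change"),
        Permission("personnel_records", "delete"),
    })
    concept.assign_role("alice", "payroll_clerk")
    concept.assign_role("bob", "payroll_clerk")
    concept.assign_role("bob", "hr_admin")   # bob has two functions, so two roles

    # What an export from the system might show: alice was granted a delete
    # right by hand and lost her application access; carol is an orphaned
    # account that the concept does not know at all.
    actual = {
        "alice": {Permission("payroll_data", "read"),
                  Permission("payroll_data", "change"),
                  Permission("payroll_data", "delete")},
        "bob": concept.effective_permissions("bob"),
        "carol": {Permission("personnel_records", "read")},
    }
    return concept, actual


if __name__ == "__main__":
    concept, actual = build_example()
    for user, dev in reconcile(concept, actual).items():
        print(user, "excess:", sorted(map(str, dev["excess"])),
              "missing:", sorted(map(str, dev["missing"])))
```

The reconciliation deliberately reports both directions: excess rights are the security finding (a hand-granted delete, an account nobody documented), while missing rights usually mean the documented concept has drifted from what the business actually needs and should be updated rather than enforced blindly.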
