Although originally coming from the organizational environment, authorization concepts play an important role in the use of resources in information technology . In addition to data and information, resources also include the technical infrastructure such as system access, storage space, computing power or computer programs . An authorization concept should protect these resources from being changed or destroyed ( data security ) and prevent their unlawful use ( data protection ) without inhibiting the productivity of the organization.
In addition to the resources to be protected, the authorization concept also describes and regulates the tools to be used to protect these resources, which belong to the system software or system-related software, and how they are used, for example how users of computer systems identify themselves with passwords or access codes .
A simple authorization concept assigns each potential resource user a number of resources that he is actually allowed to use or, conversely, each resource a list of the respectively authorized users. The type of authorization can also be specified, for example read, change, delete, use. The restriction to upper limits can also be defined, for example for storage space or transferred data volumes.
Purely user-related concepts tend to be confusing and are therefore often only rudimentary. A concept based on roles or user groups is better . This allows authorizations to be summarized, for example all authorizations that employees need in payroll accounting, as it results from the business processes there . This role is assigned to every employee who now specifically works in personnel accounting. An employee can, however, have several roles if he has several functions. In this way it is achieved that changes in the responsibilities of the individual employees, as well as changes in the business process, only have to be tracked at one point in the authorization concept and this remains consistent and manageable.
Defining user roles is part of the authorization administration task, while assigning roles to users is part of user administration.
In order to avoid unauthorized access, the authorization concept must be checked regularly. This check is done through a target / actual comparison. The target status corresponds to a documented status, the actual status is determined from the system. Deviations are identified and documented during the inspection. Depending on the classification of the deviation, either the target concept is updated or the actual status in the system is adjusted.
- Identity management: Authorization concept for the use of IT services Document from the University of Freiburg, approved by the Rectorate on June 24, 2009