Authorization (or establishment or entitlement) defines a user’s (or process’) rights and permissions to a resource. After a user (or process) is authenticated, authorization determines what that user can do to the resource.
Here are some authorization strategies to improve security:
- By default, grant users no rights and permissions
- Grant users least privileged rights and permissions on “need to know” basis
- Push authorization processes from upper/applications layers to lower/OS layers as much as possible
- Prepare or plan Role-Based authorization
- Move from manual authorization management processes to automated authorization management processes with next generation IAM role/group management products
Please be aware of that Role-Base authorization will be a subset of Claim-Based authorization in long term.