Glossary
Authorization has a vocabulary problem. Let's fix that.
A
ABAC
Attribute-Based Access Control. Access decisions based on attributes—of the user, the resource, the environment—rather than just roles. More flexible than RBAC, but more complex to manage without the right tooling.
Access Control
The process of determining and enforcing what actions users can perform on resources. It depends on authentication (who are you?) to identify the subject, and on authorization (what can you do?) to decide and enforce; the two are separate steps, and a system can have strong authentication and still weak access control.
Access Review
A periodic audit process where managers or resource owners verify that users still need the access they have. Often required for compliance but frequently becomes a checkbox exercise without proper authorization infrastructure.
Authentication
The process of verifying identity—proving you are who you claim to be. Typically handled by identity providers through SSO, MFA, passwords, or other credentials. Distinct from authorization.
Authorization
Deciding what a user can do—what resources they can access, what actions they can take, under what conditions. The "gap" in most organizations' security architecture.
Authorization Debt
The accumulated cost of ad-hoc authorization decisions: hardcoded permissions, role sprawl, inconsistent policies across apps. Like technical debt, it compounds over time and becomes increasingly expensive to address.
C
Coarse-Grained Authorization
Access control at a high level—typically whether a user can access an application or feature at all. Contrast with fine-grained authorization, which controls access to specific resources or data.
Compliance
Adherence to regulatory requirements (HIPAA, SOX, GDPR, etc.) that often mandate specific access control capabilities like least privilege, audit trails, and access reviews.
Context-Aware Authorization
Access decisions that factor in real-time context: device type, location, time of day, risk score. A key capability for zero-trust architectures.
D
Decision Log
A record of authorization decisions—who requested access, to what, when, and why the decision was granted or denied. Essential for compliance and incident investigation.
E
Entitlement
A permission or access right granted to a user. Managing entitlements at scale is one of the core challenges of enterprise authorization.
Externalized Authorization
Moving access control logic out of application code and into a dedicated policy layer. The application asks "can this user do this?" and gets an answer, rather than calculating it internally.
F
Fine-Grained Authorization
Access control at a granular level—specific records, fields, or operations. "Can this user see this specific customer's data?" rather than "Can this user access the CRM?"
I
IdP
Identity Provider. A service that manages user identities and handles authentication. Examples include Okta, Azure AD (now Microsoft Entra ID), and Auth0. IdPs establish who you are; authorization decides what you can do.
J
Just-In-Time Access
Granting access only when needed and automatically revoking it after a set period. Reduces standing privileges and supports least privilege principles.
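As an added illustration of the Just-In-Time Access entry (example code, not PlainID's or any product's), the grant store below issues access with an explicit expiry, caps the requested duration at a policy ceiling, requires a justification for the later access review, and treats an expired grant exactly like one that was never issued. The clock is passed in so the lifecycle can be exercised deterministically; the resource name, the four-hour ceiling and the ticket numbers are assumed sample values.

```python
# Added example: just-in-time grants with expiry (not PlainID's or any product's code).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_GRANT = timedelta(hours=4)   # assumed policy ceiling; longer requests are truncated


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    action: str
    granted_at: datetime
    expires_at: datetime
    justification: str           # ticket or reason, retained for the access review


class JitGrantStore:
    def __init__(self):
        self._grants: list[Grant] = []

    def request(self, user, resource, action, duration, justification, now) -> Grant:
        if not justification:
            raise ValueError("JIT access requires a justification")
        ttl = min(duration, MAX_GRANT)               # never exceed the ceiling
        grant = Grant(user, resource, action, now, now + ttl, justification)
        self._grants.append(grant)
        return grant

    def is_allowed(self, user, resource, action, now) -> bool:
        # No standing privileges: only a grant that is live right now answers yes.
        return any(
            g.user == user and g.resource == resource and g.action == action
            and g.granted_at <= now < g.expires_at
            for g in self._grants
        )

    def active_grants(self, now):
        """What an access review would look at: grants that have not yet expired."""
        return [g for g in self._grants if now < g.expires_at]


T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed reference time


def demo_grant_lifecycle(hours_later: float) -> bool:
    """Grant 'alice' 2h of read on 'prod-db' at T0; is it still valid T0 + hours_later?"""
    store = JitGrantStore()
    store.request("alice", "prod-db", "read", timedelta(hours=2), "INC-1234", T0)
    return store.is_allowed("alice", "prod-db", "read", T0 + timedelta(hours=hours_later))


def granted_hours(requested_hours: float) -> float:
    """Ask for requested_hours and return how many hours were actually granted."""
    grant = JitGrantStore().request("bob", "prod-db", "read",
                                    timedelta(hours=requested_hours), "CHG-42", T0)
    return (grant.expires_at - grant.granted_at).total_seconds() / 3600
```

The expiry is enforced at check time rather than by a background revocation job, so a grant is dead the moment its window closes even if a cleanup task is late.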
L
Least Privilege
The principle that users should have only the access they need, nothing more. Easy to say, hard to prove without fine-grained authorization and proper audit capabilities.
O
OPA
Open Policy Agent. An open-source, general-purpose policy engine that uses Rego as its policy language. Powerful but requires significant investment to build a complete authorization platform around it.
P
PBAC
Policy-Based Access Control. Access decisions driven by policies that can incorporate roles, attributes, context, and business rules. More expressive than RBAC or ABAC alone.
PDP
Policy Decision Point. The component that evaluates policies and returns access decisions. The "brain" of an authorization system. Can be centralized or distributed.
PEP
Policy Enforcement Point. The component that enforces access decisions—typically in the application, API gateway, or data layer. The "gatekeeper" that acts on PDP decisions. A PEP should fail closed: if the PDP cannot be reached or returns no usable answer, the request is denied, not waved through.
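To make the Externalized Authorization, Decision Log, PDP and PEP entries concrete, here is an added example (not PlainID's or any product's code) in which a PDP evaluates a role table and returns a decision with a reason, a PEP wraps an application function and asks the PDP before letting it run, and every answer lands in a decision log. The permission table, the order service and the user records are assumed sample data; the PDP that raises on every call stands in for an unreachable policy service to show the fail-closed path.

```python
# Added example: externalized authorization with PDP, PEP and decision log
# (not PlainID's or any product's code).
import functools
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass
class Decision:
    allowed: bool
    reason: str            # recorded so an investigator can see why, not just what


class PolicyDecisionPoint:
    """Answers 'may subject do action on resource?'; holds no application logic."""
    # Assumed sample policy: (resource type, action) -> roles that may perform it.
    PERMISSIONS = {
        ("order", "read"): {"clerk", "manager"},
        ("order", "approve"): {"manager"},
    }

    def decide(self, subject: dict, action: str, resource: dict) -> Decision:
        allowed_roles = self.PERMISSIONS.get((resource.get("type"), action))
        if allowed_roles is None:                       # nothing matches: default deny
            return Decision(False, f"no policy for {resource.get('type')}:{action}")
        granted = set(subject.get("roles", ())) & allowed_roles
        if granted:
            return Decision(True, f"role {sorted(granted)[0]} permits {action}")
        return Decision(False, f"{action} requires one of {sorted(allowed_roles)}")


class UnavailablePDP:
    """Stand-in for a policy service that is down; used to show fail-closed behaviour."""
    def decide(self, subject, action, resource):
        raise ConnectionError("pdp unreachable")


DECISION_LOG: list = []   # in production an append-only store or SIEM, not a list


def log_decision(subject, action, resource, decision: Decision, now: datetime) -> dict:
    entry = {"time": now.isoformat(), "subject": subject.get("id"), "action": action,
             "resource": resource.get("id"), **asdict(decision)}
    DECISION_LOG.append(entry)
    return entry


class Unauthorized(Exception):
    pass


class PolicyEnforcementPoint:
    def __init__(self, pdp):
        self.pdp = pdp

    def guard(self, action: str):
        """Decorator: the application passes subject and resource, the PEP asks the PDP."""
        def wrap(fn):
            @functools.wraps(fn)
            def guarded(subject, resource, *args, **kwargs):
                try:
                    decision = self.pdp.decide(subject, action, resource)
                except Exception as exc:                # PDP broken or unreachable: deny
                    decision = Decision(False, f"pdp error: {exc!r}")
                log_decision(subject, action, resource, decision, datetime.now(timezone.utc))
                if not decision.allowed:
                    raise Unauthorized(decision.reason)
                return fn(subject, resource, *args, **kwargs)
            return guarded
        return wrap


pep = PolicyEnforcementPoint(PolicyDecisionPoint())


@pep.guard("approve")
def approve_order(subject, order):
    # Application code: no role checks in here, that logic lives in the PDP.
    return {"order": order["id"], "approved_by": subject["id"]}


@PolicyEnforcementPoint(UnavailablePDP()).guard("read")
def read_order_while_pdp_down(subject, order):
    return order


def call_guarded(fn, subject, resource):
    """Return (True, result) or (False, reason) so callers need not catch Unauthorized."""
    try:
        return True, fn(subject, resource)
    except Unauthorized as exc:
        return False, str(exc)
```

Because the application function never sees a request the PDP denied, the same `approve_order` body serves every policy change without a redeploy; only the PDP's policy moves.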
Permission
A specific action that can be performed on a resource. "Read customer record" or "Approve transaction" are permissions. Permissions are typically grouped into roles or policies.
Policy
A rule or set of rules that determines access. Can be simple ("admins can access everything") or complex ("users can access customer records in their region during business hours").
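The two policies quoted in the Policy entry, written out as an added example (not PlainID's or any product's code) that also illustrates the ABAC, Context-Aware Authorization and PBAC entries: one rule is a plain role check, the other combines a user attribute (region), a resource attribute (type and region) and request-time context (the clock). Rules are allow-only and evaluated over a deny-by-default baseline. The region codes, the weekday 09:00 to 17:00 definition of business hours and the sample timestamps are assumed values.

```python
# Added example: policy-based evaluation mixing roles, attributes and context
# (not PlainID's or any product's code).
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Request:
    subject: dict                                  # user attributes: roles, region, ...
    action: str                                    # e.g. "read"
    resource: dict                                 # resource attributes: type, region, ...
    context: dict = field(default_factory=dict)    # request-time context: time, device, ...


def admins_can_access_everything(req: Request) -> bool:
    """'Admins can access everything' is a pure role check (RBAC)."""
    return "admin" in req.subject.get("roles", ())


def users_see_own_region_in_business_hours(req: Request) -> bool:
    """'Users can access customer records in their region during business hours.'"""
    if req.action != "read" or req.resource.get("type") != "customer":
        return False
    if req.subject.get("region") != req.resource.get("region"):   # attribute match
        return False
    at = req.context.get("time")
    if not isinstance(at, datetime):
        return False                   # no trustworthy clock in the context: fail closed
    return at.weekday() < 5 and 9 <= at.hour < 17   # assumed business-hours definition


# Allow rules only: a request passes if any rule matches, otherwise it is denied.
# A new resource type or action nobody wrote a rule for is therefore rejected.
POLICIES = [admins_can_access_everything, users_see_own_region_in_business_hours]


def decide(req: Request) -> tuple:
    """Return (allowed, reason); the reason names the rule that granted access."""
    for policy in POLICIES:
        if policy(req):
            return True, policy.__name__
    return False, "no matching policy (default deny)"


# Constructed sample timestamps: 2024-03-05 is a Tuesday, 2024-03-10 a Sunday.
WEEKDAY_10AM = datetime(2024, 3, 5, 10, 0)
SUNDAY_10AM = datetime(2024, 3, 10, 10, 0)


def read_customer(subject: dict, resource_region: str, when: datetime) -> tuple:
    """Convenience wrapper: 'subject' reads a customer record in resource_region at 'when'."""
    return decide(Request(subject, "read",
                          {"type": "customer", "region": resource_region},
                          {"time": when}))
```

Note what the role-only model cannot express here: "same region as the record" and "during business hours" are properties of the request, not of the user, which is exactly where RBAC alone runs into role explosion.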
Policy Engine
Software that evaluates policies against requests and returns decisions. The core of any authorization platform. Examples include OPA, Cedar, and various commercial engines.
Policy Sprawl
The proliferation of inconsistent access policies across different applications and systems. A symptom of decentralized authorization that makes governance and compliance difficult.
R
RBAC
Role-Based Access Control. Access decisions based on roles assigned to users. Simple and widely used, but limited when you need finer-grained or context-aware decisions.
Real-Time Authorization
Making access decisions at the moment of access, with current context, rather than relying on pre-computed permissions. Essential for dynamic, context-aware security.
Rego
The policy language used by OPA (Open Policy Agent). A declarative language for expressing policies. Powerful and flexible, but requires developer expertise to author and maintain.
Role
A named collection of permissions assigned to users. "Admin," "Editor," "Viewer" are common roles. Role explosion occurs when organizations create too many roles to manage.
Role Explosion
The uncontrolled growth of roles in an RBAC system, often to the point where roles become meaningless or unmanageable. A common symptom of trying to use roles for fine-grained access control.
Row-Level Security
Restricting access to specific rows in a database based on user context. "Users can only see customers in their region" is a row-level security policy. It can be enforced by the database itself (PostgreSQL policies, for example) or by a data-access layer that adds the predicate to every query; either way the filter must come from the session, not from the caller's request.
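As an added example of the Row-Level Security entry (not PlainID's or any product's code), the repository below applies the "customers in your region" rule to every query against an in-memory SQLite table. The region list comes from the session, so a caller cannot widen its own scope, and the same predicate is applied to point lookups so that a guessed id outside the scope looks exactly like a missing row. SQLite has no native row-level policies, so the rule lives in the data-access layer; the customers, regions and session records are constructed sample data.

```python
# Added example: row-level security enforced in the data-access layer
# (not PlainID's or any product's code).
import sqlite3

SAMPLE_ROWS = [                 # constructed sample data
    (1, "Acme GmbH", "EU"),
    (2, "Globex Inc", "US"),
    (3, "Initech SAS", "EU"),
    (4, "Umbrella Pty", "APAC"),
]


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, region TEXT NOT NULL)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


class CustomerRepository:
    """Every read goes through here; the session, not the caller, fixes the scope."""

    def __init__(self, db: sqlite3.Connection, session: dict):
        self.db = db
        # session["regions"] is assumed to come from the IdP/PDP, never from the request body
        self.session = session

    def _scope(self):
        """Return (sql_predicate, params) limiting rows to the session's regions."""
        regions = list(self.session.get("regions", []))
        if not regions:
            return "0", []                        # no regions granted: matches nothing
        placeholders = ",".join("?" * len(regions))
        return f"region IN ({placeholders})", regions   # parameterised, never interpolated

    def list_customers(self):
        pred, params = self._scope()
        return self.db.execute(
            f"SELECT id, name, region FROM customers WHERE {pred} ORDER BY id", params
        ).fetchall()

    def get_customer(self, customer_id: int):
        # Same predicate on point lookups: an id outside the scope returns None,
        # indistinguishable from a non-existent id, so nothing leaks by probing.
        pred, params = self._scope()
        return self.db.execute(
            f"SELECT id, name, region FROM customers WHERE id = ? AND {pred}",
            [customer_id, *params],
        ).fetchone()


def customers_visible_to(session: dict):
    """Open a fresh sample database and list what this session may see."""
    return CustomerRepository(open_db(), session).list_customers()
```

The empty-scope case returning a predicate that matches nothing is deliberate: a session with no regions must see zero rows, not all of them, which is the bug you get if the filter is only added when a region list happens to be present.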
S
SAML
Security Assertion Markup Language. An XML-based standard for exchanging authentication and authorization data between identity providers and service providers. Common in enterprise SSO.
Separation of Duties
A control principle requiring multiple people to complete sensitive tasks. Authorization systems must enforce SoD policies—for example, preventing the same person from creating and approving a transaction.
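Two ways an authorization system enforces the Separation of Duties entry, as an added example (not PlainID's or any product's code): a static check over role assignments that flags "toxic" combinations no single person may hold, and a dynamic check at approval time that refuses to let the creator of a transaction approve it even when they hold the approver role. The role names, the toxic pairs and the transaction records are assumed sample data.

```python
# Added example: static and dynamic separation-of-duties checks
# (not PlainID's or any product's code).

# Assumed sample policy: pairs of roles that must never be held by one user.
TOXIC_COMBINATIONS = [
    frozenset({"payment_creator", "payment_approver"}),
    frozenset({"vendor_admin", "payment_approver"}),
]


def sod_violations(assignments: dict) -> list:
    """Static check: (user, conflicting_roles) for every user holding a toxic pair.

    assignments maps user id -> iterable of role names. Run this on every role
    grant and in the periodic access review, not only at approval time.
    """
    found = []
    for user, roles in sorted(assignments.items()):
        held = set(roles)
        for combo in TOXIC_COMBINATIONS:
            if combo <= held:
                found.append((user, tuple(sorted(combo))))
    return found


def can_approve(subject: dict, transaction: dict) -> tuple:
    """Dynamic check: the approver role is necessary but not sufficient."""
    if "payment_approver" not in subject.get("roles", ()):
        return False, "approver role required"
    if subject["id"] == transaction["created_by"]:
        return False, "separation of duties: creator may not approve own transaction"
    if transaction.get("status") != "pending":
        return False, f"transaction is {transaction.get('status')}, not pending"
    return True, "ok"


def approve(subject: dict, transaction: dict) -> dict:
    """Apply the approval only if can_approve says so; returns the updated record."""
    allowed, reason = can_approve(subject, transaction)
    if not allowed:
        raise PermissionError(reason)
    return {**transaction, "status": "approved", "approved_by": subject["id"]}
```

The static check catches the toxic combination before anyone uses it; the dynamic check is still needed because a user with only the approver role can still be the creator of a particular transaction through some other path (delegation, a migrated record, a shared service account).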
SSO
Single Sign-On. Authentication mechanism allowing users to log in once and access multiple applications. SSO solves identity, not authorization—knowing who someone is doesn't tell you what they can do.
Z
Zero Standing Privileges
An approach where users have no persistent access rights. All access is granted just-in-time based on need and automatically expires. The logical end-state of least privilege.
Zero Trust
A security model that requires verification for every access request, regardless of location or network. "Never trust, always verify." Authorization is a critical component—you can't verify without knowing what's allowed.
Missing a term?
Authorization is a deep topic. If there's a term you'd like us to add, let us know.
Contact PlainID →