A Consistent Definition of Authorization

  • Audun Jøsang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10547)


A shared understanding of terms and concepts is a condition for meaningful discussions in any domain of scientific investigation and industrial development. This principle also applies to the domain of information security. It is therefore problematic when central terms are assigned inconsistent meanings in the literature and mainstream textbooks on information security. In particular, this is the case for the concept of ‘authorization’, for which the security community still has not arrived at a clear and common understanding. We argue that there can only be one interpretation of authorization which is consistent with fundamental security concepts. Consistent definitions of security terms are important in order to support good learning and practice of information security. The proposed definition of authorization is not only consistent with other fundamental security terms, it is also simple, logical and intuitive.


Cybersecurity, Security education, Authorization, Access control, Authentication, IAM



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. University of Oslo, Oslo, Norway
